Integrating Client Software
Your software (a desktop app, WordPress plugin, Flutter app, CLI…) is the client. It enforces licensing by calling the WPLM REST API, and can verify signed licenses offline using the bundled public key.
The core flow
Section titled “The core flow”- Activate — on first run, the user enters a key; the client computes a
device fingerprint and calls
POST /wplm/v1/activate. - Validate — periodically (e.g. on launch), call
POST /wplm/v1/validateto confirm the license is still good. - Heartbeat — for floating licenses, call
POST /wplm/v1/heartbeaton an interval to keep the lease alive. - Deactivate — on uninstall/sign-out, call
POST /wplm/v1/deactivateto free the seat.
# Activate this devicecurl -X POST https://vendor.com/wp-json/wplm/v1/activate \ -H "Content-Type: application/json" \ -d '{ "license_key": "ABCD-EFGH-IJKL-MNOP", "fingerprint": "sha256-of-machine-id" }'Fingerprints
Section titled “Fingerprints”Compute a stable per-device fingerprint from platform-appropriate sources
(machine GUID, hardware ids). Send it raw or pre-hashed — the server re-hashes it
with HMAC-SHA256 before storage either way. For cloud nodes that share
hardware, use a random per-install UUID instead.
Offline verification
Section titled “Offline verification”/validate returns a payload signed with Ed25519. Fetch the public key once
from GET /wplm/v1/public-key, bundle it in your client, and verify the signature
locally — no network needed:
signedKey = base64url(payload) . "." . base64url(signature)verify(signature, payload, WPLM_PUBLIC_KEY) // sodium_crypto_sign_verify_detachedThis lets your app keep working from a cached, signed payload when the network is down, within a configurable cache-TTL / max-clock-drift window. Reject payloads whose signed timestamp drifts beyond your allowed window (replay protection).
Offline revocation (CRL)
Section titled “Offline revocation (CRL)”Cache the signed revocation list from GET /wplm/v1/crl. Even offline, refuse any
cached-valid license whose key hash (or device fingerprint) appears on the CRL —
so a leaked key is killed within your refresh window.
No secrets in clients
Section titled “No secrets in clients”Clients embed only the public key, the product id, and the server URL. The Ed25519 private key and any API consumer secrets never ship in client software — only management/back-office tools use API keys.
Typed error handling
Section titled “Typed error handling”Map the API error codes to typed errors in your SDK: NotFound, Expired,
Suspended, Revoked, LimitExceeded, Blacklisted, NetworkError,
SignatureInvalid.