Compatibility of LexActivator and Web API


#1

Hello,
I am using Cryptlex v2.9.
When I upgrade Cryptlex to v3.x, I am considering using the Web API to manage licenses.
Therefore, I checked whether the Web API could do what I was doing with LexActivator v3.x.
As a result, I have two questions.

  1. https://docs.cryptlex.com/node-locked-licenses/using-web-api#verifying-license-activation

    Each time, your app starts, you need to verify whether your license is already activated or not.
    This verification should occur locally by verifying the signature of the JWT activation token using the RSA public key.

    From the above quote, I understand that if I want to validate a license with the Web API, I have to implement local license validation myself.
    However, I have used LexActivator to validate the license so far, so I do not know how to do it.
    How do I determine that the license activation is correct?

  2. https://docs.cryptlex.com/node-locked-licenses/overview#what-is-lexactivator

    • Verifies the HTTPS response signature using 2048 bit RSA public key.
    • Stores the HTTPS response in an encrypted form on the disk using AES 128 bit symmetric encryption algorithm.
    • Generates multiple fingerprints of the machine using an advanced device fingerprinting algorithm, which can be used to allow for different fingerprint matching strategies.
    • Does virtual machine detection so you can prevent users from activating your licenses in virtual machines. Virtual machines can be cloned which may sometimes result in same fingerprint on different machines.

    As quoted above, LexActivator provided many APIs.
    If I use Web API, will these APIs be unnecessary?
    If I need them, which APIs do I need to implement myself?

Best regards,
miles


#2

Hi Miles,

We strongly recommend against using the web API directly for license activation, unless you are using Android, iOS or OpenBSD.

You will have to create your own LexActivator library if you directly use the web API for license activation, and there is no point in doing that. You will have to implement AES encryption for storing the token in encrypted form on disk, implement RSA verification for validating the token, implement JWT parsing for parsing the activation token, implement device fingerprinting, implement offline activation, etc. Unless you have a serious reason for not using LexActivator, just stick with LexActivator. It itself uses the web API and makes licensing easy to implement.
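
The local check quoted in question 1 (verifying the signature of the JWT activation token with the RSA public key), as an added example that is not part of the thread and is not Cryptlex's code. It assumes an RS256-signed token; the claim names `fingerprint` and `exp`, the function names and the toy demo key are assumptions made for the illustration, and only the Python standard library is used.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkcs1_encode(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_activation_token(token, n, e, fingerprint, now=None):
    """Return the claims if the token is valid for this machine, else None."""
    k = (n.bit_length() + 7) // 8
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "RS256":  # pin the algorithm
            return None
        raw = b64d(sig)
        s = int.from_bytes(raw, "big")
        if len(raw) != k or s >= n:
            return None
        em = pow(s, e, n).to_bytes(k, "big")
        if not hmac.compare_digest(em, pkcs1_encode(f"{head}.{body}".encode(), k)):
            return None
        claims = json.loads(b64d(body))  # parsed only after the signature checks out
    except (ValueError, AttributeError):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("fingerprint") != fingerprint:  # token issued for another machine
        return None
    return claims

# Constructed demo key: two Mersenne primes, far too weak for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sign_demo_token(claims):
    """Stand-in for the licensing server: issue an RS256 token under the demo key."""
    head = b64e(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    s = pow(int.from_bytes(pkcs1_encode(f"{head}.{body}".encode(), k), "big"), D, N)
    return f"{head}.{body}.{b64e(s.to_bytes(k, 'big'))}"
```

This covers only the signature, expiry and machine-binding checks; encrypted storage of the token, fingerprint generation and offline activation, which the reply lists, are separate pieces.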