I am not sure to understand the full workflow of license checking with WebAPI.
Assume I have created a product and a license in the Cryptlex user interface.
I know my account ID, my user ID, the product ID and the license key.
The following is my understanding. Please correct if needed.
In the app I want to protect, I have to activate the license (step 1).
So, I have to make a POST call to /Activations, giving the required parameters, including the fingerprint (computed by my code), product id, account id, license key, etc.
The result is a 200 HTTP code, with the body a JSON array, with 1 entry for this activation. This entry has some fields like licenseId, leaseExpiresAt, productId and metadata.
Then, I have to check if the license is still active by regularly querying for its status (step 2).
So, I have to make a GET call /licenses/{licenseId} and I get the fields revoked, suspended, validity, expiresAt which give me the information needed to act.
Is this correct?
The following remarks/questions come to mind:
- There is no fingerprint involved in the license check in step 2. What is the purpose of the fingerprint.
- There is no product.data file involved with the use of the API.
- I tested the above workflow with PostMan and I get very strange results:
a. I activate a license with a given key and product id and get a 200 result with a different product id and a license id matching another license key.
b. If I mess up the userId, productId or accountId field, I still get a 200 result with the same values.
Note that I am testing with a trial account that is about to expire (my company did buy a full Cryptlex license but I did not want to “pollute” the official account with test data).
I did make tests with a custom program built with LexActivator and activated some licenses, but this should not interfere with PostMan.
Thank you for clarifications.