Hello!
I can do the whole process, from generating the Offline License Request file to getting the Offline License file, using the LexActivator library plus the WebAPI, but what is not good for me is that (as far as I could tell) for the WebAPI part I need to use my company WebAPI key in Authentication Bearer in the header. Why can’t I use just the client license key or some kind of client ID for it? Is there a way to do it that I missed, or is sending my key the only way to do so? I ask this because for binaries that need to be distributed, this is a huge security risk.
Hello @AugustoMartins,
Thank you for reaching out.
If you are automating the offline activation workflow using our Web API, the recommended and secure approach is to ensure that the access token is only used on your backend.
Your flow should be:
- The client generates the offline activation request file.
- The client sends this data to your backend.
- Your backend calls the Cryptlex Web API using the access token. A valid access token with no permissions is sufficient for this endpoint.
- Your backend returns the offline license response to the client.
This ensures that the access token is never exposed on the client side. Storing or embedding the access token within the application binary is not recommended, as it poses a security risk.
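The backend relay described in the reply above, sketched as an added example that is not part of the thread and is not Cryptlex code. The upstream URL, the payload field names, the `LICENSING_ACCESS_TOKEN` variable and the `send` transport are placeholders and assumptions; take the real endpoint and fields from the Web API documentation.

```python
import os

MAX_REQUEST_BYTES = 64 * 1024  # assumed upper bound for an offline request file

# Placeholder URL, not a real Cryptlex path.
UPSTREAM_URL = "https://licensing-api.example.invalid/offline-activate"


class RelayError(Exception):
    """Error returned to the client: a status code and a generic message."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def relay_offline_request(license_key, offline_request, send, token=None):
    """Forward a client's offline request upstream and return the response file.

    `send(url, headers, payload)` is a hypothetical transport that returns
    (status_code, body_text); in production it would wrap an HTTPS client.
    """
    # The token lives only in the backend's environment, never in the binary.
    token = token or os.environ.get("LICENSING_ACCESS_TOKEN")
    if not token:
        raise RelayError(500, "relay is not configured")
    if not license_key or not offline_request:
        raise RelayError(400, "license key and offline request are required")
    if len(offline_request.encode()) > MAX_REQUEST_BYTES:
        raise RelayError(413, "offline request too large")

    headers = {"Authorization": "Bearer " + token}
    # Field names below are hypothetical.
    payload = {"licenseKey": license_key, "offlineRequest": offline_request}
    status, body = send(UPSTREAM_URL, headers, payload)

    if status != 200:
        # Upstream error bodies are not passed through to the client.
        raise RelayError(502, "activation failed upstream")
    if token in body:
        raise RelayError(502, "upstream response rejected")
    return body
```

The client only ever sees the offline response file or a generic error, so the token can be rotated or revoked on the backend without reshipping binaries.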
The problem is that our application is not online and we do not have a backend; we deliver the binaries to the client and they can use them on many different machines. I would like to suggest adding this kind of function to the LexActivator library, or making it possible to connect to the Cryptlex Web API using a client key instead of my company key.
At the moment, the requirement appears a bit unclear. You mentioned that the application is not online, but at the same time, you require a function in LexActivator to connect to the Cryptlex Web API, which itself requires internet connectivity.
What I meant is that our application is not on a web server, so we do not have a backend for it. In order to support automatic generation of the Offline License, we would need to create a server just for that, which is non-optimal.
The suggestions are:
1- Support the complete generation of the offline license in the LexActivator library without the need for a WebApi key; or
2- Add an option to generate the offline license in the WebApi using a client key instead of the company key
Thank you for the clarification.
We also offer a customer portal where your users can log in and generate the offline activation response files themselves, without requiring you to set up a backend service. Would this approach work for your use-case?
You can refer to the relevant guide here: Customer Portal | Cryptlex Documentation
Yes, we know about the possibility for users to generate it themselves, but some of our users are going to install our product on many offline machines and we would like to make this process easier for them. We created an internal POC that would automatize this, but we won’t release it because of the WebApi key issue.
Thanks for the help, and I would really like to have this option to generate the offline license without the need to share our WebApi key. Is there an official channel for service suggestions?
Hey @AugustoMartins,
I will discuss your use-case with our team and keep you updated soon.