[Web API] Retrieve licenses in bulk

I would like to retrieve license details in bulk using their keys.

As far as I can tell, we have:

  • GET /v3/licenses : we can filter the list based on a license key using the key parameter, but my understanding is that we can only provide a single key. Is that right?

  • GET /v3/licenses/{id} : this can only be used to get a single license at a time.

I would like to avoid sending many requests, is there a way to do this in bulk?

Hi Lindale,

As of now, we do not support retrieving license details in bulk, But we are planning to do so by adding support for various operators in query parameters in a month or so.

This is great news! I’m looking forward to it


We have added support for query operators, you can now do the following:

GET /v3/licenses?key[in]=key1,key2,key3

That’s perfect, thanks a lot!

Is there a limit on the length of the query parameters?

As such there is no limit. You can pass any number of license keys.

1 Like

I noticed that when calling GET /v3/licenses?key[in]= (empty key[in] param), all licenses are returned.

I wasn’t expected this, and noticed it by chance. I believe this could cause security issues, and I think it should return an empty array.

We ignore all the query params which are empty, hence [in] is ignored if you don’t pass any value. We can’t change this as this has been the default behaviour for all the query params even before we introduced query operators.

I guess it is not a security issue because anyone having access to the access token can anyways read all the licenses.

Indeed it’s not a direct security issue. But it’s easy to do something like that:

const licenses = await getRepository(License).find({
  where: { user: user }]

const licenseKeys = licenses.map(license => license.key);

const cryptlexLicenses = await httpClient.get(

const formattedLicenses = cryptlexLicenses.map(license => formatLicense(license));

return res.json(formattedLicenses);

This would return all licenses if the user doesn’t have any.

You should at least explain this behavior in the docs. I think many people do not expect this.

Yes, it will cause the issue in your case. I guess you need to add a check if licenseKeys array is empty.

We will see how we can update our API docs to convey this behaviour.

Yes this is what we already do, the above is just an exemple. But we first implemented the check to avoid unnecessary requests. It’s just because I noticed the behavior by chance that I realised how important the check is, security-wise.