Getting a validation token
You can generate a validation token from the customer area. Each license and cloud subscription will have a "validation token" link under it.
Clicking that link will generate a token if you don't have one for that license/subscription or display the current token if one has been generated.
If you wish to change your token, it can be regenerated from there. Note that your previous tokens will immediately fail to validate.
In general, it is recommended that you provide your validation token to trusted parties only. After giving out a token and having it be verified, you may wish to regenerate your token. However, if you do this, it will break any ongoing checks that third-parties may do; you will need to balance these needs.
Using the license/subscription validation API
- When requesting a validation token from a customer, you must explain how the token will be used. You may only use the token in this manner. You will not disclose a validation token to a third party (other than XenForo Ltd.).
- Each IP can only make 1000 API requests per 24 hours. The request period restarts a midnight GMT. If you need more requests than this, contact us to discuss your requirements.
If you are going to make use of license validation tokens, here are some best practices:
- Ask for the domain that is associated with a token. This provides an extra step of validation and helps confirm ownership.
- If confirming ownership of a domain is important, you may wish to have the user upload a file to their domain with a particular name or content. Google Webmaster Tools uses this technique.
- Accept a license_token, subscription_token or customer_token only once, as necessary.
- Optionally consider storing the validation_token and periodically checking that it is still valid (and has the values that you require). Note that token regeneration will break this so you must handle this situation gracefully.
Using the license/subscription validation API programmatically
While we provide the API via a human readable web interface, it can also be queried programmatically via JSON.
POST requests to
https://xenforo.com/customer-api/license-lookup.json with the following parameters:
token- the license/subscription validation token to look up
domain- checks whether the license/subscription is attached to this domain (optional)
A request for a valid token will return a JSON object with the following keys/values:
validation_token- (string) the token that was looked up
customer_token- (string) a string that will uniquely identify the customer this license is associated with
subscription_token- (string or null) this will uniquely represent the license/subscription in question. It will not change when the token is regenerated. One of these values will always be null depending on the type of validation token.
is_valid- (boolean) this will be true unless the license/subscription is no longer legitimate. Licenses with expired support are still valid.
can_transfer- (boolean or null) true if the license can be transferred. null if the validation token is for a cloud subscription.
domain_match- (boolean or null) if a domain was provided, this will be true/false based on whether it matched the license/subscription. If no domain was provided, this will be null.
domain- (string or null) if a domain was provided, the domain that we tested. This may be changed from original domain supplied in the request.
A request for an invalid token will return a
404 HTTP response. If you have made too many requests, a
503 HTTP response will be returned.