Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.mclicense.org/llms.txt

Use this file to discover all available pages before exploring further.

MC License implements multiple layers of security to protect license validation and prevent unauthorized usage. Our library handles this automatically, but it’s important to understand these security measures when implementing custom solutions or troubleshooting issues. To set the scene, when your plugin starts on a user’s server, it’ll send a request to the MC License validation API. Below is an example response: 
{
    "pluginId": "6712560768f39ad2a157b130a75",
    "message": "License is valid",
    "nonce": "81ac23b0-92d2-4edf-aeac-fbabd6b76a2b",
    "key": "119f1219-6180-4a38-9a6b-1cda33b44449",
    "status": "valid",
    "signature": "X8kL5NwP9yJ3qMvD7hRs2tBnF4uA6xZeYjW0mCQgKpT/vIi9SO+VfbE4UlNyH2cGaB8dX5wLrk1mPnQjYD9v7W3y0h6RoMvx4zKn2UbqNcF8tE5iJmLgVx9UcB/wSt4pHI7fD1eY9vQaBxCy3jn5kT8uOlX2mQdRp6c4hNZqWvALmUr1sPtI9ExbYw0gDmFiGvK5U8cTn2pH4AByZRe3xQkM9jW7VNt6PqwS1LdEvXn8OyC3QmKfHu9sY4TxJ0NpM2vR8Yk5BwPcXLq7t96NOcz4qDhB3eWi1m9kUxE6vGf4nPs5i2wYx8KrjTlQ8cH0pBv4Ny1UaJmRz3s=="
}

RSA Signature Verification

Every response from our API is cryptographically signed using RSA, a robust asymmetric encryption algorithm. This signature is used to verify the authenticity of the response and ensure that it hasn’t been tampered with. Here’s how it works:
  1. Our server signs the response data using a private key that only we possess
  2. Your plugin verifies the signature using our public key
  3. If the response data has been tampered with, the signature verification will fail.
If someone tries to:
  • Modify any field in the response
  • Forge a response with a different signature
  • Reuse an old signature with new data
The signature verification will fail and the license check will be rejected.

Nonce Validation

A nonce is a unique identifier that is generated for each request. It’s used to prevent replay attacks, where an attacker intercepts a valid response and sends it multiple times to bypass the license check. Here’s how it works:
  1. Your plugin generates a random UUID to use as the nonce and includes it in the validation request
  2. The MC License server receives the request with your nonce and includes the exact same nonce in its response
  3. The server signs the response data which includes the nonce
  4. Your plugin verifies that the response contains exactly the same nonce it sent
  5. If the nonces don’t match, the response is rejected.
Together with RSA signature verification, this ensures that responses are both authentic (from our server) and can only be used once (not replayed).

Status Codes

Every validation response includes a status field indicating the outcome of the license check.
StatusDescription
validLicense is valid and active
invalid_formatLicense key does not match the expected format (alphanumeric + hyphens, max 36 chars)
not_foundNo license exists for the provided key and plugin ID
expiredLicense has passed its expiration date
max_ipsLicense has exceeded the maximum number of allowed IP addresses
blacklistedLicense key has been blacklisted
disabledLicense has been manually disabled by the plugin owner
invalid_polymartLicense failed Voxel Shop (Polymart) ownership verification
server_errorAn internal server error occurred during validation