RSA Signature Verification
Every response from our API is cryptographically signed using RSA, a widely used asymmetric algorithm. The signature lets your plugin verify that the response really came from us and that it has not been tampered with in transit. Here's how it works:
- Our server signs the response data using a private key that only we possess
- Your plugin verifies the signature using our public key
- If the response data has been tampered with, the signature verification fails.
This means an attacker cannot:
- Modify any field in the response
- Forge a response with a different signature
- Reuse an old signature with new data
Nonce Validation
A nonce is a unique identifier that is generated for each request. It's used to prevent replay attacks, where an attacker intercepts a valid response and sends it multiple times to bypass the license check. Here's how it works:
- Your plugin generates a random UUID to use as the nonce and includes it in the validation request
- The MC License server receives the request with your nonce and includes the exact same nonce in its response
- The server signs the response data which includes the nonce
- Your plugin verifies that the response contains exactly the same nonce it sent
- If the nonces don’t match, the response is rejected.
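The two checks above, signature verification followed by the nonce comparison, as an added stand-alone example in plain Java (not the MC License client code). It simulates the server with a freshly generated key pair so it runs offline; a real plugin would pin the MC License public key instead, and would parse the JSON with its own library rather than the naive string match used here.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.UUID;

public class LicenseResponseCheck {
    // Constructed key pair for this demo only; the plugin ships with the server's public key.
    static final KeyPair SERVER_KEYS = newKeyPair();

    static KeyPair newKeyPair() {
        try {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            return gen.generateKeyPair();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Simulated server: echo the client's nonce into the payload, then sign the whole payload.
    static String[] serverRespond(String nonce, String status) throws GeneralSecurityException {
        String payload = "{\"status\":\"" + status + "\",\"nonce\":\"" + nonce + "\"}";
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(SERVER_KEYS.getPrivate());
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        return new String[] { payload, Base64.getEncoder().encodeToString(signer.sign()) };
    }

    // Plugin side: verify the signature over the exact bytes received, then require the nonce echo.
    static boolean accept(String payload, String sigB64, String expectedNonce, PublicKey serverKey) {
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(serverKey);
            verifier.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(Base64.getDecoder().decode(sigB64))) return false;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed, forged, or wrong-length signature
        }
        // Naive field check for the demo; a real plugin reads the "nonce" field from parsed JSON.
        return payload.contains("\"nonce\":\"" + expectedNonce + "\"");
    }

    public static void main(String[] args) throws Exception {
        String nonce = UUID.randomUUID().toString();
        String[] resp = serverRespond(nonce, "valid");
        PublicKey pub = SERVER_KEYS.getPublic();
        System.out.println("genuine:  " + accept(resp[0], resp[1], nonce, pub));
        String tampered = resp[0].replace("\"valid\"", "\"expired\"");   // edited field, old signature
        System.out.println("tampered: " + accept(tampered, resp[1], nonce, pub));
        String freshNonce = UUID.randomUUID().toString();                 // captured response replayed
        System.out.println("replayed: " + accept(resp[0], resp[1], freshNonce, pub));
    }
}
```

Only the first case is accepted: the tampered payload fails signature verification, and the replayed response carries a signature that still verifies but a nonce that no longer matches the current request.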