Title: Using the API from frontend apps Last modified: May 16, 2020 --- # Using the API from frontend apps * Resolved [mrthunderfield](https://wordpress.org/support/users/mrthunderfield/) * (@mrthunderfield) * [6 years ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/) * Thanks for the plugin, it seems to do most of what we need! I have developed a frontend-only app for my client which should activate the generated license key through the API, but I notice that you require a secret to communicate with the API. I’m reluctant to include the secret in the frontend code, so it would be great to have a few routes that don’t require this level of security that frontend apps could use to activate or validate licenses. * Does the key/secret pair give any additional access to WordPress or Woocommerce, other than the functions of this plugin? If not, I can disable the routes I don’t need and just include the secret in the frontend code. * To be honest, this level of security seems a bit over the top and makes any other apps than server-side apps needlessly difficult to implement. I’d have to write a WordPress plugin that wraps the API and expose a custom API just to prevent the secret from leaking out, which seems counter-productive when I’m already using a plugin with an API. Even if I take the step of including the secret in the frontend code, I now need to maintain separate builds for local, dev and production sites since they each use a separate key/secret pair. * I fully understand the need to protect sensitive routes that can modify the data, but the routes that just activates or validates a key should be usable from frontend or otherwise unsecure apps. Viewing 7 replies - 1 through 7 (of 7 total) * [Christiaan van Luik](https://wordpress.org/support/users/cvl01/) * (@cvl01) * [6 years ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-12881129) * I second this. Think this will be a very useful feature to make this plugin interesting for much more software vendors. * For example, I’m a plugin developer. I sell the plugin as a woocommerce download product. After that they would need the license key to set up automatic updates. * Many alternatives, like EDD software licenses or WooCommerce Software License Manager have this kind of functionality. * If you would be able to add this functionality to the theme, I would be happy to create a plugin update checker for use with this plugin. * [dynamic22](https://wordpress.org/support/users/dynamic22/) * (@dynamic22) * [6 years ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-12883364) * +1 also wanted that its just need to check if it gives “”succes” true” or “false” when a license is valid or expired.. * now it always returns “Succes “true”” even if a key is expired, deactivated or any other state * my program now check on the status: 1,2,3 but that only change when i manualy change the status so it wont change automatic when the license expire after time.. * Ive btw insert the key and secret in my frontend and disabled all routines exept get licence.. * [Drazen Bebic](https://wordpress.org/support/users/drazenbebic/) * (@drazenbebic) * [5 years, 11 months ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-13057522) * Hello [@mrthunderfield](https://wordpress.org/support/users/mrthunderfield/), [@cvl01](https://wordpress.org/support/users/cvl01/), and [@dynamic22](https://wordpress.org/support/users/dynamic22/) * To sum everything up, you would like the following additions/changes: * 1. open routes for license activation, deactivation, validation (no API key, secret, whatsoever). 2. Error during license validation request if the license is not valid anymore. * Please let me know if I’m correct on these assumptions. * I’m thinking of making new v3 API routes which would implement this. For backwards compatibility I simply can’t change the existing v2 routes, but it’s been a while since I’ve added those and there have been some things I wanted to tweak and change, so a v3 API is very likely coming. * [dynamic22](https://wordpress.org/support/users/dynamic22/) * (@dynamic22) * [5 years, 11 months ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-13058914) * [@drazenbebic](https://wordpress.org/support/users/drazenbebic/) correct * Cos to validate/activate or deactivate u need to know the correct licence key noboddy else know that only the user that has it so if a url for example validate = website.com/validate/licencekey is better then website.com/validate/v2/licenekey- keyuser-keysecret-andrest 🙂 * And a change from status succes true to false would be nice so when my system checks up the code and its expired customers need to renew thier licence. * [Drazen Bebic](https://wordpress.org/support/users/drazenbebic/) * (@drazenbebic) * [5 years, 11 months ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-13093360) * [@dynamic22](https://wordpress.org/support/users/dynamic22/) * > Cos to validate/activate or deactivate u need to know the correct licence key > noboddy else know that only the user that has it so if a url for example validate > = website.com/validate/licencekey is better then website.com/validate/v2/licenekey- > keyuser-keysecret-andrest * Yes, but what’s stopping someone from writing a script which will hammer your WordPress REST API with requests? This only makes sense if I also implement rate- limiting into the REST API. For example, if you made 5 unsuccessful activation requests in the last 10 minutes, then you’re locked out. Of course the number of requests and the time would be configurable. * > And a change from status succes true to false would be nice so when my system > checks up the code and its expired customers need to renew thier licence. * Changing the “success: true” to “success: false” would also require to change the response status code. Currently it’s sending 200 OK, instead I would send a 4xx or 5xx status code to make it clear that the validation did not succeed. * Thread Starter [mrthunderfield](https://wordpress.org/support/users/mrthunderfield/) * (@mrthunderfield) * [5 years, 11 months ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-13093407) * [@drazenbebic](https://wordpress.org/support/users/drazenbebic/) * Yes, exactly! I basically need routes that can be called from frontend code which can’t include secrets. * I’ve been using the plugin now as it is, including the secret in the frontend code, and disabling routes that I don’t need. It’s been working great, but still feels wrong to include the secret in the frontend code. * [Drazen Bebic](https://wordpress.org/support/users/drazenbebic/) * (@drazenbebic) * [5 years, 11 months ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-13097396) * [@mrthunderfield](https://wordpress.org/support/users/mrthunderfield/) * Okay, it makes sense as long as there’s a rate limiting implemented. * But just so you know, this will be part of the v3 API. I’m still collecting ideas for it so it’s probably going to take a while until it’s here. Viewing 7 replies - 1 through 7 (of 7 total) The topic ‘Using the API from frontend apps’ is closed to new replies. * ![](https://ps.w.org/license-manager-for-woocommerce/assets/icon-256x256.gif? rev=2824216) * [License Manager for WooCommerce](https://wordpress.org/plugins/license-manager-for-woocommerce/) * [Frequently Asked Questions](https://wordpress.org/plugins/license-manager-for-woocommerce/#faq) * [Support Threads](https://wordpress.org/support/plugin/license-manager-for-woocommerce/) * [Active Topics](https://wordpress.org/support/plugin/license-manager-for-woocommerce/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/license-manager-for-woocommerce/unresolved/) * [Reviews](https://wordpress.org/support/plugin/license-manager-for-woocommerce/reviews/) ## Tags * [api](https://wordpress.org/support/topic-tag/api/) * [client](https://wordpress.org/support/topic-tag/client/) * [frontend](https://wordpress.org/support/topic-tag/frontend/) * 7 replies * 4 participants * Last reply from: [Drazen Bebic](https://wordpress.org/support/users/drazenbebic/) * Last activity: [5 years, 11 months ago](https://wordpress.org/support/topic/using-the-api-from-frontend-apps/#post-13097396) * Status: resolved