License keys

It’s important that plugin developers can control who installs their plugins. The Platform provides a simple license key mechanism to control installation.

Installation secret

The plugin.json file contains an optional installSecret key. This should be generated from random data. The Plugin Tool will generate a random key for you when it creates the initial plugin files for you.

If you do not include this key, anyone can install the plugin if they know its name.

If you’re writing a set of related plugins, you might want to use the same installSecret for all of them. This will allow a single license key to be used to install every plugin.

License keys

When someone installs your plugin, they’ll be asked for a license key. You need to generate a key for their application. The plugin installation process will provide a numeric application ID, which you use to generate a license key.

    haplo-plugin -p test_plugin license-key 123456

In this example, the application ID is 123456. If you have multiple plugins in the working directory, you’ll need to specify the plugin with the -p option.

License key generation algorithm

It may be inconvenient to have to use the Plugin Tool to generate license keys, in which case you can easily write your own code.

The algorithm is simple:

  • Take the installSecret, encoded as UTF-8 with no terminator.
  • Generate the string "application:123456", where 123456 is the application ID. Encode that as UTF-8 with no terminator.
  • Use the standard HMAC-SHA1 algorithm to sign the generated string with the installSecret. The standard libraries for your language should provide an implementation of HMAC-SHA1.
  • The license key is the output of the HMAC-SHA1 algorithm, as a hex-encoded string with lower case letters.