Purpose
MHM Rentiva handles license validation and activation processes with the external license server (https://api.maxhandmade.com/v1) via an asynchronous, high-security protocol.
License Server and Security Protocols
The system mandates HMAC-SHA256 signing and data encryption to prevent license key manipulation and Man-in-the-Middle attacks.
1. Communication Architecture
The plugin manages all license operations through the LicenseManager service.
| Criterion | Technical Detail |
|---|---|
| Signing Method | HMAC-SHA256 (Hash-based Message Authentication Code) |
| Encryption | Data stream is encrypted over TLS 1.2/1.3 (HTTPS). |
| Verification | Two-way signature check using a Shared HMAC Secret. |
| API Key | MHM_RENTIVA_LICENSE_API_KEY is used for server identification. |
2. Signature Generation
A signature is generated dynamically for each request and sent via the X-MHM-SIGNATURE header.
A. Canonical Message Structure
Before signing, the following data is concatenated to form the raw message:
- HTTP Method: (e.g., POST)
- Canonical Path: (e.g., /v1/licenses/validate)
- Timestamp: (e.g., 1709825400)
- Raw Body: The dataset sent in JSON format.
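B. PHP Signature Code Example
```php
// Canonical message: method, path, timestamp and raw JSON body, concatenated with no separator.
$message = "POST" . "/v1/licenses/validate" . "1709825400" . $raw_body;
// Hex-encoded HMAC-SHA256 of the message; this value is sent in the X-MHM-SIGNATURE header.
$signature = hash_hmac('sha256', $message, $hmac_secret);
```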
3. HTTP Security Headers
Custom headers used to ensure request security:
- X-MHM-API-KEY: Identifying License API Key.
- X-MHM-TIMESTAMP: Request timestamp (+/- 300 second tolerance).
- X-MHM-SIGNATURE: Digital signature generated with HMAC-SHA256.
- X-MHM-SITE-HASH: The site's unique, one-way encrypted identity.
- X-Environment: Mode (production, staging, development).
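One way the receiving side could check X-MHM-TIMESTAMP and X-MHM-SIGNATURE together is sketched below. This is an added example, not MHM Rentiva's own code: the function names, the header array layout, and the sample secret and body are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

const MHM_TIMESTAMP_TOLERANCE = 300; // seconds, the +/- tolerance stated for X-MHM-TIMESTAMP

/** Build the canonical message as in section 2: plain concatenation (hypothetical helper). */
function mhm_canonical_message(string $method, string $path, string $timestamp, string $raw_body): string
{
    return strtoupper($method) . $path . $timestamp . $raw_body;
}

/** Return true only if the timestamp is inside the window and the signature matches (hypothetical helper). */
function mhm_verify_request(array $headers, string $method, string $path, string $raw_body, string $hmac_secret, ?int $now = null): bool
{
    $now       = $now ?? time();
    $timestamp = $headers['X-MHM-TIMESTAMP'] ?? '';
    $signature = $headers['X-MHM-SIGNATURE'] ?? '';
    if (!is_string($timestamp) || !is_string($signature)) {
        return false;
    }
    // Reject non-numeric or out-of-window timestamps first: this bounds replay of a captured request.
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > MHM_TIMESTAMP_TOLERANCE) {
        return false;
    }
    // hash_hmac('sha256', ...) returns 64 hex characters; anything else cannot be valid.
    if (strlen($signature) !== 64) {
        return false;
    }
    // The timestamp that was range-checked is the same one that goes into the signed message.
    $expected = hash_hmac('sha256', mhm_canonical_message($method, $path, $timestamp, $raw_body), $hmac_secret);
    // hash_equals() compares in constant time; == and === are not constant-time.
    return hash_equals($expected, strtolower($signature));
}

// Constructed sample request: secret, license key and body are made up for this example.
$secret  = 'constructed-demo-secret';
$body    = '{"license_key":"DEMO-0000-0000","site_hash":"demo"}';
$ts      = '1709825400';
$headers = [
    'X-MHM-TIMESTAMP' => $ts,
    'X-MHM-SIGNATURE' => hash_hmac('sha256', 'POST' . '/v1/licenses/validate' . $ts . $body, $secret),
];

var_dump(mhm_verify_request($headers, 'POST', '/v1/licenses/validate', $body, $secret, 1709825500));       // 100 s old, untouched
var_dump(mhm_verify_request($headers, 'POST', '/v1/licenses/validate', $body . ' ', $secret, 1709825500)); // body altered in transit
var_dump(mhm_verify_request($headers, 'POST', '/v1/licenses/validate', $body, $secret, 1709826000));       // replayed 600 s later
```

The signature must be computed over the raw body bytes exactly as received; decoding and re-encoding the JSON before verification can change whitespace or key order and make a legitimate request fail.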
4. Error Handling and Grace Period
When the connection to the server is lost, the plugin does not deactivate immediately:
- 7-Day Grace Period: If the site was previously active and fewer than 7 days have passed since the last successful check, the plugin maintains "Active" status even if a connection error occurs.
- Offline Mode Audit: Critical functions (e.g., accepting payments) are not restricted during this period, but if a valid verification cannot be performed by the end of day 7, Pro features are deactivated.
- SSL Verification: SSL certificate verification is mandatory in production environments.
Section Summary
- The license protocol protects the plugin's intellectual property and user data integrity.
- HMAC-SHA256 guarantees that requests have not been tampered with (integrity).
- The Grace Period mechanism ensures server outages do not affect the user experience.
Changelog
| Date | Version | Note |
|---|---|---|
| 23.04.2026 | 4.27.2 | English translation added. |
| 19.03.2026 | 4.21.2 | HMAC signature architecture, Grace Period, and Offline Mode rules detailed. |