From 304eb16e2e9b2009c2e21ef9e4468e098e428807 Mon Sep 17 00:00:00 2001 From: magdev Date: Thu, 22 Jan 2026 19:12:58 +0100 Subject: [PATCH] Update README with response signing documentation - Added Response Signing section explaining X-License-Signature and X-License-Timestamp headers - Added wp-config.php configuration example for WC_LICENSE_SERVER_SECRET - Updated client section to recommend official magdev/wc-licensed-product-client Composer package - Documented LicenseClient and SecureLicenseClient classes Co-Authored-By: Claude Opus 4.5 --- README.md | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index abef446..0fe264e 100644 --- a/README.md +++ b/README.md 
@@ -107,12 +107,42 @@ When a customer purchases a licensed product, they must enter the domain where t Full API documentation available in `openapi.json` (OpenAPI 3.1 specification). -### Client Examples +### Response Signing (Optional) -Ready-to-use API client examples are available in `docs/client-examples/`: +When the server is configured with a shared secret, all API responses include cryptographic signatures for tamper protection: + +**Configuration (wp-config.php):** + +```php +define('WC_LICENSE_SERVER_SECRET', 'your-secure-random-string-min-32-chars'); +``` + +**Response Headers:** + +| Header | Description | +| ------ | ----------- | +| `X-License-Signature` | HMAC-SHA256 signature of the response body | +| `X-License-Timestamp` | Unix timestamp when the response was generated | + +The signature prevents man-in-the-middle attacks and ensures response integrity. Use the `magdev/wc-licensed-product-client` Composer package with the `SecureLicenseClient` class to automatically verify signatures. 
+ +### Client Libraries & Examples + +**PHP (Recommended):** Install the official client library via Composer: + +```bash +composer require magdev/wc-licensed-product-client +``` + +The library provides: + +- `LicenseClient` - Standard client for API calls +- `SecureLicenseClient` - Client with automatic response signature verification + +**Example clients** for other languages are available in `docs/client-examples/`: - **cURL** - Shell script examples ([curl.sh](docs/client-examples/curl.sh)) -- **PHP** - Client class with examples ([php-client.php](docs/client-examples/php-client.php)) +- **PHP** - Standalone client example ([php-client.php](docs/client-examples/php-client.php)) - **Python** - Client class with dataclasses ([python-client.py](docs/client-examples/python-client.py)) - **JavaScript** - Browser and Node.js client ([javascript-client.js](docs/client-examples/javascript-client.js)) - **C#** - Async client with System.Text.Json ([csharp-client.cs](docs/client-examples/csharp-client.cs))
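Review bot: In the new "Response Headers" table, `X-License-Signature` is documented as an HMAC-SHA256 "of the response body" only, and nothing says whether `X-License-Timestamp` is part of the signed input. If the timestamp is not covered by the MAC, a captured response can be replayed with a fresh timestamp, so the README should spell out the exact signed input, the encoding of the signature value (hex or base64), and the maximum timestamp age a client should accept. The sentence "The signature prevents man-in-the-middle attacks" also claims more than an HMAC over the body gives: it lets a client that holds the secret detect a modified response, and it does not hide the content, so wording like "lets the client detect tampered responses" would be more accurate. The section only shows the server-side `define('WC_LICENSE_SERVER_SECRET', ...)`; please add how `SecureLicenseClient` is given the same secret, and replace the bare placeholder `'your-secure-random-string-min-32-chars'` with a note on generating the value from a cryptographic random source. Finally, the list under `docs/client-examples/` does not say whether the non-PHP example clients verify the signature, which is worth stating next to the "Recommended" label so readers know which clients check it.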