Hello,
Thanks for your work. I wanted to raise a specific security concern regarding the License Verification API.
Currently, the validation endpoint returns a standard JSON response. The problem is that it’s trivial for a bad actor to redirect traffic destined for api.lemonsqueezy.com (via a local hosts file or DNS spoofing) to a local server. This fake server can simply return a mocked “valid” response, and the client application has no way of distinguishing it from a legitimate response from your servers.
The Request:
We need a key-pair / digital signature system for the API.
Ideally, Lemon Squeezy would sign the verification response using a private key, and we (the developers) would verify that signature using a public key embedded in our software.
Of course, it would be an on/off toggle to enable this functionality in order to maintain backward compatibility.
Why this matters:
I know this is not a small ask. Implementing response signing is complex and adds friction to the implementation side.
However, I believe this is absolutely critical for Lemon Squeezy’s development as a serious licensing platform. Without cryptographic verification, any desktop software using your licensing system is vulnerable to a 2-minute bypass. Adding this would make the platform significantly more robust for license vendors.
Thanks for considering this.
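The scheme the post asks for, written out as an added example (this is not Lemon Squeezy code, and the response fields, the detached signature header, and the client-supplied nonce are all assumptions made for illustration): the server signs the exact bytes of the JSON body with an Ed25519 private key, the shipped client verifies the raw body against its embedded public key before parsing it, and then checks that the signed response echoes the license key and a per-request nonce. The nonce check is the caveat a practitioner would add to the request: signing alone proves the bytes came from the vendor, but without binding the response to the request a captured "valid" reply could be replayed forever. The three scenarios played out below are the genuine server, the hosts-file-redirected fake server from the post, and a replayed genuine reply.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ValidationResponse is a hypothetical body for the validation endpoint; the
// field names are assumed for this example, not Lemon Squeezy's real schema.
// license_key and nonce are echoed back so the signature is bound to the
// request that was actually made, which is what stops replay of an old
// "valid" answer.
type ValidationResponse struct {
	Valid      bool   `json:"valid"`
	LicenseKey string `json:"license_key"`
	Nonce      string `json:"nonce"`
}

// SignBody runs on the vendor's server: sign the exact bytes of the JSON body
// and return the signature for a detached header (hypothetically X-Signature).
func SignBody(priv ed25519.PrivateKey, body []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
}

// VerifyResponse runs in the shipped client with the embedded public key.
// It checks the signature over the raw body before parsing anything, then
// checks that the signed response answers this request (key and nonce).
func VerifyResponse(pub ed25519.PublicKey, body []byte, sigB64, wantKey, wantNonce string) (bool, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(pub, body, sig) {
		return false, errors.New("signature does not verify against embedded public key")
	}
	var r ValidationResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return false, err
	}
	if r.LicenseKey != wantKey || r.Nonce != wantNonce {
		return false, errors.New("signed response belongs to a different request (replay)")
	}
	return r.Valid, nil
}

// newNonce is the client-side per-request random value (constructed here; a
// real client would send it as a request parameter).
func newNonce() string {
	b := make([]byte, 16)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// RunScenarios plays out the three cases with a freshly generated key pair:
// a genuine signed reply, a spoofed api.lemonsqueezy.com that returns a
// mocked "valid" signed with the attacker's own key, and a genuine reply
// replayed against a different request. Returns whether each was accepted.
func RunScenarios() (genuine, spoofed, replayed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const key = "LICENSE-KEY-EXAMPLE" // constructed sample license key

	// 1. Genuine server: body signed with the vendor's private key.
	n1 := newNonce()
	body, _ := json.Marshal(ValidationResponse{Valid: true, LicenseKey: key, Nonce: n1})
	genuine, _ = VerifyResponse(pub, body, SignBody(priv, body), key, n1)

	// 2. Spoofed server (hosts-file redirect): mocked body, forged signature
	// made with the attacker's own key. The embedded public key rejects it.
	n2 := newNonce()
	fake, _ := json.Marshal(ValidationResponse{Valid: true, LicenseKey: key, Nonce: n2})
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	spoofed, _ = VerifyResponse(pub, fake, SignBody(attackerPriv, fake), key, n2)

	// 3. Replay: the genuine body and signature from step 1 captured and
	// re-served for a new request that used nonce n3.
	n3 := newNonce()
	replayed, _ = VerifyResponse(pub, body, SignBody(priv, body), key, n3)
	return
}

func main() {
	g, s, r := RunScenarios()
	fmt.Printf("genuine accepted=%v spoofed accepted=%v replayed accepted=%v\n", g, s, r)
}
```

Signing the raw body and carrying the signature separately avoids having to agree on a canonical JSON serialization between server and client; the client verifies first and only then parses. The on/off toggle the post mentions would live on the client side as "refuse any response that lacks a verifiable signature" once the vendor opts in.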