1. Home
  2. Docs
  3. WooCommerce License Keys
  4. Security
  5. Authorization: Access Token

Authorization: Access Token

This option is only available for WooCommerce License Keys (extended) premium plugin.

Enabling authorization through an access token adds a layer of security to the interaction with the API; allowing to restrict access to the Activation, Validation, and Deactivation endpoints only if a valid access token is provided.

Enabling token authorization

Check the “Enable authorization” security checkbox option, located at the License Key API settings.

This will add a new “Token” endpoint in the API, to be used to request an access token prior to beginning with any interaction with the other endpoints.

The option “Token expiration” allows setting the expiration (or lifespan) in seconds of the token.


The client (product) first needs to send a “Token request” to the License Keys API, then the API will validate it and respond back with an error or an access token.

The client will proceed to send an “Endpoint request” (endpoint meaning Activate, Validate or Deactivate) to the API, this request will have the authorization defined as part of its headers. The API will validate the access token and proceed to process the request.

Token endpoint / token request

Use HTTP GET method to make a request to the token endpoint.

API Handlers

Endpoint provided per API handler:

WP AjaxQuery string action license_key_token. For example:
WP Rest APIEndpoint /wp-json/woo-license-keys/v1/token.


The token endpoint requires the parameters grant_type and license_key to return an access token.

grant_typestringToken grant type, the value sent in the request should always be license_key.
license_keystringThe customer’s license key.


The JSON response will either be an error (see API errors documentation) or an access token, for example:

    "access_token": "3Xm1rBIlGsL2ff4kNyJXJAvX4erU8fdxUcU74dQ...",
    "token_type": "Bearer",
    "expires": 600

The access token to be used for authorization.

The access token type (see OAuth authentication protocol).

The expiration (lifespan) in seconds.

Endpoint authorization

The token needs to be sent as an authorization header on every request made to Activate, Validate, and Deactivate endpoints.

The standard format is:

Authorization: {token_type} {access_token}

{token_type} and {access_token} need to be replaced wit the actual values, for example:

Authorization: Bearer 3Xm1rBIlGsL2ff4kNyJXJAvX4erU8fdxUcU74dQ...

The endpoint will respond with an error if no token or an invalid token is provided.

Was this article helpful to you? Yes No