
Best practices and design patterns for app license checking

apps for Office and SharePoint

You are responsible for creating the app license checks and then enforcing license restrictions within your apps. Here are some general best practices worth following.

Last modified: July 01, 2013

Applies to: apps for Office | apps for SharePoint | Office 2013 | Office 365 | SharePoint Foundation 2013 | SharePoint Server 2013

For security reasons, we strongly recommend that you place the code that performs the app license check somewhere outside the reach of potential tampering. For example, you can limit your app’s security exposure by using server-side code to query the Office Store verification web service, instead of performing the license check client-side.

Information specific to apps for Office

For apps for Office, you are required to use server-side code to query the Office Store verification web service.

Information specific to apps for SharePoint

For apps for SharePoint, if you are hosting your app pages on SharePoint, you can use the SharePoint web proxy to make JavaScript calls to the Office Store verification service. However, for security reasons we strongly recommend that you only use server-side code to query the Office Store verification web service.

Add license checks only at those points in your app where you want to take some action based on whether the user has a valid license or on other license information. For example, check when the user launches the app, or when the user attempts to access certain app features that you want to control based on app license information.

Information specific to apps for SharePoint

For apps for SharePoint, do not perform app license checks on every page of your app. Constant querying of the SharePoint deployment for the app license token is rarely necessary, and can lead to your app’s performance being throttled.

For apps with a perpetual unlimited user license, cache until the license token expires. For apps with a multiuser license, either trial or perpetual, cache per session because user assignment can change.

Make sure the production version of your app does not accept test licenses.

When you finish testing your app and are ready to move it to production, make sure you add code to the license checks in your app so that the app no longer accepts test licenses. After you pass the app license token to the verification service’s VerifyEntitlementToken method, you can use the VerifyEntitlementTokenResponse object returned by that method to access the app license properties. For test app licenses, the IsTest property returns true and the IsValid property returns false.
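A sketch of that production gate, added here as an example and not taken from Microsoft's code. It assumes the server has already called VerifyEntitlementToken and holds the response as XML; the element layout, the sample responses, and the names `license_allows_access` and `production` are constructed for illustration, and only IsTest and IsValid come from the text above.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses. Only the IsTest and IsValid properties are
# taken from the page; the surrounding XML layout is an assumption.
TEST_LICENSE = ("<VerifyEntitlementTokenResponse><IsTest>true</IsTest>"
                "<IsValid>false</IsValid></VerifyEntitlementTokenResponse>")
PAID_LICENSE = ("<VerifyEntitlementTokenResponse><IsTest>false</IsTest>"
                "<IsValid>true</IsValid></VerifyEntitlementTokenResponse>")
BAD_LICENSE = ("<VerifyEntitlementTokenResponse><IsTest>false</IsTest>"
               "<IsValid>false</IsValid></VerifyEntitlementTokenResponse>")


def _flag(root, name):
    """Read a boolean element by local name, ignoring any XML namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip().lower() == "true"
    raise ValueError("missing " + name)  # treated as a failed check below


def license_allows_access(response_xml, production):
    """Server-side decision: True only if the license should unlock the app.

    Test licenses report IsTest=true and IsValid=false, so a development
    build has to accept them explicitly. That acceptance is tied to the
    hypothetical `production` flag so it cannot leak into a released build.
    """
    try:
        root = ET.fromstring(response_xml)
        is_valid = _flag(root, "IsValid")
        is_test = _flag(root, "IsTest")
    except (ET.ParseError, ValueError):
        return False  # fail closed on malformed or incomplete responses
    if is_test:
        # Checked before IsValid: a test license is never honored in
        # production, whatever its IsValid value says.
        return not production
    return is_valid
```

Set `production` from server-side deployment configuration, never from anything the client sends.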
