Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter erik2055

    (@erik2055)

    It seems to have to do with an ampersand (&) in the company name.
    That is not “allowed”.
    It is, in the communication, interpreted as an HTML query delimiter.
    License Manager should, however, allow it.
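    An added illustration of the ampersand problem described above (example code, not from the forum thread or the plugin): a request built by plain string concatenation lets a `&` inside the company name split the parameter, while a percent-encoded request round-trips intact. The parameter names and the sample values are constructed assumptions.

    ```python
    from urllib.parse import urlencode, parse_qs

    # Constructed sample fields for a hypothetical license-verification request.
    FIELDS = {
        "license_key": "ABC-123",
        "company": "Smith & Sons",   # the '&' that breaks the naive request
        "domain": "example.com",
    }


    def naive_query(fields: dict) -> str:
        """Concatenate key=value pairs without encoding.

        Any '&' or '=' inside a value is indistinguishable from a delimiter.
        """
        return "&".join(f"{k}={v}" for k, v in fields.items())


    def encoded_query(fields: dict) -> str:
        """Percent-encode keys and values ('&' -> %26, ' ' -> '+').

        The delimiters in the wire format are then only the ones we added.
        """
        return urlencode(fields)


    def server_parse(query: str) -> dict:
        """Decode a query string the way a server-side parser does.

        parse_qs splits on '&', then percent-decodes each name and value,
        which is the same model PHP applies when it populates $_GET.
        """
        parsed = parse_qs(query, keep_blank_values=True)
        return {k: v[0] for k, v in parsed.items()}


    def roundtrip(fields: dict, builder) -> dict:
        """Build a request with `builder` and return what the server would see."""
        return server_parse(builder(fields))


    if __name__ == "__main__":
        print("naive  :", roundtrip(FIELDS, naive_query))    # company truncated, stray ' Sons' key
        print("encoded:", roundtrip(FIELDS, encoded_query))  # identical to FIELDS
    ```

    With the encoded form the server receives the full company name, so the License Manager can accept the ampersand instead of rejecting or mangling it.
    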

    Thread Starter erik2055

    (@erik2055)

    Sorry, the line
    “the only thing you can make sure of is that the communication can be read by …”
    must be:
    “the only thing you can make sure of is that the communication can be read ONLY by …”

    Thread Starter erik2055

    (@erik2055)

    Yes, and I found another relevant posting too. Here they are:
    https://www.ads-software.com/support/topic/why-the-need-for-the-secret-key-for-license-verification-requests/
    and
    https://www.ads-software.com/support/topic/is-the-secret-key-public/

    Some more comments on the issue:
    The Verification key is NOT the only way the server can know that communication is coming from a legitimate source, because
    1: the key is sent “in the clear” and therefore it is not a secret anymore.
    2: you, the server plugin, rely on the client, who has the key, to keep it a secret. Can’t do that!

    I’ve been thinking and reading about the issue: the only thing you can make sure of is that the communication can be read by you (the server-side plugin), by encrypting the communication with the server’s public key client-side and decrypting it server-side with the private key (X509) at the earliest moment, right after receiving the request and before accessing the license database.
    You could also sign an un-encrypted request with X509.
    You cannot prevent the client from accessing your server, because free access is what the WWW and WordPress are all about.
    I’m not very experienced in PHP/WP-Plugins, but I think there is a library for this (Bouncy Castle?)

    Suggestions:
    1: Don’t send error text messages to the client. Just short error codes. The server doesn’t know the client, in principle. It may even be a Swahili-language program. Let the client generate the message from the error code. Quicker too.
    2: Send error codes with ALL server-to-client communications.
