We are publishing a package that (among other things) gives access to our external webapplication through a custom web tab. The license of this package is handled by LMA.

As it's easy to duplicate the custom web tab included in our package, our external webapp must check if the user has a licence for our package.

It's easy to check if user's organization has a valid license because this information is available in our own Salesforce account: We use the API to dynamically query our Salesforce Organisation and check if user's organization has a valid license.

It seems not so easy to check if the given user is a licensed user, as this information is not in our Salesforce account. This information is available in the user's organization but we don't know how to directly retrieve this information from the outside (through the API).

For now, we included a Custom Field in the package and our external webapp checks if the user has access to this Custom Field (LMA prevents users who are not licensed from having access to this field). This technique needs the Field Level Security (FLS) for this custom field to be set to visible for all profiles (otherwise we can not say if a user does not  have access to this field because of LMA or because of FLS), which causes some problems, as I've explained in this thread.

We are looking for alternate ways.

We've found one possible way, as APEX ignores FLS (according to this thread), we could check the accessibility of this field with APEX (hoping that LMA will prevent APEX access for non licensed users) and exposing a webservice that will give this information to our external webserver. However this can work only with Entreprise Edition or more, as Profesional Edition or less can not expose webservices, even if you are an aloha app.

Is anyone seeing another way to check if a given user is licensed?