Validating the license status (preferably in the browser)

I’d like to validate the license status of my tenants. Confluence and jira send the license information with every request in the lic parameter.

Is it enough to simply check that parameter for license information? Can that information be trusted?
By using the jwt authentication I could ensure, that the information was not changed, but in this case I’d need to store the shared secret and read it for every single request, which seems like a huge overhead to me just to validate a license.

Since I’m mainly focused on developing macros, I’d like to know if I can securely get that license information just in the browser, without the need of server validation, so that my app does not need any server logic but contains only of static assets.

Yes. The lic param is valid and can be used for the purpose you describe. If you want to be really safe, you can use the AP.request command to get the license status of your app as well in a way that can’t be faked.