
WeChat Mini Program API access guidelines


May 19, 2021 WeChat Mini Program Development Document




An overview of access


To access the WeChat Mini Program messaging service, developers need to follow these steps:

1. Fill in the server configuration

2. Verify the validity of the server address

3. Implement the business logic according to the interface documentation

These three steps are detailed below.

Step 1: Fill in the server configuration

After logging in to the WeChat Mini Program website, the administrator scans the code on the "Settings - Message Server" page to enable the messaging service and fills in the server address (URL), Token, and EncodingAESKey.

The URL is the interface URL at which the developer receives WeChat messages and events. The Token can be any value the developer chooses and is used to generate the signature (the Token is compared to the Token contained in the interface URL to verify security). EncodingAESKey is filled in manually or randomly generated by the developer and is used as the key for encrypting and decrypting the message body.

At the same time, developers can choose the message encryption mode: plaintext mode, compatibility mode, or security mode. They can also choose the message data format: XML or JSON. The default encryption mode is plaintext, and the default data format is XML.

The chosen mode and the server configuration take effect immediately after submission, so fill them in and select carefully. Switching the encryption mode or data format requires the relevant code to be in place beforehand; see the message encryption and decryption instructions for details.



Step 2: Verify that the message does come from a WeChat server

After the developer submits the information, the WeChat server sends a GET request to the server address URL. The GET request carries the parameters shown in the following table:

Parameter   Description
signature   WeChat encryption signature. The signature combines the token parameter with the timestamp and nonce parameters in the request.
timestamp   Timestamp
nonce       Random number
echostr     Random string

Developers check the request by verifying the signature (a check method is given below). If you confirm that the GET request comes from the WeChat server, return the content of the echostr parameter unchanged; the access then takes effect and you become a developer. Otherwise, the access fails.

The signature check works as follows:

1. Sort the three parameters token, timestamp and nonce in lexicographic order;
2. Concatenate the three parameters into one string and compute its SHA-1 hash;
3. Compare the resulting string with signature to confirm that the request comes from WeChat.

Check Signature PHP sample code:

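private function checkSignature()
{
    // Method of the class that handles the callback URL. TOKEN is a constant
    // holding the Token entered in the server configuration.
    $signature = $_GET["signature"] ?? "";
    $timestamp = $_GET["timestamp"] ?? "";
    $nonce = $_GET["nonce"] ?? "";

    // Reject non-string parameters (for example signature[]=x).
    if (!is_string($signature) || !is_string($timestamp) || !is_string($nonce)) {
        return false;
    }

    $token = TOKEN;
    $tmpArr = array($token, $timestamp, $nonce);
    sort($tmpArr, SORT_STRING);   // lexicographic sort
    $tmpStr = implode($tmpArr);   // concatenate the sorted values
    $tmpStr = sha1($tmpStr);      // lowercase hex SHA-1 digest

    // Constant-time comparison. A loose == would also treat two
    // "0e..." all-digit hex digests as equal numbers.
    return hash_equals($tmpStr, $signature);
}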

PHP sample code download: Download
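
The exchange in Step 2 seen from both sides, as an added example that is not part of the original document or of WeChat's sample code: sign() is what the description above says the WeChat server computes, and handle_verification() is the developer's endpoint. The function names, the sample values and the 400/403 status codes for rejected requests are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs


def sign(token: str, timestamp: str, nonce: str) -> str:
    """Signature as described above: sort the three strings, join, SHA-1."""
    joined = "".join(sorted([token, timestamp, nonce]))
    return hashlib.sha1(joined.encode()).hexdigest()


def handle_verification(query_string: str, token: str) -> tuple:
    """Handle the verification GET and return (HTTP status, response body)."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = {}
    for name in ("signature", "timestamp", "nonce", "echostr"):
        got = params.get(name, [])
        # Require exactly one non-empty value; a repeated parameter is ambiguous.
        if len(got) != 1 or not got[0]:
            return 400, ""  # status code is an assumption, not from the page
        values[name] = got[0]
    expected = sign(token, values["timestamp"], values["nonce"])
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(expected.encode(), values["signature"].encode()):
        return 403, ""  # status code is an assumption, not from the page
    # Return echostr unchanged so that the access takes effect.
    return 200, values["echostr"]


def build_query(signature: str, timestamp: str, nonce: str, echostr: str) -> str:
    """Build the query string of the verification GET (helper for the demo)."""
    return (f"signature={signature}&timestamp={timestamp}"
            f"&nonce={nonce}&echostr={echostr}")


# Constructed sample values (not real credentials or a captured WeChat request).
TOKEN = "example-token"
TS, NONCE, ECHO = "1621400000", "483920175", "5837403382917"
GOOD_QUERY = build_query(sign(TOKEN, TS, NONCE), TS, NONCE, ECHO)

if __name__ == "__main__":
    tampered = build_query(sign(TOKEN, TS, NONCE), TS, "1", ECHO)
    print(handle_verification(GOOD_QUERY, TOKEN))          # genuine request
    print(handle_verification(tampered, TOKEN))            # nonce changed in transit
    print(handle_verification(GOOD_QUERY, "other-token"))  # endpoint has wrong Token
```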


Step 3: Implement business logic based on interface documentation

After the URL has been verified, the access takes effect and you become a developer. From then on, when a user sends a message to the Mini Program's customer service, enters a session, and so on, the server URL configured by the developer receives the messages and events pushed by the WeChat server, and the developer can respond according to their own business logic.

Also note that the URL filled in by the developer must start with http:// or https://, which support port 80 and port 443 respectively.