# Access Overview

Developers need to perform the following steps to access the Weixin Official Accounts Platform:

  1. Enter server configurations

  2. Verify that the server address is valid

  3. Implement the business logic as per the API documentation

The three steps are described in detail below.

# Step 1: Enter Server Configurations

Log in to the official website of the Weixin Official Accounts Platform, go to Development > Basic Settings and check the agreement to become a developer, and click the Modify Configuration button to enter the server address (URL), Token, and EncodingAESKey. The URL is the URL of an API used by the developer to receive Weixin messages and events. The Token can be randomly entered by the developer to generate a signature (this token is compared with the token contained in the API URL to verify security). The EncodingAESKey is manually entered by the developer or randomly generated and used as the encryption/decryption key for the message body.

The developer can also select a message encryption/decryption mode from the plaintext mode, compatibility mode, and security mode. The selected mode and the server configurations take effect immediately after submission, so please proceed with caution. The plaintext mode is used by default, and you need to configure relevant encryption/decryption code in advance if selecting either of the other two modes. For details, see the documentation related to message body signature and encryption/decryption.

# Step 2: Verify That the Message Comes from the Weixin Server

After the developer submits the information, the Weixin server sends a GET request to the entered server URL. The parameters carried by the GET request are as follows:

Parameter Description
signature Weixin encrypted signature. The signature combines the token parameter entered by the developer and the timestamp and nonce parameters in the request.
timestamp Timestamp
nonce Random number
echostr Random string

Developers verify the request by verifying the signature (see the verification method below). If you confirm that the GET request comes from the Weixin server, return the echostr parameter as is, so that the access takes effect and you enter the developer mode; otherwise, the access failed. The encryption/verification procedure is as follows:

(1) Sort the token, timestamp, and nonce parameters in lexicographic order. (2) Join the strings of the three parameters into one string and encrypt it via SHA1. (3) Compare the encrypted string with the signature. If they match, the request comes from Weixin.

PHP code sample for verifying the signature:

private function checkSignature()
	$signature = $_GET["signature"];
	$timestamp = $_GET["timestamp"];
	$nonce = $_GET["nonce"];
$token = TOKEN;
$tmpArr = array($token, $timestamp, $nonce);
sort($tmpArr, SORT_STRING);
$tmpStr = implode( $tmpArr );
$tmpStr = sha1( $tmpStr );

if( $tmpStr == $signature ){
return true;
return false;

Download the PHP code sample

# Step 3: Implement the Business Logic as per the API Documentation

If the URL is validated, the access takes effect and you enter the developer mode. You can apply for Weixin Verification on the Official Accounts Platform to obtain more API permissions and thus meet more business needs.

In the developer mode, every time a user sends a message to the Official Account, or a custom menu is generated, or a WeChat Pay order is generated, the message or event is pushed from the Weixin server to the URL the developer entered in the server configurations, and the developer can respond according to the business logic, such as replying to the message.

Generally when the Official Account calls an API, the result for a successful request is returned. For the specific result, see the description of relevant API. When an error is returned, the error cause can be queried based on the error code. See Common Error Codes.

When a user sends a message to the Official Account, the OpenID of the message sender (the user) is obtained by the Official Account side. The OpenID is the user's Weixin ID after encryption. Each user has a unique OpenID for each Official Account.

In addition, the Weixin Open Platform (open.weixin.qq.com) provides a UnionID mechanism to meet developers' need of using a unified user account across multiple platforms (mobile apps, websites, and Official Accounts). A developer can obtain users' basic information through OpenIDs, and can use UnionIDs in users' basic information to distinguish and identify users if the developer owns multiple apps (including mobile apps, website apps, and Official Accounts. For Official Accounts, UnionIDs can be obtained only after the Official Account is linked to the Weixin Open Platform account). The UnionID of a user is unique if the mobile apps, website apps, and Official Accounts belong to the same Weixin Open Platform account. In other words, the UnionID is the same for different apps owned by the same Weixin Open Platform account. For details, go to Weixin Open Platform > Resource Center > Mobile App Development > Weixin Login > Authorization Relationship API Call Guide > Obtain User Information (UnionID Mechanism).

Note that the Weixin Official Account APIs must begin with http:// or https:// and support ports 80 and 443 respectively.