Official Accounts message encryption/decryption is a new mechanism provided by the Official Accounts Platform to further strengthen the security of Official Accounts. Note that message encryption/decryption applies only to Official Accounts receiving and replying to users' messages; it is not required when an Official Account calls APIs. Specifically, the feature consists of the following changes:

1. A message body signature is added so that the Official Accounts Platform and Official Accounts can each verify the integrity of the message bodies they receive.
2. Common messages and event messages pushed to Weixin Official Accounts, and device messages pushed to the Official Accounts of devices, are encrypted.
3. The replies of Official Accounts to ciphertext messages are encrypted as well.

Developers can refer to the Access Guide and the Developer FAQ to integrate the message body signature and encryption/decryption feature; for the technical implementation, see the Technical Solution.

After the encryption/decryption feature is enabled (that is, compatibility mode or security mode is selected), whenever the Official Accounts Platform server pushes a message to the URL configured for the Official Accounts server (which can be modified in the "Developer Center"), two additional parameters, the encryption type and the message body signature, are appended to the URL to indicate the new feature. The encryption algorithm is AES. For the encryption/decryption process and the solution, refer to the Access Guide, the Technical Solution, and the sample code.

To facilitate developers' use of the new message encryption feature, the Official Accounts Platform provides three encryption/decryption modes: plaintext mode, compatibility mode, and security mode (selectable in the "Developer Center"). Note that the message encryption/decryption key "EncodingAESKey" must be entered in the Developer Center before compatibility mode or security mode can be selected.

Plaintext mode (default): The current behaviour is unchanged and the new feature is not used. Message bodies are sent and received in plaintext.
Compatibility mode: The content of messages sent by the Official Accounts Platform contains both plaintext and ciphertext, which increases the message packet length by 3 times. Official Accounts can reply in either plaintext or ciphertext without affecting existing messaging. Developers can debug in this mode.
Security mode (recommended): Message bodies sent by the Official Accounts Platform and replies from Official Accounts contain only ciphertext. Developers are recommended to switch to this mode for sending and receiving messages once debugging succeeds.

What is EncodingAESKey?

The Weixin Official Accounts Platform uses the AES symmetric encryption algorithm to encrypt the message bodies pushed to Official Accounts, and EncodingAESKey is the encryption key. An Official Account uses this key to decrypt the ciphertext message bodies it receives and to encrypt the message bodies it replies with.
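This page describes the scheme only at the level of "AES" and "message body signature". The Go program below is an added example, not the platform's sample code and not part of this page, showing what an Official Account server does on receipt: verify the message body signature, derive the AES key from EncodingAESKey, decrypt, and check the trailing AppID. Go is used because AES-CBC and SHA-1 are in its standard library. The body layout (16 random bytes, a 4-byte big-endian message length, the message, the AppID, PKCS#7 padding to 32-byte blocks, IV = first 16 bytes of the key) and the signature rule (SHA-1 over the lexicographically sorted token, timestamp, nonce and base64 ciphertext) follow my understanding of the platform's published sample code and are assumptions to check against the Technical Solution; the token, AppID, EncodingAESKey, random prefix and messages are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Constructed sample values for this example; not real credentials.
const sampleToken, sampleAppID = "sample_token", "wx_sample_appid"
const sampleEncodingAESKey = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" // 43 chars
const blockSize = 32 // PKCS#7 block size used by the scheme (assumed)

// aesKeyFromEncodingKey: append "=" to the 43-char EncodingAESKey and base64-decode it to the 32-byte AES-256 key (assumed).
func aesKeyFromEncodingKey(encodingAESKey string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(encodingAESKey + "=")
	if len(encodingAESKey) != 43 || err != nil || len(key) != 32 {
		return nil, errors.New("EncodingAESKey must be 43 characters that decode to 32 bytes")
	}
	return key, nil
}

// msgSignature: hex SHA-1 of the lexicographically sorted concatenation of token, timestamp, nonce and ciphertext (assumed).
func msgSignature(token, timestamp, nonce, encrypt string) string {
	parts := []string{token, timestamp, nonce, encrypt}
	sort.Strings(parts)
	return fmt.Sprintf("%x", sha1.Sum([]byte(parts[0]+parts[1]+parts[2]+parts[3])))
}

// pkcs7Unpad strips and validates the padding; any malformed tail is rejected.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n < 1 || n > blockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// encryptMsg forms random(16) | big-endian uint32 len(msg) | msg | appid, pads it and
// AES-256-CBC encrypts it with the first 16 key bytes as IV (assumed body layout).
func encryptMsg(key, random16 []byte, msg, appID string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(random16) != 16 {
		return "", errors.New("bad key or random prefix")
	}
	plain := make([]byte, 20, 20+len(msg)+len(appID)+blockSize)
	copy(plain, random16)
	binary.BigEndian.PutUint32(plain[16:], uint32(len(msg)))
	plain = append(append(plain, msg...), appID...)
	pad := blockSize - len(plain)%blockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, key[:16]).CryptBlocks(plain, plain) // in place
	return base64.StdEncoding.EncodeToString(plain), nil
}

// decryptMsg reverses encryptMsg and rejects a body whose trailing AppID is not this account's.
func decryptMsg(key []byte, encrypt, expectedAppID string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypt)
	block, err2 := aes.NewCipher(key)
	if err != nil || err2 != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("bad base64, key or ciphertext length")
	}
	cipher.NewCBCDecrypter(block, key[:16]).CryptBlocks(ct, ct) // in place
	plain, err := pkcs7Unpad(ct)
	if err != nil || len(plain) < 20 {
		return "", errors.New("bad padding or body too short")
	}
	n := binary.BigEndian.Uint32(plain[16:20])
	if uint64(n) > uint64(len(plain)-20) || string(plain[20+n:]) != expectedAppID {
		return "", errors.New("bad length field or AppID mismatch")
	}
	return string(plain[20 : 20+n]), nil
}

// verifyAndDecrypt is the receive path: constant-time msg_signature check, then decrypt.
func verifyAndDecrypt(token, timestamp, nonce, msgSig, encrypt string, key []byte, appID string) (string, error) {
	want := msgSignature(token, timestamp, nonce, encrypt)
	if subtle.ConstantTimeCompare([]byte(want), []byte(msgSig)) != 1 {
		return "", errors.New("msg_signature mismatch")
	}
	return decryptMsg(key, encrypt, appID)
}

func main() {
	key, _ := aesKeyFromEncodingKey(sampleEncodingAESKey)
	// Constructed 16-byte random prefix; a real sender draws it from crypto/rand.
	enc, _ := encryptMsg(key, []byte("0123456789abcdef"), "<xml><Content>hi</Content></xml>", sampleAppID)
	sig := msgSignature(sampleToken, "1409304348", "nonce1", enc)
	fmt.Println(verifyAndDecrypt(sampleToken, "1409304348", "nonce1", sig, enc, key, sampleAppID))
}
```

The signature check runs before any ciphertext is touched, so a request whose msg_signature does not match the server's token is rejected without reaching the AES path, and the AppID check rejects a body encrypted under the same key but addressed to a different account. Both rejections, plus a padding or length failure, are the conditions an Official Account server should log when it receives a push in compatibility or security mode.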

In addition, the Weixin Official Accounts Platform provides sample code in 5 languages (C++, PHP, Java, Python, and C#), available for download.