# User Login State Signature

Some of the Mini Program's backend (HTTP) interfaces require the user's login state to be authenticated. When calling them, the developer must provide a signature generated with session_key as the key, where session_key is the login state obtained through wx.login.

# Signature Algorithm

The currently supported signature algorithm is hmac_sha256. For POST requests, the developer generates the signature as:

signature = hmac_sha256( post_data, session_key )

where post_data is the body of this POST request. For a GET request, post_data is the empty string (a string of length 0), so:

signature = hmac_sha256( "", session_key )

# Signature Example

For example, suppose a developer needs to call an HTTP (POST) interface whose request body is a JSON string:

curl -d '{"foo":"bar"}' 'https://api.weixin.qq.com/some_api?access_token=xxx&openid=xxx&signature=???&sig_method=hmac_sha256'

The developer needs to calculate the signature parameter. Assume that the user's currently valid session_key is:

'o0q0otL8aEzpcZL/FT9WsQ=='

Then the signature generated by the developer should be:

hmac_sha256('{"foo":"bar"}', 'o0q0otL8aEzpcZL/FT9WsQ==') = 654571f79995b2ce1e149e53c0a33dc39c0a74090db514261454e8dbe432aa0b

The HTTP request that the developer's server then sends is:

curl -d '{"foo":"bar"}' 'https://api.weixin.qq.com/some_api?access_token=xxx&openid=xxx&signature=654571f79995b2ce1e149e53c0a33dc39c0a74090db514261454e8dbe432aa0b&sig_method=hmac_sha256'

# session_key validity check

We provide an interface for the developer to check whether the login state session_key held on the server is still valid. To keep session_key confidential, this verification interface does not take the plaintext session_key itself; instead it validates the login state signature computed from it.

# Interface Address

Request method: GET

https://api.weixin.qq.com/wxa/checksession?access_token=ACCESS_TOKEN&signature=SIGNATURE&openid=OPENID&sig_method=SIG_METHOD

# Call Example

curl -G 'https://api.weixin.qq.com/wxa/checksession?access_token=OsAoOMw4niuuVbfSxxxxxxxxxxxxxxxxxxx&signature=fefce01bfba4670c85b228e6ca2b493c90971e7c442f54fc448662eb7cd72509&openid=oGZUI0egBJY1zhBYw2KhdUfwVJJE&sig_method=hmac_sha256'

# Parameter Description

| Parameter | Required | Description |
|---|---|---|
| access_token | Yes | Interface call credentials |
| openid | Yes | User's unique identifier |
| signature | Yes | User login state signature |
| sig_method | Yes | Hash method used for the user login state signature |

# Result Returned

On success, the returned JSON packet is:

{"errcode":0,"errmsg":"ok"}

On error, the returned JSON packet is as follows (this example is a signature error):

{"errcode":87009,"errmsg":"invalid signature"}
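The following is an added Python example, not code from the original page or from WeChat, that carries the signature algorithm and the checksession flow above through end to end: it signs a POST body and an empty GET body with session_key, verifies a presented signature on the developer server in constant time, assembles the documented checksession URL, and interprets the errcode in the reply. It assumes, as the page's worked example shows, that the session_key string is used directly as the HMAC key (not base64-decoded); ACCESS_TOKEN_PLACEHOLDER and OPENID_PLACEHOLDER are constructed placeholder values, and the helper names are this example's own.

```python
import hashlib
import hmac
import json
from urllib.parse import urlencode

SIG_METHOD = "hmac_sha256"  # the only sig_method the page documents
CHECKSESSION_URL = "https://api.weixin.qq.com/wxa/checksession"

# Values taken from the page's worked example.
EXAMPLE_SESSION_KEY = "o0q0otL8aEzpcZL/FT9WsQ=="
EXAMPLE_POST_DATA = '{"foo":"bar"}'


def sign_post_data(post_data: str, session_key: str) -> str:
    """signature = hmac_sha256(post_data, session_key).

    Assumption (matching the page's example): the session_key string itself is
    the HMAC key, and the raw request body is the message. Returns the lowercase
    hex digest that goes into the signature query parameter.
    """
    mac = hmac.new(session_key.encode("utf-8"),
                   post_data.encode("utf-8"),
                   hashlib.sha256)
    return mac.hexdigest()


def sign_get_request(session_key: str) -> str:
    """A GET request has no body, so the signed message is the empty string."""
    return sign_post_data("", session_key)


def verify_signature(post_data: str, session_key: str, presented: str) -> bool:
    """Developer-server check of a signature presented by a caller.

    Recomputes the expected value and compares in constant time so that a
    mismatch does not leak how many leading bytes were correct. Hex case and
    surrounding whitespace are tolerated; any other difference fails.
    """
    expected = sign_post_data(post_data, session_key)
    return hmac.compare_digest(expected.encode("ascii"),
                               presented.strip().lower().encode("utf-8"))


def build_checksession_url(access_token: str, openid: str, session_key: str) -> str:
    """Assemble the documented checksession GET URL. Because the request is a
    GET, the signature is over the empty string; session_key never leaves the
    server in plaintext."""
    params = {
        "access_token": access_token,
        "signature": sign_get_request(session_key),
        "openid": openid,
        "sig_method": SIG_METHOD,
    }
    return f"{CHECKSESSION_URL}?{urlencode(params)}"


def session_is_valid(response_body: str) -> bool:
    """Interpret the checksession reply: errcode 0 means session_key is still
    valid; anything else (for example 87009 "invalid signature") means the
    developer server should discard the stored session_key and have the client
    log in again. Unparseable bodies are treated as invalid."""
    try:
        reply = json.loads(response_body)
    except ValueError:
        return False
    return reply.get("errcode") == 0


if __name__ == "__main__":
    sig = sign_post_data(EXAMPLE_POST_DATA, EXAMPLE_SESSION_KEY)
    print("computed signature:", sig)
    print("checksession URL  :", build_checksession_url(
        "ACCESS_TOKEN_PLACEHOLDER", "OPENID_PLACEHOLDER", EXAMPLE_SESSION_KEY))
```

Two practical points the functions encode: the signature covers the exact bytes of the request body, so serialize the JSON once and send those same bytes rather than re-encoding (a different key order or whitespace produces a different digest), and on the verifying side always compare with hmac.compare_digest instead of ==.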