# User Login State Signature
Some of the Mini Program's backend (HTTP) interfaces require the user's login state to be authenticated. When calling them, the developer must supply a signature generated with `session_key` as the key, where `session_key` is the login state obtained through wx.login.
# Signature Algorithm
The currently supported signature algorithm is hmac_sha256. For POST requests, the developer generates the signature as:

```
signature = hmac_sha256( post_data, session_key )
```

Here `post_data` is the body (packet) of the POST request. In the special case of a GET request, `post_data` is the empty string (a string of length 0):

```
signature = hmac_sha256( "", session_key )
```
# Signature Example
For example, suppose a developer needs to call an HTTP (POST) interface whose request body is a JSON string:

```
curl -d '{"foo":"bar"}' 'https://api.weixin.qq.com/some_api?access_token=xxx&openid=xxx&signature=???&sig_method=hmac_sha256'
```

The developer needs to calculate the `signature` parameter. Assume that the user's currently valid `session_key` is:

```
'o0q0otL8aEzpcZL/FT9WsQ=='
```

Then the signature generated by the developer should be:

```
hmac_sha256('{"foo":"bar"}', 'o0q0otL8aEzpcZL/FT9WsQ==') = 654571f79995b2ce1e149e53c0a33dc39c0a74090db514261454e8dbe432aa0b
```

The HTTP request the developer's server then sends:

```
curl -d '{"foo":"bar"}' 'https://api.weixin.qq.com/some_api?access_token=xxx&openid=xxx&signature=654571f79995b2ce1e149e53c0a33dc39c0a74090db514261454e8dbe432aa0b&sig_method=hmac_sha256'
```
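The following Python code is an added example, not part of this page or of the WeChat SDK. It implements `signature = hmac_sha256(post_data, session_key)` for the POST and GET cases and shows the check the verifying side performs. It assumes, as the page's worked example reads, that the `session_key` text returned by wx.login is used directly as the HMAC key bytes (not base64-decoded), and that the bytes signed are exactly the bytes sent as the request body.

```python
import hashlib
import hmac
import json


def login_state_signature(post_data: bytes, session_key: str) -> str:
    """signature = hmac_sha256(post_data, session_key), as lowercase hex.

    Assumption (this is how the page's worked example reads): the session_key
    string from wx.login is used as the HMAC key bytes as-is, not base64-decoded.
    """
    return hmac.new(session_key.encode("utf-8"), post_data, hashlib.sha256).hexdigest()


def sign_post_request(payload: dict, session_key: str) -> tuple[bytes, str]:
    """Serialize the body once and sign exactly those bytes.

    Re-serializing later (different key order, whitespace or escaping) would
    change the bytes, and the signature would no longer verify on the far side.
    """
    body = json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return body, login_state_signature(body, session_key)


def sign_get_request(session_key: str) -> str:
    """A GET request has no body, so post_data is the empty string."""
    return login_state_signature(b"", session_key)


def signature_is_valid(post_data: bytes, session_key: str, presented: str) -> bool:
    """What the verifying side does: recompute the signature over the received
    body and compare in constant time (hmac.compare_digest), so the comparison
    reveals nothing about the expected value through timing."""
    expected = login_state_signature(post_data, session_key)
    return hmac.compare_digest(expected, presented.strip().lower())


if __name__ == "__main__":
    # Page's example input: body {"foo":"bar"} signed with the session_key shown above.
    body, sig = sign_post_request({"foo": "bar"}, "o0q0otL8aEzpcZL/FT9WsQ==")
    print(body.decode("utf-8"), sig)
    print("GET signature:", sign_get_request("o0q0otL8aEzpcZL/FT9WsQ=="))
```

Run stand-alone, the script signs the page's example body and prints the signature alongside the exact bytes that must be sent; the value to compare against is the one the page gives above. `sign_post_request` returns both the body and the signature so the caller cannot accidentally send a body other than the one that was signed.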
# session_key Validity Check
We provide an interface for developers to verify whether the login state `session_key` held on their server is still valid. To protect the privacy of `session_key`, this verification interface does not take the plaintext `session_key` itself; it verifies the login state signature instead.
# Interface Address
Request method: GET

```
https://api.weixin.qq.com/wxa/checksession?access_token=ACCESS_TOKEN&signature=SIGNATURE&openid=OPENID&sig_method=SIG_METHOD
```
# Call Example
```
curl -G 'https://api.weixin.qq.com/wxa/checksession?access_token=OsAoOMw4niuuVbfSxxxxxxxxxxxxxxxxxxx&signature=fefce01bfba4670c85b228e6ca2b493c90971e7c442f54fc448662eb7cd72509&openid=oGZUI0egBJY1zhBYw2KhdUfwVJJE&sig_method=hmac_sha256'
```
# Parameter Description
| Parameter | Required | Description |
|---|---|---|
| access_token | Yes | Interface call credentials |
| openid | Yes | User unique identifier |
| signature | Yes | User login state signature |
| sig_method | Yes | Hash method for the user login state signature |
# Result Returned
The JSON packet returned on success is as follows:

```
{"errcode":0,"errmsg":"ok"}
```

The JSON packet returned on error is as follows (this example is a signature error):

```
{"errcode":87009,"errmsg":"invalid signature"}
```
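The following Python code is an added example, not part of this page or of the WeChat SDK, of the checksession exchange described in this section: the client builds the GET request with `signature = hmac_sha256("", session_key)` and interprets the two reply packets shown above. So that it runs offline, the WeChat side is replaced by a constructed stand-in (`make_fake_wechat`) that recomputes the signature from the `session_key` it knows and answers with the page's `ok` or `invalid signature` packet; the `ACCESS_TOKEN_PLACEHOLDER` and `OPENID_PLACEHOLDER` values are placeholders, and the use of the `session_key` text directly as the HMAC key follows the page's worked example.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

CHECKSESSION_URL = "https://api.weixin.qq.com/wxa/checksession"


def checksession_url(access_token: str, openid: str, session_key: str) -> str:
    """Build the GET request from this section. A GET has no body, so the
    signature is hmac_sha256("", session_key); session_key itself never
    leaves the developer's server."""
    signature = hmac.new(session_key.encode("utf-8"), b"", hashlib.sha256).hexdigest()
    query = urlencode({
        "access_token": access_token,
        "signature": signature,
        "openid": openid,
        "sig_method": "hmac_sha256",
    })
    return f"{CHECKSESSION_URL}?{query}"


def parse_checksession_response(body: str) -> tuple[bool, int, str]:
    """Return (is_valid, errcode, errmsg) from the JSON reply. errcode 0 means
    the session_key is still valid; 87009 is the page's 'invalid signature'."""
    reply = json.loads(body)
    errcode = int(reply.get("errcode", -1))
    return errcode == 0, errcode, str(reply.get("errmsg", ""))


def session_key_is_valid(access_token: str, openid: str, session_key: str, fetch) -> bool:
    """fetch(url) -> response body as str. Inject a real HTTP client in
    production; the stand-in below is used here so the example runs offline."""
    body = fetch(checksession_url(access_token, openid, session_key))
    valid, _, _ = parse_checksession_response(body)
    return valid


def make_fake_wechat(known_session_key: str):
    """Constructed stand-in for the verifying server (not the real API):
    recompute hmac_sha256("", session_key) for the key it holds and compare it
    in constant time with the signature presented in the query string."""
    expected = hmac.new(known_session_key.encode("utf-8"), b"", hashlib.sha256).hexdigest()

    def fetch(url: str) -> str:
        params = parse_qs(urlsplit(url).query)
        presented = params.get("signature", [""])[0]
        method = params.get("sig_method", [""])[0]
        if method == "hmac_sha256" and hmac.compare_digest(expected, presented):
            return '{"errcode":0,"errmsg":"ok"}'
        return '{"errcode":87009,"errmsg":"invalid signature"}'

    return fetch


if __name__ == "__main__":
    # The stand-in server holds the page's example session_key.
    fake = make_fake_wechat("o0q0otL8aEzpcZL/FT9WsQ==")
    print(session_key_is_valid("ACCESS_TOKEN_PLACEHOLDER", "OPENID_PLACEHOLDER",
                               "o0q0otL8aEzpcZL/FT9WsQ==", fake))   # True
    print(session_key_is_valid("ACCESS_TOKEN_PLACEHOLDER", "OPENID_PLACEHOLDER",
                               "stale-or-wrong-session-key", fake))  # False
```

The second call models the case this interface exists for: the developer's server still holds a `session_key` that no longer matches the one WeChat knows, so the signature over the empty string no longer verifies and the `87009` packet comes back; the caller should then have the Mini Program call wx.login again rather than keep using the stale key.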