Message Authentication

From WeChat Official Account Admin Platform

When a developer submits a server URL for the first time, the WeChat server sends a GET request to that URL with four parameters: signature, timestamp, nonce and echostr. The developer authenticates the request by checking the signature parameter.

Afterwards, whenever a user sends a message to the Official Account, the WeChat system accesses the same URL carrying the four parameters. The developer verifies each request by checking the signature parameter, using the same method as for the first authentication.

Parameter   Description
signature   Encrypted signature, which combines the token configured by the developer with the timestamp and nonce parameters
timestamp   Timestamp
nonce       A random number
echostr     A random string

The developer verifies the GET request by checking the signature. If the request is confirmed to come from the WeChat server, the developer returns the value of the echostr parameter unchanged, and access succeeds; otherwise access fails.

The encryption/verification steps are as follows:

1. Sort the three values token, timestamp and nonce lexicographically
2. Concatenate the three sorted values into one string and hash it with SHA1
3. Compare the resulting hash with the signature parameter; if they match, the request is from WeChat

An example of PHP code for checking the signature is as follows:

private function checkSignature()
{
    $signature = $_GET["signature"];
    $timestamp = $_GET["timestamp"];
    $nonce = $_GET["nonce"];
    $token = TOKEN;   // the token configured on the admin platform

    // Step 1: sort token, timestamp and nonce lexicographically
    $tmpArr = array($token, $timestamp, $nonce);
    sort($tmpArr, SORT_STRING);
    // Step 2: concatenate the sorted values and hash with SHA1
    $tmpStr = implode( $tmpArr );
    $tmpStr = sha1( $tmpStr );
    // Step 3: compare with the signature sent by WeChat.
    // hash_equals() is a constant-time, strict string comparison; the loose
    // == operator would also accept type-juggled values.
    if( hash_equals( $tmpStr, (string) $signature ) ){
        return true;
    }else{
        return false;
    }
}

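As an added example that is not part of this page or of WeChat's own sample code, the same three steps in Python, with a constant-time comparison and the echostr handling for the initial verification request. It goes one step beyond the page's procedure with an optional timestamp freshness check (max_skew), which limits how long a captured request stays replayable. TOKEN, the params dict and the time values are constructed assumptions for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder; in practice this is the token the developer
# configured on the admin platform (assumption: loaded from configuration).
TOKEN = "example-token"


def compute_signature(token: str, timestamp: str, nonce: str) -> str:
    """Steps 1-2 of the page: sort lexicographically, concatenate, SHA1-hash."""
    parts = sorted([token, timestamp, nonce])   # step 1: lexicographic order
    joined = "".join(parts)                     # step 2: concatenate ...
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()   # ... and SHA1


def check_signature(params: dict, token: str = TOKEN,
                    now: Optional[int] = None,
                    max_skew: Optional[int] = None) -> bool:
    """Step 3: True only if the request carries a valid WeChat signature.

    max_skew (seconds) is an addition to the page's procedure: without it a
    captured request with a valid signature stays replayable indefinitely.
    """
    signature = params.get("signature")
    timestamp = params.get("timestamp")
    nonce = params.get("nonce")
    if not all(isinstance(v, str) and v for v in (signature, timestamp, nonce)):
        return False

    expected = compute_signature(token, timestamp, nonce)
    # Constant-time comparison: does not leak how many leading hex characters
    # matched, unlike == on strings. Case-folded because the hash is hex.
    if not hmac.compare_digest(expected.encode("ascii"),
                               signature.lower().encode("utf-8")):
        return False

    if max_skew is not None:
        try:
            ts = int(timestamp)
        except ValueError:
            return False
        current = int(time.time()) if now is None else now
        if abs(current - ts) > max_skew:
            return False
    return True


def handle_verification_get(params: dict, token: str = TOKEN) -> Tuple[int, str]:
    """Initial URL verification: echo echostr unchanged on success, else 403."""
    if check_signature(params, token):
        return 200, params.get("echostr", "")
    return 403, ""


if __name__ == "__main__":
    # Constructed request values standing in for what the WeChat server sends.
    ts = str(int(time.time()))
    nonce = "1234567890"
    good = {"signature": compute_signature(TOKEN, ts, nonce),
            "timestamp": ts, "nonce": nonce, "echostr": "hello-wechat"}
    print(handle_verification_get(good))          # (200, 'hello-wechat')
    bad = dict(good, signature="0" * 40)
    print(handle_verification_get(bad))           # (403, '')
```

The signature only proves that the sender knows the token; it does not bind the request body, so the POSTed message content itself is not authenticated by this check, and the optional skew limit is the cheapest way to keep an intercepted valid request from being reused later.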
