WeChat Development Access Guide

Overview

To access the WeChat public platform for development, developers need to complete the following steps:

1. Fill in the server configuration
2. Verify the validity of the server address
3. Implement business logic based on interface documentation

These three steps are described in detail below.

Step 1: Fill in the server configuration

After logging in to the WeChat public platform official website, click the "Modify Configuration" button on the public platform backend management page - Developer Center page, and fill in the server address (URL), Token, and EncodingAESKey. The URL is the interface URL at which the developer receives WeChat messages and events. The Token can be chosen freely by the developer and is used to generate the signature (the Token is compared with the Token contained in the interface URL to verify security). The EncodingAESKey is filled in manually by the developer or randomly generated, and is used as the encryption and decryption key for the message body.

At the same time, developers can choose the message encryption and decryption mode: plain text mode, compatible mode and secure mode. The mode selection and server configuration will take effect immediately after submission. Developers are requested to fill in and select carefully. The default state of the encryption and decryption mode is plain text mode. Selecting compatible mode and secure mode requires configuring the relevant encryption and decryption code in advance. For details, please refer to the document on message body signature and encryption and decryption.

Step 2: Verify the validity of the server address

After the developer submits the information, the WeChat server sends a GET request to the server address URL that was filled in. The GET request carries four parameters: signature, timestamp, nonce and echostr.

The developer verifies the request by checking the signature (see below for the verification method). If the GET request is confirmed to come from the WeChat server, return the content of the echostr parameter unchanged; the access then takes effect and you have successfully become a developer. Otherwise the access fails.

The signature verification process is as follows:
1. Sort the three parameters token, timestamp, and nonce in lexicographic order
2. Concatenate the three parameter strings into one string and hash it with SHA-1
3. Compare the resulting hash string with the signature parameter; a match identifies the request as coming from WeChat

PHP sample code for checking signature:

    private function checkSignature()
    {
        // Missing parameters become empty strings so the check fails cleanly
        $signature = (string) ($_GET["signature"] ?? "");
        $timestamp = (string) ($_GET["timestamp"] ?? "");
        $nonce     = (string) ($_GET["nonce"] ?? "");

        $token = TOKEN;
        $tmpArr = array($token, $timestamp, $nonce);
        sort($tmpArr, SORT_STRING);
        $tmpStr = implode($tmpArr);
        $tmpStr = sha1($tmpStr);

        // hash_equals compares as strings in constant time; == would
        // type-juggle numeric-looking digests such as "0e..."
        return hash_equals($tmpStr, $signature);
    }

PHP Sample Code

    <?php
    /**
     * wechat php test
     */

    // define your token
    define("TOKEN", "weixin");
    $wechatObj = new wechatCallbackapiTest();
    $wechatObj->valid();

    class wechatCallbackapiTest
    {
        public function valid()
        {
            $echoStr = (string) ($_GET["echostr"] ?? "");

            // valid signature, option
            if ($this->checkSignature()) {
                echo $echoStr;
                exit;
            }
        }

        public function responseMsg()
        {
            // read the raw POST body ($GLOBALS["HTTP_RAW_POST_DATA"] was removed in PHP 7)
            $postStr = file_get_contents("php://input");

            // extract post data
            if (!empty($postStr)) {
                /* libxml_disable_entity_loader is to prevent XML eXternal Entity Injection,
                   the best way is to check the validity of xml by yourself.
                   It is deprecated as of PHP 8.0, where external entity loading
                   is disabled by default, so it is only called on older versions. */
                if (PHP_VERSION_ID < 80000) {
                    libxml_disable_entity_loader(true);
                }
                $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
                if ($postObj === false) {
                    // body was not well-formed XML
                    echo "";
                    exit;
                }
                $fromUsername = $postObj->FromUserName;
                $toUsername = $postObj->ToUserName;
                $keyword = trim($postObj->Content);
                $time = time();
                $textTpl = "<xml>
                <ToUserName><![CDATA[%s]]></ToUserName>
                <FromUserName><![CDATA[%s]]></FromUserName>
                <CreateTime>%s</CreateTime>
                <MsgType><![CDATA[%s]]></MsgType>
                <Content><![CDATA[%s]]></Content>
                <FuncFlag>0</FuncFlag>
                </xml>";
                if (!empty($keyword)) {
                    $msgType = "text";
                    $contentStr = "Welcome to wechat world!";
                    $resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr);
                    echo $resultStr;
                } else {
                    echo "Input something...";
                }
            } else {
                echo "";
                exit;
            }
        }

        private function checkSignature()
        {
            // you must define TOKEN by yourself
            if (!defined("TOKEN")) {
                throw new Exception('TOKEN is not defined!');
            }

            // Missing parameters become empty strings so the check fails cleanly
            $signature = (string) ($_GET["signature"] ?? "");
            $timestamp = (string) ($_GET["timestamp"] ?? "");
            $nonce     = (string) ($_GET["nonce"] ?? "");

            $token = TOKEN;
            $tmpArr = array($token, $timestamp, $nonce);
            // use SORT_STRING rule
            sort($tmpArr, SORT_STRING);
            $tmpStr = implode($tmpArr);
            $tmpStr = sha1($tmpStr);

            // hash_equals compares as strings in constant time; == would
            // type-juggle numeric-looking digests such as "0e..."
            return hash_equals($tmpStr, $signature);
        }
    }

    ?>
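
The Step 2 handshake seen from both sides, as an added example that is not part of the original guide or of WeChat's sample code. It is written in Python rather than the guide's PHP so it can be run and tested offline; the function names, the token, the sample parameter values and the 400/403 status codes are assumptions made for illustration (the guide only says that access fails).

```python
import hashlib
import hmac
from urllib.parse import parse_qs

TOKEN = "example-token"  # constructed value; use the Token set in the Developer Center


def make_signature(token: str, timestamp: str, nonce: str) -> str:
    """Steps 1-2: sort the three strings lexicographically, join them, SHA-1 the result."""
    joined = "".join(sorted([token, timestamp, nonce]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def handle_verification(query_string: str, token: str = TOKEN):
    """Return (status, body) for the GET request described in Step 2."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = {}
    for name in ("signature", "timestamp", "nonce", "echostr"):
        got = params.get(name, [])
        if len(got) != 1:  # missing or repeated parameter: reject before hashing
            return 400, ""
        values[name] = got[0]
    expected = make_signature(token, values["timestamp"], values["nonce"])
    # Step 3: compare digests as bytes, in constant time
    if not hmac.compare_digest(expected.encode(), values["signature"].encode()):
        return 403, ""
    return 200, values["echostr"]  # echo the value back unchanged


def sample_request(token, timestamp="1700000000", nonce="839201",
                   echostr="5927782489442352"):
    """Constructed query string, signed the way the sending side would sign it."""
    sig = make_signature(token, timestamp, nonce)
    return f"signature={sig}&timestamp={timestamp}&nonce={nonce}&echostr={echostr}"


if __name__ == "__main__":
    print(handle_verification(sample_request(TOKEN)))          # accepted
    print(handle_verification(sample_request("wrong-token")))  # rejected
```
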

Step 3: Implement business logic based on interface documentation

After successfully verifying the validity of the URL, the access becomes effective and you become a developer. If the public account type is a service account (subscription accounts can only use ordinary message interfaces), you can apply for authentication on the public platform website. The service account that successfully authenticates will obtain many interface permissions to meet the needs of developers.

From then on, every time a user sends a message to the official account or generates a custom menu click event, the server configuration URL filled in by the developer will receive the messages and events pushed by the WeChat server, and then the developer can respond according to their own business logic, such as replying to messages.

When the official account calls an interface, it will generally get the correct result. For specific results, see the description of the corresponding interface. When an error is returned, you can look up the cause of the error from the return code; see the global return code description.

When a user sends a message to a public account, the public account receives an OpenID from the sender of the message, which is the result of encryption using the user's WeChat account. Each user has a unique OpenID for each public account.

In addition, since developers often need to share user accounts and unify the account system between multiple platforms (mobile applications, websites, public accounts), WeChat Open Platform (open.weixin.qq.com) provides a UnionID mechanism. Developers can obtain basic user information through OpenID. If developers have multiple applications (mobile applications, website applications, and public accounts, public accounts will only obtain UnionID after being bound to WeChat Open Platform accounts), they can distinguish the uniqueness of users by obtaining UnionID in the user's basic information, because as long as they are mobile applications, website applications, and public accounts under the same WeChat Open Platform account, the user's UnionID is unique. In other words, the same user has the same UnionID for different applications under the same WeChat Open Platform account. For details, please see the WeChat Open Platform Resource Center-Mobile Application Development-WeChat Login-Authorization Relationship Interface Call Guide-Obtaining User Personal Information (UnionID Mechanism).

Please also note that the WeChat public account interface only supports port 80.
