Recently in the small program card volume, is really one by one pit, not only the online information is not much, the official document is chaotic, made several days to fix, here about the pit encountered in the process, basically 90% of these pits are in the signature.


The following parameters are used for the card volume signature:

  • Api_ticket (temporary ticket that invokes the card-related interface)
  • Timestamp (timestamp, in seconds)
  • Card_id (card volume ID obtained after the card volume is created)
  • Code (The code of the card is equivalent to the number of the card received by the user)
  • Openid (specify opeIND for the user)
  • Nonce_str (32-bit random string)


Because I created the card volume on the public platform of wechat, code and OpenID are not needed. Therefore, api_ticket, TIMESTAMP, card_id and nonce_str are actually signed. Card_id can be seen when creating the card volume on the public platform. Timestamp and nonce_str are the two timestamps and random number generation.


Obtaining the API_ticket is troublesome. We need to obtain the access_token first, and then exchange the access_token for the API_ticket

The address of the access_token interface is the following:


Here comes the key, I was cheated here for a few days, the request interface needs us to add appID and secret, but here uses the public account appID and secret!! The public number! The public number! Important things say three times, remember is the public number of appID rather than small procedures!!


In addition, the access_token server address must be added to the public account whitelist first, otherwise the public account will be prompted to obtain the white list, in wechat public platform click [security Center] can see the IP whitelist option, add your server IP address, oh yes, Before enabling the IP whitelist, you need to enable the developer password. This is in the “Basic Configuration” section. After enabling the developer password, the IP whitelist can add an address.


Okay, we should get the access_token normally, and then we need to exchange it for the API_ticket

The interface address to get api_ticket is the following:

Note that frequent invocation of the two interfaces within a short period of time may be limited. Therefore, cache api_ticket after it is obtained to avoid repeated invocation of the interface. The api_ticket validity period is two hours.


Now that you’ve got all the parameters for the signature, it’s time to generate the signature.

Post your own code, PHP side:

The last three parameters returned will be returned to the applet as the values of wx.addCard()–cardList–cardExt. Of course, we have to serialize these three parameters as a json string before assigning, cardExt receives a string instead of an object, so at this point, The flow of card volume is basically like this.


To sum up a few points to note:

  • The appID used to obtain access_token is a public number, not an applet
  • The server IP address must be whitelisted on the wechat public platform
  • The API_ticket is cached after it is retrieved because frequent calls to the interface may be limited.
  • In the applet wx.addcard (), the cardExt argument is a string, not an object, so the signature, along with other arguments, is converted to a string before assigning.
  • The fields in the cardExt string must match the parameters of the participating signature (except card_id, which is written in wx.addcard ()–cardList–cardId).


Basically this is all, finally teasing the official development documentation really enough chaos, some places also said unclear !!!!


Author: Kauthy



Original address:Chat about the card volume signature pit – tutorial – small program community – wechat small program – wechat small program development community – small program development forum – wechat small program alliance