JIYIK CN >

During the development of WeChat official accounts, if we want to actively push messages to the WeChat server, we must have access_token. Access_token is the only ticket for the official account. When we develop and call various WeChat interfaces, we need to use access_token. Access_token is a string similar to the one shown below.

wGOSbMw6iKvhIOcjCJTi_r6wXpOF_Vnih-TEvumx_1OXgnaZiRfy0g0hJ08ykRkc0bMAYTzKdZoAmZ32ROdmgo5_JQbgTcPth2bajjoRqfEeC_VRz53cl2_CLavkNkBTSKWcAEAMEQ

This string is quite long. Therefore, the storage of access_token must reserve at least 512 characters. And the access_token obtained is not permanent, and its validity period is 2 hours. This validity period will be added to the return result of our access_token, and the field name is expires_in. We will talk about how to obtain access_token below. Let's first take a look at how WeChat officially explains the use and generation of access_token.

1. In order to keep appsecrect confidential, the third party needs a central control server for access_token acquisition and refresh. The access_token used by other business logic servers all come from the central control server and should not be refreshed separately, otherwise the access_token will be overwritten and affect the business;
2. The validity period of the access_token is currently conveyed through the returned expire_in, which is currently within 7200 seconds. The central control server needs to refresh the new access_token in advance according to this validity period. During the refresh process, the central control server still outputs the old access_token to the outside. At this time, the public platform backend will ensure that both the new and old access_tokens are available within a short refresh time, which ensures the smooth transition of third-party business;
3. The validity period of the access_token may be adjusted in the future, so the central control server not only needs to actively refresh internally, but also needs to provide an interface for passively refreshing the access_token, so that the business server can trigger the access_token refresh process when the API call knows that the access_token has timed out.
Therefore, we should refresh and obtain the access_token regularly. Otherwise, repeated acquisition will cause the last access_token to become invalid.

Well, after talking so much, we also understand the importance of access_token, so how should we get it? In fact, getting access_token is also very simple. WeChat provides us with the http interface:

https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=APPSECRET

Note: The https protocol must be used when calling all WeChat interfaces.

The above interface requires us to send three parameters:

grant_type This parameter needs to be filled in with client_credential when obtaining access_token

The appid parameter can be obtained in the basic configuration. Each developer has a unique appid, which serves as the only credential for third-party users.

The value of the secret parameter is appsecret. Each developer also has an appsecret, which is a third-party user's unique credential key. Like appid, appsecret can also be obtained in the basic configuration.

Now that we know the three parameters, we can start calling this interface. Because it is an http interface, we use php language to call it, so curl is needed.

$url = "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=" . self::appId . "&secret=" . self::appSecret;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$res = curl_exec($ch);
curl_close($ch);

The returned result is a JSON string, which contains two contents: one is access_token and the other is the validity period (expires_in).

{"access_token":"gq84-toUzqn2mNX_ibmvMOIVm1TIKPD6mGLUfMNdCytpsLv6H-aCZgXMPkEt_D4Iqjjoe8 w_qgo_9oli3dECpimhb-FUONTEJLarG6PGYSpPZSAb8rcwv4WR0BMwwc8ESCXiAGABLG","expires_in":7200}

Similarly, if an error occurs during the call, a json string will be returned. The content of the json string varies depending on the cause of the error. An example is as follows:

{"errcode":40013,"errmsg":"invalid appid"}

Access_token use case - Get WeChat server IP address

We have introduced the purpose of access_token and how to obtain it above. Here we introduce a use case of access_token - if the public account needs to know the IP address list of WeChat server for security considerations, so as to make relevant restrictions, the WeChat server IP address list can be obtained through the corresponding interface.

Its interface is as follows

https://api.weixin.qq.com/cgi-bin/getcallbackip?access_token=ACCESS_TOKEN

We can see that this interface has only one parameter - access_token. Let's see how to use it.

$url = "https://api.weixin.qq.com/cgi-bin/getcallbackip?access_token=".$this->get_accesstoken();
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$res = curl_exec($ch);

The returned result is also a json string.

{ "ip_list":["ip1"," ip2"] }

Similarly, this interface may also return a call error. The error is mostly caused by invalid or expired access_token.

{"errcode":40001,"errmsg":"invalid credential, access_token is invalid or not latest hint: [w2KXsa0239vr29!]"}

Well, the above is a detailed introduction to the purpose and acquisition method of access_token.