Callback Verification
Business scenario
For QR Code Payment, Official Account Payment, In-App Payment, and Mini Program Payment modes, WeChat Pay will return the payment result via the institution callback URL. The institution then needs to verify the callback signature and content to prevent any fake callback that may cause fund loss.
Solution
The institution/merchant must do the following after receiving the callback information from WeChat Pay:
-
1Signature Verification
Verify the sign field to ensure that the callback information is sent by WeChat Pay. For details on verifying the signature, refer to the signature algorithm section in the API documentation.
-
2Information Verification
After verifying the signature, check if the order information is correct, such as whether the order number has been generated on the system, and whether the order number and payment amount match the system records.
-
3Return Specific Information
Sync the order result to its own system if both signature and business information are verified, then return a correct response packet to WeChat Pay. Otherwise, WeChat Pay will consider the callback to be failed and continue to retry, resulting in a waste of resources.
-
Complete
Note: The same notification may be sent to the merchant system multiple times. The merchant system must be able to process repeated notifications properly. After receiving a notification, the system must first check the status of the business data to verify whether the notification has been processed. If so, return a success result directly; if not, process the notification. Before the status check and process of business data, perform concurrent control of these data with data locks to avoid data corruption caused by reentrant functions.
