Signature

WeChat Pay API V3 ensures the authenticity of the request and the integrity of the data by verifying the signature.

1. Request Signature

Merchants need to use their own private keys to sign the combination of key data such as API URL and message body with SHA-256 with RSA. The requested signature is passed through the HTTP header Authorization. For details, please see Signature Generation Guide. Requests without signatures or with unverified signatures will not be processed, and the message 401 Unauthorized will be returned.

2. Response Signature

After the signature of a request is verified, WeChat Pay API V3 will use the platform private key of WeChat Pay to sign the response. The signature information is contained in the HTTP header. Please refer to Signature Verification Guide.

Notice

Please use the public key of WeChat Pay to verify the signature, which is included in the WeChat Pay platform certificate

Please verify the signature in the response

A successful response without a signature (HTTP status code is 2xx) should be considered forged or tampered.

3. Callback Notification Signature

When the merchant's API is called, WeChat Pay will use the platform private key of WeChat Pay to sign the callback request. The signature method is the same as the response signature method. The merchant must use the WeChat Pay public key to verify the signature of the callback.

Notice

The notification must verify the signature of WeChat Pay to avoid malicious attacks.