Signature Verification (recommended)

Last updated: 2020-02-19 19:19:48



This article mainly introduces the method of Tencent Mobile push signature Verification.

Using HMAC-SHA256 algorithm, Signing information is produced according to SecretKey. Authentication by verifying the signature is more secure, and it is recommended to use it.

Parameter description

Parameters Description
AccessId Tencent Mobile push Backend Background Assign's application ID, please go to Tencent Mobile push console to obtain
SecretKey Tencent Mobile push Backend Background Assign's SecretKey, corresponds to AccessId. Go to Tencent Mobile push console to obtain
LoginUin Tencent Cloud login account
OwnerUin The main account corresponding to the account on Tencent Cloud
Sign Interface signature method
Timestamp Request timestamp

Signature generation method

  1. Get the original string to be signed by requesting timestamp + accessId + requesting body to concatenate characters:
    stringtosign = ${timeStamp} + ${accessId} + ${requestBody}
  2. Use secretKey as the key to sign the original string to be signed, and generate the signature:
    sign = Base64(HMAC_SHA256(stringToSign, secretKey))

HTTP Protocol assembly mode

In addition to the general header Protocol, HTTP Protocol header needs to carry the information of current request timestamp, AccessId, and signature Sign. The specific parameters are as follows:

Parameter Key in Header Meaning Is it necessary
Sign Request Signature Yes
AccessId Application of ID Yes
Timestamp Request timestamp Yes

The specific HTTP request message is as follows:

POST /v3/push/app HTTP/1.1
Content-Type: application/json
AccessId: 1500001048
TimeStamp: 1565314789
{"audience_type": "account","platform": "android","message": {"title": "test title","content": "test content","android": { "action": {"action_type": 3,"intent": "xgscheme://com.xg.push/notify_detail?param1=xg"}}},"message_type": "notify","account_list": ["5822f0eee44c3625ef0000bb"] }

Signature generation example

  1. The signature string to be stitched is generated as follows:
String to be encrypted=15653147891500001048{"audience_type": "account","platform": "android","message": {"title": "test title","content": "test content","android": { "action": {"action_type": 3,"intent": "xgscheme://com.xg.push/notify_detail?param1=xg"}}},"message_type": "notify","account_list": ["5822f0eee44c3625ef0000bb"] }
  1. Generate hexadecimal hash, through HMAC-SHA256 algorithm according to the key, where the example corresponds to secretKey =1452fcebae9f3115ba794fb0fff2fd73 .
hashcode= hmac-sha256(stringToSign, secretKey)
get hashcode="cd20774682bf78bfdb43e17d1d5d56b3e5b789a1670fc1527ef54c65d2d7b76d"
  1. Encode the hashcode with base64 to get the signature string as follows:
Get Sign=Base64(hashcode)

Example of Python signature

#!/usr/bin/env python
import hmac
import base64
from hashlib import sha256

s = '15653147891500001048{"audience_type": "account","platform": "android","message": {"title": "test title","content": "test content","android": { "action": {"action_type": 3,"intent": "xgscheme://com.xg.push/notify_detail?param1=xg"}}},"message_type": "notify","account_list": ["5822f0eee44c3625ef0000bb"] }'
key = '1452fcebae9f3115ba794fb0fff2fd73'
hashcode =, s, digestmod=sha256).hexdigest()
print base64.b64encode(hashcode)

Example of Java signature

package com.tencent.xg;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;

public class SignTest {
    public static void main(String[] args) {
        try {
            String stringToSign = "15653147891500001048{\"audience_type\": \"account\",\"platform\": \"android\",\"message\": {\"title\": \"test title\",\"content\": \"test content\",\"android\": { \"action\": {\"action_type\": 3,\"intent\": \"xgscheme://com.xg.push/notify_detail?param1=xg\"}}},\"message_type\": \"notify\",\"account_list\": [\"5822f0eee44c3625ef0000bb\"] }";
            String appSecret = "1452fcebae9f3115ba794fb0fff2fd73";

            Mac mac;
            mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(appSecret.getBytes("UTF-8"), "HmacSHA256"));
            byte[] signatureBytes = mac.doFinal(stringToSign.getBytes("UTF-8"));

            String hexStr = Hex.encodeHexString(signatureBytes);
            String signature = Base64.encodeBase64String(hexStr.getBytes());

        } catch (NoSuchAlgorithmException | InvalidKeyException | UnsupportedEncodingException e) {

Example of Golang signature

import (

func TestSign(t *testing.T) {
   requestBody := "15653147891500001048{\"audience_type\": \"account\",\"platform\": \"android\",\"message\": {\"title\": \"test title\",\"content\": \"test content\",\"android\": { \"action\": {\"action_type\": 3,\"intent\": \"xgscheme://com.xg.push/notify_detail?param1=xg\"}}},\"message_type\": \"notify\",\"account_list\": [\"5822f0eee44c3625ef0000bb\"] }"
   secretKey := "1452fcebae9f3115ba794fb0fff2fd73"

   h := hmac.New(sha256.New, []byte(secretKey))
   sha := hex.EncodeToString(h.Sum(nil))
   sign := base64.StdEncoding.EncodeToString([]byte(sha))