Instant Messaging
Getting Started
Platform Service
Message-related Callback
Related Callbacks of User Information
Related Callbacks of Advanced Team
Related Callbacks of Super Team
Related Callbacks of Audio and Video
Callback related to Log in
Data Sync
Data Sync Overview
Activate Data Sync
IM Session Message Delivery
Other IM Message Delivery
Audio/video/whiteboard Duration Message Delivery
Content Moderation
Best Practice
API Reference
Status Code
Account Management
Register Accounts
Refresh Token
Ban Accounts
Mute Accounts
Push Notification
Login Authentication
Send Messages
Unsend Messages
Send Broadcast Messages
Upload Files
Delete a message
Delete a roaming message
Message history
Custom system notification
User Profile
User Relationship
Host User Relationship
Advanced group
Chat room
Create a chat room
Get the URL of a chat room
Update chat room info
Edit chat room states
Set a timer to close a chat room
Manage roles
Get the member list
Manage chatbots
Manage tags
Message queues
Online Status

Login Authentication

Update time: 2022/11/25 16:10:56


CommsEase provides three types of login authentication.

Static token authentication

This authentication method is a default authentication method of YunXin. Users should set or automatically generate a token when creating an accid by calling CommsEase server API (/user/create.action). The token is permanent, and the client SDK should fill in the accid and token when logging into CommsEase server. CommsEase server will check whether the accid and token are consistent.

If a user wants to update the token voluntarily, or if the token is accidentally leaked and the token needs to be updated, the relevant API interfaces (/user/update.action and /user/refreshToken.action) can be called for update.

Appsecret-based dynamic token authentication

When a user creates an application in the background of the CommsEase website, an appkey and appsecret will be generated. Based on the appkey, appsecret and accid, CommsEase will agree on a method to generate a dynamic token as follows:

#Get the current timestamp (in milliseconds) first
curTime = 1614764611561
#Set the expiration time (in seconds), for example 600
ttl = 600
#Generate signature, combine five fields (appkey, accid, curTime, ttl, and appsecret) into a string, and perform sha1 encoding
signature = sha1(appkey + accid + curTime + ttl + appsecret)
#Assemble into json
json = {"signature": "xx", "curTime":1614764611561, "ttl": 600}
#Convert json into a string and base64 encode it to generate the final token

After generating a token using the above method, the client SDK fills in the token and logs in, and the account is successfully logged in after successful server verification.

  • The above dynamic token generation method relies on appsecret, so the generation logic must be implemented on the user's server side to avoid appsecret leakage.
  • The token of this authentication method is dynamic and temporary, and its validity period is set by the customer, a validity period that is too long is not recommended.

Third-party callback based authentication

This authentication method relies on login callback among the third-party callback features for customers to open a CommsEase account. In the login callback, the CommsEase server will copy the client accid, token, client type, client ip, login custom extension and other fields to the user server, and then the user server will determine whether the verification can pass. If not, the CommsEase server will return 302 error code to the end.

If this authentication method is adopted, the CommsEase server will not verify the token and other fields.


  • The first authentication method is default by YunXin, and the features of the latter two authentication methods should be enabled separately. In particular, for third-party callback based authentication methods, you should enable additional login callback feature. If the login callback is not enabled, any token can be successful logged in.
  • The user can enable one or more of the above three authentication methods, and the sdk will inform the CommsEase server of the authentication method used for this login. If the authentication method is not in the list of available authentication types, you will be informed of login failure.
Was this topic helpful?
  • Features
  • Static token authentication
  • Appsecret-based dynamic token authentication
  • Third-party callback based authentication
  • Considerations