Alipay International Mini Program Development PlatformAlipay International Mini Program Development PlatformDOCS

/v2/authorizations/applyTokenAndInquiryUserInfo

POST /v2/authorizations/applyTokenAndInquiryUserInfo

With this API call, a merchant can obtain an access token and inquire about user information in the super app. The merchant is then authorized by users to provide services on the mini program. The specific information to query is defined by the scopes of the authorization code you obtained by calling the my.getAuthCode JSAPI.

Notes:

  • When to make this API call:
    • This API is recommended for the scenario where the merchant wants to query user information and shorten the response time. In this scenario, the scope of authCode should support the query of user information (for example, auth_user).
    • For other scenarios, for example, the merchant doesn't want to query user information or have no strict requirement on the response time, we recommend the merchant call the applyToken API and the inquiryUseInfo API independently to get an accessToken or query user information.
  • How to make this API call:
    • Before calling this API, you must add the App_User_Authorization feature to your mini program in Mini Program Platform to access the API. For detailed instructions, refer to Add features.
    • To get an access token for the first time, call the my.getAuthCode JSAPI to obtain an authorization code from the super app as the request parameter. Then call this API to exchange for an access token and inquire about user information in the super app.
    • If the access token doesn't expire, call this API with the access token to query user information. In this scenario, this API can be used independently.
    • When the original access token expires, use the refresh token to exchange for a new access token and inquire about user information directly. In this scenario, this API can be used independently.
  • How to keep accessToken:
    • An access token should be kept in the merchant server only, which means it should not be returned to the mini program.

Structure

A message consists of a header and body. The following sections are focused on the body structure. For the header structure, see:

Request parameters

Field

Data type

Required

Description

Example

appId

String

Yes

Indicates the unique ID assigned by Mini Program Platform to identify a mini program.

  • Maximum length: 32 characters
  • Characters not allowed: special characters such as @ # ?

Note: To obtain the value of this field, log into Mini Program Platform and find Mini Program ID on the mini-program details page.

"3333010071465913xxx"

authClientId 

String 

Yes

Indicates the unique ID assigned by Mini Program Platform to identify an authorized merchant.

  • Maximum length: 128 characters
  • Characters not allowed: special characters such as @ # ?

Note: To obtain the value of this field, log into Mini Program Platform, navigate to mini-program details page, and find Client ID under the Development Configuration tab.

"202016726873874774774xxxx"

userInquiryType

String 

Yes

Indicates the way the authorized merchant inquires about user information. Valid values are:

  • AUTHORIZATION_CODE: Exchange for an access token and inquire about user information.
  • REFRESH_TOKEN: Exchange for a new access token and inquire about user information when the original one expires.
  • ACCESS_TOKEN: Inquire about user information.

"AUTHORIZATION_CODE"

customerBelongsTo

String 

Yes

Indicates the super app that a user uses. Valid values are:

  • ALIPAY_CN: Alipay CN
  • ALIPAY_HK: Alipay HK
  • ALIPAY_MO: Alipay MO
  • TNG: Touch 'n Go
  • GCASH: Gcash
  • DANA: Dana
  • KAKAOPAY: KakaoPay
  • BKASH: bKash
  • CHOPE: Chope
  • TRUEMONEY: TrueMoney

"TNG"

authCode

String

No

The authorization code is used to exchange for an access token. Mini programs can obtain an authorization code via the my.getAuthCode JSAPI and then send it to the merchant. Then the merchant is authorized to use the authorization code to exchange for an access token.

  • Maximum length: 64 characters
  • Characters not allowed: special characters such as @ # ?
  • Can be Null.

Note: This field is required when the value of userInquiryType is AUTHORIZATION_CODE.

"2810111301lGZcM9CjlF91WH00039190xxxx"

refreshToken

String 

No

The refresh token is used to exchange for a new access token when the original one expires. With the refresh token, a new access token can be obtained without further interaction with the user.

  • Maximum length: 128 characters
  • Characters not allowed: special characters such as @ # ?
  • Can be Null.

Note: This field is required when the value of userInquiryType is REFRESH_TOKEN.

"2810111301lGZcM9CjlF91WH00039190xxxx"

accessToken

String

No

The access token is used to access user information. For the specific information that can be accessed, see the my.getAuthCode JSAPI.

  • Maximum length: 128 characters
  • Characters not allowed: special characters such as @ # ?

Note: This field is required when the value of userInquiryType is ACCESS_TOKEN.

"281010033AB2F588D14B43238637264FCA5AAF35xxxx"

extendInfo

String

No

Indicates the extended information about this API.

  • Maximum length: 4096 characters
  • Characters not allowed: special characters such as @ # ?
  • Can be Null.
copy
{
    "memo": "memo"
}

Response parameters

Field

Data type

Required

Description

Example

result

Result

Yes

Indicates the request result such as status and error codes.

copy
{
  "resultCode": "SUCCESS",
  "resultStatus": "S",
  "resultMessage": "success"
}

accessToken

String

No

The access token is used to access user information. For the specific information that can be accessed, see the my.getAuthCode JSAPI.

  • Maximum length: 128 characters
  • Characters not allowed: special characters such as @ # ?
  • Can be Null.

Note: This field must be returned when the value of userInquiryType is AUTHORIZATION_CODEor REFRESH_TOKEN and the result reaches an S status.

"281010033AB2F588D14B43238637264FCA5AAF35xxxx"

accessTokenExpiryTime

Datetime

No

Indicates when an access token expires. For example, in the payment scenario, once the access token expires, the authorized merchant cannot use this token to debit the user's account.

The value follows the ISO 8601 standard format. For example, "2019-11-27T12:01:01+08:30".

Note: This field must be returned when the value of userInquiryType is AUTHORIZATION_CODEor REFRESH_TOKEN and the result reaches an S status.

"2019-06-06T12:12:12+08:00"

refreshToken

String

No

The refresh token is used to exchange for a new access token when the original one expires. With the refresh token, a new access token can be obtained without further interaction with the user.

  • Maximum length: 128 characters
  • Characters not allowed: special characters such as @ # ?
  • Can be Null.

Note: This field must be returned when the value of userInquiryType is AUTHORIZATION_CODEor REFRESH_TOKEN and the result reaches an S status.

"2810100334F62CBC577F468AAC87CFC6C9107811xxxx"

refreshTokenExpiryTime

Datetime

No

Indicates when the refresh token expires. Once the refresh token expires, the authorized merchant cannot use this token to exchange for a new access token.

The value follows the ISO 8601 standard format. For example, "2019-11-27T12:01:01+08:30".

Note: This field must be returned when the value of userInquiryType is AUTHORIZATION_CODEor REFRESH_TOKEN and the result reaches an S status.

"2019-06-08T12:12:12+08:00"

userInfo

User

No

Indicates the user information that the merchant queried.

Note:

  • The appUserId assigned by the super app is passed to the extendInfo in the userInfo to uniquely identify a user.
  • The acqUserId assigned by Alipay merchant service is passed to the extendInfo in the userInfo to uniquely identify a user.

-

extendInfo

String

No

Indicates the extended information about this API.

  • Maximum length: 4096 characters
  • Characters not allowed: special characters such as @ # ?
  • Can be Null.

-

Result process logic

In the response, the result.resultStatus field indicates the result of processing a request. The following table describes each result status:

Result status

Description 

S

The authorization and inquiry request is successful.

The corresponding result.resultCode is SUCCESS and the result.resultMessage is SUCCESS.

U

The status of the authorization and inquiry request is unknown.  

The corresponding result.resultCode is UNKNOWN_EXCEPTION and result.resultMessage is "An API calling is failed, which is caused by unknown reasons.".

For details, see the Common error codes section.

F

The authorization and inquiry request is failed.

The corresponding result.resultCode and result.resultMessage may vary based on different situations. For details, see the following Error codes section.

Error codes

Error codes are usually classified into the following categories:

  • Common error codes are common for all mini program OpenAPIs in V2.  
  • API-specific error codes are listed in the following table.

Error code

Result status

Error message

Further action

AUTH_CLIENT_UNSUPPORTED_GRANT_TYPE

F

The authorized merchant does not support this user inquiry type.

Use a valid userInquiryType such asAUTHORIZATION_CODE or REFRESH_TOKEN.

INVALID_AUTH_CLIENT

F

Either the authorized merchant does not exist or the merchant does not onboard to the native app.

Specify the authClientId request parameter properly. For more information, refer to its parameter description in the Request parameters section.

INVALID_AUTH_CLIENT_STATUS

F

The status of the authorized merchant is invalid.

Contact technical support to troubleshoot the issue.

INVALID_REFRESH_TOKEN

F

The refresh token does not exist.

Obtain a new refresh token via this API.

EXPIRED_REFRESH_TOKEN

F

The refresh token expires.

Obtain a new authorization code from the super app via the my.getAuthCode JSAPI and then obtain a new refresh token via this API.

USED_REFRESH_TOKEN

F

The refresh token has been used.

Obtain a new refresh token via this API.

INVALID_AUTHCODE

F

The authorization code does not exist.

Obtain a new authorization code from the super app via the my.getAuthCode JSAPI.

USED_AUTHCODE

F

The authorization code has been used.

Obtain a new authorization code from the super app via the my.getAuthCode JSAPI.

EXPIRED_AUTHCODE

F

The authorization code expires.

Obtain a new authorization code from the super app via the my.getAuthCode JSAPI.

EXPIRED_ACCESS_TOKEN

F

The access token is expired.

Obtain a new access token with a refresh token via this API.

INVALID_ACCESS_TOKEN

F

The access token is not valid.

Obtain a new authorization code via the my.getAuthCode JSAPI and then get a valid access token and inquire about user information with the authorization code via this API.

APP_NOT_EXIST

F

The app ID does not exist.

Specify the appId request parameter properly. For more information, refer to its parameter description in the Request parameters section.

MERCHANT_AUTH_INFO_NOT_EXIST

F

The merchant does not grant authorization to Mini Program Platform for further operations.

Contact technical support to troubleshoot the issue.

OAUTH_FAIL

F

oAuth authentication failed

Ensure that the appId parameter is correctly specified and that the App_User_Authorization feature is added to your mini program. If the issue persists, please contact our technical support for assistance.

Samples

Obtain access token and query user information

The data flow to obtain an access token and inquire about a user's information is illustrated as follows:

image

  1. The mini program calls the my.getAuthCode JSAPI to request an authorization code from the super app.
  2. The super app processes the request and shows the information that needs to be authorized.
  3. The user confirms the authorization in the super app.
  4. The super app service processes the authorization information to the super app server.
  5. The super app server verifies the authorization information and then generates the authorization code.
  6. The super app server returns the authorization code to the super app service.
  7. The super app service returns the authorization code to the mini program.
  8. The mini program sends the authorization code to the merchant server.
  9. The merchant server calls this API to exchange for an access token from the super app server and inquire about user information.
  10. The super app server verifies the authorization code and generates the access token.
  11. The super app server inquires about user information by the access token.
  12. The super app returns the access token and user information to the merchant server.

Request

  • Use an authorization code to exchange for an access token and inquire about the user's specific information
copy
{
  "appId":"3333010071465913xxx",
  "authClientId": "202016726873874774774xxxx",
  "userInquiryType": "AUTHORIZATION_CODE",
  "customerBelongsTo": "CHOPE",
  "authCode": "2810111301lGZcM9CjlF91WH00039190xxxx"
}
    • The user of CHOPE authorizes the merchant.
    • The mini program (3333010071465913xxx) calls the my.getAuthCode JSAPI to obtain the authorization code (2810111301lGZcM9CjlF91WH00039190xxxx) and then send the authorization code to the merchant (202016726873874774774xxxx). The merchant uses the authorization code to exchange for an access token and inquire about the user's specific information as the value of userInquiryType is AUTHORIZATION_CODE.
  • Use a refresh token to exchange for an access token and inquire about the user's specific information
copy
{
  "appId":"3333010071465913xxx",
  "authClientId": "202016726873874774774xxxx",
  "userInquiryType": "REFRESH_TOKEN",
  "customerBelongsTo": "CHOPE",
  "refreshToken": "2810111301lGZcM9CjlF91WH00039190xxxx"
}

The value of userInquiryType is REFRESH_TOKEN, which means the merchant can obtain an access token and inquire about the user's specific information by the refresh token (2810111301lGZcM9CjlF91WH00039190xxxx).

Response

copy
{
    "result": {
        "resultCode": "SUCCESS",
        "resultStatus": "S",
        "resultMessage": "success"
    },
    "accessToken": "281010033AB2F588D14B43238637264FCA5AAF35xxxx",
    "accessTokenExpiryTime": "2019-06-06T12:12:12+08:00",
    "refreshToken": "2810100334F62CBC577F468AAC87CFC6C9107811xxxx",
    "refreshTokenExpiryTime": "2019-06-08T12:12:12+08:00",
  "userInfo": {
    "userId": "1000001119398804xxxx",
    "status": "ACTIVE",
    "nickName": "Jack",
    "userName": {
      "fullName": "Jack Sparrow",
      "firstName": "Jack",
      "lastName": "Sparrow"
    },
    "avatar": "http://example.com/avatar.htm?avatarId=FBF16F91-28FB-47EC-B9BE-27B285C23CD3xxxx",
    "gender": "MALE",
    "birthDate": "2020-07-25",
    "nationality": "US", 
    "loginIdInfos": [
      {
        "loginId": "1116874199xxx",
        "loginIdType": "MOBILE_PHONE"
      }
     ],
    "contactInfos": [
      {
        "contactNo": "1116874199xxx",
        "contactType": "MOBILE_PHONE"
      }
    ],
    "extendInfo": "{\"appUserId\":\"200xxxx\",\"acqUserId\":\"300xxxx\"}"
  },
    "extendInfo": ""
}
  • result.resultStatus is S, which shows the request to obtain an access token and inquire about the user's specific information is successful.
  • The authorized merchant can use the access token (281010033AB2F588D14B43238637264FCA5AAF35) before accessTokenExpiryTime (2019-06-06T12:12:12+08:00).
  • 1000001119398804xxxx is the user who authorizes the merchant.
  • The authorized merchant can use the refresh token (2810100334F62CBC577F468AAC87CFC6C9107811) to exchange for a new access token and inquire about the user's specific information before refreshTokenExpiryTime (2019-06-08T12:12:12+08:0).
  • userInfo describes the user's information you get via the applyTokenAndinquiryUserInfo API. The information includes userId, status, nickName, userName, avatar, gender, birthDate, nationality, loginIdInfos, contactInfos, and extendInfo.

Query user information by access token

The data flow of inquiring about a user's information is illustrated as follows:

image

  1. The merchant server calls this API with the access token to inquire about the user's information.
  2. The super app server returns the user's information to the merchant server based on the scopes of the access token.

Request

copy
{
  "appId": "3333010071465913xxx",
  "authClientId": "202016726873874774774xxxx",
  "userInquiryType": "ACCESS_TOKEN",
  "accessToken": "281010033AB2F588D14B43238637264FCA5AAF35xxxx",
  "customerBelongsTo": "CHOPE"
}

The merchant (202016726873874774774xxxx) uses the access token (281010033AB2F588D14B43238637264FCA5AAF35xxxx) to access the user's specific information.

Response

copy
{
    "result": {
        "resultCode": "SUCCESS",
        "resultStatus": "S",
        "resultMessage": "success"
    },
  "userInfo": {
    "userId": "1000001119398804xxxx",
    "status": "ACTIVE",
    "nickName": "Jack",
    "userName": {
      "fullName": "Jack Sparrow",
      "firstName": "Jack",
      "lastName": "Sparrow"
    },
    "avatar": "http://example.com/avatar.htm?avatarId=FBF16F91-28FB-47EC-B9BE-27B285C23CD3xxxx",
    "gender": "MALE",
    "birthDate": "2020-07-25",
    "nationality": "US", 
    "loginIdInfos": [
      {
        "loginId": "1116874199xxx",
        "loginIdType": "MOBILE_PHONE"
      }
     ],
    "contactInfos": [
      {
        "contactNo": "1116874199xxx",
        "contactType": "MOBILE_PHONE"
      }
    ],
    "extendInfo": "{\"appUserId\":\"200xxxx\",\"acqUserId\":\"300xxxx\"}"
  }
}
  • result.resultStatus is S, which means the inquiry request is successful.
  • userInfo describes the user's information you get via the applyTokenAndInquiryUserInfo API. The information is based on the scopes of the access token, including userId, status, nickName, userName, avatar, gender, birthDate, nationality, loginIdInfos, contactInfos, and extendInfo.

Related links

my.getAuthCode

my.getAppIdSync

/v2/authorizations/applyToken

/v2/users/inquiryUserInfo