Agent skill

auth-wechat-miniprogram

CloudBase WeChat Mini Program native authentication guide. This skill should be used when users need mini program identity handling, OPENID/UNIONID access, or `wx.cloud` auth behavior in projects where login is native and automatic.

View SKILL.md on GitHub Repository
Stars 985
Forks 124

Install this agent skill to your Project

npx add-skill https://github.com/TencentCloudBase/CloudBase-MCP/tree/main/config/.claude/skills/auth-wechat

SKILL.md

Activation Contract

Use this first when

  • The task is about WeChat Mini Program auth behavior, wx.cloud identity, OPENID / UNIONID, or how a mini program caller is identified in CloudBase.
  • The project is a CloudBase mini program and the auth question is about native mini program identity rather than provider configuration.

Read before writing code if

  • The request mentions mini program login, user identity in cloud functions, or wx.cloud auth assumptions.
  • The user expects a Web-style login page or explicit token exchange in a mini program; route them back to native mini program auth behavior.

Then also read

  • Mini program project implementation -> ../miniprogram-development/SKILL.md
  • Cloud function implementation -> ../cloud-functions/SKILL.md

Do NOT use for

  • Web-based WeChat login or Web auth UI.
  • Provider enable/disable or auth console setup.
  • Generic Node-side auth flows outside mini program identity handling.

Common mistakes / gotchas

  • Generating a Web-style login page for a wx.cloud mini program.
  • Treating mini program auth as a provider-configuration problem.
  • Forgetting that caller identity is injected in cloud functions automatically.

When to use this skill

Use this skill for WeChat Mini Program (小程序) authentication in a CloudBase project.

Use it when you need to:

  • Implement identity-aware WeChat Mini Program flows with CloudBase
  • Access user identity (openid, unionid) in cloud functions
  • Understand how WeChat authentication integrates with CloudBase
  • Build Mini Program features that require user identification

Key advantage: WeChat Mini Program authentication with CloudBase is seamless and automatic - no complex OAuth flows needed. When a Mini Program calls a cloud function, the user's openid is automatically injected and verified by WeChat.

Do NOT use for:

  • Web-based WeChat login (use the auth-web skill)
  • Server-side auth with Node SDK (use the auth-nodejs skill)
  • Non-WeChat authentication methods (use appropriate auth skills)

How to use this skill (for a coding agent)

  1. Confirm CloudBase environment

    • Ask the user for:
      • env – CloudBase environment ID
      • Confirm the Mini Program is linked to the CloudBase environment

  2. Understand the authentication flow

    • WeChat Mini Program authentication is native and automatic
    • No explicit login API calls needed in most cases
    • User identity is automatically available in cloud functions
    • CloudBase handles all authentication verification

  3. Pick a scenario from this file

    • For basic user identity in cloud functions, use Scenario 2
    • For Mini Program initialization, use Scenario 1
    • For calling a cloud function from the Mini Program and receiving user identity, use Scenario 3
    • For testing authentication, use Scenario 4

  4. Follow CloudBase API shapes exactly

    • Use wx-server-sdk in cloud functions
    • Use wx.cloud in Mini Program client code
    • Treat method names and parameter shapes in this file as canonical

  5. If you're unsure about an API

    • Consult the official CloudBase Mini Program documentation
    • Only use methods that appear in official documentation

Core concepts

How WeChat Mini Program authentication works with CloudBase

  1. Automatic authentication:

    • When a Mini Program user calls a cloud function, WeChat automatically injects the user's identity
    • No need for complex OAuth flows or token management
    • CloudBase verifies the authenticity of the identity

  2. User identifiers:

    • OPENID – Unique identifier for the user in this specific Mini Program
    • APPID – The Mini Program's App ID
    • UNIONID – (Optional) Unique identifier across all apps under the same WeChat Open Platform account
      • Only available when the Mini Program is bound to a WeChat Open Platform account
      • Useful for identifying the same user across multiple Mini Programs or Official Accounts

  3. Security:

    • The openid, appid, and unionid are verified and trustworthy
    • WeChat has already completed authentication
    • Developers can directly use these identifiers without additional verification

  4. No explicit login required:

    • Users are automatically authenticated when they use the Mini Program
    • No need to call login APIs in most cases
    • Identity is available immediately in cloud functions

Scenarios – WeChat Mini Program auth patterns

Scenario 1: Initialize CloudBase in Mini Program

Use this in your Mini Program's app.js or entry point:

js
// app.js
App({
  onLaunch: function () {
    // Initialize CloudBase
    wx.cloud.init({
      env: 'your-env-id',  // Your CloudBase environment ID
      traceUser: true      // Optional: track user access in console
    })
  }
})

Key points:

  • Call wx.cloud.init() once when the Mini Program launches
  • Set env to your CloudBase environment ID
  • traceUser: true enables user access tracking in CloudBase console (optional but recommended)

Scenario 2: Get user identity in a cloud function

Use this when you need to know who is calling your cloud function:

js
// Cloud function: cloudfunctions/getUserInfo/index.js
const cloud = require('wx-server-sdk')

// Initialize cloud with dynamic environment
cloud.init({
  env: cloud.DYNAMIC_CURRENT_ENV
})

exports.main = async (event, context) => {
  // Get user identity - this is automatically injected by WeChat
  const { OPENID, APPID, UNIONID } = cloud.getWXContext()

  console.log('User identity:', { OPENID, APPID, UNIONID })

  // Use OPENID for user-specific operations
  // For example: query user data, check permissions, etc.

  return {
    openid: OPENID,
    appid: APPID,
    unionid: UNIONID  // May be undefined if not available
  }
}

Key points:

  • Use cloud.getWXContext() to get user identity
  • OPENID is always available and uniquely identifies the user
  • APPID identifies the Mini Program
  • UNIONID is only available when:
    • The Mini Program is bound to a WeChat Open Platform account
    • The user has authorized the Mini Program
  • These values are verified and trustworthy - no need to validate them
  • Use cloud.DYNAMIC_CURRENT_ENV to automatically use the current environment

Best practices:

  • Store OPENID in your database to associate data with users
  • Use OPENID for authorization and access control
  • Use UNIONID when you need to identify users across multiple Mini Programs or Official Accounts
  • Never expose OPENID to other users (it's a private identifier)

Scenario 3: Call cloud function from Mini Program

Use this in your Mini Program to call a cloud function and get user identity:

js
// In Mini Program page
Page({
  onLoad: function() {
    this.getUserInfo()
  },

  getUserInfo: function() {
    wx.cloud.callFunction({
      name: 'getUserInfo',  // Cloud function name
      data: {},             // Optional parameters
      success: res => {
        console.log('User info from cloud function:', res.result)
        // res.result contains { openid, appid, unionid }

        // Use the user info
        this.setData({
          openid: res.result.openid
        })
      },
      fail: err => {
        console.error('Failed to get user info:', err)
      }
    })
  }
})

Key points:

  • Use wx.cloud.callFunction() to call cloud functions
  • User identity is automatically passed to the cloud function
  • No need to manually send user credentials
  • Handle both success and error cases

Scenario 4: Test authentication - Simple test function

Cloud function (cloudfunctions/test/index.js):

js
const cloud = require('wx-server-sdk')

cloud.init({
  env: cloud.DYNAMIC_CURRENT_ENV
})

exports.main = async (event, context) => {
  // Get verified user identity - automatically injected by WeChat
  const { OPENID, APPID, UNIONID } = cloud.getWXContext()

  console.log('User identity:', { OPENID, APPID, UNIONID })

  return {
    success: true,
    message: 'Authentication successful',
    identity: {
      openid: OPENID,
      appid: APPID,
      unionid: UNIONID || 'Not available'
    },
    timestamp: new Date().toISOString()
  }
}

Mini Program code:

js
// pages/index/index.js
Page({
  data: {
    userIdentity: null
  },

  onLoad: function() {
    this.testAuth()
  },

  testAuth: function() {
    console.log('Testing authentication...')

    wx.cloud.callFunction({
      name: 'test',
      success: res => {
        console.log('Authentication test result:', res.result)

        this.setData({
          userIdentity: res.result.identity
        })

        wx.showToast({
          title: 'Auth successful',
          icon: 'success'
        })
      },
      fail: err => {
        console.error('Authentication test failed:', err)
        wx.showToast({
          title: 'Auth failed',
          icon: 'error'
        })
      }
    })
  }
})

Key points:

  • No explicit login API call needed
  • User identity is automatically available in cloud function
  • OPENID is always present and verified
  • UNIONID may be undefined if not available
  • Use this pattern to verify authentication is working correctly

Best practices

1. Always use cloud.DYNAMIC_CURRENT_ENV

js
cloud.init({
  env: cloud.DYNAMIC_CURRENT_ENV
})

This ensures the cloud function uses the correct environment automatically.

2. Store OPENID for user identification

  • Use OPENID as the primary user identifier
  • Store it in your database to associate data with users
  • Never expose OPENID to other users

3. Handle UNIONID availability

js
const { OPENID, UNIONID } = cloud.getWXContext()

if (UNIONID) {
  // User has UNIONID - can be used for cross-app identification
  console.log('UNIONID available:', UNIONID)
} else {
  // UNIONID not available - use OPENID only
  console.log('Using OPENID only:', OPENID)
}

4. Use OPENID for user-specific operations

  • Use OPENID to identify and authorize users
  • Store OPENID when you need to associate data with users
  • Use OPENID in queries to ensure users only access their own data

5. Error handling

Always handle errors when calling cloud functions:

js
wx.cloud.callFunction({
  name: 'myFunction',
  success: res => {
    // Handle success
  },
  fail: err => {
    console.error('Cloud function error:', err)
    // Show user-friendly error message
    wx.showToast({
      title: 'Operation failed',
      icon: 'error'
    })
  }
})

6. Initialize CloudBase early

Initialize CloudBase in app.js onLaunch:

js
App({
  onLaunch: function () {
    wx.cloud.init({
      env: 'your-env-id',
      traceUser: true
    })
  }
})

Common patterns

Pattern 1: Get and return user identity

js
const cloud = require('wx-server-sdk')
cloud.init({ env: cloud.DYNAMIC_CURRENT_ENV })

exports.main = async (event, context) => {
  const { OPENID, APPID, UNIONID } = cloud.getWXContext()

  return {
    openid: OPENID,
    appid: APPID,
    unionid: UNIONID || null
  }
}

Pattern 2: Use OPENID for authorization

js
const cloud = require('wx-server-sdk')
cloud.init({ env: cloud.DYNAMIC_CURRENT_ENV })

exports.main = async (event, context) => {
  const { OPENID } = cloud.getWXContext()

  // Check if user is authorized
  if (OPENID === event.resourceOwnerId) {
    // User is authorized to access this resource
    return { authorized: true }
  } else {
    return { authorized: false, error: 'Unauthorized' }
  }
}

Pattern 3: Handle UNIONID availability

js
const cloud = require('wx-server-sdk')
cloud.init({ env: cloud.DYNAMIC_CURRENT_ENV })

exports.main = async (event, context) => {
  const { OPENID, UNIONID } = cloud.getWXContext()

  if (UNIONID) {
    // Can use UNIONID for cross-app user identification
    console.log('User has UNIONID:', UNIONID)
  } else {
    // Fall back to OPENID only
    console.log('Using OPENID only:', OPENID)
  }

  return { openid: OPENID, hasUnionId: !!UNIONID }
}

Summary

WeChat Mini Program authentication with CloudBase is simple and secure:

  1. No explicit login needed - authentication is automatic
  2. User identity is verified - OPENID, APPID, and UNIONID are trustworthy
  3. Easy to use - just call cloud.getWXContext() in cloud functions
  4. Secure by default - WeChat handles all authentication verification

Key takeaways:

  • Initialize CloudBase with wx.cloud.init() in Mini Program
  • Use cloud.getWXContext() to get user identity in cloud functions
  • Use OPENID for user identification and authorization
  • Handle UNIONID availability appropriately
  • No explicit login API calls needed - authentication is automatic

For more complex authentication scenarios or integration with other systems, consider using CloudBase custom login in combination with WeChat authentication.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

TencentCloudBase/CloudBase-MCP

cloudbase

Essential CloudBase (TCB, Tencent CloudBase, 云开发, 微信云开发) development guidelines. MUST read when working with CloudBase projects, developing web apps, mini programs, backend services, fullstack development, static deployment, cloud functions, mysql/nosql database, authentication, cloud storage, web search or AI(LLM streaming) using CloudBase platform. Great supabase alternative.

985 124
Explore
TencentCloudBase/CloudBase-MCP

skill-authoring

Design, improve, and evaluate reusable agent skills with high-quality SKILL.md files, precise trigger descriptions, progressive disclosure, and testable behavior. This skill should be used when users ask to create a new skill, rewrite or review an existing skill, audit a skill collection such as `config/source/skills` for redundancy or overlap, improve skill trigger quality, organize skill references, or evaluate whether a skill should trigger and behave correctly.

985 124
Explore
TencentCloudBase/CloudBase-MCP

git-workflows

Reusable git delivery workflows derived from local slash commands (commit, push, PR, release notes, and GitHub Actions failure triage with worktree-based fixes).

985 124
Explore
TencentCloudBase/CloudBase-MCP

codebase-audit

Perform a full codebase review, categorize findings by severity, file GitHub issues, then fix each issue in an isolated git worktree and submit PRs. Use this skill when the user asks to audit the codebase, do a comprehensive code review, find and fix security/quality/reliability issues, or run a proactive health check across the entire repository.

985 124
Explore
TencentCloudBase/CloudBase-MCP

manage-local-skills

Analyze, standardize, validate, and sync locally maintained skills into agent skill directories with a `skills` CLI-aligned workflow. Use this skill when Codex needs to turn ad-hoc prompt or rules folders into reusable `SKILL.md`-based skills, install or sync one or more local skills from `./skills` into Claude, Cursor, CodeBuddy, Codex, or similar agent directories, or manage local skill path mappings and symlink or copy installation behavior.

985 124
Explore
TencentCloudBase/CloudBase-MCP

planning-workflows

Spec and no-spec planning workflows derived from local slash commands (requirements, design, tasks).

985 124
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results