diff --git a/webht/third_party/trippestOrderSync/controllers/TulanduoApi.php b/webht/third_party/trippestOrderSync/controllers/TulanduoApi.php
index 96220ea5..560b3bc4 100644
--- a/webht/third_party/trippestOrderSync/controllers/TulanduoApi.php
+++ b/webht/third_party/trippestOrderSync/controllers/TulanduoApi.php
@@ -33,6 +33,10 @@ class TulanduoApi extends CI_Controller
         )
     );
 
+    // userId key
+    // 1343 2e47c3721e3ff6e816fe6b928d7acc7d
+    // 29188 95c3b0d958a79a1216e651df182b3cb4
+    // 30548 9db75a2dc17156eb122364295804b7a2
 
     // test
     // public $list_url     = "http://dj.ltsoftware.net:9901/action/api/searchRouteOrder/";
@@ -535,8 +539,12 @@ log_message('error','in GCI ' . json_decode($resp)->responseData->orderId);
         $ret['status'] = -1;
         $ret['errMsg'] = "未知错误";
         $input = $this->input->post();
-        // todo 验证userID
         $vendorID = $input['userId'];
+        $validate = $this->calc_key($vendorID, $input['key']);
+        if ($validate !== TRUE) {
+            $ret['errMsg'] = "身份验证失败.";
+            return $this->output->set_content_type('application/json')->set_output(json_encode($ret));
+        }
         // $vendorID = 29188;//29188 1343; // test
         $vas_info = $this->Orders_model->get_vendorarrangestate_byVendor($input['orderId'], $vendorID);
         if (empty($vas_info) && ! empty($input['agcOrderNo'])) {
@@ -675,4 +683,11 @@ log_message('error','in GCI ' . json_decode($resp)->responseData->orderId);
         );
     }
 
+    public function calc_key($userId, $key)
+    {
+        $default = "b825e39422a54875a95752fc7ed6f5d2";
+        $ret = md5(hash("sha256", $userId.$default));
+        return $ret===$key;
+    }
+
 }