Telegram Mini AppsInit Data
In the list of launch parameters, initialization data is located in the tgWebAppData parameter. It is a set of data mostly related to a specific user who launched the Mini App.
A striking feature of init data is the fact that it can be used as an authentication or authorization factor. For this reason, do not forget about the security of the application and init data specifically.
TIP
This section provides detailed information about an essential aspect of Telegram Mini Apps, which relates to application security for developers. We recommend utilizing well-established and tested packages:
- For browser: @tma.js/init-data
- For Node: @tma.js/init-data-node
- For GoLang: init-data-golang
Retrieving
To extract init data, it is required to firstly get the launch parameters, then extract parameter with name tgWebAppData and pass it to the URLSearchParams constructor:
// Get launch parameters.
const params = new URLSearchParams(window.location.hash.slice(1));
const initDataRaw = params.get('tgWebAppData'); // user=...&query_id=...&...
const initData = new URLSearchParams(initDataRaw);
// ['user', '{"id":279058397,"first_name":"Vladislav", ... }']
// ['chat_instance', '8428209589180549439']
// ['chat_type', 'sender']
// ['auth_date', '1698272211']
// ['hash', 'ddc15fc7419ae9cb9a597b98efee42ea0']// Get launch parameters.
const params = new URLSearchParams(window.location.hash.slice(1));
const initDataRaw = params.get('tgWebAppData'); // user=...&query_id=...&...
const initData = new URLSearchParams(initDataRaw);
// ['user', '{"id":279058397,"first_name":"Vladislav", ... }']
// ['chat_instance', '8428209589180549439']
// ['chat_type', 'sender']
// ['auth_date', '1698272211']
// ['hash', 'ddc15fc7419ae9cb9a597b98efee42ea0']Authorization and Authentication
A special feature of initialization data is the ability to be used as a factor for authorization or authentication. The fact is that the data generated by the native Telegram application is signed with the secret key of the Telegram bot, after which the generated signature is placed next to the parameters themselves.
Thus, knowing the secret key of the Telegram bot, the developer has the opportunity to verify the signature of the parameters and make sure that they were indeed issued to the specified user.
Also, the signature verification operation is fast enough and does not require large server resources. More information about the data signature and verification algorithm can be found in this documentation.
Sending to Server
In order to authorize the user on the server, the developer needs to transmit the initialization data that was specified when launching the Mini App. To make life easier for yourself, the developer can transmit them at each request to the server, after which the signature verification is carried out on the server side.
Here comes the example with the usage of such package as axios:
import axios from 'axios';
const initData = new URLSearchParams(window.location.hash.slice(1))
.get('tgWebAppData');
if (initData === null) {
throw new Error('Ooof! Something is wrong. Init data is missing');
}
// Create axios instance.
const http = axios.create({
headers: {
// Append authorization header.
Authorization: `tma ${initData}`,
}
});import axios from 'axios';
const initData = new URLSearchParams(window.location.hash.slice(1))
.get('tgWebAppData');
if (initData === null) {
throw new Error('Ooof! Something is wrong. Init data is missing');
}
// Create axios instance.
const http = axios.create({
headers: {
// Append authorization header.
Authorization: `tma ${initData}`,
}
});In turn, the following actions must be performed on the server side:
- Get the value of the
Authorizationheader; - Check that the first part of it is equal to
tma; - Get initialization data and verify its signature.
If this algorithm is successful, the server part of the application can trust the transmitted initialization data.
TIP
In real-world applications, it is recommended to use additional mechanisms for verifying initialization data. For example, add their expiration date. This check can be implemented using the auth_date parameter, which is responsible for the date when the parameters were created. This solution will allow in case of theft of initialization data to prevent their constant use by an attacker.
Parameters List
This section provides a complete list of parameters used in initialization data.
| Parameter | Type | Description |
|---|---|---|
| auth_date | number | The date the initialization data was created. Is a number representing a Unix timestamp. |
| can_send_after | number | Optional. The number of seconds after which a message can be sent via the method answerWebAppQuery. |
| chat | Chat | Optional. An object containing information about the chat with the bot in which the Mini Apps was launched. It is returned only for Mini Apps opened through the attachments menu. |
| chat_type | string | Optional. The type of chat from which the Mini Apps was opened. Values:
|
| chat_instance | string | Optional. A global identifier indicating the chat from which the Mini Apps was opened. Returned only for applications opened by direct link. |
| hash | string | Initialization data signature. |
| query_id | string | Optional. The unique session ID of the Mini App. Used in the process of sending a message via the method answerWebAppQuery. |
| receiver | User | Optional. An object containing data about the chat partner of the current user in the chat where the bot was launched via the attachment menu. Returned only for private chats and only for Mini Apps launched via the attachment menu. |
| start_param | string | Optional. The value of the startattach or startapp query parameter specified in the link. It is returned only for Mini Apps opened through the attachment menu. |
| user | User | Optional. An object containing information about the current user. |
Other Types
Chat
Describes the chat information.
| Property | Type | Description |
|---|---|---|
| id | number | Unique chat ID. |
| type | string | Chat type. Values:
|
| title | string | Chat title. |
| photo_url | string | Optional. Chat photo link. The photo can have .jpeg and .svg formats. It is returned only for Mini Apps opened through the attachments menu. |
| username | string | Optional. Chat user login. |
User
Describes information about a user or bot.
| Property | Type | Description |
|---|---|---|
| added_to_attachment_menu | boolean | Optional. True, if this user added the bot to the attachment menu. |
| allows_write_to_pm | boolean | Optional. True, if this user allowed the bot to message them. |
| is_premium | boolean | Optional. Has the user purchased Telegram Premium. |
| first_name | string | Bot or user name. |
| id | number | Bot or user ID. |
| is_bot | boolean | Optional. Is the user a bot. |
| last_name | string | Optional. User's last name. |
| language_code | string | Optional. IETF user's language. |
| photo_url | string | Optional. Link to the user's or bot's photo. Photos can have formats .jpeg and .svg. It is returned only for Mini Apps opened through the attachment menu. |
| username | string | Optional. Login of the bot or user. |