AuthWidget
in package
Telegram Login Widget signature validation.
Port of upstream aiogram/utils/auth_widget.py.
When a user authenticates via the Telegram Login Widget, Telegram passes
a set of fields (including a hash) to your callback URL. These helpers
let you verify that the data was signed by the correct bot.
Algorithm (per Telegram docs):
- Compute `secret = SHA-256(bot_token)` — note: raw bytes, NOT hex.
- Sort the data fields alphabetically (excluding `hash`).
- Build check string as "key=value" pairs joined by newlines.
- Compute `HMAC-SHA256(secret, check_string)`.
- Compare hex digest with the received `hash` using constant-time comparison.
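The five steps above as one stand-alone function, added here as an example and not this package's or aiogram's code. `verifyWidgetData()`, `$maxAge`, the placeholder token and the sample fields are assumptions, as is the `auth_date` age check, which the algorithm above does not include.

```php
<?php
declare(strict_types=1);

// Added illustration; verifyWidgetData() and $maxAge are hypothetical names.
function verifyWidgetData(string $botToken, array $data, int $maxAge, int $now): bool
{
    $received = $data['hash'] ?? null;
    if (!is_string($received)) {
        return false;                       // missing or array-valued hash
    }
    unset($data['hash']);

    // Step 1: the HMAC key is the raw 32-byte digest (third argument true).
    $secret = hash('sha256', $botToken, true);

    // Steps 2-3: sort by field name, join "key=value" lines with "\n".
    ksort($data, SORT_STRING);
    $lines = [];
    foreach ($data as $key => $value) {
        if (!is_scalar($value)) {
            return false;                   // e.g. id[]=1 in the query string
        }
        $lines[] = $key . '=' . $value;
    }

    // Steps 4-5: hex HMAC-SHA256, compared in constant time.
    $expected = hash_hmac('sha256', implode("\n", $lines), $secret);
    if (!hash_equals($expected, $received)) {
        return false;
    }

    // Assumption beyond the five steps: reject old auth_date values,
    // because a captured, correctly signed payload otherwise stays valid.
    $authDate = (int) ($data['auth_date'] ?? 0);
    return $authDate > 0 && ($now - $authDate) <= $maxAge;
}

// Constructed sample: placeholder token and made-up profile fields.
$token  = '123456:CONSTRUCTED-PLACEHOLDER-TOKEN';
$fields = ['id' => 42, 'first_name' => 'Alice', 'auth_date' => 1700000000];
$check  = "auth_date=1700000000\nfirst_name=Alice\nid=42"; // check string for $fields
$fields['hash'] = hash_hmac('sha256', $check, hash('sha256', $token, true));

var_dump(verifyWidgetData($token, $fields, 86400, 1700000100));                // untouched, recent
var_dump(verifyWidgetData($token, ['id' => 43] + $fields, 86400, 1700000100)); // id altered
var_dump(verifyWidgetData($token, $fields, 86400, 1700100000));                // older than $maxAge
```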
Table of Contents
Methods
- checkIntegrity() : bool
- Verify Login Widget data integrity when the `hash` is inside the data array.
- checkSignature() : bool
- Verify a Telegram Login Widget hash.
- __construct() : mixed
Methods
checkIntegrity()
Verify Login Widget data integrity when the `hash` is inside the data array.
public static checkIntegrity(string $token, array<string, int|string> $data) : bool
Extracts hash from $data, removes it, then delegates to
self::checkSignature().
Parameters
- $token : string
  the bot token
- $data : array<string, int|string>
  the full widget data including `hash`
Return values
bool — true if the hash is valid, false otherwise
checkSignature()
Verify a Telegram Login Widget hash.
public static checkSignature(string $token, string $hash, array<string, int|string> $data) : bool
Parameters
- $token : string
  the bot token
- $hash : string
  the hex-encoded HMAC-SHA256 hash received from Telegram
- $data : array<string, int|string>
  the remaining widget data fields (without `hash`)
Return values
bool — true if the hash is valid, false otherwise
__construct()
private __construct() : mixed