phpbotgram

WebAppSignature
in package

Final: Yes

Ed25519-based third-party WebApp signature validation.

Port of upstream aiogram/utils/web_app_signature.py.

This variant does NOT require the bot token — it uses the Telegram Ed25519 public key to verify the signature field in the init data. Use this when you need to validate WebApp data outside the bot server (e.g., in a microservice that has no access to the bot secret).

Requires the sodium PHP extension (built-in since PHP 7.2).

Table of Contents

Constants

PRODUCTION_PUBLIC_KEY_HEX  : string = 'e7bf03a2fa4602af4580703d88dda5bb59f32ed8b02a56...
Production Ed25519 public key (hex-encoded).
TEST_PUBLIC_KEY_HEX  : string = '40055058a4ee38156a06562e52eece92a771bcd8346a8c...
Test/sandbox Ed25519 public key (hex-encoded).

Methods

check()  : bool
Verify an Ed25519 signature for WebApp init data.
safeParseInitData()  : WebAppInitData
Verify and parse WebApp init data using the Ed25519 public key in one step.
__construct()  : mixed
parseQuery()  : array<string, string>
Parse a URL-encoded query string into a string-keyed assoc array, preserving the literal key names (no `.` or space mangling). Mirrors Python's `urllib.parse.parse_qsl(strict_parsing=True)`.

Constants

PRODUCTION_PUBLIC_KEY_HEX

Production Ed25519 public key (hex-encoded).

public string PRODUCTION_PUBLIC_KEY_HEX = 'e7bf03a2fa4602af4580703d88dda5bb59f32ed8b02a56c187fe7d34caed242d'

TEST_PUBLIC_KEY_HEX

Test/sandbox Ed25519 public key (hex-encoded).

public string TEST_PUBLIC_KEY_HEX = '40055058a4ee38156a06562e52eece92a771bcd8346a8c4615cb7376eddf72ec'

Methods

check()

Verify an Ed25519 signature for WebApp init data.

public static check(int $botId, string $initData[, null|string $publicKeyHex = null ]) : bool

The signature field in the init data is a URL-safe base64-encoded Ed25519 signature over:

"{$botId}:WebAppData\n" + sorted key=value pairs (newline-separated)

Parameters
$botId : int

the numeric bot ID (extracted from the token)

$initData : string

the raw WebApp init data query string

$publicKeyHex : null|string = null

hex-encoded Ed25519 public key; defaults to the production key

Return values
bool

true if the signature is valid, false otherwise
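
The verification that check() documents can be sketched with the sodium functions directly. This is an added example, not phpbotgram's or aiogram's code: the `example_*` function names and the sample init data are constructed, a throwaway keypair stands in for Telegram's key, and it assumes, per Telegram's third-party validation rules, that the `signature` and `hash` fields are left out of the signed message.

```php
<?php
declare(strict_types=1);
// Added example; example_* names are hypothetical. parse_str() is avoided because it rewrites '.' and ' ' in keys.
function example_parse_query(string $input): ?array
{
    $out = [];
    foreach (explode('&', $input) as $pair) {
        $parts = explode('=', $pair, 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            return null; // strict: every field must be key=value
        }
        $out[urldecode($parts[0])] = urldecode($parts[1]);
    }
    return $out;
}

function example_check(int $botId, string $initData, string $publicKeyHex): bool
{
    $fields = example_parse_query($initData);
    if ($fields === null || !isset($fields['signature'])) {
        return false;
    }
    $sigB64 = rtrim($fields['signature'], '=');
    // Assumption: signature and hash are not part of the signed message.
    unset($fields['signature'], $fields['hash']);
    ksort($fields, SORT_STRING);
    $lines = [];
    foreach ($fields as $k => $v) {
        $lines[] = "{$k}={$v}";
    }
    $message = "{$botId}:WebAppData\n" . implode("\n", $lines);
    try {
        $sig = sodium_base642bin($sigB64, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        return strlen($sig) === SODIUM_CRYPTO_SIGN_BYTES
            && sodium_crypto_sign_verify_detached($sig, $message, sodium_hex2bin($publicKeyHex));
    } catch (SodiumException $e) {
        return false; // malformed base64/hex or wrong key length
    }
}

// Constructed sample: a throwaway keypair stands in for Telegram's key.
$kp = sodium_crypto_sign_keypair();
$msg = "42:WebAppData\nauth_date=1700000000\nquery_id=AAE\nuser={\"id\":7}";
$raw = sodium_crypto_sign_detached($msg, sodium_crypto_sign_secretkey($kp));
$sig = sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
$init = 'user=' . rawurlencode('{"id":7}') . "&query_id=AAE&auth_date=1700000000&hash=00&signature={$sig}";
$pk = sodium_bin2hex(sodium_crypto_sign_publickey($kp));
// Cases in order: genuine data, wrong bot ID, one field altered after signing.
var_dump(example_check(42, $init, $pk), example_check(43, $init, $pk),
    example_check(42, str_replace('AAE', 'AAF', $init), $pk));
```

Against real init data the third argument would be PRODUCTION_PUBLIC_KEY_HEX or TEST_PUBLIC_KEY_HEX rather than a generated key.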

safeParseInitData()

Verify and parse WebApp init data using the Ed25519 public key in one step.

public static safeParseInitData(int $botId, string $initData[, null|string $publicKeyHex = null ]) : WebAppInitData

Calls self::check() first and throws if the signature is invalid, then delegates to WebApp::parseInitData().

Port of upstream safe_check_webapp_init_data_from_signature in aiogram/utils/web_app_signature.py.

Parameters
$botId : int

the numeric bot ID (extracted from the token)

$initData : string

the raw WebApp init data query string

$publicKeyHex : null|string = null

hex-encoded Ed25519 public key; defaults to the production key

Tags
throws
InvalidArgumentException

if the signature is invalid

JsonException

if any nested JSON field is malformed

Return values
WebAppInitData

parseQuery()

Parse a URL-encoded query string into a string-keyed assoc array, preserving the literal key names (no `.` or space mangling). Mirrors Python's `urllib.parse.parse_qsl(strict_parsing=True)`.

private static parseQuery(string $input) : array<string, string>
Parameters
$input : string
Return values
array<string, string>