Last active September 19, 2024
Telegram Bot 6.0 Validating data received via the Web App node implementation
const TELEGRAM_BOT_TOKEN = '110201543:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw';
export const verifyTelegramWebAppData = async (telegramInitData: string): boolean => {
// The data is a query string, which is composed of a series of field-value pairs.
const encoded = decodeURIComponent(telegramInitData);
// HMAC-SHA-256 signature of the bot's token with the constant string WebAppData used as a key.
const secret = crypto
.createHmac('sha256', 'WebAppData')
// Data-check-string is a chain of all received fields'.
const arr = encoded.split('&');
const hashIndex = arr.findIndex(str => str.startsWith('hash='));
const hash = arr.splice(hashIndex)[0].split('=')[1];
// sorted alphabetically
arr.sort((a, b) => a.localeCompare(b));
// in the format key=<value> with a line feed character ('\n', 0x0A) used as separator
// e.g., 'auth_date=<auth_date>\nquery_id=<query_id>\nuser=<user>
const dataCheckString = arr.join('\n');
// The hexadecimal representation of the HMAC-SHA-256 signature of the data-check-string with the secret key
const _hash = crypto
.createHmac('sha256', secret.digest())
// if hash are equal the data may be used on your server.
// Complex data types are represented as JSON-serialized objects.
return _hash === hash;
Here a Node implementation for Telegram Bot 6.0 Web App init data validation

TopYar commented May 1, 2022

Example with crypto-js:

const CryptoJS = require("crypto-js")

export const verifyTelegramWebAppData = async (telegramInitData: string): Promise<boolean> => {
  const initData = new URLSearchParams(telegramInitData);
  const hash = initData.get("hash");
  let dataToCheck: string[] = [];
  initData.forEach((val, key) => key !== "hash" && dataToCheck.push(`${key}=${val}`));
  const secret = CryptoJS.HmacSHA256(TELEGRAM_BOT_TOKEN, "WebAppData");
  const _hash = CryptoJS.HmacSHA256(dataToCheck.join("\n"), secret).toString(CryptoJS.enc.Hex);
  return _hash === hash;

I added here package with golang implementation for verifying method, feel free to test or use

polRk commented May 19, 2022

welljs commented Feb 21, 2023

Example suggested by @TopYar wrapped in middleware for Nestjs/Fastify with nodejs native crypto


declare module 'http' {
  interface IncomingHttpHeaders {
    'tg-init-data'?: string


import {Injectable, Logger, NestMiddleware, UnauthorizedException} from '@nestjs/common';
import {FastifyRequest, FastifyReply} from 'fastify';
import * as crypto from 'crypto';

const {
  env: {
} = process;

export class CheckInitDataMiddleware implements NestMiddleware {
  private readonly logger: Logger = new Logger(;

  use(req: FastifyRequest['raw'], res: FastifyReply['raw'], next: () => void) {
    this.logger.log(`Checking webapp init data`);

    const {headers: {['tg-init-data']: tgInitData}} = req;
    const initData = new URLSearchParams(tgInitData);
    const hashFromClient = initData.get('hash');
    const dataToCheck: string[] = [];

    initData.forEach((v, k) => k !== 'hash' && dataToCheck.push(`${k}=${v}`));

    const secret = crypto
      .createHmac('sha256', 'WebAppData')

    const signature = crypto
      .createHmac('sha256', secret.digest())

    const referenceHash = signature.digest('hex');

    if (hashFromClient === referenceHash) {
      return next();
    throw new UnauthorizedException('Invalid init data');

0snilcy commented Mar 10, 2023

raskyer commented Apr 10, 2023

Note that it seems to doesn't work when the user in telegram has a special character in its firstname or lastname.
Try it on your own :

  • In telegram add '&' in your firstname or lastname
  • try to connect on your webapp (with this auth mechanism)

You'll see that the hash generated by this method is different from the one generated by telegram

motsgar commented May 21, 2023

Fixed the problem with '&' not working correctly:

const verifyInitData = (telegramInitData: string): boolean => {
    const urlParams = new URLSearchParams(telegramInitData);

    const hash = urlParams.get('hash');

    let dataCheckString = '';
    for (const [key, value] of urlParams.entries()) {
        dataCheckString += `${key}=${value}\n`;
    dataCheckString = dataCheckString.slice(0, -1);

    const secret = crypto.createHmac('sha256', 'WebAppData').update(process.env.API_TOKEN ?? '');
    const calculatedHash = crypto.createHmac('sha256', secret.digest()).update(dataCheckString).digest('hex');

    return calculatedHash === hash;

GemsGame commented May 7, 2024

Fixed the problem with '&' not working correctly:

const verifyInitData = (telegramInitData: string): boolean => {
    const urlParams = new URLSearchParams(telegramInitData);

    const hash = urlParams.get('hash');

    let dataCheckString = '';
    for (const [key, value] of urlParams.entries()) {
        dataCheckString += `${key}=${value}\n`;
    dataCheckString = dataCheckString.slice(0, -1);

    const secret = crypto.createHmac('sha256', 'WebAppData').update(process.env.API_TOKEN ?? '');
    const calculatedHash = crypto.createHmac('sha256', secret.digest()).update(dataCheckString).digest('hex');

    return calculatedHash === hash;

thanks. it's works

brzhex commented May 13, 2024

Here's a variant for initDataUnsafe, which will create the right string for validation from the object and check the hash

const verifyDataIntegrity = (initDataUnsafe, hash) => {
        const dataCheckString = Object.entries(initDataUnsafe).sort().map(([k, v]) => {
            if (typeof v === "object" && v !== null) {
                v = JSON.stringify(v);
            return `${k}=${v}`;

        const secret = crypto.createHmac("sha256", "WebAppData").update(process.env.API_TOKEN ?? "");
        const calculatedHash = crypto.createHmac("sha256", secret.digest()).update(dataCheckString).digest("hex");
        return calculatedHash === hash;

Example of use

const { hash, } = window.Telegram.WebApp.initDataUnsafe;
console.log(verifyDataIntegrity(rest, hash));

aka-nez commented Jun 11, 2024

Here is an example with ruby

def validate(init_data)
      parsed_data = CGI.parse(init_data)

      # Extract the hash from the parsed data
      return false unless parsed_data['hash']
      received_hash = parsed_data.delete('hash').first

      # Create the data_check_string
      data_check_string = do |key|

      # Compute the secret_key
      secret_key = OpenSSL::HMAC.digest(
        bot_token # your bot token

      # Compute the HMAC-SHA-256 of the data_check_string with the secret key
      check_hash = OpenSSL::HMAC.hexdigest(

      # Compare the computed hash with the received hash
      check_hash == received_hash

NestJS people

import { Injectable, NestMiddleware } from '@nestjs/common';
import { Request, Response, NextFunction } from 'express';
import crypto from 'crypto';
import TelegramBot from 'node-telegram-bot-api';

function verifyInitData(telegramInitData: string, botToken: string): { isVerified: boolean, urlParams: URLSearchParams } {
  const urlParams: URLSearchParams = new URLSearchParams(telegramInitData);

  const hash = urlParams.get('hash');

  let dataCheckString = '';
  for (const [key, value] of urlParams.entries()) {
    dataCheckString += `${key}=${value}\n`;
  dataCheckString = dataCheckString.slice(0, -1);

  const secret = crypto.createHmac('sha256', 'WebAppData').update(botToken);
  const calculatedHash = crypto.createHmac('sha256', secret.digest()).update(dataCheckString).digest('hex');

  const isVerified = calculatedHash === hash;

  return { isVerified, urlParams };

export class ValidateTelegramDataMiddleware implements NestMiddleware {
  use(req: Request & { user: any }, res: Response, next: NextFunction) {
    const telegramInitData = ((req.headers.initdata ?? req.query.initData ?? req.query.initdata) as string);
    const botToken = process.env.TELEGRAM_TOKEN;

    if (!telegramInitData || !botToken) {
      return res.status(400).send('Invalid request');

    const { urlParams, isVerified } = verifyInitData(telegramInitData, botToken);

    if (!isVerified) {
      return res.status(403).send('Unauthorized request');

    const user: TelegramBot.User = typeof urlParams.get('user') === 'string' ? JSON.parse(urlParams.get('user')) : urlParams.get('user');

    req.user = user;


S0mbre commented Jul 8, 2024

Python impl here ))

import hmac

BOT_TOKEN = 'my-bot-token'

def hmac_256(key: str | bytes, value: str | bytes, as_hex: bool = False) -> str | bytes:
    """Makes HMAX digest of key, value as bytes or a hex string"""
    if isinstance(key, str):
        key = key.encode()
    if isinstance(value, str):
        value = value.encode()
    if as_hex: return, value, 'sha256').hexdigest()
    return hmac.digest(key, value, 'sha256')

def hmac_validate(digest1: str | bytes, digest2: str | bytes) -> bool:
    """Validates a pair of HMAC hashes - must use this instead of simple == for security reasons!"""
    if type(digest1) != type(digest2): return False
    return hmac.compare_digest(digest1, digest2)

def validate_web_app(initdata: str) -> bool:
    # see
    their_hash = None
    vals = sorted(initdata.split('&'))
    for val in vals:
        if val.startswith('hash='):
            their_hash = val.split('=')[1].strip() or None
    if not their_hash: return False
    initdata = '\n'.join(vals)
    secret_key = hmac_256('WebAppData', BOT_TOKEN)
    my_hash = hmac_256(secret_key, initdata, True)
    return hmac_validate(my_hash, their_hash)

AMAT0RY commented Jul 29, 2024

TheBlackHacker commented Aug 12, 2024

Python implementation
For anyone who have tried @S0mbre's solution - but NOT WORK

import hmac
import hashlib
from urllib.parse import parse_qs


def verify_telegram_web_app_data(telegram_init_data):
    # Get hash_value from the query string
    init_data = parse_qs(telegram_init_data)
    hash_value = init_data.get('hash', [None])[0]
    data_to_check = []

    # Sort key-value pair by alphabet
    sorted_items = sorted((key, val[0]) for key, val in init_data.items() if key != 'hash')
    data_to_check = [f"{key}={value}" for key, value in sorted_items]

    # HMAC Caculation
    secret ="WebAppData", TELEGRAM_BOT_TOKEN.encode(), hashlib.sha256).digest()
    _hash =, "\n".join(data_to_check).encode(), hashlib.sha256).hexdigest()
    return _hash == hash_value

nimaxin commented Aug 15, 2024

You can use the init-data-py library for Python.
Install init-data-py library:

pip install init-data-py

This library allows you to validate, parse, create, and sign Telegram Mini App data. below is an example of how to validate the data:

from init_data_py import InitData

bot_token = "" # Bot token from which the mini app is launched
query_string = "" # window.Telrgram.WebApp.initData

init_data = InitData.parse(query_string)

init_data.validate(bot_token, lifetime=60)

