Telegram Bot API 6.0 announces a revolution in the development of chatbots using WebApp feature.

You can read more details on it in the official blog and documentation.

aiogram implements simple utils to remove headache with the data validation from Telegram WebApp on the backend side.


For example from frontend you will pass application/x-www-form-urlencoded POST request with _auth field in body and wants to return User info inside response as application/json

from aiogram.utils.web_app import safe_parse_webapp_init_data
from aiohttp.web_request import Request
from aiohttp.web_response import json_response

async def check_data_handler(request: Request):
    bot: Bot = request.app["bot"]

    data = await request.post()  # application/x-www-form-urlencoded
        data = safe_parse_webapp_init_data(token=bot.token, init_data=data["_auth"])
    except ValueError:
        return json_response({"ok": False, "err": "Unauthorized"}, status=401)
    return json_response({"ok": True, "data": data.user.dict()})


aiogram.utils.web_app.check_webapp_signature(token: str, init_data: str) bool[source]#

Check incoming WebApp init data signature

Source: https://core.telegram.org/bots/webapps#validating-data-received-via-the-web-app

  • token – bot Token

  • init_data – data from frontend to be validated


aiogram.utils.web_app.parse_webapp_init_data(init_data: str, *, loads: ~typing.Callable[[...], ~typing.Any] = <function loads>) WebAppInitData[source]#

Parse WebApp init data and return it as WebAppInitData object

This method doesn’t make any security check, so you shall not trust to this data, use safe_parse_webapp_init_data instead.

  • init_data – data from frontend to be parsed

  • loads


aiogram.utils.web_app.safe_parse_webapp_init_data(token: str, init_data: str, *, loads: ~typing.Callable[[...], ~typing.Any] = <function loads>) WebAppInitData[source]#

Validate raw WebApp init data and return it as WebAppInitData object

Raise ValueError when data is invalid

  • token – bot token

  • init_data – data from frontend to be parsed and validated

  • loads



class aiogram.utils.web_app.WebAppInitData(*, query_id: Optional[str] = None, user: Optional[WebAppUser] = None, receiver: Optional[WebAppUser] = None, start_param: Optional[str] = None, auth_date: datetime, hash: str, **extra_data: Any)[source]#

This object contains data that is transferred to the Web App when it is opened. It is empty if the Web App was launched from a keyboard button.

Source: https://core.telegram.org/bots/webapps#webappinitdata

query_id: Optional[str]#

A unique identifier for the Web App session, required for sending messages via the answerWebAppQuery method.

user: Optional[WebAppUser]#

An object containing data about the current user.

receiver: Optional[WebAppUser]#

An object containing data about the chat partner of the current user in the chat where the bot was launched via the attachment menu. Returned only for Web Apps launched via the attachment menu.

start_param: Optional[str]#

The value of the startattach parameter, passed via link. Only returned for Web Apps when launched from the attachment menu via link. The value of the start_param parameter will also be passed in the GET-parameter tgWebAppStartParam, so the Web App can load the correct interface right away.

auth_date: datetime#

Unix time when the form was opened.

hash: str#

A hash of all passed parameters, which the bot server can use to check their validity.

class aiogram.utils.web_app.WebAppUser(*, id: int, is_bot: Optional[bool] = None, first_name: str, last_name: Optional[str] = None, username: Optional[str] = None, language_code: Optional[str] = None, photo_url: Optional[str] = None, **extra_data: Any)[source]#

This object contains the data of the Web App user.

Source: https://core.telegram.org/bots/webapps#webappuser

id: int#

A unique identifier for the user or bot. This number may have more than 32 significant bits and some programming languages may have difficulty/silent defects in interpreting it. It has at most 52 significant bits, so a 64-bit integer or a double-precision float type is safe for storing this identifier.

is_bot: Optional[bool]#

True, if this user is a bot. Returns in the receiver field only.

first_name: str#

First name of the user or bot.

last_name: Optional[str]#

Last name of the user or bot.

username: Optional[str]#

Username of the user or bot.

language_code: Optional[str]#

IETF language tag of the user’s language. Returns in user field only.

photo_url: Optional[str]#

URL of the user’s profile photo. The photo can be in .jpeg or .svg formats. Only returned for Web Apps launched from the attachment menu.