I’m working with Telegram bots that can launch web applications through inline keyboards. When users click these buttons, Telegram automatically opens the website in a webview and adds authentication parameters to the URL.
Sample URL with auth data:
https://EXAMPLE_SITE.com/auth?
userId=USER_ID
&webAppVer=7.2
&botLink=https://t.me/EXAMPLE_bot
&webAppData=session_id=SESSION_123
&userInfo={
"id":123,
"first_name":"John",
"last_name":"Doe",
"username":"johndoe",
"language_code":"en",
"allows_write_to_pm":true
}
×tamp=1713881657
&signature=AUTH_SIGNATURE
&webAppVer=7.2
&platform=web
&themeData={"background":"#ffffff", "text_color":"#000000"}
The bot only stores the base URL https://EXAMPLE_SITE.com/auth but Telegram adds all the authentication details automatically when the button is pressed.
My question: Is there a way to generate these URL parameters programmatically?
What I’ve attempted:
- Found documentation about URL authorization in Telegram API
- Tried using
RequestUrlAuth and AcceptUrlAuth methods from wtelegramclient library but getting null responses
var userInfo = await telegramClient.Contacts_ResolveUsername("testBotName");
var messages = await telegramClient.Messages_GetHistory(new InputPeerUser(userInfo.User.ID, userInfo.User.access_hash), limit: 1);
var authRequest = await telegramClient.Messages_RequestUrlAuth(url: "https://example.com");
var authAccept = await telegramClient.Messages_AcceptUrlAuth(new InputPeerUser(userInfo.User.ID, userInfo.User.access_hash), msg_id: messages.Messages[0].ID, url: "https://example.com");
Any guidance on the correct approach would be helpful.
yeah, telegram generates those auth params with their private keys so u can’t forge them. that’s why your RequestUrlAuth calls return null - ur using the wrong api methods for webapp auth. webapp buttons work totally differently from url auth buttons. they have a separate authentication flow that needs user interaction to trigger.
Those authentication parameters are generated server-side by Telegram when users click web app buttons - you can’t create them through the Bot API. They contain cryptographic signatures that only Telegram’s infrastructure can generate. RequestUrlAuth and AcceptUrlAuth won’t work here since they’re for URL button auth, not web app auth. Web apps have their own flow where Telegram automatically handles parameter generation. If you want to launch web apps programmatically with auth, create inline keyboard buttons with web_app type instead of trying to build the URLs manually. Your bot sends the keyboard with web app buttons, user clicks, and Telegram injects all the auth parameters automatically. For testing, I’d suggest implementing the validation logic on your web app first using Telegram’s Web Apps docs, then work backwards to figure out the parameter structure.
Those parameters aren’t something you generate manually - Telegram’s servers create them with cryptographic signatures when the web app starts up. What you’re trying to do breaks Telegram’s security model since those signatures verify user data and stop tampering. I’ve built Telegram web apps before, and here’s how it actually works: your bot creates inline keyboards with WebAppInfo objects, users click the buttons, and Telegram handles authentication automatically. The initData parameter has HMAC-SHA256 signatures that only Telegram can make using your bot’s secret key. If you need programmatic user data access, try the answerWebAppQuery method or set up proper webhook handling for web app data. The whole authentication flow requires user interaction for security reasons, so you can’t really bypass it (and shouldn’t try).