PHPackages                             smskin/laravel-tgwebapp-auth - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. smskin/laravel-tgwebapp-auth

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

smskin/laravel-tgwebapp-auth
============================

Authentication guard for Telegram web app user integration

1.0.5(1y ago)61.0k2[1 PRs](https://github.com/smskin/laravel-tgwebapp-auth/pulls)MITPHPPHP ^8.1CI passing

Since Oct 23Pushed 10mo ago1 watchersCompare

[ Source](https://github.com/smskin/laravel-tgwebapp-auth)[ Packagist](https://packagist.org/packages/smskin/laravel-tgwebapp-auth)[ RSS](/packages/smskin-laravel-tgwebapp-auth/feed)WikiDiscussions main Synced today

READMEChangelogDependencies (6)Versions (8)Used By (0)

Telegram WebApp User Authentication Module
==========================================

[](#telegram-webapp-user-authentication-module)

[Telegram WebApp Documentation](https://core.telegram.org/bots/webapps)

Use Case: When developing an API for a Telegram WebApp, it is necessary to verify that the user who sent the request to the API is indeed the one they claim to be (i.e., the request actually came from the Telegram WebApp).

How It Works
------------

[](#how-it-works)

1. The Telegram WebApp JS script retrieves the WebAppUser object from the API and sends it in every request to the API in the request header (the header name is configurable).
2. The Guard receives the request and extracts the WebAppUser object from it.
3. The Guard verifies the data signature using the BOT\_TOKEN.
4. The Guard looks for the user in the database:
    1. If the user is found, they are authenticated.
    2. If the user is not found:
        1. If automatic user creation is allowed, the user will be created and authenticated.
        2. If automatic user creation is disabled, a 403 error is returned.

Configuration
-------------

[](#configuration)

In the `config/auth.php` file, the `tgwebapp` guard must be registered.

Example of the file content after registering the guard:

```
...
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'tgwebapp' => [
        'driver' => 'tgwebapp', // the name of the guard
        'token' => env('TELEGRAM_BOT_TOKEN'), // bot token
        'autoCreation' => true, // flag allowing automatic user creation
        'userDataHeaderName' => 'X-TELEGRAM-USER-DATA', // header name from which the guard retrieves the WebAppUser object
        'userModel' => \App\Models\User::class, // user model class
    ]
],
...

```

Usage
-----

[](#usage)

Include the guard in the routing file `routes/web.php`.

```
...
Route::middleware('auth:tgwebapp')->group(function(){
    Route::get('/me', function(){
        return 'Hello!';
    });
});
...

```

A GET request to /me will go through authentication via the Telegram WebApp guard.

###  Health Score

35

—

LowBetter than 77% of packages

Maintenance47

Moderate activity, may be stable

Popularity21

Limited adoption so far

Community9

Small or concentrated contributor base

Maturity53

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~17 days

Total

6

Last Release

531d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/3227797?v=4)[Sergey Mihaylov](/maintainers/smskin)[@smskin](https://github.com/smskin)

---

Top Contributors

[![smskin](https://avatars.githubusercontent.com/u/3227797?v=4)](https://github.com/smskin "smskin (9 commits)")

---

Tags

laravelAuthenticationusertelegramwebapp

###  Code Quality

TestsPHPUnit

Static AnalysisPsalm

Code StylePHP CS Fixer

Type Coverage Yes

### Embed Badge

![Health badge](/badges/smskin-laravel-tgwebapp-auth/health.svg)

```
[![Health](https://phpackages.com/badges/smskin-laravel-tgwebapp-auth/health.svg)](https://phpackages.com/packages/smskin-laravel-tgwebapp-auth)
```

###  Alternatives

[lab404/laravel-impersonate

Laravel Impersonate is a plugin that allows to you to authenticate as your users.

2.3k18.6M64](/packages/lab404-laravel-impersonate)[lab404/laravel-auth-checker

Laravel Auth Checker allows you to log users authentication, devices authenticated from and lock intrusions.

225167.3k2](/packages/lab404-laravel-auth-checker)[tg/tgwebvalid

An easy way to validate Telegram Login Widget and Telegram Mini App users on your website using PHP

6725.8k1](/packages/tg-tgwebvalid)[lakm/nopass

Provides passwordless authentication for your laravel projects.

2215.9k3](/packages/lakm-nopass)[maicol07/laravel-oidc-client

OpenID Connect Client for Laravel

281.3k](/packages/maicol07-laravel-oidc-client)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
