PHPackages smskin/laravel-tgwebapp-auth - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. smskin/laravel-tgwebapp-auth ActiveLibrary[Authentication & Authorization](/categories/authentication) smskin/laravel-tgwebapp-auth ============================ Authentication guard for Telegram web app user integration 1.0.5(1y ago)61.0k2[1 PRs](https://github.com/smskin/laravel-tgwebapp-auth/pulls)MITPHPPHP ^8.1CI passing Since Oct 23Pushed 8mo ago1 watchersCompare [ Source](https://github.com/smskin/laravel-tgwebapp-auth)[ Packagist](https://packagist.org/packages/smskin/laravel-tgwebapp-auth)[ RSS](/packages/smskin-laravel-tgwebapp-auth/feed)WikiDiscussions main Synced 1mo ago READMEChangelogDependencies (6)Versions (8)Used By (0) Telegram WebApp User Authentication Module ========================================== [](#telegram-webapp-user-authentication-module) [Telegram WebApp Documentation](https://core.telegram.org/bots/webapps) Use Case: When developing an API for a Telegram WebApp, it is necessary to verify that the user who sent the request to the API is indeed the one they claim to be (i.e., the request actually came from the Telegram WebApp). How It Works ------------ [](#how-it-works) 1. The Telegram WebApp JS script retrieves the WebAppUser object from the API and sends it in every request to the API in the request header (the header name is configurable). 2. The Guard receives the request and extracts the WebAppUser object from it. 3. The Guard verifies the data signature using the BOT\_TOKEN. 4. The Guard looks for the user in the database: 1. If the user is found, they are authenticated. 2. If the user is not found: 1. If automatic user creation is allowed, the user will be created and authenticated. 2. If automatic user creation is disabled, a 403 error is returned. Configuration ------------- [](#configuration) In the `config/auth.php` file, the `tgwebapp` guard must be registered. Example of the file content after registering the guard: ``` ... 'guards' => [ 'web' => [ 'driver' => 'session', 'provider' => 'users', ], 'tgwebapp' => [ 'driver' => 'tgwebapp', // the name of the guard 'token' => env('TELEGRAM_BOT_TOKEN'), // bot token 'autoCreation' => true, // flag allowing automatic user creation 'userDataHeaderName' => 'X-TELEGRAM-USER-DATA', // header name from which the guard retrieves the WebAppUser object 'userModel' => \App\Models\User::class, // user model class ] ], ... ``` Usage ----- [](#usage) Include the guard in the routing file `routes/web.php`. ``` ... Route::middleware('auth:tgwebapp')->group(function(){ Route::get('/me', function(){ return 'Hello!'; }); }); ... ``` A GET request to /me will go through authentication via the Telegram WebApp guard. ### Health Score 36 — LowBetter than 82% of packages Maintenance52 Moderate activity, may be stable Popularity21 Limited adoption so far Community9 Small or concentrated contributor base Maturity52 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~17 days Total 6 Last Release 477d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/92de9daad6e0c4ef7b8b4fa112373401ae79ac02d185653724ca4ac425add1b7?d=identicon)[smskin](/maintainers/smskin) --- Top Contributors [![smskin](https://avatars.githubusercontent.com/u/3227797?v=4)](https://github.com/smskin "smskin (9 commits)") --- Tags laravelAuthenticationusertelegramwebapp ### Code Quality TestsPHPUnit Static AnalysisPsalm Code StylePHP CS Fixer Type Coverage Yes ### Embed Badge ![Health badge](/badges/smskin-laravel-tgwebapp-auth/health.svg) ``` [![Health](https://phpackages.com/badges/smskin-laravel-tgwebapp-auth/health.svg)](https://phpackages.com/packages/smskin-laravel-tgwebapp-auth) ``` ### Alternatives [lab404/laravel-impersonate Laravel Impersonate is a plugin that allows to you to authenticate as your users. 2.3k16.4M48](/packages/lab404-laravel-impersonate)[pragmarx/google2fa-laravel A One Time Password Authentication package, compatible with Google Authenticator. 1.0k15.5M63](/packages/pragmarx-google2fa-laravel)[lab404/laravel-auth-checker Laravel Auth Checker allows you to log users authentication, devices authenticated from and lock intrusions. 223164.9k2](/packages/lab404-laravel-auth-checker)[hasinhayder/tyro Tyro - The ultimate Authentication, Authorization, and Role & Privilege Management solution for Laravel 12 & 13 6712.1k2](/packages/hasinhayder-tyro)[tg/tgwebvalid An easy way to validate Telegram Login Widget and Telegram Mini App users on your website using PHP 6821.7k1](/packages/tg-tgwebvalid)[sarav/laravel-multiauth A Simple Laravel Package for handling multiple authentication 5030.7k](/packages/sarav-laravel-multiauth) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)