Verifying telegram user token.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for lorrodx from gravatar.com lorrodx

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

TMA Authenticator

Python library for Telegram Mini App (TMA) and Web3 TON wallet authentication.

Features

  • 🔐 TMA Authentication: Telegram Mini App user authentication
  • 🌐 Web3 TON Authentication: TON wallet authentication via TON Connect
  • 🔑 JWT Token Generation: Secure token generation for both auth methods
  • 🔗 Unified Authentication: Single endpoint supporting TMA, Web3, and service tokens
  • 💾 Caching: Built-in caching for nonces and tokens
  • Full Test Coverage: Comprehensive test suite
  • 📚 Type Hints: Full type annotation support

Installation

pip install tma-authenticator

Or from source:

git clone https://github.com/your-repo/python-tma-authorization
cd python-tma-authorization
pip install -e .

Quick Start

TMA Authentication

from tma_authenticator.tma_authentication_router import TMAAuthenticationRouter
from tma_authenticator.tma_authenticator import TMAAuthenticator
from database.users import UsersDatabase
from config import TELEGRAM_BOT_TOKEN, IMPERSONATE_ADMIN_PASSWORD

user_database: UsersDatabase = UsersDatabase()
authenticator = TMAAuthenticator(TELEGRAM_BOT_TOKEN, IMPERSONATE_ADMIN_PASSWORD, user_database)
authentication_router = authenticator.authentication_router

Web3 TON Authentication

from fastapi import FastAPI
from aiocache import Cache
from tma_authenticator.web3_ton_router import Web3TonRouter

app = FastAPI()

# Setup cache
Cache.from_url("memory://")

# Create Web3 TON router
web3_router = Web3TonRouter(
    jwt_secret="your-super-secret-jwt-key",
    jwt_algorithm="HS256",
    jwt_expiration_minutes=60,
    nonce_ttl_seconds=300,
)

# Include router
app.include_router(web3_router)

Unified Authentication

The TMAAuthenticator supports three authentication methods that can be used independently or combined:

  1. TMA Authorization (Authorization header) - Telegram Mini App token
  2. Service Token (X-Service-Token header) - Service-to-service JWT
  3. Web3 Token (X-Web3-Token header) - Wallet-based JWT (NEW)

Web3 Token Authentication

from tma_authenticator import TMAAuthenticator

authenticator = TMAAuthenticator(
    service_name="my-app",
    bot_token="YOUR_BOT_TOKEN",
    auth_url="https://auth-service.com",
    storage_provider=storage,
    jwt_secret="your-secret-key",  # Enable Web3 support
    jwt_algorithm="HS256"
)

@app.get("/protected")
async def protected_route(user = Depends(authenticator.oauth_verify_token)):
    # Accepts any of the three token types
    return {
        "user_id": user.tg_id,
        "username": user.username,
        "wallet": user.wallet_address  # Present when Web3 token is used
    }

Usage:

# Web3 token only
curl -H "X-Web3-Token: Bearer <JWT>" https://api.example.com/protected

# TMA + Web3 (combine Telegram identity with wallet)
curl -H "Authorization: Bearer <TMA_TOKEN>" \
     -H "X-Web3-Token: Bearer <WEB3_JWT>" \
     https://api.example.com/protected

See WEB3_TOKEN_AUTHENTICATION.md for complete documentation.

Web3 TON Authentication

The library now supports TON wallet authentication following the TON Connect 2.0 specification.

Available Endpoints

  1. GET /.well-known/jwks.json - JWKS public keys endpoint
  2. GET /web3/nonce?wallet=<address> - Generate nonce for wallet
  3. POST /web3/ton/check-proof - Verify TON proof and get JWT token

Authentication Flow

1. Client requests nonce: GET /web3/nonce?wallet=0:abc...
2. Client signs proof with TON wallet using TON Connect
3. Client submits proof: POST /web3/ton/check-proof
4. Server verifies proof and returns JWT token
5. Client uses JWT token for authenticated requests

Example Usage

See WEB3_TON_AUTH.md for complete documentation and examples.

Quick example:

# Step 1: Get nonce
curl "http://localhost:8000/web3/nonce?wallet=0:0e911c7..."

# Step 2: Submit proof (after signing with wallet)
curl -X POST "http://localhost:8000/web3/ton/check-proof" \
  -H "Content-Type: application/json" \
  -d '{
    "ton_addr": {
      "address": "0:0e911c7...",
      "network": "-3",
      "publicKey": "b3e155...",
      "walletStateInit": "te6cc..."
    },
    "ton_proof": {
      "proof": {
        "domain": {"lengthBytes": 4, "value": "t.me"},
        "payload": "2025-12-22T14:55:08.825Z",
        "signature": "360QU7...",
        "timestamp": 1734876508
      }
    }
  }'

Documentation

Testing

# Run all tests
pytest

# Run Web3 TON tests only
pytest tests/test_web3_ton_router.py -v

# Run with coverage
pytest --cov=tma_authenticator

Examples

Requirements

  • Python 3.8+
  • FastAPI
  • aiocache
  • python-jose
  • pytoniq-core
  • pynacl

See requirements.txt for complete list.

License

MIT License - See LICENSE file for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for lorrodx from gravatar.com lorrodx

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

3.0.0

2.2.1

2.2.1.dev34107 pre-release

2.2.0.dev33618 pre-release

2.1.0

2.1.0.dev32975 pre-release

2.1.0.dev32974 pre-release

2.0.1

2.0.1.dev32548 pre-release

2.0.1.dev32547 pre-release

2.0.1.dev32520 pre-release

This version

2.0.1.dev32515 pre-release

2.0.1.dev32503 pre-release

2.0.1.dev32502 pre-release

2.0.1.dev32483 pre-release

2.0.0

1.3.1

1.3.0

1.3.0.dev25654 pre-release

1.3.0.dev25651 pre-release

1.3.0.dev25622 pre-release

1.3.0.dev25498 pre-release

1.3.0.dev25497 pre-release

1.3.0.dev25423 pre-release

1.2.0

1.2.0.dev23158 pre-release

1.2.0.dev23150 pre-release

1.2.0.dev23148 pre-release

1.2.0.dev0 pre-release

1.1.2

1.1.2.dev21202 pre-release

1.1.1

1.1.0

1.0.2

1.0.1

1.0.0

1.0.0.dev22665 pre-release

1.0.0.dev22593 pre-release

0.2.2

0.2.1

0.2.0

0.1.1

0.1.0

0.0.8

0.0.7

0.0.6.4

0.0.6.3

0.0.6.2

0.0.6.1

0.0.6

0.0.5.2

0.0.5.1

0.0.5.0

0.0.4.5

0.0.1

0.0.1.dev26823 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tma_authenticator-2.0.1.dev32515.tar.gz (15.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tma_authenticator-2.0.1.dev32515-py3-none-any.whl (17.4 kB view details)

Uploaded Python 3

File details

Details for the file tma_authenticator-2.0.1.dev32515.tar.gz.

File metadata

  • Download URL: tma_authenticator-2.0.1.dev32515.tar.gz
  • Upload date:
  • Size: 15.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.2.1 CPython/3.12.12 Linux/5.4.0-146-generic

File hashes

Hashes for tma_authenticator-2.0.1.dev32515.tar.gz
Algorithm Hash digest
SHA256 f5c7c164d4ac933ff505cd3a18fbae5f3a78c4476274128e9f63ef7ac320f4db
MD5 76e39b6bd2b8406d96becfe0294c739d
BLAKE2b-256 d59fcdc96bdd9dea1b38a53731548064c19a03aa5e24a5245d64c78d5bc5599d

See more details on using hashes here.

File details

Details for the file tma_authenticator-2.0.1.dev32515-py3-none-any.whl.

File metadata

File hashes

Hashes for tma_authenticator-2.0.1.dev32515-py3-none-any.whl
Algorithm Hash digest
SHA256 65b7b05e9f5bf25de490b796920073c46f8c288a6be192febada75eff12f2063
MD5 00a4c642f3f82716bc350a11153aec8e
BLAKE2b-256 da488e247998b1925bd67b2de8161a69f89f9a94b12fbbda6cc50a0accdbfd82

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page