Verifying telegram user token.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for lorrodx from gravatar.com lorrodx

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

TMA Authenticator

Python library for Telegram Mini App (TMA) and Web3 TON wallet authentication.

Features

  • 🔐 TMA Authentication: Telegram Mini App user authentication
  • 🌐 Web3 TON Authentication: TON wallet authentication via TON Connect
  • 🔑 JWT Token Generation: Secure token generation for both auth methods
  • 🔗 Unified Authentication: Single endpoint supporting TMA, Web3, and service tokens
  • 💾 Caching: Built-in caching for nonces and tokens
  • Full Test Coverage: Comprehensive test suite
  • 📚 Type Hints: Full type annotation support

Installation

pip install tma-authenticator

Or from source:

git clone https://github.com/your-repo/python-tma-authorization
cd python-tma-authorization
pip install -e .

Quick Start

TMA Authentication

from tma_authenticator.tma_authentication_router import TMAAuthenticationRouter
from tma_authenticator.tma_authenticator import TMAAuthenticator
from database.users import UsersDatabase
from config import TELEGRAM_BOT_TOKEN, IMPERSONATE_ADMIN_PASSWORD

user_database: UsersDatabase = UsersDatabase()
authenticator = TMAAuthenticator(TELEGRAM_BOT_TOKEN, IMPERSONATE_ADMIN_PASSWORD, user_database)
authentication_router = authenticator.authentication_router

Web3 TON Authentication

from fastapi import FastAPI
from aiocache import Cache
from tma_authenticator.web3_ton_router import Web3TonRouter

app = FastAPI()

# Setup cache
Cache.from_url("memory://")

# Create Web3 TON router
web3_router = Web3TonRouter(
    jwt_secret="your-super-secret-jwt-key",
    jwt_algorithm="HS256",
    jwt_expiration_minutes=60,
    nonce_ttl_seconds=300,
)

# Include router
app.include_router(web3_router)

Unified Authentication

The TMAAuthenticator supports three authentication methods that can be used independently or combined:

  1. TMA Authorization (Authorization header) - Telegram Mini App token
  2. Service Token (X-Service-Token header) - Service-to-service JWT
  3. Web3 Token (X-Web3-Token header) - Wallet-based JWT (NEW)

Web3 Token Authentication

from tma_authenticator import TMAAuthenticator

authenticator = TMAAuthenticator(
    service_name="my-app",
    bot_token="YOUR_BOT_TOKEN",
    auth_url="https://auth-service.com",
    storage_provider=storage,
    jwt_secret="your-secret-key",  # Enable Web3 support
    jwt_algorithm="HS256"
)

@app.get("/protected")
async def protected_route(user = Depends(authenticator.oauth_verify_token)):
    # Accepts any of the three token types
    return {
        "user_id": user.tg_id,
        "username": user.username,
        "wallet": user.wallet_address  # Present when Web3 token is used
    }

Usage:

# Web3 token only
curl -H "X-Web3-Token: Bearer <JWT>" https://api.example.com/protected

# TMA + Web3 (combine Telegram identity with wallet)
curl -H "Authorization: Bearer <TMA_TOKEN>" \
     -H "X-Web3-Token: Bearer <WEB3_JWT>" \
     https://api.example.com/protected

See WEB3_TOKEN_AUTHENTICATION.md for complete documentation.

Web3 TON Authentication

The library now supports TON wallet authentication following the TON Connect 2.0 specification.

Available Endpoints

  1. GET /.well-known/jwks.json - JWKS public keys endpoint
  2. GET /web3/nonce?wallet=<address> - Generate nonce for wallet
  3. POST /web3/ton/check-proof - Verify TON proof and get JWT token

Authentication Flow

1. Client requests nonce: GET /web3/nonce?wallet=0:abc...
2. Client signs proof with TON wallet using TON Connect
3. Client submits proof: POST /web3/ton/check-proof
4. Server verifies proof and returns JWT token
5. Client uses JWT token for authenticated requests

Example Usage

See WEB3_TON_AUTH.md for complete documentation and examples.

Quick example:

# Step 1: Get nonce
curl "http://localhost:8000/web3/nonce?wallet=0:0e911c7..."

# Step 2: Submit proof (after signing with wallet)
curl -X POST "http://localhost:8000/web3/ton/check-proof" \
  -H "Content-Type: application/json" \
  -d '{
    "ton_addr": {
      "address": "0:0e911c7...",
      "network": "-3",
      "publicKey": "b3e155...",
      "walletStateInit": "te6cc..."
    },
    "ton_proof": {
      "proof": {
        "domain": {"lengthBytes": 4, "value": "t.me"},
        "payload": "2025-12-22T14:55:08.825Z",
        "signature": "360QU7...",
        "timestamp": 1734876508
      }
    }
  }'

Documentation

Testing

# Run all tests
pytest

# Run Web3 TON tests only
pytest tests/test_web3_ton_router.py -v

# Run with coverage
pytest --cov=tma_authenticator

Examples

Requirements

  • Python 3.8+
  • FastAPI
  • aiocache
  • python-jose
  • pytoniq-core
  • pynacl

See requirements.txt for complete list.

License

MIT License - See LICENSE file for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for lorrodx from gravatar.com lorrodx

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

3.0.0

2.2.1

2.2.1.dev34107 pre-release

This version

2.2.0.dev33618 pre-release

2.1.0

2.1.0.dev32975 pre-release

2.1.0.dev32974 pre-release

2.0.1

2.0.1.dev32548 pre-release

2.0.1.dev32547 pre-release

2.0.1.dev32520 pre-release

2.0.1.dev32515 pre-release

2.0.1.dev32503 pre-release

2.0.1.dev32502 pre-release

2.0.1.dev32483 pre-release

2.0.0

1.3.1

1.3.0

1.3.0.dev25654 pre-release

1.3.0.dev25651 pre-release

1.3.0.dev25622 pre-release

1.3.0.dev25498 pre-release

1.3.0.dev25497 pre-release

1.3.0.dev25423 pre-release

1.2.0

1.2.0.dev23158 pre-release

1.2.0.dev23150 pre-release

1.2.0.dev23148 pre-release

1.2.0.dev0 pre-release

1.1.2

1.1.2.dev21202 pre-release

1.1.1

1.1.0

1.0.2

1.0.1

1.0.0

1.0.0.dev22665 pre-release

1.0.0.dev22593 pre-release

0.2.2

0.2.1

0.2.0

0.1.1

0.1.0

0.0.8

0.0.7

0.0.6.4

0.0.6.3

0.0.6.2

0.0.6.1

0.0.6

0.0.5.2

0.0.5.1

0.0.5.0

0.0.4.5

0.0.1

0.0.1.dev26823 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tma_authenticator-2.2.0.dev33618.tar.gz (13.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tma_authenticator-2.2.0.dev33618-py3-none-any.whl (18.1 kB view details)

Uploaded Python 3

File details

Details for the file tma_authenticator-2.2.0.dev33618.tar.gz.

File metadata

  • Download URL: tma_authenticator-2.2.0.dev33618.tar.gz
  • Upload date:
  • Size: 13.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.3.2 CPython/3.12.12 Linux/5.4.0-146-generic

File hashes

Hashes for tma_authenticator-2.2.0.dev33618.tar.gz
Algorithm Hash digest
SHA256 94bb6efa0343d4c307e46a71c83281549f46c87cb2f81dca3db58a7dc771da5f
MD5 259439aeeaf296de3599bd511130b274
BLAKE2b-256 ebaa8181be7f33270d4cfc43dc33c937f9ff7178d425c9978a6bf7bf82b6a2d5

See more details on using hashes here.

File details

Details for the file tma_authenticator-2.2.0.dev33618-py3-none-any.whl.

File metadata

File hashes

Hashes for tma_authenticator-2.2.0.dev33618-py3-none-any.whl
Algorithm Hash digest
SHA256 a1871581be26ae3337fcdc9e7ca3234bbdaf1ea1056e082fe21f69752d78b550
MD5 22e8121a0031579aab5938dacf098ae7
BLAKE2b-256 8f056450b9b7f4e86e942c72ff3181891344bcb9a9646ac86f13c70477e11f3e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page