Launch Parameters

Start Parameter

The start parameter is a custom string parameter passed to a Mini App from an external environment. Its value is stored in the WebAppStartParam launch parameter.

The Direct Link contains the startapp query parameter.

https://mini-app-me-host/botusername/appname?startapp=ABC

Init Data

In the list of launch parameters, initialization data is located in the WebAppData parameter. It is a set of data mostly related to a specific user who launched the Mini App.

A notable feature of init data is that it can be used as an authentication or authorization factor. For this reason, pay attention to the security of the application and of init data in particular.

window.OpenWeb3.WebApp.initData()

Authorization and Authentication

Initialization data can be used as a factor for authorization or authentication because the data generated by the native application is signed with the secret key of the IM bot, and the resulting signature is placed alongside the parameters themselves.

Thus, knowing the secret key of the IM bot, the developer can verify the signature of the parameters and make sure that they were indeed issued to the specified user.

Signature verification is also fast and does not require significant server resources.

Sending to Server

To authorize the user on the server, the developer needs to transmit the initialization data that was specified when launching the Mini App. For simplicity, the developer can transmit it with each request to the server, after which the signature is verified on the server side.

Validating

Init data validation is one of the most important parts of communication between client and server. Its validity guarantees that init data can be trusted and used in subsequent code execution.

Since init data is presented as a list of query parameters, the developer should follow these steps to validate it:

1. Iterate over all key-value pairs and create an array of string values in the format {key}={value}. The key hash should be excluded, but remembered. It represents the init data signature and will be used in the final step of the validation process.
2. Sort the computed array in alphabetical order.
3. Create an HMAC-SHA256 using the key WebAppData and apply it to the IM Bot token that is bound to your Mini App.
4. Create an HMAC-SHA256 using the result of the 3rd step as a key. Apply it to the pairs array received in the 2nd step, joined with a linebreak (\n), and present the result as a sequence of hex symbols.
5. Compare the hash value received in the 1st step with the result of the 4th step.

If these values are equal, the passed init data can be trusted.
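The five steps above as a server-side check. This is an added example, not OpenWeb3's own code. It assumes values are URL-decoded before being joined, and it adds a freshness check on auth_date through a hypothetical max_age parameter. The make_sample helper and the token are constructed for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode


def _sign(pairs, bot_token):
    """Steps 2-4: sort the pairs, derive the key from the bot token, HMAC the joined pairs."""
    data_check = "\n".join(sorted(f"{k}={v}" for k, v in pairs))
    secret = hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()
    return hmac.new(secret, data_check.encode(), hashlib.sha256).hexdigest()


def validate_init_data(init_data, bot_token, max_age=3600, now=None):
    """Return the verified fields as a dict, or None if init data must be rejected."""
    try:
        pairs = parse_qsl(init_data, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return None
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)) or "hash" not in keys:
        return None  # duplicate keys are ambiguous; a missing hash means unsigned data
    fields = dict(pairs)
    received = fields.pop("hash")  # step 1: exclude hash but remember it
    expected = _sign(fields.items(), bot_token)
    # Step 5: constant-time comparison, so timing does not reveal how much matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    # Assumption (not a step on this page): reject old init data to limit replay.
    try:
        age = (time.time() if now is None else now) - int(fields["auth_date"])
    except (KeyError, ValueError):
        return None
    return fields if age <= max_age else None


def make_sample(bot_token, fields):
    """Build constructed, signed init data for the demo (stands in for the platform)."""
    return urlencode({**fields, "hash": _sign(fields.items(), bot_token)})


if __name__ == "__main__":
    token = "123456:CONSTRUCTED-TOKEN"  # constructed value, not a real bot token
    user = '{"id":1,"first_name":"Ann"}'
    sample = make_sample(token, {"auth_date": str(int(time.time())), "user": user})
    print(validate_init_data(sample, token))                         # verified fields
    print(validate_init_data(sample.replace("Ann", "Eve"), token))   # tampered: None
```

Use only the fields returned by the validator for authorization decisions, never values parsed separately from the raw request.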

Parameters List

| Parameter | Type | Description |
| --- | --- | --- |
| auth_date | Number | The date the initialization data was created. Is a number representing a Unix timestamp. |
| hash | String | Initialization data signature. |
| start_param | String | Optional. The value of the startattach or startapp query parameter specified in the link. It is returned only for Mini Apps opened through the attachment menu. |
| user | WebAppUser | Optional. An object containing data about the current user. |

WebAppUser

| Parameter | Type | Description |
| --- | --- | --- |
| id | number | A unique identifier for the user or bot or OpenWeb3 Id. |
| is_bot | Boolean | Optional. True, if this user is a bot. Returns in the receiver field only. |
| first_name | String | First name of the user or bot. |
| last_name | String | Optional. Last name of the user or bot. |
| username | String | Optional. Username of the user or bot. |
| language_code | String | Optional. IETF language tag of the user's language. Returns in user field only. |
| photo_url | String | Optional. URL of the user’s profile photo. The photo can be in .jpeg or .svg formats. Only returned for Mini Apps launched from the attachment menu. |