When you call contacts.resolveUsername, the result always contains both id and access_hash. It creates confusion for API users, as to why you are able to resolve a user/chat/channel only by their username or by their (id, access_hash) pair (e.g. here and here).
I tried searching the Telegram API homepage for info, but found no info about the meaning of access_hash.
I really am confused as to why you would need something more than id (or username). I'd like to know the nature of this access_hash:
- Does it change over time?
- Does it mean anything at all?
- Is it safe to store in the database and be certain that it's constant?
- Does it differ from account to account (e.g. I called contacts.resolveUsername from account #1 and then from #2, do I get the same number?)?
I know libs like pyrogram, telethon store this access_hash inside their local sqlite databases. This way they make it possible to call high level functions which require both id and access_hash using only id.
The access_hash values commonly appear in Telegram's API when access to something should be "restricted" in some way. You can find access_hash for users, channels, or even media objects.
I'll be using Telethon for the examples below, but the same applies to any library interacting with Telegram's API.
Does it change over time? Probably not. To the best of my knowledge, the access_hash does not change over time. I have not heard of any reports from users claiming that the access_hash has changed.
It is impossible to know for sure, as that would require access to the code the Telegram servers are using for this (and they could change their implementation at any time), but I've been working with Telegram for a very long time, and I can confidently say it likely never changes.
Does it mean anything at all? Not by itself. It's just a random-looking number. However, it is proof that you have access to a particular object, whether that's a user, channel, or media.
If the access_hash didn't exist, you could try guessing random IDs, which would for example make it possible to enumerate every user registered to Telegram!:
Thankfully, the above code won't work, because in order to fetch user information, the access_hash needs to be known. But since it's random, and different for each account, it's pretty much impossible to guess. Thus, the access_hash keeps your account safe (as long as there's no way to "reach" it by other means, e.g. via a message forwarded from you, or your participation in public groups).
Is it safe to store in the database and be certain that it's constant? Yes. Telethon v1 for example stores the access_hash inside its .session file, which lets you use just the id to refer to users and channels, as long as the library has "seen" (and cached) their access_hash before.
If you've saved an access_hash before, you can reuse it later on your own:
Does it differ from account to account? Yes. The access_hash is unique to each account. For example, if Account_A fetches Channel_X, it may have id=123, access_hash=456. But if Account_B fetches the same Channel_X, it may have id=123, access_hash=789.
This means you cannot fetch an access_hash in Account_A and then try using it in Account_B, as it won't work (stickers seem to have been an exception at some point).
Every account will see the same ID for the same thing (messages appear to be an exception, but in reality they follow the same rules; they're duplicated for each account unless they occur inside a channel, so the "same" message can appear to have a different ID.)
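A toy model of the behaviour this answer describes, as an added example that is not part of the original answer and not Telegram's or Telethon's code. The HMAC derivation, SERVER_SECRET, USERS and every function name are assumptions made for illustration, since Telegram's real derivation is not public. It shows why an id alone is rejected, why a hash issued to one account fails for another, and why a client-side cache has to be keyed per account.

```python
import hashlib
import hmac
import secrets
import sqlite3

SERVER_SECRET = secrets.token_bytes(32)  # constructed: stands in for server-side state
USERS = {1001: "alice", 1002: "bob"}     # constructed sample objects


def issue_access_hash(account_id: int, object_id: int) -> int:
    """Toy derivation (assumption): keyed hash over (account, object)."""
    msg = f"{account_id}:{object_id}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big", signed=True)  # signed 64-bit value


def resolve_username(account_id: int, username: str):
    """Legitimate path: knowing the username yields (id, access_hash)."""
    for uid, name in USERS.items():
        if name == username:
            return uid, issue_access_hash(account_id, uid)
    raise LookupError(username)


def get_user(account_id: int, object_id: int, access_hash: int) -> str:
    """Server check: the hash must match this account and this object."""
    expected = issue_access_hash(account_id, object_id)
    if object_id not in USERS or not hmac.compare_digest(
        expected.to_bytes(8, "big", signed=True),
        access_hash.to_bytes(8, "big", signed=True),
    ):
        raise PermissionError("invalid id/access_hash pair")
    return USERS[object_id]


class PeerCache:
    """Client-side store, keyed by account because hashes are per account."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE peers (account INTEGER, id INTEGER, "
                        "access_hash INTEGER, PRIMARY KEY (account, id))")

    def save(self, account_id, object_id, access_hash):
        self.db.execute("INSERT OR REPLACE INTO peers VALUES (?, ?, ?)",
                        (account_id, object_id, access_hash))

    def lookup(self, account_id, object_id):
        row = self.db.execute("SELECT access_hash FROM peers WHERE account=? "
                              "AND id=?", (account_id, object_id)).fetchone()
        return row[0] if row else None
```
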