Use when implementing Telegram Login — embedding the Login Widget, handling callback or redirect auth flows, or validating login data server-side. Also use when verifying HMAC-SHA256 signatures, checking auth_date freshness, or integrating Telegram identity into an existing auth system.
| Model | Source |
|---|---|
| inherit | pack: telegram |

| Item | Value |
|---|---|
| Widget version | ?22 (current) |
| Auth method | HMAC-SHA256 — bot token as key |
| Data freshness | Reject auth_date older than 86400s (1 day) |
| Domain setup | BotFather /setdomain — exact match required |
| Docs | core.telegram.org/widgets/login |
Full Reference
┏━ 🔧 telegram-login ━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Telegram Login Widget + auth reference ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
| File | Contents |
|---|---|
| reference/widget.md | Widget embedding — callback mode, redirect mode, config attributes, user data shape |
| reference/validation.md | Server-side validation — HMAC-SHA256 algorithm, Node.js + Python examples, auth_date check, security rules |

Usage: Read the reference file matching your current task. Each file has working code examples and inline gotchas.
- NEVER trust client-side data — always validate the `hash` server-side before creating a session
- Always check `auth_date` — reject logins older than 86400 seconds
- Bot token is the signing key — never expose it client-side
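
The three rules above combined into one server-side check, as an added example (not taken from this pack's reference files). It follows Telegram's documented login scheme, in which the HMAC key is the SHA-256 digest of the bot token; the function names, the placeholder token and the sample user are constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 86400  # freshness window stated on this page


def expected_hash(fields, bot_token):
    """Hex HMAC-SHA256 over the data-check string (every field except hash)."""
    # key=value pairs, sorted by key, joined with newlines.
    check_string = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    # Telegram's documented scheme keys the HMAC with SHA-256(bot token).
    secret = hashlib.sha256(bot_token.encode()).digest()
    return hmac.new(secret, check_string.encode(), hashlib.sha256).hexdigest()


def verify_telegram_login(data, bot_token, now=None):
    """Return True only if the payload is authentic and not stale."""
    fields = {k: str(v) for k, v in data.items()}
    received = fields.pop("hash", "")
    if not received or "auth_date" not in fields:
        return False
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected_hash(fields, bot_token).encode(),
                               received.encode()):
        return False
    try:
        auth_date = int(fields["auth_date"])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    return now - auth_date <= MAX_AGE_SECONDS


if __name__ == "__main__":
    # Constructed sample: placeholder token and user, signed locally for the demo.
    token = "123456:CONSTRUCTED-PLACEHOLDER-TOKEN"
    user = {"id": 42, "first_name": "Alice", "auth_date": int(time.time())}
    user["hash"] = expected_hash({k: str(v) for k, v in user.items()}, token)
    print("valid:", verify_telegram_login(user, token))
    print("tampered:", verify_telegram_login({**user, "id": 43}, token))
```

Create the session only after `verify_telegram_login` returns True, and load the bot token from server-side configuration.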