Telegram
Telegram integration within the Zapf ecosystem provides two primary functions:
- Identity Verification: Linking a Telegram account to a Nostr pubkey via the Identity Authority (IA).
- In-App Tipping: Sending and receiving tips directly within Telegram via the Zap Telegram Bot.
Protocol Implementation
Verification Flow (Bot-Session)
Identity Authorities verify Telegram ownership using a bot-session challenge. The user runs the IA bot command in a public Telegram group, which posts a challenge token. The user submits the message link to confirm they control the account.
- Bot command: User runs the IA bot command in a public group.
- Challenge: The bot posts a
zapf:-prefixed challenge token on their behalf. - Submission: User submits the public message link to the IA.
- Verification: The IA fetches the message URL via the Telegram API and confirms the challenge token and message author match the session.
- User identifier: Stable numeric Telegram User ID (
user_id). - Resolved fields:
username, display name, profile photo.
Evidence Sharing Support
Telegram supports Evidence Sharing. Because verification is backed by a publicly accessible Telegram message URL, any IA can independently re-verify by fetching that URL and confirming the challenge token is present — without the user needing to re-authenticate. See Evidence Sharing.
Zap Telegram Bot
The Zap Telegram Bot acts as a ZSP Proxy Agent. It represents Telegram users on the Nostr network by signing Kind 5523 (Proxy Agent Zap Request) events on their behalf.
Supported Commands
| Command | Description |
|---|---|
/zap @user <amount> | Initiates a zap to another Telegram user. |
/wallet | Displays the user's deterministic Lightning Address and claim link. |
/help | Provides information about the Zap protocol and the bot. |
Technical Architecture
The bot is implemented using the gopkg.in/telebot.v3 library and follows the standard Provider interface within the zapf-bot project. It utilizes the same agent-namespaced BoltDB storage as the Discord provider to track pending zaps and observe NIP-57 receipts.
Security Considerations
- Bot Verification: Verification is tied to a specific Telegram Bot created via
@BotFather. The bot must be a member of the group where challenges are posted. - ConnectionKeys: Telegram ConnectionKeys are generated using the stable
sub(User ID) provided by Telegram, ensuring that handle changes do not break identity links.