Skip to main content

Telegram

Telegram integration within the Zapf ecosystem provides two primary functions:

  1. Identity Verification: Linking a Telegram account to a Nostr pubkey via the Identity Authority (IA).
  2. In-App Tipping: Sending and receiving tips directly within Telegram via the Zap Telegram Bot.

Protocol Implementation

Verification Flow (Bot-Session)

Identity Authorities verify Telegram ownership using a bot-session challenge. The user runs the IA bot command in a public Telegram group, which posts a challenge token. The user submits the message link to confirm they control the account.

  1. Bot command: User runs the IA bot command in a public group.
  2. Challenge: The bot posts a zapf:-prefixed challenge token on their behalf.
  3. Submission: User submits the public message link to the IA.
  4. Verification: The IA fetches the message URL via the Telegram API and confirms the challenge token and message author match the session.
  • User identifier: Stable numeric Telegram User ID (user_id).
  • Resolved fields: username, display name, profile photo.

Evidence Sharing Support

Telegram supports Evidence Sharing. Because verification is backed by a publicly accessible Telegram message URL, any IA can independently re-verify by fetching that URL and confirming the challenge token is present — without the user needing to re-authenticate. See Evidence Sharing.

Zap Telegram Bot

The Zap Telegram Bot acts as a ZSP Proxy Agent. It represents Telegram users on the Nostr network by signing Kind 5523 (Proxy Agent Zap Request) events on their behalf.

Supported Commands

CommandDescription
/zap @user <amount>Initiates a zap to another Telegram user.
/walletDisplays the user's deterministic Lightning Address and claim link.
/helpProvides information about the Zap protocol and the bot.

Technical Architecture

The bot is implemented using the gopkg.in/telebot.v3 library and follows the standard Provider interface within the zapf-bot project. It utilizes the same agent-namespaced BoltDB storage as the Discord provider to track pending zaps and observe NIP-57 receipts.

Security Considerations

  • Bot Verification: Verification is tied to a specific Telegram Bot created via @BotFather. The bot must be a member of the group where challenges are posted.
  • ConnectionKeys: Telegram ConnectionKeys are generated using the stable sub (User ID) provided by Telegram, ensuring that handle changes do not break identity links.