Telegram Mini App Security Lab
Verified initData, visible user fields, no login-code capture.
The Mini App forwards Telegram initData to FastAPI, where the server verifies the official hash before showing user data or sending a bot message.
Telegram context
MissingServer verification
WaitingVerified User Data
These fields are trusted only after backend hash verification.
Waiting for trusted Telegram initData from the Mini App runtime.
Bot Message Test
A normal bot message will be sent to the verified Telegram user ID.
Phone Number Request
Telegram will show a native prompt; the number is sent to the bot only after user approval.
Raw initData
Masked preview for lab inspection. Full initData is sent only to your backend.
No initData available outside Telegram.
Phone number is separate from initData and requires the user to press Telegram's Share contact button.