Telegram Mini App Security Lab

Verified initData, visible user fields, no login-code capture.

The Mini App forwards Telegram initData to FastAPI, where the server verifies the official hash before showing user data or sending a bot message.

Telegram context

Missing

Server verification

Waiting

Verified User Data

These fields are trusted only after backend hash verification.

Waiting for trusted Telegram initData from the Mini App runtime.

Bot Message Test

A normal bot message will be sent to the verified Telegram user ID.

Phone Number Request

Telegram will show a native prompt; the number is sent to the bot only after user approval.

Raw initData

Masked preview for lab inspection. Full initData is sent only to your backend.

No initData available outside Telegram.

Phone number is separate from initData and requires the user to press Telegram's Share contact button.