How the Bondify Authentication Flow Works End to End
Understand the full Bondify auth flow from session creation to server-side proof verification, including polling, webhooks, and error handling.
Bondify’s authentication flow replaces passwords and SMS codes with a single tap inside Telegram. When a user wants to sign in, your app creates a session, opens Telegram via a deeplink, and waits while Bondify’s bot asks the user to confirm. Once the user taps ✅ Confirm, your app receives a cryptographically signed proof that you verify server-side before creating a user session. The entire exchange typically completes in under 10 seconds.
In your app — whether a web page, mobile screen, or any other surface — the user taps your “Sign in with Telegram” button. This triggers a call to generate a new Bondify session. If you are using an SDK, the SDK handles the next two steps automatically.
2
Your app creates a session
Call POST /api/v1/generate/public with your project_id:
Store the session_token — you will need it for polling and proof verification.
3
Telegram opens
Your app opens the deeplink in Telegram (the SDK does this automatically). Bondify’s bot sends the user a confirmation message showing your project name and the data it is requesting (profile info, phone number, etc.).
4
User confirms or cancels
Inside Telegram, the user taps either ✅ Confirm to approve the login or ❌ Cancel to decline. No passwords, no SMS — just one tap.
5
Your app polls for the result
While Telegram is open, your app polls POST /api/v1/verify/public every 2 seconds, passing the session_token:
Stop polling as soon as you receive any terminal status: confirmed, cancelled, expired, or used.
6
Your server verifies the proof
Send the proof string to your backend and call verifyProof() from @bondify/server:
import { verifyProof } from '@bondify/server';// In your POST /api/session handler:const user = await verifyProof(proof, process.env.BONDIFY_SECRET_KEY);// user.id, user.telegramId, user.name are now safe to trust
verifyProof() validates the HMAC-SHA256 signature against your project’s secret key. If the proof is invalid or tampered with, it throws — reject the request with a 401.
7
Create your app session
Once verifyProof() returns successfully, you have a verified Telegram identity. Create a cookie, JWT, or database session as you normally would:
// Next.js Server Action example'use server';import { verifyProof } from '@bondify/server';import { cookies } from 'next/headers';export async function createSession(proof: string) { const user = await verifyProof(proof, process.env.BONDIFY_SECRET_KEY!); (await cookies()).set('session', await issueJWT(user));}
Instead of polling, you can configure a Webhook URL on your project to receive real-time push events from Bondify. When the user confirms or cancels in Telegram, Bondify immediately sends a POST request to your endpoint.
Every webhook request includes an X-Bondify-Signature header. Always verify this signature before processing the event:
import crypto from 'crypto';// Use the raw request body string — not re-serialised JSONconst sig = req.headers['x-bondify-signature'] as string;const expected = crypto .createHmac('sha256', process.env.BONDIFY_SECRET_KEY!) .update(rawBody) // rawBody = req.body.toString() before JSON parsing .digest('hex');if (!crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) { return res.status(401).end();}
For full webhook setup instructions, see Webhooks.
When status === 'used', someone already consumed this proof. Generate a new session and do not proceed with the current one:
if (result.status === 'used') { stopPolling(); // Start over — generate a new session const newSession = await generateSession(projectId);}
Never trust telegram_id or telegram_name values passed directly from the client without verifying the proof server-side first. Client-supplied values can be fabricated. Only values returned by a successful verifyProof() call are trustworthy.
