I’m trying to confirm the Telegram Bot login hash in my C# app. I’ve sorted the URL params, joined them with newlines, and used SHA256 for the bot token. But my calculated hash doesn’t match the one from Telegram.
Here’s what I’m unsure about:
- Should I decode the photo_url before hashing?
- Do I need to make the whole string lowercase?
My code removes the hash param, sorts the rest, and joins them. Then it hashes the bot token and uses HMACSHA256 to create a new hash. But it’s not working right.
Here’s a simplified version of what I’m doing:
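```csharp
// Data-check string: "key=value" lines joined with '\n' (hash param already removed, rest sorted)
var dataString = string.Join("\n", sortedParams.Select(p => $"{p.Key}={p.Value}"));
// HMAC key: SHA-256 digest of the bot token
var secretKey = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(botToken));
var calculatedHash = new HMACSHA256(secretKey).ComputeHash(Encoding.UTF8.GetBytes(dataString));
```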
Any ideas on what I’m doing wrong? Thanks for any help!
I encountered a similar issue when implementing Telegram Bot authentication. The key is to use the raw bot token directly, not a hashed version. Also, ensure you’re not modifying the case of any parameters - Telegram’s authentication is case-sensitive.
For the photo_url, use it exactly as received without any decoding. Double-check that you’re including all parameters except the ‘hash’ in your sorting and concatenation process.
If you’re still having trouble, try logging the intermediate steps (sorted params, concatenated string) to compare with Telegram’s expected format. This helped me pinpoint where my implementation diverged from the spec.
hey jess, i ran into this too. make sure you’re using the raw bot token, not the hashed version. also, don’t lowercase anything - telegram is case-sensitive. for the photo_url, use it as-is without decoding. hope this helps! let me know if you still have trouble
I’ve dealt with this exact problem in my own projects. One thing that tripped me up was the order of operations. Make sure you’re creating the HMAC instance with the raw bot token first, then applying it to your sorted and concatenated parameter string.
Here’s a snippet that worked for me:
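```csharp
// HMAC keyed with the raw bot token bytes, as this answer describes
var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(botToken));
var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(dataString));
// Lowercase hex string for comparison with the received hash
var hashString = BitConverter.ToString(hash).Replace("-", "").ToLower();
```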
Also, double-check that you’re including the correct parameters. Some, like ‘auth_date’, are easy to overlook but crucial for the hash to match.
Lastly, if you’re testing with example data from Telegram’s docs, remember those might be outdated. Always verify with fresh data from an actual login attempt.
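Added example (not code from any post in this thread): a C# check that follows the scheme in the question, keying HMAC-SHA256 with the SHA-256 digest of the bot token as Telegram's Login Widget documentation specifies, and adds a constant-time comparison and an `auth_date` freshness check. The class and parameter names are hypothetical, and it assumes .NET 6 or later for the static `HashData` helpers.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class TelegramLoginCheck   // hypothetical name, not a Telegram API
{
    // `fields` holds every parameter from the login callback, including "hash".
    // Assumption: values are the parsed (URL-decoded) query-string values,
    // with their case left untouched.
    public static bool IsValid(IReadOnlyDictionary<string, string> fields,
                               string botToken, TimeSpan maxAge, DateTimeOffset now)
    {
        if (!fields.TryGetValue("hash", out var receivedHex) ||
            !fields.TryGetValue("auth_date", out var authDateText) ||
            !long.TryParse(authDateText, out var authDate))
            return false;

        // Data-check string: all fields except "hash", sorted by key with an
        // ordinal (culture-independent) comparer, joined with '\n', no trailing newline.
        var dataString = string.Join("\n", fields
            .Where(p => p.Key != "hash")
            .OrderBy(p => p.Key, StringComparer.Ordinal)
            .Select(p => $"{p.Key}={p.Value}"));

        // The HMAC key is the raw 32-byte SHA-256 digest of the bot token,
        // not its hex encoding.
        byte[] secretKey = SHA256.HashData(Encoding.UTF8.GetBytes(botToken));
        byte[] expected = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataString));

        byte[] received;
        try { received = Convert.FromHexString(receivedHex); }
        catch (FormatException) { return false; }

        // Constant-time comparison: does not leak how many leading bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(expected, received))
            return false;

        // auth_date is covered by the HMAC, so it can be trusted at this point.
        // Reject stale logins so a captured callback URL cannot be replayed later;
        // one minute of clock skew is tolerated.
        var age = now - DateTimeOffset.FromUnixTimeSeconds(authDate);
        return age >= -TimeSpan.FromMinutes(1) && age <= maxAge;
    }
}
```

When the computed value does not match, logging `dataString` (never the bot token or `secretKey`) shows whether the mismatch comes from ordering, encoding or a missing field.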