mini apps
connect telegram mini apps to a yaebal bot through web app buttons, backend validation, and bot api callbacks.
open a mini app
inline keyboards can open a web app url inside telegram. use https in production.
await ctx.reply("open the app", {
reply_markup: new InlineKeyboard().webApp("open", "https://app.example.com"),
});send from your backend
a mini app usually talks to your web backend. after validating the request, that backend can use the bot api to message the user or update bot-side state.
// backend endpoint called by your mini app
export async function handleMiniAppAction(userId: number, action: string) {
await bot.api.call("sendMessage", {
chat_id: userId,
text: "action received: " + action,
});
}web app data messages
if the mini app sends data back through telegram, it arrives as a message service field.
bot.on("message", async (ctx) => {
const data = ctx.message?.web_app_data;
if (!data) return;
await ctx.reply("mini app sent: " + data.data);
});security checklist
- validate telegram init data on your backend before trusting user identity.
- do not put bot tokens in the mini app frontend.
- treat
web_app_data.dataas untrusted input. - use short-lived server-side state for checkout or privileged actions.
- log only safe user ids and action names, not full init data strings.