{"id":315078,"date":"2026-06-01T11:09:49","date_gmt":"2026-06-01T11:09:49","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/telegram-auth\/"},"modified":"2026-06-02T09:13:36","modified_gmt":"2026-06-02T09:13:36","slug":"sign-in-with-telegram","status":"publish","type":"plugin","link":"https:\/\/ky.wordpress.org\/plugins\/sign-in-with-telegram\/","author":5279457,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"0.1.5","stable_tag":"0.1.5","tested":"7.0","requires":"6.8","requires_php":"8.1","requires_plugins":null,"header_name":"Sign in with Telegram","header_author":"Automattic","header_description":"Let your visitors sign in to WordPress with their Telegram account.","assets_banners_color":"f2f9fa","last_updated":"2026-06-02 09:13:36","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/Automattic\/sign-in-with-telegram","header_author_uri":"https:\/\/automattic.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":67,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"0.1.4":{"tag":"0.1.4","author":"jetpackisbestpack","date":"2026-06-01 11:09:10"},"0.1.5":{"tag":"0.1.5","author":"jetpackisbestpack","date":"2026-06-02 
09:13:36"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3556628,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3556628,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3556628,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3556628,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1.4","0.1.5"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3556628,"resolution":"1","location":"assets","locale":"","width":1280,"height":1100},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3556628,"resolution":"2","location":"assets","locale":"","width":1280,"height":1100},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3556628,"resolution":"3","location":"assets","locale":"","width":1008,"height":1212},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3556628,"resolution":"4","location":"assets","locale":"","width":1280,"height":900},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3556628,"resolution":"5","location":"assets","locale":"","width":1280,"height":820}},"screenshots":{"1":"Configure bot credentials, sign-up policy, email handling, and optional permissions.","2":"Instructions show the Redirect URI and Trusted Origin for @BotFather.","3":"The WordPress login form gains a Sign in with Telegram button.","4":"User profiles can connect or disconnect Telegram.","5":"The Users list can show Telegram-verified phone 
numbers."}},"plugin_section":[],"plugin_tags":[710,602,162353,5921,9171],"plugin_category":[38],"plugin_contributors":[77494,215384,132142],"plugin_business_model":[],"class_list":["post-315078","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-login","plugin_tags-oidc","plugin_tags-sign-in","plugin_tags-telegram","plugin_category-authentication","plugin_contributors-automattic","plugin_contributors-gmjuhasz","plugin_contributors-manzoorwanijk","plugin_committers-automattic","plugin_committers-gmjuhasz","plugin_committers-jetpackisbestpack","plugin_committers-manzoorwanijk"],"banners":{"banner":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/banner-772x250.png?rev=3556628","banner_2x":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/banner-1544x500.png?rev=3556628","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/icon-128x128.png?rev=3556628","icon_2x":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/icon-256x256.png?rev=3556628","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/screenshot-1.png?rev=3556628","caption":"Configure bot credentials, sign-up policy, email handling, and optional permissions."},{"src":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/screenshot-2.png?rev=3556628","caption":"Instructions show the Redirect URI and Trusted Origin for @BotFather."},{"src":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/screenshot-3.png?rev=3556628","caption":"The WordPress login form gains a Sign in with Telegram button."},{"src":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/screenshot-4.png?rev=3556628","caption":"User profiles can connect or disconnect Telegram."},{"src":"https:\/\/ps.w.org\/sign-in-with-telegram\/assets\/screenshot-5.png?rev=3556628","caption":"The Users list can show Telegram-verified phone numbers."}],"raw_content":"<!--section=description-->\n<p>Sign in with 
Telegram lets your visitors log in with their Telegram account \u2014 no extra password to remember, no new account to create. Unlike older Telegram-login plugins that rely on a script embedded from Telegram (which modern privacy-focused browsers often block), this plugin uses <a href=\"https:\/\/core.telegram.org\/bots\/telegram-login\">Telegram's standard OpenID Connect login<\/a>: a secure redirect to Telegram and back. It works reliably in every browser, including ones with strict tracker blocking turned on.<\/p>\n\n<h4>Features<\/h4>\n\n<ul>\n<li><strong>\"Sign in with Telegram\" button<\/strong> on the standard <code>wp-login.php<\/code> screen, as a <code>[telegram_signin_button]<\/code> shortcode anywhere on your site, or as a Block Editor block.<\/li>\n<li><strong>Account linking<\/strong> from the user profile screen \u2014 existing WordPress users can connect or disconnect their Telegram account.<\/li>\n<li><strong>Profile sync<\/strong> \u2014 display name and avatar from the user's Telegram profile flow through to the WordPress profile automatically.<\/li>\n<li><strong>No automatic account merging<\/strong> \u2014 a Telegram identity can only attach to an existing WordPress user through an explicit click-to-link action from a logged-in session, so a stranger who happens to share an email address can never take over an account.<\/li>\n<li><strong>Secure by default<\/strong> \u2014 uses the same kind of modern, signed redirect flow that \"Sign in with Google\" and \"Sign in with Apple\" use. 
No bot token stored on your server (the plugin uses the separate Client ID and Client Secret instead), no manual key rotation.<\/li>\n<li><strong>Settings page<\/strong> in wp-admin where you paste the bot's Client ID + Client Secret, pick the default role for new users, and optionally collect the visitor's verified phone number or request permission for your bot to message them directly.<\/li>\n<\/ul>\n\n<h4>How it compares to the legacy Login Widget<\/h4>\n\n<p>Telegram's older Login Widget (used by most existing Telegram-login plugins on the directory) is <strong>not<\/strong> OAuth or OpenID Connect. It loads a JavaScript file from telegram.org that renders Telegram's button on your page and then hands the auth result either to a JavaScript callback or to a server URL. Either mode still needs the embedded script to render the button in the first place. That setup is increasingly fragile:<\/p>\n\n<ul>\n<li>Browsers with strict third-party-script blocking \u2014 Brave with default shields, Firefox Enhanced Tracking Protection on Strict, Safari Lockdown Mode, uBlock Origin filter lists \u2014 frequently block the embedded script outright, so the button never renders and visitors have no way to start the flow.<\/li>\n<li>The widget's authentication hash is an HMAC-SHA256 keyed with a secret derived from your bot token, so anyone who wants to verify a login has to hold a copy of that secret. There's no standard JWT \/ JWKS story to lean on.<\/li>\n<li>Key rotation is manual \u2014 changing the HMAC key means rotating the bot token in BotFather and updating it on every server that verifies logins.<\/li>\n<\/ul>\n\n<p>Sign in with Telegram uses Telegram's newer OpenID Connect provider instead \u2014 a standard server-side redirect flow with a properly signed RS256 <code>id_token<\/code>. No third-party scripts on your pages, no shared bot-token secret with verifiers, automatic key rotation via JWKS. 
It behaves the same regardless of how privacy-locked-down the visitor's browser is.<\/p>\n\n<h3>External services<\/h3>\n\n<p>This plugin connects to Telegram's OpenID Connect provider at <code>oauth.telegram.org<\/code> so visitors can sign in with their Telegram account. No data is sent to Telegram unless a visitor actively starts a sign-in.<\/p>\n\n<p>What is sent, and when:<\/p>\n\n<ul>\n<li><strong>Sign-in start.<\/strong> When a visitor clicks the \"Sign in with Telegram\" button, their browser is redirected to <code>oauth.telegram.org<\/code> with the bot's Client ID, the requested scopes (always <code>openid<\/code> and <code>profile<\/code>; additionally <code>phone<\/code> and \/ or <code>telegram:bot_access<\/code> if you enabled those in <strong>Settings \u2192 Sign in with Telegram<\/strong>), a random <code>state<\/code>, a random <code>nonce<\/code>, and a PKCE <code>code_challenge<\/code> (SHA-256). The only user-specific traffic at this step is the browser redirect itself. If the discovery cache is cold (see below), building the redirect URL also triggers an anonymous server-side GET of the discovery document \u2014 no user data in that request.<\/li>\n<li><strong>Sign-in callback.<\/strong> After the visitor approves the sign-in on Telegram's side, Telegram redirects them back to your site with an authorization <code>code<\/code>. The plugin then makes a single server-to-server POST to Telegram's token endpoint, sending the Client ID + Client Secret (as HTTP Basic auth), the <code>code<\/code>, the matching PKCE <code>code_verifier<\/code>, and the redirect URI. 
Telegram responds with a signed <code>id_token<\/code> containing the visitor's Telegram identifier, name, profile picture URL, and (if the <code>phone<\/code> scope was granted) phone number.<\/li>\n<li><strong>Discovery + JWKS lookup.<\/strong> The first sign-in after activation (and again once the 12-hour local cache expires) triggers a one-off, anonymous GET to Telegram's OpenID Connect discovery document and JSON Web Key Set (JWKS) at <code>oauth.telegram.org<\/code>. Both responses are cached in WordPress transients. If a later <code>id_token<\/code> references a signing key that isn't in the cache (for example, because Telegram rotated its keys), the JWKS is re-fetched once; a short cooldown prevents repeated refresh attempts. No user data is sent in any of these requests.<\/li>\n<\/ul>\n\n<p>This service is provided by Telegram. Refer to Telegram's <a href=\"https:\/\/telegram.org\/tos\">Terms of Service<\/a> and <a href=\"https:\/\/telegram.org\/privacy\">Privacy Policy<\/a> for details on how Telegram handles the sign-in.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Install and activate the plugin.<\/li>\n<li>Open <a href=\"https:\/\/t.me\/BotFather\">@BotFather<\/a> in Telegram and launch its mini app from the attachment menu (the paperclip icon in the chat).<\/li>\n<li>Pick your bot under <strong>My bots<\/strong>, then open <strong>Login widget<\/strong>. If your bot is still on the legacy widget, click <strong>Switch to OpenID Connect Login<\/strong> and confirm.<\/li>\n<li>Register the callback URL under <strong>Redirect URIs<\/strong> \u2014 <code>https:\/\/yoursite.com\/wp-login.php?action=telegram_signin_callback<\/code> \u2014 and add the matching site origin (<code>https:\/\/yoursite.com<\/code>) to <strong>Trusted Origins<\/strong>. 
HTTPS is required.<\/li>\n<li>Copy the <strong>Client ID<\/strong> and <strong>Client Secret<\/strong> that BotFather shows you and paste them into <strong>Settings \u2192 Sign in with Telegram<\/strong> in wp-admin.<\/li>\n<li>Optionally drop the <strong>Telegram Login Button<\/strong> block on your homepage, or add the <code>[telegram_signin_button]<\/code> shortcode anywhere you want a sign-in button.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"where%20do%20i%20get%20the%20client%20id%20and%20client%20secret%3F\"><h3>Where do I get the Client ID and Client Secret?<\/h3><\/dt>\n<dd><p>Open <a href=\"https:\/\/t.me\/BotFather\">@BotFather<\/a> in Telegram and launch its mini app from the attachment menu. Pick your bot under <strong>My bots<\/strong>, go to <strong>Login widget<\/strong>, and if you haven't already, click <strong>Switch to OpenID Connect Login<\/strong> and confirm. BotFather then shows the Client ID and Client Secret and lets you register the <strong>Redirect URIs<\/strong> and <strong>Trusted Origins<\/strong> your site will use. The Client Secret is <strong>not<\/strong> the bot token \u2014 they're different values, and the settings page warns you if you paste the wrong one.<\/p><\/dd>\n<dt id=\"do%20my%20visitors%20need%20to%20install%20anything%3F\"><h3>Do my visitors need to install anything?<\/h3><\/dt>\n<dd><p>No. Telegram's OpenID Connect provider works through a normal browser redirect \u2014 visitors are sent to Telegram's login page, approve the sign-in, and land back on your site. They don't need the Telegram desktop \/ mobile app open or any browser extension.<\/p><\/dd>\n<dt id=\"will%20it%20work%20in%20browsers%20with%20strict%20privacy%20or%20tracker%20blocking%3F\"><h3>Will it work in browsers with strict privacy or tracker blocking?<\/h3><\/dt>\n<dd><p>Yes. The plugin doesn't load any third-party scripts on your pages. 
Sign-in happens through a server-side redirect, the same way \"Sign in with Google\" or other OpenID Connect integrations do. Browsers that block <code>telegram.org<\/code>'s Login Widget script (Brave on default shields, Firefox ETP on Strict, Safari with Lockdown Mode, etc.) handle this flow fine.<\/p><\/dd>\n<dt id=\"how%20does%20this%20handle%20email%20addresses%3F\"><h3>How does this handle email addresses?<\/h3><\/dt>\n<dd><p>Telegram's OIDC provider doesn't supply an email claim, so the plugin creates new users without an email by default. Settings let you instead require a synthetic placeholder email (so password recovery still nominally works), or block sign-ups entirely and only allow existing WordPress users to connect their Telegram account from the profile screen.<\/p><\/dd>\n<dt id=\"is%20my%20visitor%27s%20password%20ever%20sent%20to%20telegram%3F\"><h3>Is my visitor's password ever sent to Telegram?<\/h3><\/dt>\n<dd><p>No. The plugin doesn't touch WordPress passwords. Sign-in happens entirely through Telegram's authentication system; your WordPress site receives a signed token verifying that the user is who they say they are.<\/p><\/dd>\n<dt id=\"where%20can%20i%20find%20the%20source%20code%3F\"><h3>Where can I find the source code?<\/h3><\/dt>\n<dd><p>The plugin is developed in the open at <a href=\"https:\/\/github.com\/Automattic\/sign-in-with-telegram\">github.com\/Automattic\/sign-in-with-telegram<\/a>. The repository contains the full TypeScript source for the React-based settings UI and the Block Editor block, the build tooling (npm scripts driving <a href=\"https:\/\/www.npmjs.com\/package\/@wordpress\/build\">@wordpress\/build<\/a>), and the test suite. 
Issues and pull requests are welcome.<\/p><\/dd>\n<dt id=\"where%20is%20the%20user%27s%20phone%20number%20stored%3F\"><h3>Where is the user's phone number stored?<\/h3><\/dt>\n<dd><p>When the <code>phone<\/code> scope is granted, Telegram returns the phone number as a claim in the signed <code>id_token<\/code>. The plugin stores that value in its own usermeta key \u2014 <code>telegram_signin_phone<\/code>. Read the verified value via <code>Automattic\\Telegram\\SignIn\\Phone::for_user( $user_id )<\/code>, and hook the <code>telegram_signin_phone<\/code> filter to redact or normalize it. Site authors on WooCommerce can surface the verified value as the customer's billing phone by hooking <code>woocommerce_customer_get_billing_phone<\/code>.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>0.1.5<\/h4>\n\n<ul>\n<li>Ship block.json so the editor block registers on wp.org installs.<\/li>\n<\/ul>\n\n<p>For the full version history, see <a href=\"https:\/\/github.com\/Automattic\/sign-in-with-telegram\/blob\/trunk\/CHANGELOG.md\">the changelog on GitHub<\/a>.<\/p>","raw_excerpt":"Add Telegram login to your WordPress site. 
Visitors sign in with their existing Telegram account \u2014 no new password to remember.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/315078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=315078"}],"author":[{"embeddable":true,"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/automattic"}],"wp:attachment":[{"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=315078"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=315078"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=315078"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=315078"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=315078"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ky.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=315078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}