Connecting Telegram

How to route Haubot notifications to a private 1:1 Telegram chat with our bot. The deep-link flow, why a few events are not routable to Telegram, and what to do if your Telegram session is compromised.

Telegram is the personal pager channel. A private 1:1 chat between you and our bot — only you see the messages, nobody else, no team broadcast.

This article walks through connecting it, what the bot does and doesn't do, and what to think about if your Telegram account is ever compromised.

Setup: the connect flow

Connecting Telegram is a deep-link round-trip. You don't paste a URL or copy a token — you open a one-time link, press Start in Telegram, and come back. The full flow:

  1. Sign in to Haubot.
  2. Navigate to Dashboard → Settings → Notifications.
  3. Find the Connected channels section at the top of the page. The Telegram card has a Connect button.
  4. Click Connect. A modal explains what's about to happen: "We'll open a one-time chat with our Telegram bot. Press Start in Telegram, then come back here — connection appears automatically."
  5. Click Open Telegram. Your browser opens a new tab to a t.me/... URL, which redirects into the Telegram app (mobile) or Telegram Web. If you're not signed in to Telegram on that device, you'll be prompted.
  6. The bot's chat opens with a single Start button at the bottom. Press it.
  7. The bot replies in the chat: "Connected ✓ — Haubot notifications you enable for this chat will appear here."
  8. Switch back to the Haubot tab. Within a few seconds the modal closes and the Telegram card flips to Connected.

The deep-link contains a one-time random token. Pressing Start in Telegram is what tells our backend "this Telegram chat belongs to this Haubot user". The token is single-use and expires 10 minutes after you click Connect.

If you don't press Start within 10 minutes

The modal waits 60 seconds for the connection to appear, then shows: "Didn't receive confirmation. The link may have expired. Generate a new one and press Start in Telegram."

Click Generate a new link — that mints a fresh token and re-opens the deep-link. Old links stop working at the same moment.

You can mint up to 5 links per hour. If you somehow blow through that, the form briefly disables; wait, then try again.

What the bot does

The bot has one job: it's our delivery endpoint for notifications you've enabled on the Telegram channel. Specifically:

  • Listens for /start <token> in private chats — the message Telegram sends our bot when you press Start on the deep-link. The bot consumes the token and connects your account. No other commands.
  • Sends notification messages to you — short plain-text messages with a 🔔 prefix and the event title.

The bot does not:

  • Read your other Telegram messages or contacts.
  • Work in groups, supergroups or channels — only in your private 1:1 chat. If you add the bot to a group, it replies "Haubot only supports private chats. Open a 1:1 chat with the bot to connect." and ignores the group.
  • Reply to anything other than /start. If you type Hello to it, you'll get no reply.

What gets sent to Telegram (and what doesn't)

Telegram is a private channel — only you see it. So the privacy concerns that apply to Discord (broadcasting to a team channel) don't apply here. The matrix is much more permissive: 29 of 32 event types can be routed to Telegram.

The 3 events that are blocked:

Event | Why blocked on Telegram
OTP_LOGIN_REQUESTED | Your sign-in OTP. Routing it to Telegram means anyone who controls your Telegram session can sign in to Haubot — that defeats the second factor.
EMAIL_VERIFICATION_REQUESTED | The verification link in this email lets the holder verify a new email address against your account. Routing it to Telegram = account-takeover risk if Telegram is compromised.
PASSWORD_RESET_REQUESTED | Same reasoning: a password-reset link routed to Telegram = account-takeover risk.

These three are intentionally always-off and locked on the Telegram column in your matrix. The lock icon shows the reason.

Notice that post-event security signals — PASSWORD_CHANGED, EMAIL_CHANGED, LOGIN_NEW_DEVICE — are NOT blocked. Those are notifications about state changes that already happened, not credential-bearing payloads. Telegram-as-pager is exactly the right shape for them: "hey, your password just changed at 14:32 — was that you? If not, contact support immediately."

Defaults: what arrives without you doing anything

Once you connect Telegram, the matrix has a sensible set of defaults so it's useful immediately. You'll start receiving (default-on):

  • Account state changes — password/email changed, sign-in from a new device.
  • Listings you own — published, rejected, expired, sold.
  • Vault activity on listings you own — access requested, approved, denied, revoked, snapshot created.
  • Reviews you receive: REVIEW_RECEIVED, REVIEW_RESPONSE_RECEIVED.

Default-off (you opt in if you want them):

  • Auction activity — bid received, outbid, won, lost. Auctions can fire many notifications in a short window; we leave it to you to decide if you want them on Telegram.
  • Network activity — likes, comments, follows. High-volume, low signal — a typical user finds these noisy on Telegram.
  • Direct messages: MESSAGE_RECEIVED is allowed but default-off. If you turn it on, expect a Telegram message every time someone DMs you on Haubot.
  • Platform / legal — announcements, terms updates, etc. Allowed but default-off because email is the canonical channel for these.

You can tick any of the default-off rows in the matrix at any time.

Disconnecting

  1. Dashboard → Settings → Notifications → Telegram card → Disconnect.
  2. Confirm.

The connection's status flips to Revoked. We stop sending notifications to that chat. The row stays in our database for audit.

You can also disconnect from Telegram's side: in the bot chat, type /start (or use Telegram's Block bot menu). That doesn't update our state automatically, but the next delivery to that chat will fail with HTTP 403 ("bot blocked"), and after a few consecutive failures we mark the connection as Failed on our side. The cleanest path is disconnect-on-Haubot first.

If you reconnect later by repeating the deep-link flow with the same Telegram chat, the existing connection reactivates in place — your matrix preferences for Telegram are preserved (we match by a hash of the chat ID, so the same chat = the same row).

What to do if your Telegram session is compromised

Unlike a Discord webhook URL (where the URL itself is the auth), the destination on Telegram is your Telegram account. If someone gains access to your Telegram session — SIM swap, stolen phone that's still signed in, a session token leaked from your machine — they can read everything in your chat with our bot.

What they can read in your chat with our bot:

  • The notifications we've already sent you (and the ones we send in the future, until you act).

What they cannot do, even with full access to your Telegram session:

  • Take over your Haubot account using OTP / verification / reset links delivered to Telegram — those three events are locked-off on the Telegram column (see above).
  • Connect new accounts. Connecting requires a live Haubot session, not a Telegram session.

What to do

  1. In Telegram: open Settings → Devices, revoke all sessions you don't recognize. Rotate your Telegram password / 2FA.
  2. In Haubot: disconnect the Telegram channel. Notifications stop flowing to that chat immediately.
  3. Reconnect later when you've regained sole control of your Telegram account, by repeating the deep-link flow.

If you're worried someone may have used your Telegram-readable notifications to learn things about your account state — for example, they saw "new device sign-in" notifications and now know which IPs you're typically signing in from — change your Haubot password and review your active Haubot sessions in Account & security.

Common questions

Why does Telegram say "Bot domain invalid" or won't open the link? The deep-link uses our bot's username. If the link won't open, copy it and paste into Telegram's search bar — that should resolve to the same bot. If the bot doesn't appear at all, it's likely a temporary Telegram outage; wait and try again.

The bot replied "This connect link is invalid or expired." Either the token expired (10-minute TTL), it was already used (single-use, atomic), or it's a token you didn't generate (someone else's link). Generate a fresh one in your settings and try again. The bot deliberately gives the same generic message in all three cases — that's a security feature so an attacker probing tokens learns nothing about which ones are real.
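
An added example (not Haubot's own code) of the token rules described in the setup section and in the answer above: 10-minute expiry, single use, old links dying when a new one is minted, 5 mints per hour, and one generic rejection for every failure. The class and method names, the in-memory dictionaries and the choice to store only a hash of each token are assumptions made for the sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 600          # seconds; the 10-minute expiry from the article
MAX_MINTS_PER_HOUR = 5   # mint limit from the article
REJECT = "This connect link is invalid or expired."  # same reply for every failure
PRIVATE_ONLY = "Haubot only supports private chats. Open a 1:1 chat with the bot to connect."

class ConnectTokens:
    """Hypothetical in-memory store; a real backend would use a database."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # sha256(token) -> (user_id, expires_at)
        self.mints = {}     # user_id -> timestamps of mints in the last hour

    @staticmethod
    def _digest(token):
        # Assumption: only a hash of the token is stored, so a leaked table
        # does not yield usable connect links.
        return hashlib.sha256(token.encode()).hexdigest()

    def mint(self, user_id):
        now = self.clock()
        recent = [t for t in self.mints.get(user_id, []) if now - t < 3600]
        if len(recent) >= MAX_MINTS_PER_HOUR:
            raise RuntimeError("rate limited")
        self.mints[user_id] = recent + [now]
        # Minting a new link invalidates every older link for the same user.
        self.pending = {d: v for d, v in self.pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (user_id, now + TOKEN_TTL)
        return token

    def handle_start(self, token, chat_type):
        """Return (user_id or None, reply text) for a '/start <token>' message."""
        if chat_type != "private":
            return None, PRIVATE_ONLY
        # pop() is the single-use step: the entry is removed before the expiry
        # check, so a replayed token finds nothing. A database-backed store
        # needs one atomic delete-and-return statement for the same guarantee.
        entry = self.pending.pop(self._digest(token), None)
        if entry is None or self.clock() >= entry[1]:
            return None, REJECT   # unknown, used, superseded, expired: one answer
        return entry[0], "Connected"
```

Because unknown, used, superseded and expired tokens all take the same return path, the caller cannot tell them apart from the reply text.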

Can I connect more than one Telegram chat? You can connect the bot to one chat per Telegram account. If you have multiple Telegram accounts on the same device, you can connect them as separate Haubot connections. Each appears as its own row in your Connected channels list with its own matrix-preference state.

Can I get the messages in a language other than English? Today, no. Telegram messages are English-only in v1, same gap as Discord. We're tracking it for a future release.

Can I add the bot to a Telegram group? You can, but it'll politely refuse: it only operates in private 1:1 chats. There's no way to broadcast Haubot notifications to a Telegram group — that's intentional. For a team broadcast, use Discord instead.

A test send worked but real events don't appear. Check the matrix — make sure the rows you care about have the Telegram cell ticked. Most events are default-on for Telegram once connected, but a few you may have toggled off explicitly.