Security & webhook validation
Gategram takes a security-first approach. Every webhook is validated, every transaction is verified, and we never touch payment credentials.
Webhook validation
HMAC-SHA256 signature verification
Every incoming webhook from Telegram is validated using HMAC-SHA256 with the bot token as the secret key. This cryptographically proves that the webhook originated from Telegram and was not tampered with in transit. Invalid signatures are rejected immediately.
initData validation
When creators interact through the Mini App, we validate Telegram’s initData payload. This confirms the user’s identity comes directly from Telegram’s authentication system, preventing impersonation.
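The two HMAC-SHA256 checks described above, as an added Python example (this is illustration code, not Gategram's own implementation). The webhook part models the scheme the page describes, an HMAC over the raw request body keyed with the bot token; the page does not name the header that carries the tag, so the caller passes the presented signature in directly. The initData part follows Telegram's published Mini App algorithm: a secret key derived as HMAC-SHA256 keyed with the string "WebAppData" over the bot token, then HMAC-SHA256 of the sorted data-check string, compared against the `hash` field. The sample token, the `build_init_data` helper and the `auth_date` freshness limit are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed sample bot token for the example; not a real credential.
BOT_TOKEN = "123456:EXAMPLE-BOT-TOKEN"


def sign_webhook_body(raw_body: bytes, bot_token: str) -> str:
    """HMAC-SHA256 over the raw request body keyed with the bot token (hex digest).
    Shown only so the verifier below can be exercised offline; in production the
    tag arrives with the request and the receiver only verifies it."""
    return hmac.new(bot_token.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook_signature(raw_body: bytes, presented_sig: Optional[str], bot_token: str) -> bool:
    """Reject unless the presented tag matches the one computed over the raw bytes.
    Verify the bytes as received, before any JSON parsing, and compare in constant
    time so the tag cannot be recovered byte by byte through timing differences."""
    if not presented_sig:
        return False
    expected = sign_webhook_body(raw_body, bot_token)
    return hmac.compare_digest(expected, presented_sig)


def _init_data_secret(bot_token: str) -> bytes:
    # Telegram's published derivation: HMAC-SHA256 keyed with "WebAppData" over the bot token.
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def validate_init_data(init_data: str, bot_token: str, max_age: int = 86400,
                       now: Optional[float] = None) -> Optional[dict]:
    """Validate a Mini App initData query string. Returns the parsed fields when the
    hash matches and auth_date is fresh, otherwise None (treat None as unauthenticated)."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    presented = fields.pop("hash", None)
    if presented is None:
        return None
    # data_check_string: every field except hash, sorted by key, one key=value per line
    data_check_string = "\n".join(f"{k}={v}" for k, v in sorted(fields.items()))
    expected = hmac.new(_init_data_secret(bot_token), data_check_string.encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return None
    # Freshness: a captured initData should not stay usable forever (max_age is an assumption).
    try:
        auth_date = int(fields["auth_date"])
    except (KeyError, ValueError):
        return None
    current = time.time() if now is None else now
    if current - auth_date > max_age:
        return None
    return fields


def build_init_data(fields: dict, bot_token: str) -> str:
    """Produce a signed initData string the way Telegram would; constructed for testing only."""
    data_check_string = "\n".join(f"{k}={v}" for k, v in sorted(fields.items()))
    tag = hmac.new(_init_data_secret(bot_token), data_check_string.encode(),
                   hashlib.sha256).hexdigest()
    return urlencode({**fields, "hash": tag})
```

Two points worth keeping from this: the webhook tag is checked over the exact bytes received (re-serialising parsed JSON would change whitespace and key order and break the check), and a valid initData hash only proves Telegram produced the payload, so the `auth_date` check is what stops an old payload from being replayed indefinitely.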
Payment amount verification
Before confirming any pre_checkout_query, Gategram verifies that the payment amount matches the product's price in the database. This prevents manipulation of the payment amount between invoice creation and checkout confirmation.
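The pre-checkout check above as an added Python example (illustration only, not Gategram's code). It assumes that the `invoice_payload` attached when the invoice was created is the product UUID, that prices are stored in whole Stars, and that `PRODUCTS` stands in for the database; the product UUID is a placeholder. `XTR` is the currency code Telegram uses for Stars, and `answerPreCheckoutQuery` is the Bot API method that accepts or declines the query.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STARS_CURRENCY = "XTR"  # currency code Telegram uses for Stars invoices


@dataclass(frozen=True)
class Product:
    product_id: str
    title: str
    price_stars: int  # Stars are whole units; no minor-unit scaling applies


# Constructed stand-in for the products table; the UUID is a placeholder value.
PRODUCTS: Dict[str, Product] = {
    "11111111-2222-4333-8444-555555555555": Product(
        "11111111-2222-4333-8444-555555555555", "Example guide", 50),
}


def check_pre_checkout(query: dict, products: Dict[str, Product]) -> Tuple[bool, Optional[str]]:
    """Decide whether a pre_checkout_query may proceed.
    The product and its current price come from the database keyed by invoice_payload
    (assumed to be the product UUID); nothing about the price is trusted from the query."""
    product = products.get(query.get("invoice_payload"))
    if product is None:
        return False, "Unknown product"
    if query.get("currency") != STARS_CURRENCY:
        return False, "Unsupported currency"
    total = query.get("total_amount")
    if not isinstance(total, int) or total != product.price_stars:
        return False, "Price mismatch"
    return True, None


def build_answer(query: dict, products: Dict[str, Product]) -> dict:
    """Parameters for answerPreCheckoutQuery: ok=False with an error_message shown to
    the buyer, or ok=True to let Telegram complete the Stars payment."""
    ok, message = check_pre_checkout(query, products)
    answer = {"pre_checkout_query_id": query["id"], "ok": ok}
    if not ok:
        answer["error_message"] = message
    return answer
```

The currency check matters as much as the amount check: an amount of 50 only means 50 Stars if the currency is `XTR`, so both fields are compared against the stored product before the query is accepted.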
Data handling
Minimal data collection
Gategram stores only what's needed: Telegram user IDs, product metadata, and transaction records. We don't collect emails, phone numbers, or personal data beyond what Telegram provides.
No payment credentials
All payment processing happens through Telegram's Stars system. Gategram never sees, stores, or processes credit card numbers, bank details, or payment credentials.
Content isolation
Product content (the text, links, or files creators upload) is stored separately from transaction data and delivered only to verified buyers.
Rate limiting
API endpoints are rate-limited to prevent abuse, brute force attempts, and denial of service. Excessive requests are blocked automatically.
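An added example of the rate limiting described above, written in Python as a per-key token bucket (this is not Gategram's implementation; the capacity, refill rate and the `user:<id>` key scheme are assumptions). Each key gets a bucket that refills continuously, so short bursts pass and sustained floods are refused without any per-request sleeping.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill


class TokenBucketLimiter:
    """Per-key token bucket. allow() returns True and spends a token when the caller
    is within budget, False when the bucket is empty. The clock is injectable so the
    refill logic can be tested deterministically."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, key: str, cost: float = 1.0) -> bool:
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            # A new key starts with a full bucket (its first burst is allowed).
            bucket = _Bucket(tokens=float(self.capacity), last=now)
            self._buckets[key] = bucket
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(self.capacity), bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True
        return False


def rate_limit_key(user_id: int, endpoint: str) -> str:
    """Key buckets by authenticated Telegram user ID and endpoint (an assumed scheme), so
    one user exhausting one endpoint does not affect others."""
    return f"user:{user_id}:{endpoint}"
```

In a real deployment the bucket table lives in shared storage (or the limiter sits in the reverse proxy) so that every application instance sees the same counts; an in-process dictionary, as here, only limits per instance.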
Infrastructure
HTTPS everywhere
All communication between Telegram, Gategram, and users is encrypted with TLS.
Input validation
All user inputs are validated and sanitized before processing to prevent injection attacks.
UUID product IDs
Product IDs are cryptographically random UUIDs, not sequential integers. This prevents enumeration attacks.
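An added Python example covering the input validation and UUID points above (not Gategram's code). `uuid.uuid4()` draws its 122 random bits from the operating system's CSPRNG, so a valid ID cannot be derived from a neighbouring one; the validator accepts only the canonical 36-character form of a version-4 UUID, so integers, truncated strings and anything else that is not a product ID is rejected before a database lookup is attempted. The `parse_product_id` name is an assumption.

```python
import uuid
from typing import Optional


def new_product_id() -> str:
    """Random (version 4) UUID in canonical lowercase form."""
    return str(uuid.uuid4())


def parse_product_id(raw: object) -> Optional[str]:
    """Return the canonical product ID if raw is a well-formed version-4 UUID, else None.
    uuid.UUID() also accepts 32-hex, braced and urn: forms, so the length and round-trip
    checks pin the accepted syntax to exactly the form Gategram issues."""
    if not isinstance(raw, str) or len(raw) != 36:
        return None
    try:
        parsed = uuid.UUID(raw)
    except ValueError:
        return None
    if parsed.version != 4 or str(parsed) != raw.lower():
        return None
    return str(parsed)
```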
Dependency auditing
Dependencies are regularly audited for known vulnerabilities using automated security scanning.
Questions about security?
Reach out via the bot or check the docs for technical details.