Login
The dashboard authenticates with the Telegram Login Widget. Your Telegram account is the only credential. There is no separate password to manage.
How sign-in works
- Open
https://<your-id>.hanai.systems. - Tap the Telegram Login Widget on the page.
- Approve the login request inside the Telegram app on your phone or desktop.
- The widget posts a signed payload back to the dashboard. The signature is verified against your bot token.
- A session cookie is set and you land on the dashboard home.
Both GET /auth/telegram and POST /auth/telegram are supported, so the widget works regardless of how Telegram routes the callback.
Only authorised users
Only the Telegram user IDs configured during provisioning can sign in. Other accounts that attempt the flow are rejected even if Telegram itself authorises them.
”Bot domain invalid”
If you see this error, your operator hasn’t run the BotFather /setdomain step yet. They run it once, against your bot, with your subdomain as the argument. Refresh the page after.
Session
| Item | Value |
|---|---|
| Session secret | Auto-generated during provisioning and persisted to your age vault. |
| Storage | dashboard.sqlite on the VPS. |
| Cookie | Signed with the session secret. |
Signing out
Closing the browser ends the session client-side. To force-invalidate sessions across all devices, ask your operator to rotate SESSION_SECRET in the vault.
Next
- Dashboard tour — what’s behind the login.
- Domain & TLS — the subdomain the widget binds to.
- Telegram setup — the bot side of the same connection.