TeleWatchdog
TeleWatchdog is a Cloudflare Workers Telegram join-request watchdog for private groups.
It reviews join requests with a simple pipeline:
- Check whether the applicant has an avatar.
- Check whether the applicant has a bio.
- If either is missing, require verification.
- If both exist, ask an AI model for a binary decision.
- If the AI returns
approve, accept the join request immediately. - Otherwise, send a verification message with a Telegram Web App button.
Users who need verification can choose either:
Cloudflare TurnstileTelegram WebApp BiometricManager
If verification is not completed within 10 minutes, a scheduled task declines the request and cleans up the stored state.
Features
- Telegram
chat_join_requestwebhook support - Cloudflare Worker deployment model
- Telegram Web App verification page
- Turnstile verification
- Telegram biometric verification via
BiometricManager - AI-based binary profile review
- Automatic cleanup of expired verification records
- Automatic deletion of verification messages after success or timeout
Stack
Cloudflare WorkersCloudflare KVTelegram Bot APICloudflare Turnstile- OpenAI-compatible chat completion API
Project Structure
src/index.ts Main Worker implementation
package.json Project metadata and scripts
tsconfig.json TypeScript config
wrangler.toml.example Example Wrangler config
Required Secrets
Set these with wrangler secret put:
BOT_TOKENTG_WEBHOOK_SECRETAI_BASE_URLAI_API_KEYTURNSTILE_SECRET
Required Variables
Set these in wrangler.toml:
AI_MODELTURNSTILE_SITE_KEYVERIFICATION_ORIGIN
KV Setup
Create a KV namespace:
npx wrangler kv namespace create PENDING_JOINS
Copy the returned namespace id into your wrangler.toml.
Local Setup
npm install
copy wrangler.toml.example wrangler.toml
Then edit wrangler.toml and add your real values.
Deploy
npx wrangler deploy
Telegram Webhook
After deployment, configure the webhook to point to:
https://your-worker-domain/telegram/webhook
Example PowerShell:
$botToken = "YOUR_BOT_TOKEN"
$secret = "YOUR_TG_WEBHOOK_SECRET"
$body = @{
url = "https://your-worker-domain/telegram/webhook"
secret_token = $secret
allowed_updates = @("chat_join_request")
} | ConvertTo-Json -Compress
Invoke-RestMethod -Method Post -Uri "https://api.telegram.org/bot$botToken/setWebhook" -ContentType "application/json" -Body $body
Telegram Permissions
The bot must:
- be added to the target group
- be an administrator
- have permission to approve join requests
The group must be configured to require approval for join requests.
Verification Flow
Auto-approve path
- user has avatar
- user has bio
- AI returns
approve - request is approved immediately
- no message is sent to the user
Verification path
- avatar missing, or
- bio missing, or
- AI returns
challenge, or - AI request fails
Then:
- a single verification message is sent
- user opens the Telegram Web App
- user completes Turnstile or biometric verification
- the bot approves the request
- the verification message is deleted
- KV records are deleted
Timeout path
- request stays pending for 10 minutes
- scheduled Worker declines the join request
- verification message is deleted
- KV records are deleted
Notes
- Telegram biometric verification here uses
Telegram.WebApp.BiometricManager, not WebAuthn. - Telegram Web App
initDatais verified server-side before accepting either verification method. - Public repository users should create their own Worker domain, Turnstile site, KV namespace, and AI credentials.
License
Add your preferred license before publishing if needed.