If 2FA is enabled, an additional layer is added:


Post by Mitu100@ »

auth.SentCodeTypeApp (In-App Code): If you have active Telegram sessions on other devices, the code is sent as an encrypted message directly to those devices. This is highly preferred as it doesn't rely on less secure SMS channels.
auth.SentCodeTypeCall: An automated voice call reads out the code.
auth.SentCodeTypeFlashCall / auth.SentCodeTypeMissedCall: More advanced methods where the code is derived from the last digits of a quick, missed call.
auth.SentCodeTypeFragment: For +888 anonymous numbers, the code is delivered via the TON blockchain/Fragment platform.
phone_code_hash: Along with the delivery type, the Telegram number database server sends a phone_code_hash. This hash is crucial for the next step; it identifies the specific verification attempt.
3. Verification and Session Establishment (auth.signIn):
User Enters Code: You receive the code (via SMS, in-app, call, or Fragment) and enter it into the Telegram client.
Client Sends auth.signIn: Your client sends the phone number, the received phone_code, and the phone_code_hash back to the server using the auth.signIn method.
Server Validation:
The server verifies the phone_code against the phone_code_hash to ensure it matches the code it sent for that specific request.
If the code is correct, the server authenticates the user.
Session Authorization (auth.Authorization): Upon successful verification, the server returns an auth.Authorization object. This object signifies that a new session has been authorized for this device. It includes details like user (your User object) and potentially a future_auth_token for seamless re-login (more on this below).
Device Linking: The device's authorization key is now linked to your Telegram account. Your chats, contacts, and settings are synchronized from the Telegram cloud.
4. Two-Step Verification (2FA) Integration (auth.checkPassword):


SESSION_PASSWORD_NEEDED: After the phone code is verified, instead of immediately authorizing the session, the server returns a SESSION_PASSWORD_NEEDED RPC error.
Client Prompts for Password: The Telegram client then prompts you to enter your 2FA password.
Password Verification (SRP): This password is not sent directly to the server. Telegram uses a Secure Remote Password (SRP) protocol (specifically, a variant of the SRP-6a protocol, implemented with SHA256 and other cryptographic primitives).
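The flow described in the post above, as an added toy server model in Python (not code from the post or from Telegram): it shows the phone_code_hash selecting one verification attempt and the session being withheld until the password step passes. The class and method names, the phone numbers, and every error string other than SESSION_PASSWORD_NEEDED are assumptions of this model, and the password step is a plain HMAC challenge-response standing in for SRP, not SRP itself.

```python
import hashlib, hmac, secrets

class RpcError(Exception):
    """Model of an RPC error; only SESSION_PASSWORD_NEEDED is named in the post."""

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def prove(password, salt, nonce):
    # Client side: answer the challenge without sending the password itself.
    return hmac.new(derive(password, salt), nonce, "sha256").digest()

class ToyAuthServer:
    def __init__(self):
        self.attempts = {}   # phone_code_hash -> (phone, code)
        self.pending = {}    # phone -> nonce, set once the code step has passed
        self.twofa = {}      # phone -> (salt, key) for accounts with 2FA enabled

    def enable_2fa(self, phone, password):
        salt = secrets.token_bytes(16)
        self.twofa[phone] = (salt, derive(password, salt))

    def send_code(self, phone):
        code, code_hash = f"{secrets.randbelow(10**5):05d}", secrets.token_hex(8)
        self.attempts[code_hash] = (phone, code)
        return code_hash, code   # code is returned only so the demo can "receive" it

    def sign_in(self, phone, code_hash, code):
        attempt = self.attempts.get(code_hash)
        # The hash selects one attempt; the code must be the one sent for it.
        if (attempt is None or attempt[0] != phone
                or not hmac.compare_digest(attempt[1].encode(), code.encode())):
            raise RpcError("PHONE_CODE_INVALID")
        del self.attempts[code_hash]                    # an attempt is single use
        if phone in self.twofa:
            self.pending[phone] = secrets.token_bytes(16)
            raise RpcError("SESSION_PASSWORD_NEEDED")   # no session is issued yet
        return {"user": phone}

    def challenge(self, phone):
        return self.twofa[phone][0], self.pending[phone]

    def check_password(self, phone, proof):
        nonce = self.pending.pop(phone, None)   # exists only after sign_in passed
        if nonce is None:
            raise RpcError("CODE_STEP_REQUIRED")
        expected = hmac.new(self.twofa[phone][1], nonce, "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            raise RpcError("PASSWORD_HASH_INVALID")
        return {"user": phone}
```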