<p>To make this possible, the client generates a permanent authorization key using <strong>p_q_inner_data</strong> and a temporary key using <strong>p_q_inner_data_temp</strong>. (See <ahref="/mtproto/auth_key">Creating an Authorization Key</a> for more info.) These 2 operations may be done in parallel and even using the same connection. The client must save an <strong>expires_at</strong> unix timestamp <code>expires_at = time + expires_in</code>.</p>
<p><strong>Important</strong>: in order to achieve PFS, the client must <strong>never</strong> use the permanent auth_key_id directly. Every message that is sent to MTProto, must be encrypted by a <strong>temp_auth_key_id</strong>, that was bound to the <strong>perm_auth_key_id</strong>.</p>
<p>An unbound <strong>temp_auth_key_id</strong> may only be used with the following methods:</p>
<p>In order to bind a temporary authorization key to the permanent key the client creates a <ahref="/method/auth.bindTempAuthKey#binding-message-contents">special binding message</a> and executes the <ahref="/method/auth.bindTempAuthKey">auth.bindTempAuthKey</a> method using <strong>temp_auth_key</strong>. Once <strong>auth.bindTempAuthKey</strong> has been executed successfully, the client may signUp / signIn using other auth.* methods and continue using the API as usual; the client must also <ahref="/api/invoking#saving-client-info">rewrite client info</a> using <ahref="/method/initConnection">initConnection</a> after each binding. Each permanent key may only be bound to <strong>one</strong> temporary key at a time, binding a new temporary key overwrites the previous one.</p>
<p>Once the temporary key expires, the client needs to generate a new temporary key using <strong>p_q_inner_data_temp</strong>. Then it needs to re-bind that new temporary key to the initial permanent key. A new key can also be generated in advance, so that the client has a new key ready by the time the old one has expired.</p>
<p>For additional security, the client can store the temporary authorization key in RAM only and never save it in persistent storage.</p>
<p>A temporary authorization key may expire at any moment before <strong>expires_at</strong>, since such keys are also stored only in the RAM on the server-side. Be prepared to handle resulting MTProto errors correctly (non-existent auth_key_id results in a 404 error).</p></div>
</div>
</div>
</div>
<divclass="footer_wrap">
<divclass="footer_columns_wrap footer_desktop">
<divclass="footer_column footer_column_telegram">
<h5>Telegram</h5>
<divclass="footer_telegram_description"></div>
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.