Hi Carlos, I’m glad you like it.

I’m not a security expert, but 2 thoughts:

• the call to your function is done from telegram site, is hard from someone to call this URL, they will have to guess: the service you are using (hosting, aws, firebase, the server), the server firebase assigned your function and the name of the function, I used router for de example but you can use any name
• You can be extra sure by adding, domain control, ( no calls from outside telegram servers), add a URL passphrase in the hook or add https auth, https://github.com/firebase/functions-samples/blob/master/authorized-https-endpoint/README.md