What is the place to check the header?

This?
https://github.com/botman/driver-telegram/blob/b681bf94a8e1537c385a34131e8de8075c3866c8/src/TelegramDriver.php#L107C21-L107C35

@mpociot to avoid the breaking change you could make this optional.

Tests runs fine on my machine. Seems like to fix it here this needs to be added to the end of the composer.json file:

"config": {
    "allow-plugins": {
        "thecodingmachine/discovery": true
    }
}

and add --ignore-platform-req=composer-plugin-api to tests.yml composer install section.

I'm closing this because it's not implemented correctly.

You should not use TELEGRAM_TOKEN as secret_token but a custom secret as per documentation:

https://core.telegram.org/bots/api#setwebhook

Moreover, it must be possible to enable and disable this feature from the configuration file (i.e. secre_token = null, makes it disabled) and make it working also for existing installations (ie. disabled by default).

Feel free to refactor it and send a new PR.