
Telegram Bot Token: What It Is and How to Keep It Safe (2026)

Admin @admin 7 min read

Every Telegram bot is controlled through a unique credential called a bot token. This token is the master key to your bot — whoever holds it can read every message your bot receives, send messages as your bot, and fully control its behavior. Understanding what it is, how to get one, and critically, how to keep it secure is fundamental knowledge for any Telegram bot developer.

This guide covers the complete lifecycle of a Telegram bot token: creation, usage, security best practices, and what to do if your token is compromised. For context on creating your first bot, also see our guide to BotFather: Complete Guide to Creating Telegram Bots and browse Developer Tools.

What Is a Telegram Bot Token?

A Telegram bot token is a unique alphanumeric string that authenticates your bot with the Telegram Bot API. Every request your bot makes to the API — sending messages, receiving updates, uploading files — must include this token in the URL.

What a token looks like:

1234567890:ABCdefGHIjklMNOpqrsTUVwxyz1234567

The structure is: {bot_id}:{random_secret}

  • Bot ID: A numeric identifier unique to your bot (the part before the colon)
  • Secret: A 35-character random string generated by Telegram (the part after the colon)

The token is used in every API call. For example, sending a message uses the endpoint:

https://api.telegram.org/bot{YOUR_TOKEN}/sendMessage

If you strip or modify either part of the token, all API calls will fail with a 401 Unauthorized error.
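A small validator for the token format described above, added here as an example rather than code from the article. It splits a token into its bot ID and secret, fails fast on anything that is not token-shaped, and produces a redacted form that is safe to put in logs. The character class for the secret (letters, digits, underscore, hyphen) and the sample token itself are assumptions; the 35-character length is the one the article states, so the check is strict and rejects shorter values.

```python
import re
from dataclasses import dataclass

# Assumed token shape: numeric bot ID, a colon, then a 35-character secret drawn
# from letters, digits, underscore and hyphen (the character class is an assumption).
TOKEN_RE = re.compile(r"^(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})$")


@dataclass(frozen=True)
class BotToken:
    bot_id: int
    secret: str


def parse_bot_token(raw: str) -> BotToken:
    """Split a token into its two parts, rejecting anything that is not token-shaped.

    Raising here means a misconfigured deployment fails at startup instead of
    failing with 401 Unauthorized on its first API call.
    """
    m = TOKEN_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError("not a Telegram bot token (expected <bot_id>:<35-char secret>)")
    return BotToken(bot_id=int(m.group("bot_id")), secret=m.group("secret"))


def redact_token(raw: str) -> str:
    """Form that is safe for logs and error messages: keep the public bot ID, mask the secret."""
    try:
        t = parse_bot_token(raw)
    except ValueError:
        return "<invalid-token>"
    return f"{t.bot_id}:{'*' * len(t.secret)}"


def api_url(token: BotToken, method: str) -> str:
    """Build the endpoint form the article shows: https://api.telegram.org/bot<token>/<method>."""
    return f"https://api.telegram.org/bot{token.bot_id}:{token.secret}/{method}"


# Constructed sample token (not a real credential); the secret is exactly 35 characters.
SAMPLE_TOKEN = "1234567890:ABCdefGHIjklMNOpqrsTUVwxyz123456789"

if __name__ == "__main__":
    tok = parse_bot_token(SAMPLE_TOKEN)
    print("bot id:", tok.bot_id)
    print("for logs:", redact_token(SAMPLE_TOKEN))
    print("endpoint:", api_url(tok, "sendMessage").replace(tok.secret, "<secret>"))
```

Only `redact_token` output should ever reach a log line; `api_url` returns the full credential and belongs inside the HTTP client, not in diagnostics.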

How to Get Your Bot Token from BotFather

@BotFather is Telegram's official bot for creating and managing bots. Getting a token is a simple 2-minute process:

  1. Open @BotFather: Search for BotFather in Telegram. The official bot has a blue verification checkmark.
  2. Send /newbot: Type and send the /newbot command.
  3. Choose a display name: BotFather asks for a name that users will see (e.g. "My Weather Bot"). This can contain spaces and any characters.
  4. Choose a username: Must end in "bot" and contain only letters, numbers, and underscores (e.g. my_weather_bot). Must be unique across all Telegram bots.
  5. Receive your token: BotFather sends a message containing your token. This is the only time it's shown — copy it immediately.

BotFather also lets you manage existing bots with commands like /mybots (list all your bots), /token (regenerate token), and /deletebot (permanently delete a bot).

How to Use Your Bot Token

The token is used in one of two ways depending on your architecture:

Direct API Calls (REST)

Include the token in the API base URL:

curl -X POST \
  "https://api.telegram.org/bot1234567890:ABC.../sendMessage" \
  -H "Content-Type: application/json" \
  -d '{"chat_id": 123456, "text": "Hello!"}'

Via a Bot Framework

Most frameworks accept the token as a constructor argument:

# Python (python-telegram-bot)
from telegram.ext import Application
app = Application.builder().token("YOUR_TOKEN").build()

// Node.js (grammy)
const { Bot } = require("grammy");
const bot = new Bot("YOUR_TOKEN");

// PHP (irazasyed/telegram-bot-sdk)
use Telegram\Bot\Api;
$telegram = new Api('YOUR_TOKEN');

Never hardcode the token as a string literal in your source code. Use environment variables instead (see Security section below).

Bot Token Security: Common Mistakes to Avoid

Mistake 1: Committing tokens to GitHub

This is the most common — and most catastrophic — security mistake. Bots that scrape GitHub for exposed tokens find them within minutes of a commit. Once found, attackers can impersonate your bot, read all messages it receives, and spam users through it.

The fix: Use environment variables. Store your token in a .env file and add .env to your .gitignore before the first commit.

# .env file (never commit this)
TELEGRAM_BOT_TOKEN=1234567890:ABCdef...

# Access in Python:
import os
token = os.environ["TELEGRAM_BOT_TOKEN"]

# Access in Node.js:
const token = process.env.TELEGRAM_BOT_TOKEN;
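A complementary safeguard to the .gitignore rule is a check that refuses to commit anything token-shaped. The scanner below is an added example (not from the article) that looks for the `<digits>:<35 chars>` pattern in file contents and reports each hit with the secret masked, so the report itself does not leak the credential. The sample files are constructed; the character class of the secret and the bot-ID length range are assumptions.

```python
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Token shape as the article describes it (bot ID, colon, 35-character secret).
# No leading anchor, because the token usually sits inside a URL ("/bot123:...")
# or a string literal; the trailing lookahead stops partial matches of longer strings.
TOKEN_PATTERN = re.compile(r"(\d{8,12}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")


def redact(m: "re.Match[str]") -> str:
    """Report the public bot ID only; never echo the secret back into output or CI logs."""
    return f"{m.group(1)}:***"


def scan_lines(path: str, lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, redacted_match) for every token-shaped string found."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in TOKEN_PATTERN.finditer(line):
            hits.append((path, n, redact(m)))
    return hits


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """files maps a path to its contents (as it would be read from the staged tree)."""
    hits = []
    for path, content in files.items():
        hits.extend(scan_lines(path, content.splitlines()))
    return hits


# Constructed sample tree: two mistakes (hardcoded token, committed .env) and two clean files.
SAMPLE_FILES = {
    "bot.py": (
        "import requests\n"
        'URL = "https://api.telegram.org/bot1234567890:ABCdefGHIjklMNOpqrsTUVwxyz123456789/sendMessage"\n'
    ),
    ".env": "TELEGRAM_BOT_TOKEN=1234567890:ABCdefGHIjklMNOpqrsTUVwxyz123456789\n",
    "README.md": "Set TELEGRAM_BOT_TOKEN to the value from BotFather, e.g. 1234567890:YOUR_TOKEN\n",
    "bot_ok.py": 'token = os.environ["TELEGRAM_BOT_TOKEN"]\n',
}

if __name__ == "__main__":
    # Usage as a pre-commit hook: pass the staged file paths as arguments.
    paths = sys.argv[1:]
    if paths:
        files = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}
    else:
        files = SAMPLE_FILES
    found = scan_files(files)
    for path, line_no, masked in found:
        print(f"{path}:{line_no}: bot token found ({masked})")
    sys.exit(1 if found else 0)
```

Wired into a pre-commit hook (`git diff --cached --name-only | xargs python scan_tokens.py`), a non-zero exit blocks the commit before the token ever reaches a remote.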

Mistake 2: Including tokens in client-side code

Never put your bot token in JavaScript that runs in a browser, a mobile app's source code, or any place that users can inspect. Bot tokens should only exist server-side.

Mistake 3: Sharing tokens in team chats

Pasting your token in a Slack channel, Discord server, or even a private Telegram group is risky. Use a secrets manager (HashiCorp Vault, AWS Secrets Manager, GitHub Secrets for CI/CD) to share credentials securely with teammates.

Mistake 4: Using the same token in development and production

Create a separate bot for development and testing. Use your production token only in production. This way, if your dev environment is compromised, your production bot remains safe.

Mistake 5: Not rotating tokens after personnel changes

When a developer who had access to the token leaves your team, regenerate it immediately. Stale access is a silent risk.

What to Do If Your Token Is Leaked

If you suspect your token has been exposed, act immediately:

  1. Regenerate the token via BotFather:
    • Open @BotFather
    • Send /mybots
    • Select your bot
    • Select "API Token" → "Revoke current token"
    • BotFather issues a new token; the old one stops working instantly
  2. Update all deployment environments: Immediately update the token in your server's environment variables, CI/CD secrets, and any other system that uses it.
  3. Audit recent activity: Use the Telegram Bot API to check getUpdates for unusual activity. Look for messages you didn't send or unexpected command usage.
  4. Check your git history: If the token was committed, even a single time, rewrite the git history to remove it (or treat the repository as permanently compromised and start fresh). Use tools like git-filter-repo or BFG Repo Cleaner.
  5. Alert your users: If unauthorized messages were sent through your bot, notify your user base about the incident.
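The audit step above (and the later advice to watch for unusual sendMessage patterns) assumes you have something to audit. The Bot API does not hand you an outbound call log, so the example below, added here and not part of the article, works on a log your own application writes, plus one getUpdates result. It flags three signals: sends to chats the bot has never talked to, a burst of sends inside one minute, and gaps in update_id, which increase sequentially, so a jump means another client consumed updates with your token. The log entries, chat IDs, update IDs and the per-minute threshold are all constructed or assumed.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Chats the bot legitimately talks to (constructed). In practice, derive this from
# your own user database rather than a hardcoded set.
KNOWN_CHAT_IDS: Set[int] = {123456, 987654}
# Sends per minute above which a burst is reported; an assumption, tune per bot.
MAX_SENDS_PER_MINUTE = 20

# Constructed outbound-call log as an application might emit it (one dict per API call).
SAMPLE_CALL_LOG: List[dict] = [
    {"ts": "2026-01-10T12:00:01", "method": "sendMessage", "chat_id": 123456},
    {"ts": "2026-01-10T12:00:40", "method": "getUpdates", "chat_id": None},
    {"ts": "2026-01-10T12:01:05", "method": "sendMessage", "chat_id": 987654},
] + [
    # Burst: 25 messages within one minute to a chat the bot has never used.
    {"ts": f"2026-01-10T12:05:{i:02d}", "method": "sendMessage", "chat_id": 555000111}
    for i in range(25)
]

# Constructed getUpdates "result" array; the jump from 1003 to 1010 is the anomaly.
SAMPLE_UPDATES: List[dict] = [
    {"update_id": 1001, "message": {"chat": {"id": 123456}, "text": "/start"}},
    {"update_id": 1002, "message": {"chat": {"id": 987654}, "text": "hello"}},
    {"update_id": 1003, "message": {"chat": {"id": 123456}, "text": "/help"}},
    {"update_id": 1010, "message": {"chat": {"id": 123456}, "text": "status?"}},
]


def unexpected_chats(entries: Iterable[dict], known: Set[int] = KNOWN_CHAT_IDS) -> Set[int]:
    """Chat IDs that received a sendMessage but are not in the known set."""
    return {
        e["chat_id"]
        for e in entries
        if e["method"] == "sendMessage" and e["chat_id"] not in known
    }


def send_spikes(entries: Iterable[dict], limit: int = MAX_SENDS_PER_MINUTE) -> Dict[str, int]:
    """Minutes (YYYY-MM-DDTHH:MM) in which sendMessage was called more than `limit` times."""
    per_minute = Counter(e["ts"][:16] for e in entries if e["method"] == "sendMessage")
    return {minute: n for minute, n in per_minute.items() if n > limit}


def update_id_gaps(updates: Iterable[dict]) -> List[Tuple[int, int]]:
    """Pairs (last_seen, next_seen) where update_id did not advance by exactly one."""
    ids = sorted(u["update_id"] for u in updates)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


def audit(entries: List[dict], updates: List[dict]) -> Dict[str, object]:
    """Single report combining all three signals; empty values mean nothing suspicious."""
    return {
        "unexpected_chats": unexpected_chats(entries),
        "send_spikes": send_spikes(entries),
        "update_id_gaps": update_id_gaps(updates),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CALL_LOG, SAMPLE_UPDATES).items():
        print(f"{key}: {value}")
```

Any non-empty result is a reason to revoke the token first and investigate second; a gap in update_id is particularly telling because it cannot be produced by your own code running normally.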

Advanced Security: Restricting Token Usage

Telegram doesn't currently offer IP allowlisting for bot tokens (unlike some other APIs). However, you can implement application-level controls:

  • Validate incoming webhook requests: When using webhooks, the URL you register typically includes your bot token in its path — verify that path in your handler so that requests to any other path are rejected. Optionally, set a secret token via setWebhook's secret_token parameter (available since Bot API 6.0), which Telegram then sends in a request header you can validate.
  • Monitor for unusual patterns: Set up logging for API calls. Unusual spikes in sendMessage calls or messages to unexpected chat IDs indicate possible token compromise.
  • Rotate regularly: Regardless of any suspected breach, regenerate your token every 6–12 months as a hygiene practice.
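The webhook checks from the first bullet, written out as an added example (not the article's or any framework's code). The handler accepts a request only if the last path segment matches the registered path secret and, when a secret_token was set, the `X-Telegram-Bot-Api-Secret-Token` header matches too; both comparisons are constant-time. The article puts the bot token itself in the path; this example instead generates a dedicated random path secret, so the token never appears in web-server access logs. The base URL, the `/hooks/` prefix and the header-name handling are assumptions; `setWebhook`, its `url` and `secret_token` parameters, and the header name are the real Bot API names.

```python
import hmac
import secrets
from typing import Dict, Mapping, Optional, Tuple

SECRET_HEADER = "x-telegram-bot-api-secret-token"  # compared case-insensitively


def new_webhook_secrets() -> Tuple[str, str]:
    """Fresh (path_secret, header_secret). token_urlsafe yields only [A-Za-z0-9_-],
    which is the alphabet setWebhook accepts for secret_token."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def set_webhook_params(base_url: str, path_secret: str, header_secret: str) -> Dict[str, str]:
    """Parameters you would POST to /setWebhook (assumed /hooks/<secret> layout)."""
    return {
        "url": f"{base_url.rstrip('/')}/hooks/{path_secret}",
        "secret_token": header_secret,
    }


def verify_webhook_request(path: str, headers: Mapping[str, str],
                           expected_path_secret: str,
                           expected_header_secret: Optional[str]) -> bool:
    """True only for requests that carry the path secret and (if configured) the header secret."""
    # Path check: the last segment must equal the secret the webhook was registered with.
    segment = path.rstrip("/").rsplit("/", 1)[-1]
    if not hmac.compare_digest(segment.encode(), expected_path_secret.encode()):
        return False
    if expected_header_secret is not None:
        lowered = {k.lower(): v for k, v in headers.items()}
        presented = lowered.get(SECRET_HEADER, "")
        # compare_digest on bytes: rejects a missing or wrong header without timing leaks.
        if not hmac.compare_digest(presented.encode(), expected_header_secret.encode()):
            return False
    return True


if __name__ == "__main__":
    path_secret, header_secret = new_webhook_secrets()
    print("register with:", set_webhook_params("https://bot.example.invalid", path_secret, header_secret)["url"])
    good = verify_webhook_request(f"/hooks/{path_secret}",
                                  {"X-Telegram-Bot-Api-Secret-Token": header_secret},
                                  path_secret, header_secret)
    bad = verify_webhook_request(f"/hooks/{path_secret}", {}, path_secret, header_secret)
    print("valid request accepted:", good, "| missing header rejected:", not bad)
```

Both secrets belong in the same secrets store as the bot token, and a request that fails either check should be answered with a generic 403 and logged without echoing the presented values.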

FAQ

Can I have multiple tokens for one bot?

No. Each bot has exactly one active token at a time. When you regenerate a token, the old one is immediately revoked. There is no way to have two valid tokens simultaneously for the same bot.

Does the token give access to my bot's user data?

The token gives access to everything your bot can see: all messages sent to the bot in private chats, all messages in groups where the bot is a member, the users' names and IDs, and more. It does not give access to Telegram account credentials, phone numbers (unless explicitly shared), or messages in chats the bot is not part of.

My token stopped working. What happened?

The most common causes: (1) you accidentally regenerated it via BotFather, (2) someone with access regenerated it, (3) there's a typo in your implementation. Open BotFather, run /mybots, select your bot, and check the current token matches what you have in your code.

Is the bot ID (the number before the colon) sensitive?

The bot ID itself is not sensitive — it is the bot's public user ID and appears as the sender of every message your bot sends. The secret (after the colon) is what's sensitive. Without both parts, the token doesn't work.

How long does a bot token last?

Indefinitely. Tokens don't expire on their own. They only become invalid when you regenerate them via BotFather or when the bot is deleted. There is currently no expiry-based rotation mechanism built into the Bot API.
