How to get a bot API token

A Telegram bot API token is a unique authentication string that allows your applications to interact with Telegram's Bot API. You can get one in under a minute by messaging @BotFather — Telegram's official bot for creating and managing bots — and using the /newbot command.

What Is a Bot API Token?

A bot API token is a string that looks like 7204583149:AAHtGnkEL-JKR3v_qM8XbFpYzW2dLsNcUo0. It consists of two parts separated by a colon: the bot's unique numeric ID and a cryptographic hash. This token serves as both the bot's identifier and its password — anyone who has the token can fully control the bot.

Telegram's Bot API uses this token to authenticate every request your code makes. Whether you're sending messages, setting up webhooks, or managing channel posts, the token must be included in each API call. Without a valid token, the API rejects all requests with a 401 Unauthorized error.

Why You Need a Bot API Token

  • Channel automation: Post content, moderate comments, and manage your channel programmatically
  • Webhook integrations: Connect your Telegram channel to external services like tgchannel.space for automatic web publishing
  • Custom bots: Build interactive bots for your community with inline keyboards, commands, and more
  • Analytics and monitoring: Track channel activity and gather statistics through API calls

Step-by-Step Guide to Getting Your Token

Step 1: Open @BotFather

Open Telegram on any device (mobile, desktop, or web) and search for @BotFather in the search bar. Make sure you select the verified account with a blue checkmark next to the name. Tap Start if this is your first interaction.

Step 2: Create a New Bot

Send the command /newbot to BotFather. You can either type it or tap it from the command menu.

Step 3: Choose a Display Name

BotFather will ask you to choose a name for your bot. This is the display name that users see in chats and can contain spaces, emoji, and any characters. For example:

  • My Channel Publisher
  • Tech News Autopost
  • Sales Notification Bot

Step 4: Choose a Username

Next, BotFather asks for a username. This must be unique across all of Telegram and must end with the word bot (case-insensitive). It can only contain Latin letters, numbers, and underscores. Examples:

  • my_channel_publisher_bot
  • tech_news_autopost_bot
  • SalesNotifyBot

If the username is already taken, BotFather will ask you to try another one. Short, descriptive usernames tend to be taken, so consider adding your brand name or a unique prefix.

Step 5: Copy Your Token

Once the username is accepted, BotFather responds with a congratulations message containing your HTTP API token. It looks like this:

Use this token to access the HTTP API:
7204583149:AAHtGnkEL-JKR3v_qM8XbFpYzW2dLsNcUo0

Copy this entire string carefully — you'll need it for any API integration.

Step 6: Verify the Token Works

You can quickly verify your token by opening this URL in a browser (replace YOUR_TOKEN with the actual token):

https://api.telegram.org/botYOUR_TOKEN/getMe

A successful response returns JSON with your bot's details:

{
  "ok": true,
  "result": {
    "id": 7204583149,
    "is_bot": true,
    "first_name": "My Channel Publisher",
    "username": "my_channel_publisher_bot"
  }
}

Managing Your Token

Regenerating a Compromised Token

If your token is leaked or compromised, immediately revoke it by sending /revoke to @BotFather. Select the affected bot from the list, and BotFather issues a new token. The old token stops working instantly — any service using it will lose access.

Viewing Existing Tokens

Send /mybots to @BotFather to see all your bots. Select a bot, then tap API Token to view its current token. You can also use /token followed by selecting the bot.

Configuring Bot Settings

While in @BotFather, you can customize your bot further with these commands:

Command Purpose /setdescription Set the bot's bio visible on its profile /setabouttext Set the short "About" text /setuserpic Upload a profile picture /setcommands Define the bot's command menu /setprivacy Toggle group privacy mode /deletebot Permanently delete the bot

Using the Token for Channel Automation

Once you have the token, the most common use case is connecting a bot to your Telegram channel for automation. Here's how:

  1. Add the bot as a channel administrator. Open your channel settings, go to Administrators, and add your bot by its username. Grant it the permissions it needs — typically Post Messages at minimum.

  2. Configure the webhook or polling. Services like tgchannel.space use webhooks: you provide your bot token, and the platform registers a webhook URL so that every new channel post is automatically forwarded for processing and web publishing.

  3. Test the connection. Post a test message in your channel and verify it's received by your integration.

Important: A bot must be an administrator of the channel to receive updates about new posts. Simply being a member is not enough.

Token Security Best Practices

Your bot token is essentially a password. Treat it with the same level of care:

  • Never commit tokens to public repositories. Use environment variables or secrets managers instead. If your code is on GitHub, use GitHub Secrets or a .env file that's listed in .gitignore.
  • Use environment variables in production. Store the token as BOT_TOKEN or TELEGRAM_BOT_TOKEN in your deployment environment rather than hardcoding it.
  • Restrict bot permissions. When adding a bot to a channel, only grant the permissions it actually needs. A publishing bot doesn't need Delete Messages or Edit Messages from Others.
  • Rotate tokens periodically. Even without a known compromise, regenerating your token every few months is a good security habit, especially for high-value channels.
  • Use one bot per purpose. Instead of reusing a single bot across multiple projects, create dedicated bots. This limits the blast radius if a token leaks.

Tips & Best Practices

  • Name your bots descriptively. When managing multiple bots, clear names like techblog_publisher_bot save time versus generic names like my_bot_123.
  • Save your token immediately. BotFather won't proactively show it again — you'd need to use /mybots to retrieve it later.
  • Test with getMe first. Before integrating the token into any service, verify it works with the simple getMe API call to avoid debugging connection issues caused by a typo in the token.
  • Keep @BotFather chat accessible. Pin the BotFather chat or save it to avoid searching for it when you need to manage your bots.
  • Set up bot commands with /setcommands. Even for channel-only bots, defining commands helps if users interact with the bot directly.

Common Mistakes

Mistake 1: Sharing the token publicly
Why it's wrong: Anyone with the token can send messages as your bot, delete content, or spam your channel's subscribers.
How to avoid: Store tokens in environment variables, never paste them in public chats, forums, or commit them to version control. If exposed, immediately /revoke through @BotFather.

Mistake 2: Using the wrong @BotFather
Why it's wrong: Scam accounts impersonating BotFather exist and may steal your information.
How to avoid: Only interact with the verified @BotFather account (user ID 93372553) that displays a blue verification checkmark.

Mistake 3: Forgetting to add the bot as a channel admin
Why it's wrong: The bot will have a valid token but won't receive any channel updates, making it seem like the integration is broken.
How to avoid: After creating the bot, go to your channel's Administrators section and explicitly add the bot with appropriate permissions.

Mistake 4: Hardcoding the token in application code
Why it's wrong: If the codebase is shared, pushed to a repository, or accessed by unauthorized personnel, the token is compromised.
How to avoid: Use environment variables (ENV['BOT_TOKEN']) or encrypted credentials (like Rails' credentials.yml.enc).

Mistake 5: Not revoking old tokens
Why it's wrong: Unused bots with active tokens remain potential security vulnerabilities.
How to avoid: Periodically audit your bots with /mybots and either delete unused bots with /deletebot or revoke their tokens.

Frequently Asked Questions

How many bots can one Telegram account create?
A single Telegram account can create up to 20 bots through @BotFather. If you need more, you'll need to contact Telegram support or use a different account.

Can I use the same bot token for multiple channels?
Yes, a single bot can be added as an administrator to multiple channels simultaneously. However, for better security and isolation, it's recommended to use separate bots for separate channels or projects.

Does the token expire?
No, Telegram bot tokens do not expire automatically. A token remains valid until you explicitly revoke it through @BotFather using the /revoke command or delete the bot entirely.

Can I change my bot's username after creation?
Yes, send /setusername to @BotFather and select the bot you want to rename. The new username must still end with bot and be unique across Telegram. Note that the token remains the same after a username change.

What happens if I delete and recreate a bot with the same name?
The new bot will have a completely different token and numeric ID. Any services configured with the old token will stop working and must be updated with the new token. The old username may or may not be available for reuse immediately.