Skip to main content

Authentication and request model: base URL, token safety, ID rules, rate limits

How MPChat bot requests are authenticated and shaped: the base URL, five token-safety rules, HTTP methods, content types, ID rules, and a 30 req/s rate limit.

Key rule: the bot token lives in the URL path, never in a header or the frontend. Treat it like a password.


Overview

Every Bot API call uses the same base URL shape; the token is a path segment:

https://call.mp.net/bot/bot{MPCHAT_BOT_TOKEN}/{methodName}

Host is call.mp.net; the path is /bot/bot + token + / + the method name (for example getMe, sendMessage).

Token safety rules

  • Not in the frontend — never in WebView, browser, or mobile code.

  • Not in logs — redact it in app logs, APM, and error reporting.

  • Not in version control — add .env to .gitignore; inject via CI secrets.

  • Not in chat — never paste a real token into tickets, IM, or AI conversations.

  • Rotate on leak — revoke immediately in BotFather and replace.

HTTP methods and content types

  • Most write operations are POST. getMe, getUpdates, getWebhookInfo, and getMyCommands also accept GET.

  • application/json for the vast majority of write methods.

  • multipart/form-data for local media uploads (sendPhoto, sendVideo, sendDocument, setChatPhoto).

ID type rules

chat_id, user_id, and message_id accept a JavaScript safe integer (0 to 9007199254740991) or a decimal string in the same range. Store as BIGINT or VARCHAR and mind JSON precision.

Rate limits

Default is 30 requests/second per token; exceeding it returns 429. Production code must implement exponential backoff (see the production checklist).

Pre-request checklist

  • Token read from an environment variable.

  • ID types match the documented rules.

  • POST body is valid JSON.

  • Media methods use a public URL or multipart (no file_id reuse).

Related

Keep separate tokens for test and production bots. A leaked token should be revoked before anything else.

Did this answer your question?