Key rule: the bot token lives in the URL path, never in a header or the frontend. Treat it like a password.
Overview
Every Bot API call uses the same base URL shape; the token is a path segment:
https://call.mp.net/bot/bot{MPCHAT_BOT_TOKEN}/{methodName}
Host is call.mp.net; the path is /bot/bot + token + / + the method name (for example getMe, sendMessage).
Token safety rules
Not in the frontend — never in WebView, browser, or mobile code.
Not in logs — redact it in app logs, APM, and error reporting.
Not in version control — add
.envto.gitignore; inject via CI secrets.Not in chat — never paste a real token into tickets, IM, or AI conversations.
Rotate on leak — revoke immediately in BotFather and replace.
HTTP methods and content types
Most write operations are POST.
getMe,getUpdates,getWebhookInfo, andgetMyCommandsalso accept GET.application/jsonfor the vast majority of write methods.multipart/form-datafor local media uploads (sendPhoto,sendVideo,sendDocument,setChatPhoto).
ID type rules
chat_id, user_id, and message_id accept a JavaScript safe integer (0 to 9007199254740991) or a decimal string in the same range. Store as BIGINT or VARCHAR and mind JSON precision.
Rate limits
Default is 30 requests/second per token; exceeding it returns 429. Production code must implement exponential backoff (see the production checklist).
Pre-request checklist
Token read from an environment variable.
ID types match the documented rules.
POST body is valid JSON.
Media methods use a public URL or multipart (no
file_idreuse).
Related
Keep separate tokens for test and production bots. A leaked token should be revoked before anything else.
