They are mutually exclusive. While a webhook is enabled, getUpdates returns 409. Use polling for development, webhook for production.
Overview
Pick one delivery mode. Polling actively pulls; webhook gets pushed. setWebhook and deleteWebhook are high-risk controlled operations — do not run them casually against a production bot.
getUpdates parameters
offset— last maxupdate_id + 1to avoid re-consuming.limit— 1 to 100, default 100.timeout— 0 to 50 seconds of long polling.allowed_updates— type filter, e.g.["message"].
A successful response marks that batch as consumed. Undelivered pending updates are retained at most 24 hours.
curl -s -X POST "https://call.mp.net/bot/bot${MPCHAT_BOT_TOKEN}/getUpdates" \
-H "Content-Type: application/json" \
-d '{"offset":0,"timeout":30,"limit":50,"allowed_updates":["message"]}'
Configuring a webhook
curl -s -X POST "https://call.mp.net/bot/bot${MPCHAT_BOT_TOKEN}/setWebhook" \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com/mp-bot/webhook","secret_token":"YOUR_WEBHOOK_SECRET"}'
url— required, must be HTTPS. An empty string is equivalent todeleteWebhook.secret_token— optional; when set, requests carry theX-MpChat-Bot-Api-Secret-Tokenheader.max_connections,allowed_updates— optional tuning and type filter.
Before saving, the server sends an HTTPS reachability probe; your endpoint must return any 2xx (even for an empty body).
Validating secret_token (server pseudo-code)
const incoming = req.headers["x-mpchat-bot-api-secret-token"];
if (incoming !== process.env.WEBHOOK_SECRET) {
return res.status(401).end();
}
Choosing a mode
Local development: getUpdates; confirm no webhook with
getWebhookInfo.Production: webhook +
secret_tokenvalidation.Switching: verify in a test environment before running
setWebhookagainst the target bot.
Related
Group joins arrive as message.new_chat_members, leaves as message.left_chat_member, and pins as message.pinned_message when visible to the bot.
