Tick every box before go-live. Most production incidents come from leaked tokens, missing retries, or auto-executing high-risk methods.
Overview
A pre-launch checklist grouped by concern. Pair it with the smoke test at the end.
Token security
Token only in secret management / environment variables, never in the repo.
Separate tokens for production and test bots.
CI/CD injects secrets; nothing printed to build logs.
A documented token-leak rotation SOP exists.
Webhook security
HTTPS public URL.
secret_token set and the X-MpChat-Bot-Api-Secret-Token header validated.
The webhook endpoint does not expose admin interfaces.
Verify in a test environment before running setWebhook on production.
Rate limits and retries
Client-side throttle at or below 30 req/s per token.
Exponential backoff on 429 and 500; no retry on 400/401/403; reconcile polling vs webhook on 409.
Bound concurrency for batch operations.
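A sketch of the throttle and retry rules above, added here as an example and not taken from the platform's own SDK. `send` is a hypothetical callable that returns the HTTP status code; the backoff base, cap, jitter and attempt limit are assumed values.

```python
import random
import time

RETRYABLE = {429, 500}   # back off and retry, per the checklist
CONFLICT = 409           # polling vs webhook clash: reconcile, do not loop
MAX_RPS = 30             # per-token ceiling from the checklist


class Throttle:
    """Spaces calls so a single token never exceeds max_rps."""

    def __init__(self, max_rps=MAX_RPS, clock=time.monotonic, sleep=time.sleep):
        self.interval, self.clock, self.sleep = 1.0 / max_rps, clock, sleep
        self.next_at = 0.0

    def wait(self):
        now = self.clock()
        if now < self.next_at:
            self.sleep(self.next_at - now)
            now = self.next_at
        self.next_at = now + self.interval


def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full-jitter exponential backoff: rng() * min(cap, base * 2**attempt)."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(send, throttle, max_attempts=5, sleep=time.sleep,
                    rng=random.random):
    """Returns (outcome, attempts); outcome is ok, fatal, reconcile or gave_up."""
    for attempt in range(max_attempts):
        throttle.wait()                      # retries count against the limit too
        status = send()
        if 200 <= status < 300:
            return "ok", attempt + 1
        if status == CONFLICT:
            return "reconcile", attempt + 1  # caller must fix polling vs webhook
        if status not in RETRYABLE:
            return "fatal", attempt + 1      # 400/401/403: retrying cannot help
        if attempt + 1 < max_attempts:
            sleep(backoff_delay(attempt, rng=rng))
    return "gave_up", max_attempts
```

Treating every status outside 429/500/409 as fatal is a conservative choice made for this example; a 401 in particular should trigger the token-leak rotation SOP rather than another attempt.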
Log redaction
No token, full initData, or sensitive user fields in logs.
Error reporting has redaction rules.
Access logs do not store the full webhook URL with its secret.
High-risk APIs (DocOnly, require approval + rollback)
logOut, leaveChat, deleteMessage(s), banChatMember, setWebhook, deleteWebhook.
Deployment pipelines contain no automatic calls to these.
The runbook records the approver and rollback steps.
Smoke test
getMe — token valid.
getWebhookInfo — URL correct.
Simulate a user message — webhook receives the update.
sendMessage — reply succeeds.
(If applicable) initData verification passes.
Related
Also verify idempotency: assess the business side effects of a repeated sendMessage, and persist a webhook update before returning 200.
