How to get a Telegram bot token from BotFather

Every Telegram bot needs one secret string to work. Here's how to create your bot and grab its token in under a minute — no website, no sign-up form, just BotFather inside Telegram.

A Telegram bot token is the secret key you get from @BotFather: open BotFather, send /newbot, choose a display name and a username ending in "bot", and BotFather replies with a token like 123456789:AAH.... That token is your bot's ID and password rolled into one — your code sends it on every Bot API call. Keep it private, and revoke it in BotFather with /revoke if it ever leaks.

How to get a Telegram bot token, step by step

Open @BotFather. In any Telegram app, search for @BotFather and open the chat. Make sure it's the official one with the blue verified checkmark — BotFather is Telegram's own bot for managing bots.
Send /newbot. BotFather walks you through two quick prompts.
Pick a display name. This is what users see at the top of the chat — anything you like, e.g. My Cool Service.
Pick a username. It must be unique across Telegram and end in bot, e.g. mycoolservice_bot. This becomes your bot's t.me/… link.
Copy the token. BotFather replies with a line like Use this token to access the HTTP API: 123456789:AAH.... That long string is your bot token.

That's it — you now have a live bot. To point your code at it, you call the Bot API at https://api.telegram.org/bot<TOKEN>/METHOD. A quick sanity check is the getMe method:

https://api.telegram.org/bot123456789:AAH.../getMe

If it returns your bot's details, the token works. From there, see how to build a Telegram bot to wire up real commands and replies.

Keep your bot token secret

Anyone holding your token can fully control your bot — read messages it receives, send messages as it, and change its settings. Treat it exactly like a password:

Never paste the token into client-side code, a public GitHub repo, a screenshot, or a support chat.
Store it in an environment variable or a secrets manager, not hard-coded in source.
If the token ever leaks, revoke it immediately (see below) — there's no harm in regenerating.

How to regenerate or revoke a bot token

If a token is compromised, you don't delete the bot — you rotate the token:

Open @BotFather and send /mybots (or /token to fetch, /revoke to rotate).
Pick the affected bot, then choose API Token → Revoke current token.
BotFather instantly invalidates the old token and gives you a new one. Update your deployment with the new value.

The old token stops working the moment you revoke it, so rotate first and update your config second to close the gap.

Bot token vs api_id / api_hash — what's the difference?

These two get mixed up all the time, so it's worth being precise about how to get an api_id on Telegram versus a bot token:

Bot token	api_id & api_hash
From @BotFather, in Telegram.	From my.telegram.org, signed in with your phone number.
For the HTTP Bot API — the simple way most bots are built.	For the lower-level MTProto client API (Telethon, TDLib, custom clients, userbots).
Identifies a bot account.	Identifies an application that talks to Telegram on a user's behalf.

For the vast majority of projects you only need a bot token — the Bot API covers commands, messages, payments, inline buttons, and more, and every Bot API bot is fully within Telegram's Terms of Service. You only reach for api_id / api_hash when you're building a client that acts as a normal Telegram user rather than a bot.

Frequently asked questions

What is a Telegram bot token?

A Telegram bot token is the secret string that BotFather hands you when you create a bot. It looks like 123456789:AAH...xyz and acts as both the bot's ID and its password. Your code sends it on every Bot API request so Telegram knows which bot is calling and that the call is authorised.

Where do I get a bot token?

From @BotFather inside Telegram. Open BotFather, send /newbot, choose a display name and a username ending in bot, and BotFather replies with your token. There is no website or sign-up form — the token only comes from BotFather.

Is the bot token the same as api_id and api_hash?

No, and people conflate them constantly. The bot token is for the HTTP Bot API and comes from BotFather. The api_id and api_hash are for the lower-level MTProto client API (Telethon, TDLib, building your own client) and come from my.telegram.org. Most bots only need the token.

I lost or leaked my token — what now?

Open BotFather, send /mybots, pick the bot, and choose API Token → Revoke current token (also reachable via /token and /revoke). The old token stops working immediately and you get a fresh one. Always revoke if a token ever lands in a public repo, a screenshot, or a chat.

Do bot tokens expire?

No. A token stays valid until you revoke it in BotFather. There is no expiry and no refresh step, which is exactly why you should treat it like a password and keep it out of client-side code and version control.

More Telegram bot guides

Bot development service Subscription bot Payment bot AI / ChatGPT bot Music bot Channel search bot Best Telegram bots What is a Telegram bot?How to build a bot How to add & use a bot