Telegram
Telegramsaas3 credentials
Bot API Token
telegram / bot-token
Telegram Bot API tokens authenticate HTTPS requests for a bot. Telegram documents that each bot receives a unique authentication token when it is created and shows the token embedded in /bot<token>/ API URLs.
Looks like
example123456789:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
TELEGRAM_BOT_TOKEN, BOT_TOKENhttps://api.telegram.org/bot<token>/METHOD_NAME.env files, bot config files, deployment manifests, systemd units
CI/CD variables, cloud secret managers, hosted bot settings
bot scripts, webhook handlers, notebooks, committed examples
request URLs, webhook debug logs, bot framework logs, reverse-proxy logs
Notes
Anyone with the bot token can call Bot API methods as that bot. Rotate leaked bot tokens through BotFather or the managed-bot token replacement flow where applicable.
MTProto api_id / api_hash
telegram / mtproto-api-id-api-hash
Telegram MTProto client applications use api_id and api_hash parameters obtained from my.telegram.org API development tools. Telegram documents that these parameters are required for user authorization.
Looks like
patternapi_hash\s*[:=]\s*[a-f0-9]{32}api_id\s*[:=]\s*[0-9]+Location
TELEGRAM_API_ID, TELEGRAM_API_HASHTelethon/Pyrogram config, .env files, client app config
CI/CD variables, cloud secret managers, hosted app settings
MTProto clients, automation scripts, committed examples
client debug logs and failed authorization traces
Notes
api_hash is the sensitive half of the pair. A client still needs the user's phone authorization flow or existing session to act as a user.
MTProto Session String / File
telegram / mtproto-session-string
Telegram MTProto client libraries commonly persist user or bot sessions after authorization. These sessions are not a Bot API token, but they can allow a client to continue acting as the authorized Telegram account.
Location
Telethon .session files, Pyrogram session files, local bot/client state
TELEGRAM_SESSION, STRING_SESSIONSQLite session databases used by MTProto client libraries
CI/CD variables and secret stores holding string sessions
committed session strings, notebooks, automation scripts
backups, container images, bot deployment bundles
Notes
Session artifacts can outlive the original login flow. Revoke sessions from Telegram account settings or regenerate bot credentials if exposed.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.