lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Telegram

Telegramsaas3 credentials

Credentials3 documented
01

Bot API Token

telegram / bot-token

Telegram Bot API tokens authenticate HTTPS requests for a bot. Telegram documents that each bot receives a unique authentication token when it is created and shows the token embedded in /bot<token>/ API URLs.

generated on installsecrettoken

Looks like

example
example

Telegram Bot API token format documented by Telegram

123456789:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
TELEGRAM_BOT_TOKEN, BOT_TOKEN
public interface
https://api.telegram.org/bot<token>/METHOD_NAME
config file

.env files, bot config files, deployment manifests, systemd units

secret store

CI/CD variables, cloud secret managers, hosted bot settings

source code

bot scripts, webhook handlers, notebooks, committed examples

logs

request URLs, webhook debug logs, bot framework logs, reverse-proxy logs

Notes

Anyone with the bot token can call Bot API methods as that bot. Rotate leaked bot tokens through BotFather or the managed-bot token replacement flow where applicable.

02

MTProto api_id / api_hash

telegram / mtproto-api-id-api-hash

Telegram MTProto client applications use api_id and api_hash parameters obtained from my.telegram.org API development tools. Telegram documents that these parameters are required for user authorization.

user definedsecretAPI key

Looks like

pattern
pattern

Telegram API hash value in application configuration

api_hash\s*[:=]\s*[a-f0-9]{32}
pattern

Telegram API ID value; api_id and api_hash are useful as a pair

api_id\s*[:=]\s*[0-9]+

Location

environment
TELEGRAM_API_ID, TELEGRAM_API_HASH
config file

Telethon/Pyrogram config, .env files, client app config

secret store

CI/CD variables, cloud secret managers, hosted app settings

source code

MTProto clients, automation scripts, committed examples

logs

client debug logs and failed authorization traces

Notes

api_hash is the sensitive half of the pair. A client still needs the user's phone authorization flow or existing session to act as a user.

03

MTProto Session String / File

telegram / mtproto-session-string

Telegram MTProto client libraries commonly persist user or bot sessions after authorization. These sessions are not a Bot API token, but they can allow a client to continue acting as the authorized Telegram account.

generated on installsecrettoken

Location

config file

Telethon .session files, Pyrogram session files, local bot/client state

environment
TELEGRAM_SESSION, STRING_SESSION
database

SQLite session databases used by MTProto client libraries

secret store

CI/CD variables and secret stores holding string sessions

source code

committed session strings, notebooks, automation scripts

artifact

backups, container images, bot deployment bundles

Notes

Session artifacts can outlive the original login flow. Revoke sessions from Telegram account settings or regenerate bot credentials if exposed.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.