SokkoSokko
← Back to blog

Connect an AI Agent to Telegram Without BotFather (1 Scan)

Sokko Team8 min read

Connect AI agent to Telegram without BotFather: two paths

There are two paths to give your AI agent a Telegram presence. The classic one runs through BotFather, Telegram's official bot-for-making-bots. The newer one lets you connect an AI agent to Telegram without BotFather at all: you scan a QR code once, confirm in the app, and a bot token flows into your agent automatically.

Both produce the same end result, a working bot token your agent uses to send and receive messages. They differ in how much manual copy-paste you do and how well they fit an automated hosting setup. This guide covers both, honestly, so you can pick the right one. If your goal is to reach that agent on the go afterward, pair this with our piece on how to control an AI agent from your phone.

First, a quick note on what a token even is. Telegram gives every bot a secret string like 123456:ABC-DEF.... Whoever holds that token can act as the bot. So the whole exercise, either path, is really "safely obtain a token and hand it to your agent." Telegram's own intro to bots is a good primer if you're new to this.

The traditional BotFather flow

BotFather has been the standard for years and it still works. Here's the full sequence:

  1. Open Telegram and search for @BotFather (the one with the blue verified check).

  2. Send /newbot.

  3. Give it a display name when prompted (for example, "Ops Agent").

  4. Give it a username ending in bot (for example, myops_agent_bot).

  5. BotFather replies with the token. Copy it.

  6. Paste the token into your agent's config or environment.

That's it. For a one-off personal project, it's fine. Where it gets tedious is at scale or in automation: every new agent means a human opening Telegram, typing commands, copying a secret, and pasting it into a config file by hand. That manual token handoff is the exact step the no-BotFather flow removes.

Where the BotFather flow trips people up

The steps read cleanly, but a few things bite in practice:

  • Username collisions. The username must be globally unique and end in bot. Popular names are long gone, so you cycle through variations until one sticks.

  • Clipboard leaks. Copying a live credential and pasting it into a file means the token passes through your clipboard, your shell history if you're careless, and possibly a commit. Each hop is a place it can leak.

  • No audit trail. Nothing records which human created which bot for which agent. At one bot that's fine. At twenty it's a mess.

A minimal config after BotFather

However you get the token, your agent config ends up looking something like this:

telegram:
  bot_token: "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
  mode: long_polling
  allowed_chat_ids:
    - 987654321

Keep that token out of git. Treat it like a password, because it is one.

Connect an AI agent to Telegram without BotFather

Here's the one-scan alternative. Instead of you talking to BotFather, your hosting platform drives the bot creation for you. You scan a QR code, tap to confirm in Telegram, and the new bot's token is delivered straight to your agent. No copy-paste, no manual /newbot.

The steps

  1. In your hosting dashboard, choose "Connect Telegram" for the agent.

  2. A QR code appears, and it's only valid for a few minutes.

  3. Open Telegram on your phone and scan the QR (or tap the link if you're already on the device).

  4. Telegram opens the bot-creation prompt. Confirm the new bot.

  5. The child bot is created and its token flows into your agent automatically. Nothing to copy.

The whole thing takes well under a minute. You never see the raw token, which is arguably safer, since it goes machine-to-machine instead of through your clipboard and a config file.

What happens when you scan

It helps to know why this isn't magic. The bot is still created inside Telegram, under your own account, with your consent. The confirmation you tap is Telegram asking "do you want to create this bot?" Nothing is created behind your back.

You scan, you confirm, and the new bot's token is delivered straight to your agent, machine-to-machine, so it never touches your clipboard. The link is short-lived, so a QR that leaks or lingers in a screenshot can't be reused later. You keep the convenience of automation without handing your Telegram login to anyone; the platform never signs in as you.

How the QR flow compares

BotFather flowNo-BotFather one-scan
Steps for you6 manual (type, copy, paste)1 scan + 1 confirm
Handles the tokenYou copy/paste itAuto-delivered to the agent
TimeA few minutesUnder a minute
Good forOne-off, full manual controlFast onboarding, many agents
Session limitNoneQR expires after a few minutes

When you'd still use BotFather

The no-BotFather path is faster, but be honest about the cases where the classic flow is the right call:

  • You want to reuse an existing bot. If you already have a bot with history, followers, or a set username, BotFather is where you manage it. The QR flow creates a fresh bot.

  • You need BotFather-only settings. Commands lists, inline mode, bot description and about text, or transferring ownership are configured through BotFather.

  • Your agent isn't on a platform that offers the QR flow. If you're self-hosting from scratch, BotFather is the universal fallback that always works.

There's no shame in either. The QR flow optimizes for speed and automation; BotFather optimizes for manual control and full settings access. Pick per situation, and know you can always open BotFather later to tweak a bot the QR flow created.

A common worry: does the child bot still belong to you? Yes. It is created under your Telegram account, so you keep full ownership and can manage or delete it from BotFather at any time. The one-scan flow just automates the creation and token handoff; it does not put the platform between you and your bot afterward.

Security: the token is the whole game

Whichever path you took, the security story reduces to one sentence: whoever holds the token is the bot. Guard it accordingly.

  • Never commit it. Put it in an injected secret or an environment variable, not a tracked file. Scan your history if you suspect it slipped in.

  • Rotate on suspicion. If a token might have leaked, revoke it through BotFather and issue a new one. Bots are cheap; a compromised one isn't worth keeping.

  • Allowlist senders. A token lets your bot talk to anyone, and anyone can find and message it. Have the agent respond only to chat IDs you trust and ignore the rest.

The one-scan flow helps here by keeping the token off your clipboard entirely, but the habits above still apply once it's live.

After you're connected

Once the token is in place, the mechanics are the same regardless of which path you took. Your agent either long-polls Telegram or receives webhooks, then handles each message. A tiny handler looks like this:

def on_message(msg):
    if msg.from_id not in ALLOWED_IDS:
        return
    if msg.text == "/status":
        return agent.status_summary()
    return agent.handle(msg.text)

Two things to get right afterward:

  • Persist the token and message state. If your host wipes the disk on restart, you'll lose the token and any offset tracking and have to reconnect. That's why durable storage matters; see persistent state for AI agents.

  • Deploy somewhere always-on. A bot that only answers when your laptop is awake isn't much of a bot. Our guide to deploying your first agent covers doing this properly.

Quick troubleshooting

If the connection doesn't behave, start here:

  • QR expired. The link is only valid for a few minutes. If you were slow, generate a fresh one and scan again.

  • Bot replies to no one. Check your allowlist. If it's empty or wrong, every message gets dropped by your own filter.

  • Duplicate replies. You're probably not advancing the update offset (or running two pollers). Track the offset and run a single consumer.

  • Silence after a redeploy. The token or offset didn't persist. Confirm they live on durable storage, not an ephemeral disk.

If you want more background on the platform itself, the Telegram overview on Wikipedia is a decent neutral starting point.

How Sokko fits

Sokko is managed AI-agent hosting, and the no-BotFather flow described above is exactly how onboarding works on it. You scan, you confirm in the Telegram app, and the new bot's token is delivered to your agent automatically, no clipboard involved. That token lands in an agent that runs in its own private, isolated space, with your API keys and tokens kept in secure storage and its files saved across restarts, so a redeploy never costs you the connection. It works with the chat-facing runtimes (OpenClaw and Hermes), you bring your own model keys or use Sokko credits with no token markup, hosting is available in the US or EU and GDPR-ready, and plans start from about $12/month per agent. If the manual BotFather dance is the thing slowing you down, that one-scan connection is the part Sokko handles for you.