How do Telegram bots work?
This article is more technical than journalistic in nature, and is intended for those who have absolutely no idea, but really want to figure out and understand the mechanics of how bots work in messengers - particularly in Telegram.
We understand that it would probably be more convenient for you to talk about bots starting with the bot interface, the way it is usually found in the messenger itself. However, this would not be entirely correct. First, bots can be without an interface. Second, their interfaces can be completely different. In any case, talking about bots through their interface would be inconsistent and not systematic.
Let's start with the fact that each bot is a certain piece of code - a script. For those who have at least a little idea of how the Internet works, we can give a simple analogy: a bot is actually a website, only without the web page itself (more precisely, its web page is the bot's buttons that you see in the messenger)... A simple Bot, like a simple website, can consist of several lines of text (code) and perform some specific small task. Such small static bots, like static websites, do not change their data when used. They only execute the program embedded in them (if you are familiar with the concept of Web 1.0, then this is it). Just like large websites - portals, a large and complex bot can be an independent full-fledged application with all the attributes corresponding to it - an internal structure and its own database (and sometimes several of those) - allowing the bot to behave differently for different users depending on the previously saved data (this is already the concept of Web 2.0).
In order for the bot script to work and interact with users, it must be located on a server connected to the Internet.
Yes - as you can see, bots are not stored in Telegram, moreover, there is no talk of any Telegram yet.
So, the script stored on the server - is the bot's logic - it defines what it "knows" and "can do". At the same time, the way you access the bot - is its interface.
You can contact the bot in different ways, for example, using API (Application Programming Interface) - the program interface of the application. In other words, a certain set of instructions or commands with a certain syntax (language) that the bot understands. Most often, these commands look like links to the Internet with additional parameters. Such a "link", contains the bot's address, the necessary data and parameters. The bot, receiving such commands, responds in the way it was programmed to respond.
To be fair, it should be noted that any request to the bot is made using its API - there is essentially no other way to contact the bot. However, within the frame of this article, at the level at which the subject is being discussed here, let's divide the interfaces for contacting the bot into two types:
1. The program interface of the application - API.
2. The user interface of the application - UI.
The UI (User Interface) - can be presented as buttons that will be shown to the user through the client (application) that the user will use to interact with the bot (in our case, the Telegram client). The user interface may not be presented visually at all. That is, the bot can work inline and not have any buttons, be controlled using text sent by the user to the chat (for example, support chat-bots), or using a set of commands with a pre-agreed syntax. There are bots that are so highly specialized that they do not require control at all. For example, a bot that deletes system messages from Telegram groups. Such a bot can simply be added to the chat and it will immediately start doing its job - it does not need any settings and it does not have any interface.
So, what do we have at the moment... We have a certain script (bot), which is located on a server connected to the Internet. This script has its own internal logic and an interface for accessing it from the outside. The interface will be shown to you in Telegram, and the logic will be executed on the server where this code is stored.
Now we move on to Telegram.
The main function of a bot in Telegram, and its concept in general, is to receive some request from a user, process it and return some information, or perform an action in accordance with the received request (command).
Since Telegram is a messenger, communication in it occurs using messages (text). Telegram users communicate with each other using text - in personal messages (chats) or in groups. From this point of view, a bot can be imagined as one of the interlocutors. Bots can also work in groups and you can also start a personal chat with them. Thus, bots created for Telegram are actually robots that receive text messages and are able to react to those messages. All these buttons and commands that you see "in bots" are nothing more than a way to send the bot the text of a message. By pressing a button, you simply send a message with its name to the chat. For the Bot, it does not matter whether you pressed a button in a chat with it, sent a command or simply sent a message with the text corresponding to the text on the button - the only thing the bot will see is the message (text), and it will react to it if such a reaction is programmed in it by the developer.
So, the bot script is stored on a server on the Internet, and the user can access its functionality using text messages in the chat, which will be transmitted to the bot by the Telegram client.
The question arises: how does Telegram know where to send the user's messages - to which server on the Internet? How can Telegram link the user, their request and the bot code located on a remote server somewhere on the Internet? In order to answer this question, let's look at the process of creating a bot in Telegram.
All bots that can work via Telegram and have their own Address there, are created using a special bot: @BotFather.
Its main task is to assign a new bot with: Telegram ID, Secret Key and associate them with the Telegram Address. Of course, @BotFather has other functions, but in this article we will only consider this one.
Telegram ID : is a sequence of numbers, in fact, it is the bot's serial number. This number allows you to uniquely identify the bot. It cannot be changed, you can only delete the bot and create a new one.
Secret Key : this is a set of Latin letters and numbers. Knowing this secret key tells Telegram that you are the owner of this bot. Do not post this key in public places. The Secret Key can be changed, in particular if it has become known to someone else.
Bot address in Telegram : this is a word or a sequence of Latin letters and numbers. The Bot address begins with "@" and ends with the word "bot". It may contain the underscore character "_". In general, it is also impossible to change the Bot address, as well as its ID.
There are rumors that there is a possibility to change the bot address through Telegram support itself, however, we do not know how effective this method is.
So, when creating a new bot, you will specify its Address yourself, and BotFather will generate and send you its Token.
Token : a combination of ID and Key - separated by a colon.
Example of Telegram ID: 123556789
Example of Secret Key: Whyf4653vhiy5f3f48ij5gh54sf3t7jh54f68
Example of Address: @Address777_Bot
Example of Token: 123556789:Whyf4653vhiy5f3f48ij5gh54sf3t7jh54f68
This combination of ID and Key in Telegram is called: Token, Secret Key, API or API Key.
Either way, this data allows you to uniquely identify your bot in Telegram and contact Telegram on behalf of this bot - confirming your rights with the Secret Key you possess.
Let's summarize the intermediate results. We have a bot code on a remote server, Telegram has the ability to transmit user requests to this bot in the form of text messages. We created a Telegram bot address for users and received a personal Identifier (ID) and Secret Key for the bot.
How do you tie them together and make them work?
We need Telegram, having received a message from a user, to be able to pass it on to a bot living on a remote server, and the bot, having processed the received request, to return its response to Telegram, which, in its turn, will show it to the user as a message...
This is how we smoothly approached the concept of Webhooks.
In order for Telegram to be able to access the bot code on the remote server and receive responses from it, Webhooks are used. How do Webhooks work?
We transferring the Bot's Token we've created (a combination of ID and Secret Key) to a remote server, which, using a special request, establishes a Webhook - that is, a connection with Telegram. Webhook allows Telegram to transmit messages from the user to the bot's code on the remote server, because with Webhook set, Telegram knows the IP address of the remote server to contact. In other words, the remote server, setting Webhook for Telegram, introduces itself using ID and confirms its rights to this ID using Secret Key, and also provides Telegram with its IP address on the Internet for communication.
In general, the user-to-bot communication chain looks like this:
1. The user sends messages to the chat with the Bot Address.
2. Telegram, having the association of the Address and the Bot ID, accesses the Webhook, which stores the IP address of the remote server with the bot code, and passes the request to it.
3. The bot on the remote server processes the request and returns a response to Telegram, which, in its turn, presents the response as a message in the chat.
So, Webhook allows Telegram to contact a remote server when necessary, without waiting for a separate request from this server. This is necessary so that the bot user can initiate interaction with the bot himself, and Telegram knows, and most importantly, can immediately send his requests to the desired address. This makes the interaction instantaneous.
For the sake of completeness, it should be noted that the bot can interact with Telegram without Webhooks. This model of work can be used if the bot is not very active and it will be enough if it asks Telegram itself to get a list of requests from users. There are bots whose work does not involve receiving information from the user at all, the bot itself sends some data with the frequency it needs. Such bots also work without Webhooks.
Only ONE Webhook can be set per one Telegram bot ID. This way, Telegram always knows which remote server with the code to contact.
You have set up a Webhook - a connection between Telegram and a remote server. What will happen if you also try to set up a Webhook on another remote server using your ID and Key? Let's imagine that you have placed your Secret Key in the public space and someone else wants to connect to Telegram on behalf of your bot using their own remote server. Knowing your Token, that is, the bot ID and Secret Key, they can also contact Telegram from their server and set up their Webhook.
Anyone who knows the correct combination of ID and Secret Key (Token) is considered the Bot's Owner by Telegram and gets all the corresponding privileges.
As we wrote above, Telegram can store only one Webhook for one bot, so all user requests will be transmitted to the remote server that LAST set the Webhook in Telegram.
The old (previous) Webhook is always overwritten by the new one.
Therefore, all requests from your users will be forwarded to the attacker's remote server, and you and your the users will see the interface of OTHER bot.
In this case, it may seem that you have lost your bot, but this is not entirely true. You are still the Owner of the bot, because its Address and ID are still associated with your Telegram account. That is, at any time you can change the Token (Secret Key) and the attacker, not knowing the new Secret Key, will lose the ability to communicate with Telegram on behalf of your bot.
It should be noted that temporary loss of access to the bot is NOT always of a criminal nature. Moreover, it is quite rare precisely because it is easily fixed by changing the Token.
Sometimes you can encounter such behavior if you create a bot simultaneously on several third-party constructors, or when creating a bot on a constructor you send a Token to some web service to work via API.
When you create and launch a bot on your server, you yourself setting a Webhook for Telegram using your Token, giving them the ability to interact. When creating a bot on the constructor, the constructor creates the code for your bot on ITS OWN server and, accordingly, communicates with Telegram, YOU must provide the constructor with the existing Token to create a Webhook. After providing the Token to the constructor, it immediately creates a Webhook for Telegram. If you provide this Token to several constructors or web services at the same time, each of them will overwrite the Webhook for Telegram to its own. In general, the service that last recorded its Webhook in Telegram will always work, but there may be options. One way or another, the behavior of your bot may become unpredictable.
For more information, see the article "Bot menu disappears and appears by itself". For the purposes of this article, the main idea you need to understand is that a bot is a program code running on a remote server and connected to Telegram via Webhook, which allows it to transmit user requests and return bot responses. The one who installed Webhook last - is considered being "a bot" for Telegram. Therefore, you should not use the same Token in different services at the same time, and when switching to a new service, it is better to change the Token.
Now you know how bots work in Telegram.