Telegram Bot Token
Detects Telegram Bot API tokens: the numeric bot ID, a colon, and a 35-character [A-Za-z0-9_-] secret. A leaked bot token grants full control of the bot -- reading its message traffic, sending messages to every chat it belongs to, and hijacking any workflow automation built on it.
- Type
- regex
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium confidence: the shape is structurally pinned by three independent production detectors (35-character secret, numeric-ID:secret layout consistent with Telegram's own Bot API docs example) and Telegram Bot Token appears in GitHub's secret-scanning pattern set, which matches on the bare shape. The evidentiary split on the secret's first letter is disclosed honestly: gitleaks pins a case-sensitive leading A, but TruffleHog and Kingfisher impose no letter constraint and TruffleHog's test fixture contains a valid B-starting secret -- so this pattern follows the 2-of-3 no-pin majority. It is a digits:string layout rather than a literal vendor prefix -- log lines or ratio-like data (epoch:hash) can approximate it -- and both regex-first scanners (TruffleHog, gitleaks) choose to context-gate it in their rules, so the value-only tier is discovery-grade and the recommended confidence tier requires Telegram keywords in proximity.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 8
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_-])[0-9]{7,12}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])
Corroborative evidence keywords
telegram, telegram.org, api.telegram.org, TELEGRAM_BOT_TOKEN, BotFather, bot token, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database (+39 more)
Proximity: 300 characters
Should match
1234567890:AABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh— Telegram bot token (10-digit bot ID + colon + A-leading 35-char secret)TELEGRAM_BOT_TOKEN=98765432:AAzyxwvutsrqponmlkjihgfedcba9876543— Labelled bot token in the canonical env var (8-digit bot ID)telegram bot token: 123456789:AAabcdefghijklmnopqrstuvwxyz0123456— Bot token with a preceding Telegram label (9-digit bot ID)987654321:BbcABCDEFGHIJK-abcdefghijklmnopq012— B-starting secret (mirrors the shape of TruffleHog's own valid test fixture; only gitleaks pins a leading A)
Should not match
123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11— Telegram's own documentation placeholder token (6-digit ID below the 7-digit floor; 34-char secret below the 35-char pin)1234567890:AABCDEFGHIJKLMNOPQRSTUVWXYZabc— Secret far too short (30 chars, not 35)1234567890:AABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi— Secret too long (36 chars, not 35)the telegram bot token is stored with BotFather— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Log or data lines of the form <epoch>:<token> where a 10-digit timestamp is followed by a 35-character [A-Za-z0-9_-] string. Mitigation: The exact 35-character length and boundary lookarounds make coincidental matches rare; the recommended confidence tier additionally requires Telegram keywords in proximity, and the value-only tier is discovery-grade.
- A token embedded in the canonical URL form https://api.telegram.org/bot<token>/... is NOT detected because the digits are glued to the word "bot". Mitigation: Documented as a known limitation shared by all three production detectors (identical word-boundary behavior); the surrounding api.telegram.org text still triggers keyword-level review.
- Documentation or examples showing placeholder <digits>:<secret> tokens. Mitigation: Telegram's own docs placeholder uses a 6-digit ID and does not match; require corroborative Telegram keywords and check for placeholder markers.
References
- Telegram Bot API docs (token example 123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11 in Authorizing your bot)
- TruffleHog production Telegram detector (label-gated [0-9]{8,10}:[a-zA-Z0-9_-]{35}, no letter pin; its test fixture includes a valid B-starting secret)
- gitleaks.toml telegram-bot-api-token rule ([0-9]{5,16}:(?-i:A)[a-z0-9_-]{34}; the only scanner that pins a leading A)
- Kingfisher production Telegram rule (label-gated [0-9]{7,10}:[A-Z0-9_-]{35} case-insensitive)
- Supported secret scanning patterns - GitHub Docs (Telegram Bot Token in the scanned pattern set)