Authentication
Different API modules use different authentication methods.
Bot API — Bot Token
Bot API uses Token authentication. The Token is included in the request URL path:
POST https://api.example.com/bot{token}/sendmessage
The Token is issued by BotFather when creating the Bot. The server validates the Token and identifies the Bot accordingly.
WARNING
The Token is the Bot's sole credential. Keep it safe and never expose it.
Wallet API — RSA Signature
Wallet API uses request header signature authentication with the following HTTP headers:
| Header | Description |
|---|---|
| X-bot-Id | Bot ID |
| X-Timestamp | Unix timestamp (seconds) |
| X-Sign | RSA signature |
| X-Nonce | Unique message ID (replay protection) |
Signature Generation
The signature data is assembled in this format:
signData = botId + "\n" + method + "\n" + path + "\n" + timestamp + "\n" + nonce + "\n" + canonicalJSON
- botId — Bot ID
- method — HTTP method (POST)
- path — Request path (e.g., /safew/wallet-info)
- timestamp — Same as X-Timestamp
- nonce — Same as X-Nonce
- canonicalJSON — Canonical JSON of the request body
Sign the signData with the RSA private key and Base64-encode the result into X-Sign.
Timestamp Validation
The server checks whether the timestamp is within a 5-minute validity window. Requests exceeding this window will be rejected.
Replay Protection
The server checks whether X-Nonce has been used before. Duplicate requests will be rejected.
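The following Go code is an added example, not the Wallet API's own client or server code: it builds signData as described above, produces X-Sign, and performs the server-side timestamp, nonce and signature checks. It assumes that "canonical JSON" means sorted keys with no whitespace and that the RSA signature is SHA-256 with PKCS#1 v1.5 padding, since the documentation specifies neither.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strconv"
)

func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// BuildSignData assembles signData in the documented order. "Canonical JSON" is
// assumed to mean sorted keys and no whitespace, which json.Marshal gives for maps.
func BuildSignData(botID, method, path string, ts int64, nonce string, body map[string]any) (string, error) {
	canon, err := json.Marshal(body)
	if err != nil {
		return "", err
	}
	return botID + "\n" + method + "\n" + path + "\n" + strconv.FormatInt(ts, 10) + "\n" + nonce + "\n" + string(canon), nil
}

// SignRequest returns the X-Sign value. SHA-256 with PKCS#1 v1.5 padding is an
// assumption; the documentation only says "RSA signature".
func SignRequest(priv *rsa.PrivateKey, signData string) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(signData))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyRequest is the server side: 5-minute timestamp window, X-Nonce replay check, then
// signature. usedNonces stands in for a shared replay store; it is written only after a good signature.
func VerifyRequest(pub *rsa.PublicKey, signData, xSign string, ts, now int64, nonce string, usedNonces map[string]bool) error {
	if d := now - ts; d > 300 || d < -300 {
		return errors.New("timestamp outside 5-minute window")
	}
	if usedNonces[nonce] {
		return errors.New("duplicate X-Nonce (replay)")
	}
	raw, err := base64.StdEncoding.DecodeString(xSign)
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(signData), raw) != nil {
		return errors.New("bad signature")
	}
	usedNonces[nonce] = true
	return nil
}
```

Recording the nonce only after the signature verifies means that unsigned or forged requests cannot exhaust nonces that the legitimate Bot has yet to use.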
Response Signature
Wallet API responses also include signature headers:
| Header | Description |
|---|---|
| X-Resp-bot-Id | Bot ID |
| X-Resp-Timestamp | Response timestamp |
| X-Resp-Request-Id | Request ID (same as X-Nonce) |
| X-Resp-Sign | Response signature |
