Labsco
chigwell logo

Telegram MCP Server

β˜… 1,300

from chigwell

Interact with the Telegram messaging service to send and receive messages.

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredAdvanced setup

A Telegram integration for Claude, Cursor, and other MCP-compatible clients. It exposes Telegram account, chat, message, contact, media, folder, and admin operations through the Model Context Protocol using Telethon.

πŸ€– MCP in Action

Basic Telegram MCP usage in Claude:

Asking Claude to analyze chat history and send a response:

Message sent successfully:

Contents

  • What It Can Do

  • Requirements

  • Quick Start

  • MCP Client Configuration

  • Multi-Account Setup

  • Device Identity

  • Proxy Support

  • File Path Security

  • Docker

  • Development

  • Security Notes

  • Troubleshooting

  • License

What It Can Do

The server currently includes 80+ MCP tools grouped into these areas:

  • Accounts: list configured accounts and route tool calls by account label.

  • Chats and groups: list chats, inspect metadata, create groups/channels, join or leave chats, invite users, manage admins, bans, default permissions, slow mode, topics, invite links, common chats, read receipts, and message links.

  • Messages: send, schedule, edit, delete, forward, pin, unpin, mark read, reply, search, inspect context, create polls, manage reactions, inspect inline buttons, and press inline callbacks.

  • Contacts: list, search, add, delete, block, unblock, import, export, inspect direct chats, and find recent contact interactions.

  • Media: send files, download media, upload files, send voice notes, stickers, GIFs, and inspect message media.

  • Profile and privacy: get your own account info, update profile fields, set or delete profile photos, inspect privacy settings, get user info/photos/status, and manage bot commands.

  • Folders and drafts: list, create, update, reorder, and delete Telegram folders; save, list, and clear drafts.

All tool results that include Telegram user-controlled content are sanitized and, where practical, returned as structured JSON.

Device Identity

These optional variables control how the client appears in Telegram under Settings > Devices (the active-sessions list):

Copy & paste β€” that's it
TELEGRAM_DEVICE_MODEL=Telegram MCP
TELEGRAM_SYSTEM_VERSION=1.0
TELEGRAM_APP_VERSION=1.0

If left unset, Telethon falls back to the host platform (for example arm64). Because these values are re-sent on every connection, a long-running server would otherwise overwrite the name chosen during login on each reconnect, so set them to keep a stable, recognisable device name. The same variables are read both by the session string generator (at login) and by the server (on every connect), so set them in the same place as your other credentials.

Proxy Support

Route Telegram traffic through a proxy by setting the TELEGRAM_PROXY_* environment variables. Supported types are socks5, socks4, http, and mtproxy.

SOCKS and HTTP proxies require the optional python-socks package:

Copy & paste β€” that's it
uv sync --extra proxy
# or
pip install python-socks

Single-account configuration:

Copy & paste β€” that's it
TELEGRAM_PROXY_TYPE=socks5
TELEGRAM_PROXY_HOST=127.0.0.1
TELEGRAM_PROXY_PORT=1080
TELEGRAM_PROXY_USERNAME=optional_user
TELEGRAM_PROXY_PASSWORD=optional_pass
TELEGRAM_PROXY_RDNS=true

MTProxy:

Copy & paste β€” that's it
TELEGRAM_PROXY_TYPE=mtproxy
TELEGRAM_PROXY_HOST=mtproxy.example
TELEGRAM_PROXY_PORT=443
TELEGRAM_PROXY_SECRET=ee0123456789abcdef...

Per-account overrides use the same _<LABEL> suffix as session variables and take precedence over the unsuffixed defaults:

Copy & paste β€” that's it
TELEGRAM_PROXY_TYPE=socks5
TELEGRAM_PROXY_HOST=127.0.0.1
TELEGRAM_PROXY_PORT=1080

TELEGRAM_PROXY_TYPE_WORK=http
TELEGRAM_PROXY_HOST_WORK=proxy.work.example
TELEGRAM_PROXY_PORT_WORK=3128

Misconfigured proxy settings (unknown type, missing host/port, invalid port, missing MTProxy secret, or a missing python-socks package) cause the server to fail fast at startup with a clear error message instead of silently bypassing the proxy.

File Path Security

File-path tools are disabled until allowed roots are configured. This affects tools such as send_file, download_media, upload_file, send_voice, send_sticker, set_profile_photo, and edit_chat_photo.

Allowed roots can come from:

  • Server CLI arguments, used as a fallback.

  • MCP client Roots, when supported by the client.

Security behavior:

  • Client MCP Roots replace server CLI roots when available.

  • Empty client Roots are treated as deny-all by default. Some clients implement the Roots capability but advertise an empty list, which disables file tools even when server CLI roots are configured. Set TELEGRAM_ALLOW_SERVER_ROOTS_FALLBACK=1 to fall back to the server CLI roots in that case (opt-in; the default stays deny-all).

  • Paths are resolved through real paths and must stay inside an allowed root.

  • Traversal, wildcard-like, shell-like, and null-byte path patterns are rejected.

  • Relative paths resolve under the first allowed root.

  • Downloads default to <first_root>/downloads/.

  • Size and extension limits are enforced for sensitive media tools.

Run with allowed roots:

Copy & paste β€” that's it
uv run main.py /data/telegram /tmp/telegram-mcp

From an MCP client configuration, pass the same roots after main.py:

Copy & paste β€” that's it
{
 "mcpServers": {
 "telegram-mcp": {
 "command": "uv",
 "args": [
 "--directory",
 "/full/path/to/telegram-mcp",
 "run",
 "main.py",
 "/data/telegram",
 "/tmp/telegram-mcp"
 ],
 "env": {
 "TELEGRAM_API_ID": "your_api_id_here",
 "TELEGRAM_API_HASH": "your_api_hash_here",
 "TELEGRAM_SESSION_STRING": "your_session_string_here"
 }
 }
 }
}

Docker

Build the image:

Copy & paste β€” that's it
docker build -t telegram-mcp:latest .

Run with Compose:

Copy & paste β€” that's it
docker compose up --build

Run directly:

Copy & paste β€” that's it
docker run -it --rm \
 -e TELEGRAM_API_ID="YOUR_API_ID" \
 -e TELEGRAM_API_HASH="YOUR_API_HASH" \
 -e TELEGRAM_SESSION_STRING="YOUR_SESSION_STRING" \
 telegram-mcp:latest

For multiple accounts, pass variables such as TELEGRAM_SESSION_STRING_WORK and TELEGRAM_SESSION_STRING_PERSONAL.

Development

The implementation is split into a small compatibility entrypoint and modular package code:

Copy & paste β€” that's it
main.py # historical entrypoint and compatibility exports
telegram_mcp/runtime.py # shared MCP setup, account routing, validation, file safety
telegram_mcp/runner.py # application startup
telegram_mcp/tools/ # tool modules grouped by domain
sanitize.py # output sanitization helpers
tests/ # pytest suite

Run tests:

Copy & paste β€” that's it
uv run pytest

Run tests with coverage:

Copy & paste β€” that's it
uv run pytest --cov --cov-report=term-missing --cov-report=xml

Coverage is configured in pyproject.toml with an 80% minimum gate for deterministic unit-testable core modules. GitHub Actions runs the same coverage command and uploads coverage.xml.

Run formatting checks:

Copy & paste β€” that's it
uv run black --check .
uv run flake8 .

Security Notes

  • Never commit .env, session strings, or .session files.

  • A Telegram session string grants access to the account it belongs to.

  • The telegram-mcp package name on PyPI is not controlled by this project. Avoid PyPI-based telegram-mcp install commands unless ownership changes and the package is verified.

  • This repository includes a best-effort startup guard that refuses installed telegram-mcp distributions without a source checkout or direct git/file install record. That guard cannot run when the unrelated PyPI package itself is launched, so use clone-based or explicit git installs.

  • Prefer session strings over file sessions when running multiple server instances.

  • By default, Telegram API calls go directly from your machine/container to Telegram. If TELEGRAM_PROXY_* is configured, Telegram traffic is routed through the configured SOCKS/HTTP/MTProxy proxy instead.

  • User-generated Telegram content is sanitized before being returned to MCP clients.

Prompt Injection Protection

Telegram messages, display names, chat titles, and button labels are untrusted content. The server mitigates prompt-injection risk with:

  • Structured JSON output for user-controlled data where practical.

  • sanitize_user_content(), sanitize_name(), and sanitize_dict() for control-character stripping, invisible-character stripping, and length limits.

  • MCP content annotations marking returned content as user audience data.

  • Tool descriptions that warn clients not to treat returned Telegram fields as model instructions.

  • No brittle keyword-based filtering.

Contributing

  • Fork and clone the repository.

  • Install dependencies and git hooks:

  • uv sync

  • uv run pre-commit install --hook-type pre-commit --hook-type pre-push

  • Create a focused branch.

  • Add or update tests when behavior changes.

  • Run checks locally:

  • uv run pre-commit run --all-files

  • uv run pre-commit run --hook-stage pre-push --all-files

  • Open a pull request with a concise description.

License

This project is licensed under the Apache 2.0 License.

Acknowledgements

Maintained by @chigwell and @l1v0n1. PRs welcome.

Star History

Contributors