Join Channel
All systems online Zero logs · zero tracking 99.9% uptime · 30-day avg 180+ countries served 3,184 online now
Technical

MTProto Proxy Secret Explained: Why It Starts With "dd" or "ee"

Demystifying the long hex string at the heart of every MTProto proxy — what it does, how it is generated, and why the prefix matters.

MTProto Proxy Engineers · Censorship Circumvention Researchers
Published Updated 8 min read 455 words

The anatomy of a secret

An MTProto secret is a hexadecimal string of 33 or 34 characters. The first two characters are a prefix that signals which obfuscation variant the server supports, followed by 32 random hex characters representing 16 bytes of pseudorandom data, and optionally a few extra bytes encoding the impersonated SNI hostname for the "ee" variant.

Why "dd" and what it means

The "dd" prefix selects the standard random-padded MTProto obfuscation introduced in 2018. It instructs the server and client to wrap each MTProto packet in an extra layer of randomized padding so that no two packets look alike to a packet inspector, even when they carry similar payloads. The 16 random bytes are used as a session-specific seed for an AES-CTR keystream that further scrambles the inner protocol identifier.

Get a free TGFast proxy

Browse the live country grid on the home page and tap any card to connect Telegram in one second — no signup, no logs.

Open the fleet

Why "ee" and "fake TLS"

The "ee" prefix selects the newer "fake TLS" obfuscation introduced in 2020. With this variant, the very first packet of every connection mimics a valid TLS 1.3 ClientHello to a configurable hostname (e.g. www.google.com). To DPI systems looking for "non-TLS traffic on port 443", the connection appears to be a regular HTTPS handshake. This is significantly harder to block without disrupting other web traffic. TGFast supports both variants; we issue "dd" by default and "ee" on request.

Is the secret a password?

Not really. Anyone with the same secret connects to the same proxy with the same identity. The secret is more like a key for the obfuscation envelope than an authentication token. There is no per-user authentication in MTProto proxies — they accept all clients that present a valid envelope. This is a design choice that prioritises censorship resistance over access control.

Stay updated

Join @FastTGProxyMT for instant alerts when servers move or new proxies launch.

Join Telegram Channel

Can I generate my own secret?

If you run your own MTProto proxy server (e.g. mtg, mtprotopy, or an official Telegram-published binary), you can generate secrets locally with openssl rand -hex 16 and prepend "dd" or "ee" plus a hostname blob. Self-hosting is great for power users but defeats the censorship-resistance benefit unless you also rotate IPs. TGFast saves you that work.

Secret rotation policy

TGFast secrets are stable for the lifetime of each server (typically 6-18 months). We rotate IPs much more frequently than secrets because IP-based blocking is the primary threat. If a secret ever needs to change, we announce it 7 days in advance on @FastTGProxyMT.

Common secret mistakes

Three frequent errors: (1) copying a secret with leading or trailing whitespace; (2) typing a lowercase "L" instead of the digit "1" or vice versa (the secret is hex so digits are always 0-9); (3) accidentally truncating the secret when copying from a chat message that wraps onto two lines. Always use the copy button on the website to avoid all three.

Frequently Asked Questions

MTProto is Telegram's native protocol, so traffic looks indistinguishable from a normal Telegram connection to deep packet inspection. SOCKS5 is a generic proxy with a recognizable handshake; Shadowsocks adds obfuscation but still requires the operator to defend their port and keys against probing. MTProto with Fake-TLS adds a TLS-1.3-mimicking handshake that has proven the hardest of the three to fingerprint.
The leading byte is a magic prefix that tells the Telegram client which obfuscation mode to negotiate. "dd" enables MTProto 2.0 random padding to defeat traffic analysis; "ee" indicates Fake-TLS mode where the entire session is wrapped in a TLS 1.3 handshake. Both are interoperable with all modern Telegram clients.
A determined operator can sometimes flag suspicious flows by timing analysis, but the encrypted payload itself is opaque. Fake-TLS makes detection significantly harder because the handshake mimics a real HTTPS site (including SNI, ALPN and certificate exchange). Even when flagged, blocking is per-IP, not per-protocol — which is why TGFast rotates IPs continuously.
Both. The MTProto 2.0 transport adds AES-256-IGE encryption between client and server with per-session keys derived from the shared secret, and Fake-TLS wraps that channel inside a real TLS 1.3 handshake. Even if the proxy operator were malicious, they could not decrypt the inner Telegram session — that key is negotiated end-to-end with Telegram's data centres.
We monitor latency and packet loss from probe nodes in 14 cities across the regions hit hardest by Telegram restrictions. New servers are spun up where the median latency to nearby ISPs falls below 80 ms and where the upstream provider has historically resisted ISP take-down requests. Capacity is rebalanced weekly.

Related Reading

Technical

MTProto vs SOCKS5: Which Telegram Proxy Should You Use?

A clear comparison of MTProto and SOCKS5 proxies for Telegram — speed, security, censorship resistance, ease of setup.

Read article
Technical

How MTProto 2.0 Works: A Plain-English Deep Dive

Understand exactly what happens when your phone connects to a Telegram MTProto proxy — packets, keys, obfuscation and all.

Read article
Technical

MTProto vs Shadowsocks vs V2Ray: Which Is Best in 2026?

A 2026 comparison of the three most popular censorship-circumvention protocols, with real benchmarks.

Read article
Connect Telegram Proxy Now