Technical

Running a Telegram Bot Behind an MTProto Proxy

A practical guide for developers running Telegram bots in restricted regions or on flaky cloud providers.

MTProto Proxy Engineers · Censorship Circumvention Researchers

Published April 27, 2026 Updated May 15, 2026 8 min read 348 words

When bots need a proxy

Most Telegram bots run on cloud servers in countries with unrestricted internet, so they reach Telegram's API directly. But there are several cases where a proxy helps: hosting in Iran or Russia where the public IP cannot reach Telegram, hosting on a budget VPS where Telegram has been temporarily de-peered, or implementing per-bot routing for compliance reasons. TGFast supports bot connections natively — the proxy does not distinguish bots from users.

tdlib configuration

tdlib (the official Telegram client library) supports proxies via the "addProxy" method. In Python with python-telegram-bot or pyrogram, set the proxy parameter in the client constructor: Pyrogram Client("session", proxy={"hostname": "your TGFast card hostname", "port": YOUR_PORT, "secret": "dd9eed..."}). In JavaScript with grammY, use the "client_options" parameter.

Get a free TGFast proxy

Browse the live country grid on the home page and tap any card to connect Telegram in one second — no signup, no logs.

Open the fleet

Bot API vs MTProto

Telegram offers two APIs: the simpler HTTP-based Bot API (api.telegram.org) and the lower-level MTProto API. The Bot API is just plain HTTPS, so it works through any standard HTTP proxy or directly. MTProto bots (built with tdlib, telethon, pyrogram, gramjs) speak MTProto natively and benefit from a proper MTProto proxy. TGFast supports MTProto only.

Webhook vs polling

Bots using webhooks need a public IP to receive callbacks; the proxy does not help receive webhooks (only outbound calls). For webhook bots, host on a cloud provider in a non-restricted country. For polling bots (which initiate requests to Telegram), TGFast works perfectly.

Stay updated

Join @FastTGProxyMT for instant alerts when servers move or new proxies launch.

Join Telegram Channel

Rate limits and proxies

Telegram applies rate limits per bot, not per IP, so the proxy does not change your bot's effective limits. However, if many bots share a single proxy IP, Telegram may apply IP-level rate limits in extreme cases (millions of requests per minute). For typical bots this is not a concern.

Reliability tips

In your bot code, implement automatic proxy failover: try a higher-throughput TGFast proxy first, fall back to a TGFast proxy if a higher-throughput TGFast proxy fails three times in a row. This pattern handles the rare TGFast server maintenance window without bot downtime.

Sample Python code

For pyrogram:

from pyrogram import Client
app = Client("my_bot", proxy={"hostname": "your TGFast card hostname", "port": YOUR_PORT, "secret": "dd2c5725f73d928965920444b9fc33fce7"})
app.run()

Frequently Asked Questions

How is MTProto different from SOCKS5 or Shadowsocks?

MTProto is Telegram's native protocol, so traffic looks indistinguishable from a normal Telegram connection to deep packet inspection. SOCKS5 is a generic proxy with a recognizable handshake; Shadowsocks adds obfuscation but still requires the operator to defend their port and keys against probing. MTProto with Fake-TLS adds a TLS-1.3-mimicking handshake that has proven the hardest of the three to fingerprint.

Why does the secret start with "dd" or "ee"?

The leading byte is a magic prefix that tells the Telegram client which obfuscation mode to negotiate. "dd" enables MTProto 2.0 random padding to defeat traffic analysis; "ee" indicates Fake-TLS mode where the entire session is wrapped in a TLS 1.3 handshake. Both are interoperable with all modern Telegram clients.

Can a network operator detect that I am using an MTProto proxy?

A determined operator can sometimes flag suspicious flows by timing analysis, but the encrypted payload itself is opaque. Fake-TLS makes detection significantly harder because the handshake mimics a real HTTPS site (including SNI, ALPN and certificate exchange). Even when flagged, blocking is per-IP, not per-protocol — which is why TGFast rotates IPs continuously.

Does an MTProto proxy add real cryptography or only obfuscation?

Both. The MTProto 2.0 transport adds AES-256-IGE encryption between client and server with per-session keys derived from the shared secret, and Fake-TLS wraps that channel inside a real TLS 1.3 handshake. Even if the proxy operator were malicious, they could not decrypt the inner Telegram session — that key is negotiated end-to-end with Telegram's data centres.

How does TGFast pick which servers to deploy and where?

We monitor latency and packet loss from probe nodes in 14 cities across the regions hit hardest by Telegram restrictions. New servers are spun up where the median latency to nearby ISPs falls below 80 ms and where the upstream provider has historically resisted ISP take-down requests. Capacity is rebalanced weekly.