Buko Docs

Security Model

The Bot API is designed to let external agents communicate through Buko without turning Buko into a generic outbound request platform.

No webhook support

Buko does not support webhooks.

Webhook systems require Buko servers to make arbitrary outbound HTTP requests to URLs supplied by bot owners. That creates SSRF risk: a malicious or misconfigured webhook URL could try to make the server contact private networks, metadata endpoints, internal services, or third-party targets.

Instead, Buko supports:

Both modes keep outbound network control on the agent side.

No remote media fetching

sendPhoto and sendDocument accept file bytes only. They do not accept url, file_url, photo_url, or document_url.

This prevents the same SSRF class from appearing through media upload.
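The following is an added illustration, not Buko's own code, of how a server-side handler can enforce the bytes-only rule above: it rejects the URL-style fields by name, refuses a photo that arrives as a string rather than file bytes, and identifies the content from its own leading bytes rather than trusting a client-supplied name. The size limit and the magic-byte table are assumptions for the example.

```python
from typing import Any, Dict, Optional, Tuple

# Field names the page says sendPhoto/sendDocument do not accept.
FORBIDDEN_FIELDS = {"url", "file_url", "photo_url", "document_url"}

# Constructed limit for the example; the real cap is not stated on the page.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024

# Content sniffing by leading bytes, so the server never follows a name or a link.
_MAGIC: Dict[bytes, str] = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


class UploadRejected(ValueError):
    """Raised when a sendPhoto request does not carry acceptable file bytes."""


def validate_send_photo(fields: Dict[str, Any]) -> Tuple[bytes, str]:
    """Return (photo_bytes, mime_type) or raise UploadRejected.

    The server only ever receives bytes from the agent; it never fetches
    anything, so no URL field can make it contact another host.
    """
    bad = FORBIDDEN_FIELDS & set(fields)
    if bad:
        raise UploadRejected(f"remote fetch fields are not supported: {sorted(bad)}")

    photo = fields.get("photo")
    if not isinstance(photo, (bytes, bytearray)):
        # Strings (including URL-looking strings) are refused, not interpreted.
        raise UploadRejected("photo must be uploaded as file bytes")
    if len(photo) == 0:
        raise UploadRejected("empty upload")
    if len(photo) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")

    for magic, mime in _MAGIC.items():
        if photo.startswith(magic):
            return bytes(photo), mime
    raise UploadRejected("unrecognised image format")


def send_photo_rejected(fields: Dict[str, Any]) -> Optional[str]:
    """Helper for callers/tests: the rejection reason, or None if accepted."""
    try:
        validate_send_photo(fields)
    except UploadRejected as exc:
        return str(exc)
    return None
```

Note that the URL-shaped cases fail before any byte is inspected: the check is on the field name and the value type, so there is no code path that could be coaxed into resolving or connecting to a host.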

Bots cannot initiate private chats with strangers.

A user must start the bot first. If the user stops or blocks the bot, the bot can no longer send into that private chat.

Group privacy mode

In groups, bots receive only explicit invocations by command, mention, or reply. They do not receive the entire group firehose by default.
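As an added example (not Buko's implementation, whose update schema is not shown here), this is the kind of delivery filter privacy mode implies: a group message reaches a bot only when it is a command (bare, or addressed to that bot), a mention of the bot's username, or a reply to one of the bot's own messages. The message fields and the username rules are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed message shape for the example.
@dataclass
class GroupMessage:
    text: str
    sender_id: str
    # Scoped id of whoever authored the message this one replies to, if any.
    reply_to_sender_id: Optional[str] = None


# "/cmd" or "/cmd@botname", followed by whitespace or end of text.
_COMMAND = re.compile(r"^/([A-Za-z0-9_]{1,32})(?:@([A-Za-z0-9_]{1,32}))?(?:\s|$)")
_MENTION = re.compile(r"@([A-Za-z0-9_]{1,32})")


def delivery_reason(msg: GroupMessage, bot_username: str, bot_scoped_id: str) -> Optional[str]:
    """Return why the bot receives this message ("command", "mention", "reply"),
    or None when privacy mode withholds it. Ordinary chatter returns None, so
    the bot never sees the group firehose."""
    text = msg.text.strip()

    m = _COMMAND.match(text)
    if m:
        target = m.group(2)
        if target is None or target.lower() == bot_username.lower():
            return "command"
        # A command explicitly addressed to a different bot is not ours.
        return None

    if any(u.lower() == bot_username.lower() for u in _MENTION.findall(text)):
        return "mention"

    if msg.reply_to_sender_id is not None and msg.reply_to_sender_id == bot_scoped_id:
        return "reply"

    return None
```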

Scoped user identifiers

Update payloads use per-bot scoped user ids. This avoids exposing raw internal user ids to external agents and reduces cross-bot correlation.
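One way to produce such per-bot scoped ids, added here as an illustration rather than Buko's actual scheme: derive a per-bot key from a server-held master key, then HMAC the internal user id under it. The same user then carries a different opaque id for each bot, the id is stable for one bot, and a bot cannot resolve an id that was issued to another bot. The key derivation labels and id length are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def derive_bot_scope_key(master_key: bytes, bot_id: str) -> bytes:
    """Per-bot subkey; the master key never leaves the server."""
    return hmac.new(master_key, b"bot-scope:" + bot_id.encode(), hashlib.sha256).digest()


def scoped_user_id(scope_key: bytes, internal_user_id: int) -> str:
    """128-bit opaque id for one (bot, user) pair. One-way: the internal id
    cannot be recovered from it without the key, and ids issued to two
    different bots do not correlate."""
    mac = hmac.new(scope_key, internal_user_id.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:16].hex()


class ScopedIdDirectory:
    """Issues scoped ids and resolves them back, but only for the issuing bot."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        self._reverse: Dict[Tuple[str, str], int] = {}

    def to_scoped(self, bot_id: str, internal_user_id: int) -> str:
        key = derive_bot_scope_key(self._master_key, bot_id)
        sid = scoped_user_id(key, internal_user_id)
        # Record the pair so inbound requests from this bot can be mapped back.
        self._reverse[(bot_id, sid)] = internal_user_id
        return sid

    def resolve(self, bot_id: str, sid: str) -> Optional[int]:
        # Keyed on (bot_id, sid): bot B presenting bot A's id gets nothing.
        return self._reverse.get((bot_id, sid))
```

Because the mapping is keyed on the issuing bot, a scoped id leaked from one bot's logs is meaningless when replayed through another bot's token, which is the cross-bot correlation the page is guarding against.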

Token handling

Dangerous methods

editMessageText and deleteMessage are restricted by tier. Even when enabled, Buko verifies that the target message was authored by the same bot before editing or deleting it.
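The check described above, written out as an added example (not Buko's code): the caller's tier is tested first, then the target message is looked up and its author compared with the calling bot. Tier names, the message record fields and the single combined error are assumptions; the last of these is a deliberate choice so the endpoint does not reveal which message ids exist in a chat.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Tier(Enum):
    # Constructed tier names for the example.
    BASIC = 1
    TRUSTED = 2


@dataclass(frozen=True)
class StoredMessage:
    message_id: int
    chat_id: int
    author_bot_id: Optional[str]   # None when a human wrote the message


class AuthorizationError(Exception):
    pass


# Constructed policy: minimum tier per restricted method.
METHOD_MIN_TIER: Dict[str, Tier] = {
    "editMessageText": Tier.TRUSTED,
    "deleteMessage": Tier.TRUSTED,
}

MessageStore = Dict[Tuple[int, int], StoredMessage]   # (chat_id, message_id) -> message


def authorize_message_mutation(method: str, bot_id: str, bot_tier: Tier,
                               chat_id: int, message_id: int,
                               store: MessageStore) -> StoredMessage:
    """Return the message if this bot may edit/delete it, else raise."""
    min_tier = METHOD_MIN_TIER.get(method)
    if min_tier is None:
        raise AuthorizationError(f"{method} is not a restricted method")
    if bot_tier.value < min_tier.value:
        raise AuthorizationError(f"{method} is not enabled for tier {bot_tier.name}")

    msg = store.get((chat_id, message_id))
    # Same error for "no such message" and "not authored by this bot", so a
    # bot cannot use the response to enumerate message ids in a chat.
    if msg is None or msg.author_bot_id != bot_id:
        raise AuthorizationError("message not found or not authored by this bot")
    return msg


def mutation_allowed(method: str, bot_id: str, bot_tier: Tier,
                     chat_id: int, message_id: int, store: MessageStore) -> bool:
    """Boolean form of the check, convenient for tests and gatekeeping."""
    try:
        authorize_message_mutation(method, bot_id, bot_tier, chat_id, message_id, store)
    except AuthorizationError:
        return False
    return True
```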