"I installed the Telegram automation tool but what's api_id / api_hash and where do I get it?"
The first barrier for MTProto-based tools like Replyer / Telethon / pyrogram. This post lays out the 5-minute issuance flow on my.telegram.org plus the form rejections and errors people hit, with fixes.
Where api_id / api_hash come from and where they end up, at a glance. From your Telegram account, through my.telegram.org, into Replyer's Wizard.
Bottom line, 5 minutes
- Open https://my.telegram.org
- Enter your Telegram phone number → receive a 5-digit code via Telegram app → enter
- Click [API development tools]
- Fill four fields (App title / Short name / URL / Platform / Description)
- [Create application] → api_id (number) / api_hash (32 chars) appears → store safely
That's it. But first-timers hit form rejections / mysterious errors / verification failures, so the pitfalls follow.
Where each message goes, as a sequence. The verification code arrives via Telegram's Service Notifications chat, not SMS (the most-missed trap).
sequenceDiagram autonumber participant U as Operator participant B as Browser participant T as my.telegram.org participant TG as Telegram app
(Service Notifications) participant R as Replyer Wizard U->>B: visit my.telegram.org/auth B->>T: submit phone number T-->>TG: send 5-digit code (not SMS) TG-->>U: notification "Login code: 12345" U->>B: enter code B->>T: authenticated, open [API development tools] U->>T: fill form
(App title / Short name / Desktop / desc) T-->>B: returns api_id (number) + api_hash (32 chars) Note right of B: Save immediately!
hash hides on refresh U->>R: Wizard step 1 [enter api_id manually] R->>R: ~/Library/Application Support/Replyer/
.session created R-->>U: session ready, auto-reply starts
Step by step
Step 1, open my.telegram.org
Browser to https://my.telegram.org/auth. English-only page. The official domain (my.telegram.org), avoid lookalikes like myTelegram.org or my.telegram.com.
Step 2, identity verification
Enter phone (with country code, e.g. +1 555 123 4567). [Next] sends a 5-digit code to your Telegram app (mobile or desktop), not SMS. Enter it within 5 minutes.
Note: the code arrives as a Telegram message from the Telegram official account (or Service Notifications). Don't wait for SMS.
Step 3, [API development tools]
After login, click [API development tools] in the left menu or inline. First-time visit shows the form. Existing users see their registered applications.
Step 4, four form fields
| Field | Meaning | Example for Replyer |
|---|---|---|
| App title | App display name (not user-facing) | Replyer Personal |
| Short name | Short identifier | replyer |
| URL (optional) | App homepage (blank if none) | https://replyer.xyz or blank |
| Platform | Platform | Desktop |
| Description (optional) | Description | Personal automation tool |
Important: Telegram tracks rate limit and trust per application. Make it clear it's a personal tool, not a public commercial release. Company branding / public distribution / commercial intent raises rejection odds.
Step 5, [Create application]
[Create application] reveals a new page with the credentials:
App api_id: 12345678
App api_hash: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Save immediately (notepad / password manager / Replyer Settings). The api_hash hides on refresh (security). Lost it → create a new application.
Safe credential management
The credentials grant automation rights on your Telegram account = security asset:
- Never commit to public repos like GitHub (search bots pick them up immediately → strangers can operate your account)
- Store inside Replyer Settings (Application Support folder, OS permissions)
- Re-issuable (delete old application + create new) but sessions using old keys are killed
- Don't share (each user issues their own credentials)
Common pitfalls
Where to look when you're stuck. The five most common pitfalls mapped from symptom to cause to fix.
Pitfall 1, "ERROR" or form rejection
Submit returns "ERROR" or rejection message:
- Cause: Platform unselected / Short name taken / suspicious URL / overly terse description
- Fix: change Short name (lowercase / alphanumeric), Platform = Desktop, URL blank or your homepage
Pitfall 2, verification code never arrives
After entering phone, no Telegram code:
- Cause: Telegram app logged into a different account / your account inactive / waiting for SMS by mistake
- Fix: open your Telegram app's Service Notifications chat, look for a 5-digit number
Pitfall 3, "Too many attempts" lockout
3~4 failed submissions stack into a "Too many attempts" 24-hour lockout:
- Fix: wait 24h, retry carefully with a correct form
Pitfall 4, ERROR_AUTHKEY_UNREGISTERED in automation tool
Credentials issued fine but the automation tool reports "AUTHKEY_UNREGISTERED":
- Cause: api_id and api_hash mismatched / an old .session file from different keys
- Fix: re-copy credentials carefully, delete old .session and re-login
Pitfall 5, "Phone number not verified"
API issuance refused because the account is new (less than a week old) or SMS unverified:
- Cause: Telegram throttles API requests from new accounts
- Fix: use the account normally for at least a week + complete SMS verification, then retry
Using the credentials in Replyer
After issuance, the Replyer flow:
- Download Replyer and launch (Wizard auto-starts)
- Wizard step 1 [Add account] → choose [enter api_id manually]
- Paste api_id (number) / api_hash (32 chars)
- Enter phone → receive Telegram code → enter
- Session created → start chatroom auto-reply
Credentials store inside Replyer's Application Support folder. Migrating to a new PC uses .tam-account.json export so you don't relogin.
Frequently asked questions
Q. Is issuing api_id / api_hash legal?
Yes. my.telegram.org is the official Telegram page and anyone can issue credentials for their own account. Legality of automation usage itself in Telegram auto-reply legality.
Q. Can someone else use my credentials?
Technically yes, security-wise absolutely not. Session creation also requires your phone + verification code, but the credentials + a captured verification code would compromise your account. Each user issues their own.
Q. Difference vs Bot API tokens?
api_id / api_hash → user account automation (MTProto). Bot tokens → bot accounts (Bot API). For preserving operator tone in chatrooms, MTProto. For simple bot tasks, the Bot API. Comparison in MTProto vs Bot API.
Q. Does post-issuance usage cause Telegram suspension?
Issuance itself never. Suspension comes from automation patterns (per-hour message count / night-time replies / report accumulation). Safety lines in account ban prevention.
Q. My new account keeps getting rejected, what now?
New accounts (less than a week) face frequent API rejection. Use the account naturally for a week (join chatrooms / message / reply) + complete SMS verification, then retry. Matches the 14-day warmup pattern in the safety guide.
Q. Lost the api_hash, can I recover it?
No (it hides on refresh). Delete the old application + create a new one. Sessions from the old keys die → relogin in Replyer.
Q. Different credentials per Telegram account?
Recommended. Per-account credentials are safer. One application across multiple accounts is technically possible but Telegram tracks rate limit and trust per application, so a report accumulation affects all accounts.
Q. Issue under company / team name?
Technically possible but risky. Telegram monitors application usage patterns. A company-issued key shared by 5 staff → application-level suspension hits all five. Personal accounts + personal credentials are safer.
Next steps
To start auto-replies in your chatroom, download Replyer for your OS and follow the usage manual for the step-by-step guide.
api_id / api_hash carries automation rights for your Telegram account. No external sharing, no GitHub commits, lost ones are only recoverable by re-issuing a new application.