Skip to main content
Glama

tg-mcp

An MCP server that exposes a Telegram user account (not a bot) over a streamable HTTP endpoint, built with FastMCP and Telethon.

It's multi-account: anyone can register a login on the server and link their own Telegram account to it. Each account maps to exactly one linked Telegram account, and tools always act on the caller's own linked account — never someone else's.

Tools

Tool

Description

get_me

Info about the logged-in account

list_dialogs

Recent dialogs (chats, groups, channels) with ids for the other tools

get_chat_history

Recent messages from a chat, newest first

send_message

Send a text message (optionally as a reply)

search_messages

Search messages in one chat or across the whole account

chat arguments accept a numeric id, an @username, a phone number, or "me" (Saved Messages).

Related MCP server: telegram-archive-mcp

Authentication

The MCP endpoint is protected by a self-hosted OAuth 2.1 authorization server (no third-party IdP). When an MCP client connects, it's redirected through a browser flow:

  1. Sign in or register with a username and password.

  2. Link Telegram (first time only): enter your phone number, the code Telegram sends you, and your two-factor password if you have one set. This is the same handshake the official Telegram apps use — nothing is stored until it succeeds.

  3. The client gets back an access/refresh token pair (JWT, 1h/30d) scoped to your account.

Registration is open: anyone who can reach the /login page can create an account, but every account is only ever able to act on the Telegram account they personally linked to it. If you don't want that, put the server behind something that gates access first (reverse proxy auth, a gateway like ContextForge, network-level restriction, etc.) — this server doesn't do invite codes itself.

Linked Telegram sessions are stored encrypted at rest (Fernet, key from MCP_SESSION_ENCRYPTION_KEY). A leaked database dump is not enough to hijack an account; a leaked database dump plus the encryption key is.

Requirements

Setup

uv sync
cp .env.example .env

Fill in .env:

  • TELEGRAM_API_ID / TELEGRAM_API_HASH — from my.telegram.org

  • MCP_BASE_URL — how clients actually reach this server (used as the OAuth issuer)

  • MCP_DB_URL — Postgres connection string

  • MCP_OAUTH_JWT_SECRETpython -c "import secrets; print(secrets.token_urlsafe(32))"

  • MCP_SESSION_ENCRYPTION_KEYpython -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

Tables are created automatically on startup (no migration step).

Running

Local (requires a reachable Postgres, see MCP_DB_URL):

python -m tg_mcp
# -> http://127.0.0.1:8000/mcp

Docker Compose (bundles Postgres):

docker compose up --build

The image binds to 0.0.0.0:8000 inside the container; credentials are read from .env.

Configuration

All settings come from the environment (or .env).

Variable

Default

Description

TELEGRAM_API_ID

API id from my.telegram.org

TELEGRAM_API_HASH

API hash from my.telegram.org

MCP_HOST

127.0.0.1

HTTP bind host

MCP_PORT

8000

HTTP port

MCP_PATH

/mcp

HTTP endpoint path

MCP_BASE_URL

http://127.0.0.1:8000

Externally reachable base URL (OAuth issuer/audience, login links)

MCP_DB_URL

postgresql+asyncpg://tgmcp:tgmcp@localhost/tgmcp

Async SQLAlchemy URL for Postgres

MCP_DB_ECHO

false

Log SQL statements

MCP_OAUTH_JWT_SECRET

(insecure default)

Signs OAuth access/refresh tokens — change this

MCP_SESSION_ENCRYPTION_KEY

Fernet key encrypting stored Telegram sessions

Connecting an MCP client

A ready-to-use config is in .mcp.json:

{
  "mcpServers": {
    "tg-mcp": {
      "type": "http",
      "url": "http://127.0.0.1:8000/mcp"
    }
  }
}

Clients that support the MCP OAuth flow will open a browser to /login automatically on first connection.

Project layout

tg_mcp/
├── server.py               # FastMCP app, lifespan, mounts the tool sub-servers
├── oauth.py                 # OAuth 2.1 authorization server: login/register + Telegram linking
├── telegram_login.py        # phone/code/2FA handshake used by the linking flow
├── client.py                 # per-account Telethon client cache + FastMCP dependency
├── auth.py                   # password hashing, session encryption, caller resolution
├── config.py                  # pydantic-settings (TELEGRAM_* and MCP_*)
├── db.py                      # async engine/session, schema creation
├── models.py                  # Pydantic result models returned by tools
├── orm/                       # SQLAlchemy models: User, OAuthClient, RevokedToken
├── dao/                       # data-access objects
├── utils/                     # OAuth protocol helpers
└── tools/                     # one FastMCP sub-server per tool
    ├── get_me.py
    ├── list_dialogs.py
    ├── get_chat_history.py
    ├── send_message.py
    └── search_messages.py

The connected Telethon client for the calling account is provided to tools through a FastMCP dependency (TelegramClientDep), so each tool just declares client: TelegramClient = TelegramClientDep.

Development

ruff check .
ruff format --check .

CI (GitHub Actions) runs ruff and, on main/tags, builds and pushes a multi-arch image to GHCR.

F
license - not found
-
quality - not tested
B
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/MyrikLD/tg-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server