Skip to main content
Bot security enables safe deployment of PraisonAI agents across messaging channels with built-in protection against abuse and unauthorized access.
Secure defaults landed in PraisonAI #2038. group_policy now defaults to mention_only (was respond_all), and praisonai doctor --only gateway_security FAILs on channels with no allowed_users, allowlist, or blocklist. Set GATEWAY_AUTH_TOKEN for non-loopback gateway deployments.
Field name is allowed_users, not allowlist. The gateway YAML parser only recognizes allowed_users: and allowed_channels:. Examples using allowlist: will silently produce a bot with no enforcement. (Fixed in PR #1791.)
unknown_user_policy defaults to "deny" — an empty allowed_users silently drops inbound DMs from unknown users unless you also set unknown_user_policy: "pair" (with owner_user_id) or "allow". At startup the gateway logs:
If you see this warning and expected messages to flow through, either populate allowed_users or change the policy.
Secure baseline for new configs (passes gateway_security):

Quick Start

1

Basic Security Setup

In YAML configuration:
2

Advanced Security Config


How It Works


Security Model

OpenClaw-style security for messaging bots. This guide covers DM pairing, allowlists, and safe defaults across Telegram, Discord, Slack, WhatsApp, and other channels.
PraisonAI treats inbound DMs as untrusted input by default. Production deployments should use explicit pairing and allowlists to prevent abuse, spam, and prompt injection from unknown senders.

Safe Defaults by Channel

Telegram

Recommended production config:
Security features:
  • ✅ User allowlist by platform-native user ID (Telegram: numeric ID; Discord: snowflake; Slack: U…)
  • ✅ Group mention-only policy
  • ✅ Built-in command filtering — /help, /status, /new and custom commands respect allowed_users (PR #1835)
  • ✅ Empty allowed_users now defers to unknown_user_policy (parity with Discord/Slack, PR #1885).

Discord

Recommended production config:
Security features:
  • ✅ User/guild allowlist support (user ID format: Discord snowflake)
  • ✅ Role-based restrictions
  • ✅ Thread-safe message handling
  • ⚠️ DMs from unknown users are processed by default

Slack

Recommended production config:
Security features:
  • ✅ User/channel allowlist (user ID format: Slack U…)
  • ✅ Enterprise Grid support
  • ✅ Socket mode security
  • ✅ Built-in DM filtering (mentions required)

WhatsApp

Recommended production config:
Security features:
  • Strong default security - allowlist required for DMs
  • ✅ Phone number + group allowlists
  • ✅ Built-in self-chat detection
  • ✅ Automatic spam filtering
WhatsApp has the strongest security defaults and serves as the reference implementation for other channels.

Admin Users & Per-Command Access

Layer command-level restrictions on top of user allowlists: admin_users grants full command access; user_allowed_commands limits everyone else to a comma-separated list. /help and /whoami are always permitted.

Command Access Control

Full guide to admin_users and user_allowed_commands

Owner-DM Pairing

The pairing system is now shipped and enables owner-approval for unknown users with inline Approve/Deny buttons sent directly to your DM. For production deployments, use owner-DM pairing to authorize unknown users dynamically:

1. Set Callback Secret

Without PRAISONAI_CALLBACK_SECRET, inline-button callbacks will not work across restarts. Set this in production.

2. Configure Unknown User Policy

3. Owner Approval Workflow

When an unknown user messages your bot:
  1. Bot generates a pairing code
  2. Owner receives DM with inline Approve/Deny buttons
  3. Owner clicks Approve → User is permanently approved
  4. Owner clicks Deny → Request is rejected
CLI Fallback: If owner_user_id is not set, the bot replies:

4. Manual Approval (CLI)

Owners can approve pairing requests manually:

Choosing unknown_user_policy

Pick the policy that matches how open your bot should be: All three values are read per-channel from gateway.yaml — see Bot Gateway → Channel Security.

Gateway Pairing

For production deployments, use gateway pairing to authorize channels dynamically with the shipped pairing system:
The gateway secret is optional - if unset, a per-install secret is auto-generated at <store_dir>/.gateway_secret with 0600 permissions and reused across restarts.

Enable Pairing Policy

Approve Pairing Requests

When unknown users DM your bot, they receive pairing codes. Approve them via CLI:

Manage Pairings

For detailed pairing documentation, see the Bot Pairing guide.

List Pending Requests

List all pending pairing codes waiting for approval:
Response Schema:
Canonical keys (code, channel_type, channel_id, created_at) are the stable contract. The channel, user_id, user_name, and age_seconds aliases are provided for UI consumers and should not be relied on for scripting — use the canonical keys.

CLI Commands

Use the praisonai pairing commands to manage pairings from the command line:
Available Commands: Platform values: telegram, discord, slack, whatsapp Pairing Flow:

7. REST API

The gateway exposes REST endpoints for pairing management: Example Usage:
All endpoints are authenticated and rate-limited. Rate limits are applied per client IP with separate buckets for pairing_pending, pairing_approve, and pairing_revoke operations.

Doctor Security Check

Use the built-in doctor to audit your bot security configuration:
The security check flags:
  • Missing allowlists - channels without allowlist/blocklist
  • ⚠️ Permissive group policies - respond_all in production
  • ⚠️ Missing gateway secret - pairing codes won’t persist
  • Secure configuration - allowlists + mention-only policies
Example output:

Self-Hoster Security Checklist

Before going public with your bot:
  • Allowlist configured for each channel
  • Unknown sender behavior defined (block/ignore/process)
  • Group policies set to mention_only or command_only
  • Blocklist configured for known spam sources
  • Built-in commands (/help, /status, /new) verified to respect allowlist
  • admin_users set for owner/admin user IDs
  • user_allowed_commands configured to limit regular users to read-only commands
  • Empty allowed_users is intentional and paired with unknown_user_policy: "allow", or allowed_users is non-empty.
  • PRAISONAI_GATEWAY_SECRET set
  • PRAISONAI_CALLBACK_SECRET set (for inline buttons)
  • unknown_user_policy configured (deny/pair/allow)
  • owner_user_id set for inline approvals
  • Pairing workflow tested and verified
  • Revocation process documented
  • Dangerous tools require approval (not auto-approved)
  • Approval backend configured (Slack/Telegram/HTTP)
  • Tool risk levels reviewed and appropriate
  • Approval timeout configured
  • Bot security doctor check passing
  • Audit logging enabled (praisonai.security.enable_audit_log)
  • Injection defense active (enable_injection_defense() — returns before_tool + before_agent hook IDs)
  • Rate limiting configured for API calls
  • Bot tokens stored securely (not in code)
  • Environment variables encrypted at rest
  • Network access restricted (firewall rules)
  • Regular security updates scheduled

Common Security Patterns

1. Staged Rollout

Start with restrictive settings and gradually open access:

2. Multi-Channel Security

Maintain consistent security across channels with unique tokens and role-specific access: Unique token per channel (CRITICAL):
Shared allowlists across platforms:
Role-specific access control:
In a workforce setup, each Telegram/Discord/Slack bot must come from a separate BotFather/Developer Portal registration. Sharing tokens between channels is a FAIL in praisonai doctor validation.

3. Environment-Based Security

Different security levels per environment:

Security Headers & API Protection

When running bot gateways, enable security headers:

Advanced: Custom Security Hooks

Implement custom security logic with hooks:

Troubleshooting

Pairing Issues

Problem: Pairing codes not working Solution:
  1. Check PRAISONAI_GATEWAY_SECRET is set
  2. Verify code hasn’t expired (5 min default)
  3. Ensure code typed exactly (case sensitive)
Problem: Pairing lost after restart Solution:
  1. Set PRAISONAI_GATEWAY_SECRET env var
  2. Codes without persistent secret are temporary
Problem: praisonai pairing approve reports “Invalid or expired code” even though a code was just generated from the UI Solution:
  1. Upgrade to the latest praisonai version (fix included in 2026-04-22 release)
  2. Older builds had a duplicate internal method that stripped the canonical code key when the UI pairing banner was loaded

Allowlist Issues

Problem: Bot not responding to allowed users Solution:
  1. Check exact user ID format (username vs numeric ID)
  2. Verify allowlist syntax in YAML
  3. Run praisonai doctor for validation
Problem: Bot responding to blocked users Solution:
  1. Check allowlist is configured (not just blocklist)
  2. Verify group_policy setting
  3. Check if user has alternate access path
Problem: Unauthorized users can still invoke /help, /status, or /new Solution: Upgrade to the PraisonAI release that includes PR #1835. Earlier versions enforced the allowlist only on plain-text messages, not on command handlers. Problem: After upgrading PraisonAI my Telegram bot stopped replying to everyone, including the owner. Solution: PR #1885 fixed a Telegram bug where empty allowed_users bypassed unknown_user_policy. Either add your user ID to allowed_users, or set unknown_user_policy: "allow" if you actually want the bot to respond to anyone. Default is "deny".

Best Practices

  • Use explicit allowlists for all channels
  • Regularly review and update allowed users
  • Implement role-based access where possible
  • Log all access attempts for audit trails
  • Store tokens in environment variables
  • Rotate secrets regularly
  • Use encrypted storage for sensitive data
  • Never commit secrets to version control
  • Implement per-user rate limits
  • Set global request quotas
  • Monitor for unusual activity patterns
  • Implement exponential backoff for failed requests
  • Enable audit logging
  • Monitor security events
  • Set up alerting for suspicious activity
  • Regular security reviews

Agent Configuration

Core agent setup and configuration

Gateway Setup

Multi-channel gateway configuration

By following these security practices, your PraisonAI bots will operate safely in production while maintaining the flexibility to serve legitimate users. Regular security audits help ensure your configuration stays secure over time.