Per-command access control layers on top of user allowlists — admins run any command, regular users only run commands you explicitly permit.

Quick Start

1. Restrict regular users in YAML

channels:
  telegram:
    token: ${TELEGRAM_BOT_TOKEN}
    allowed_users: "123,456"
    admin_users: "123"
    user_allowed_commands: "help,status"

User 123 is admin (all commands). User 456 may only run help, status, and whoami.

2. Same setup in Python

from praisonaiagents import Agent
from praisonaiagents.bots import BotConfig
from praisonai.bots import TelegramBot

agent = Agent(name="assistant", instructions="Be helpful")
bot = TelegramBot(
    token="YOUR_TOKEN",
    agent=agent,
    config=BotConfig(
        allowed_users="123,456",
        admin_users="123",
        user_allowed_commands="help,status",
    ),
)

3. User checks permissions with /whoami

/whoami

User Information
User ID: 456
Username: alice
Role: User
Allowed commands: help, status, whoami

How It Works

Built-in Commands

| Command | Description | Always allowed? |
|---|---|---|
| /help | Show help (filtered to caller’s permissions) | Yes |
| /whoami | User ID, username, role, allowed commands | Yes |
| /status | Agent name, model, platform, uptime | No |
| /new | Reset the conversation session | No |
| /stop | Cancel the current agent task | No |

ALWAYS_ALLOWED = {"help", "whoami"} — these cannot be locked away from any user.

Configuration

| Option | Type | Default | Description |
|---|---|---|---|
| admin_users | str | None | Comma-separated user IDs who can run any command |
| user_allowed_commands | str | None | Comma-separated commands regular users may run. None = no restrictions |

When both are unset, behaviour matches pre-PR #2029 (fully open for allowed users).
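
The rules from the Built-in Commands and Configuration sections, modelled as a stand-alone check you can run against a planned channel config (an added example, not PraisonAI's own code). Only ALWAYS_ALLOWED and the three option names come from this page; the function names, the "/" stripping and the audit findings are assumptions, and the caller is assumed to have already passed allowed_users.

```python
ALWAYS_ALLOWED = {"help", "whoami"}   # stated on this page
SIDE_EFFECTS = {"new", "stop"}        # page: reset session / cancel task

def parse_csv(value):
    """Comma-separated option -> set of names; None (unset) stays None."""
    if value is None:
        return None
    return {part.strip() for part in value.split(",") if part.strip()}

def role_of(user_id, admin_users=None):
    """'Admin' if the ID is listed in admin_users, otherwise 'User'."""
    admins = parse_csv(admin_users) or set()
    return "Admin" if str(user_id) in admins else "User"

def may_run(user_id, command, admin_users=None, user_allowed_commands=None):
    """Command-layer decision for a caller already admitted by allowed_users."""
    command = command.lstrip("/")     # assumption: "/status" matches "status"
    if role_of(user_id, admin_users) == "Admin":
        return True                   # admins run any command
    allowed = parse_csv(user_allowed_commands)
    if allowed is None:
        return True                   # None = no restrictions
    return command in (allowed | ALWAYS_ALLOWED)

def audit(allowed_users, admin_users=None, user_allowed_commands=None):
    """Return review findings (hypothetical wording) for one channel's settings."""
    findings = []
    users = parse_csv(allowed_users) or set()
    admins = parse_csv(admin_users) or set()
    commands = parse_csv(user_allowed_commands)
    if commands is None:
        findings.append("user_allowed_commands unset: allowed users can run every command")
    else:
        if not admins:
            findings.append("no admin_users: nobody can run commands outside the list")
        risky = sorted(commands & SIDE_EFFECTS)
        if risky:
            findings.append("regular users can run side-effect commands: " + ", ".join(risky))
    stray = sorted(admins - users)
    if stray:
        findings.append("admin IDs not in allowed_users: " + ", ".join(stray))
    return findings

if __name__ == "__main__":
    # Constructed sample: the Quick Start values from this page.
    cfg = dict(admin_users="123", user_allowed_commands="help,status")
    for cmd in ("/help", "/status", "/whoami", "/new", "/stop"):
        print(456, cmd, may_run(456, cmd, **cfg))
    print(audit("123,456", **cfg))
```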

Choosing a Setup

Best Practices

Per-command access control layers on top of user allowlists; it does not replace them.
/new and /stop both have side effects: resetting state and cancelling tasks.
/whoami shows the exact allow list resolved for the caller.
Register a command with bot.register_command("ping", handler), then include "ping" in user_allowed_commands for non-admins.
