跪拜 Guibai
← All articles
Programmer

The Hidden Complexity of Wiring AI Agents into Telegram, WhatsApp, and WeChat

By Harries ·
Read original on juejin.cn ↗ Google Translate ↗ Alt translation

As AI agents move from demos to production, the chat interface is becoming the default user interface. Western developers building multi-tenant agent systems will face the same permission and isolation challenges described here — and the OpenClaw design patterns offer a practical reference for handling them before they become production incidents.

Summary

Connecting an AI agent to a chat app like Telegram, WhatsApp, or WeChat Work looks deceptively simple: receive a message, send a reply. But the real engineering challenge lies in the permission and routing layer that sits between the chat channel and the agent.

OpenClaw, a framework for building agent gateways, treats chat channels as entry points that must be paired with a full access control system. The design space includes DM policies (pairing, allowlist, open), group policies (whether @-mention is required), session isolation (preventing Alice's context from leaking into Bob's conversation), and agent bindings (routing different users or groups to different agents with their own tools and models).

Each chat platform introduces its own quirks. Telegram uses long polling by default and requires careful handling of Privacy Mode and group chat IDs. WhatsApp relies on a web channel that starts automatically after linking a session. WeChat Work requires an external plugin for login and media handling, and must not be confused with personal WeChat or simple webhook integrations. The article walks through concrete JSON configurations for each platform, showing how to set up policies for DM, groups, and session isolation.

Takeaways
OpenClaw's channel layer standardizes external messages and routes them to an agent, but a secure integration requires eight separate design concerns: login, DM policy, group policy, allowlist, mention gating, session isolation, agent binding, and tool policy.
Telegram bots use long polling by default; webhook is optional. Group chat requires handling Privacy Mode, admin permissions, and the distinction between group chat IDs and user IDs.
WhatsApp integration uses a web channel that starts automatically after linking a session, with configuration for text chunk limits, media size limits, and health monitoring.
WeChat Work requires an external plugin (`@tencent-weixin/openclaw-weixin`) for login, Tencent iLink API, media upload/download, and account monitoring — none of this is in the OpenClaw core.
DM policy options are pairing (one-time code + manual approval), allowlist (only configured senders), open (everyone), and disabled. Production recommendation: pairing or allowlist for personal assistants, allowlist + requireMention for team groups, open + narrow tool permissions for public bots.
Session isolation must be explicitly configured. Default DM shares a single session; enabling `dmScope: "per-channel-peer"` isolates by user, and `dmScope: "per-account-channel-peer"` isolates by user and account.
Multi-agent setups use bindings to route specific channel accounts, groups, or users to different agents, each with its own workspace, agent directory, auth profiles, session store, skills, and model config.
Group chats require two layers of control: whether the group can trigger the bot, and which individuals in the group can trigger it. Starting with `requireMention: true` is the safest default.
Conclusions

The hardest part of chat agent integration is not the API — it's the permission model. Most developers will spend more time on pairing flows and session isolation than on message formatting.

The distinction between DM pairing and group sender authorization is a common source of bugs. Pairing a user in DM does not automatically authorize them in a group context.

Group tool permissions are a shared delegated authority — if one group member can trigger a tool that reads files or runs commands, all members effectively share that capability. This is a security boundary that is easy to overlook.

The WeChat ecosystem is fragmented: personal WeChat, WeChat Work bots, and enterprise app callbacks are three different integration models with different APIs and plugins. Assuming they are interchangeable is a recipe for integration failure.

Session isolation is a privacy and correctness requirement, not just a nice-to-have. Without it, multi-tenant bots will leak context between users — a hard failure mode that is difficult to debug after deployment.

Concepts & terms
Channel (in OpenClaw)
A component that standardizes messages from an external chat platform (Telegram, WhatsApp, WeChat) and routes them to an agent. The channel handles login, message formatting, and platform-specific quirks, but does not enforce permissions or session boundaries by itself.
Pairing (DM policy)
An access control mode where an unknown sender receives a one-time code and must be manually approved by an administrator before they can interact with the agent. This is a common pattern for personal assistants in production.
Session isolation (dmScope)
A configuration that determines whether multiple users sharing the same bot get separate conversation contexts. Without isolation, messages from different users can leak into each other's sessions. OpenClaw supports per-channel-peer and per-account-channel-peer scopes.
Agent binding
A routing mechanism that maps a specific channel account, group, or user to a specific agent instance. Each agent can have its own workspace, tools, model configuration, and session store, enabling multi-tenant or multi-purpose setups on a single gateway.
requireMention
A group chat setting that requires the bot to be @-mentioned before it processes a message. This prevents the bot from reacting to every message in a busy group and is the recommended starting point for group integrations.
Source: juejin.cn ↗ Google Translate ↗ Backup ↗