mammothcoding / maxoxide
Synchronous PHP library for the Max messenger Bot API.
Requires
- php: >=7.4
- ext-curl: *
- ext-json: *
Requires (Dev)
- phpunit/phpunit: ^9.5 || ^10.0
README
Readme in different languages: EN · RU
maxoxide-php
A synchronous PHP library for building bots on the Max messenger platform. Inspired by the Rust library maxoxide.
Requires PHP 7.4+, the curl and json extensions. No third-party runtime dependencies.
This PHP version is aligned with the Rust maxoxide 2.3.0 API surface: the current platform-api2.max.ru host, automatic Russian Trusted Root CA handling, update chat ID extraction, channel lookup by public link, filtered polling, message markup parsing, new dialog updates, contact hash/max_info helpers, chat buttons, typed sender actions, media helpers, open_app/clipboard buttons, and image photos upload payloads.
Installation
composer require mammothcoding/maxoxide
Quick start
<?php require 'vendor/autoload.php'; use Maxoxide\Bot; use Maxoxide\Context; use Maxoxide\Dispatcher; $bot = Bot::fromEnv(); // reads MAX_BOT_TOKEN from the environment $dp = new Dispatcher($bot); $dp->onCommand('/start', function (Context $ctx) { if ($ctx->update->message !== null) { $ctx->bot->sendMarkdownToChat( $ctx->update->message->chatId(), 'Hello!' ); } }); $dp->onMessage(function (Context $ctx) { if ($ctx->update->message !== null) { $text = $ctx->update->message->text() ?? '(no text)'; $ctx->bot->sendTextToChat($ctx->update->message->chatId(), $text); } }); $dp->startPolling();
MAX_BOT_TOKEN=your_token php examples/echo_bot.php
TLS Trust For platform-api2.max.ru
The current official MAX API host uses a certificate chain rooted in Russian Trusted Root CA. The default cURL client created by new Bot(...) and Bot::fromEnv() keeps TLS verification enabled and prepares that trust automatically:
- first it tries to download the fresh PEM from the official
gu-st.ruURL; - if that download fails, it falls back to the embedded
Russian Trusted Root CAcopy shipped with the package; - the CA is merged with the detected system CA bundle when one is available, not used to disable certificate verification.
Unlike the Rust client, the PHP client does not accept an externally built HTTP client. Every supported Bot construction path applies the same TLS setup to API and upload cURL handles, and a custom constructor timeout does not bypass it.
Project structure
maxoxide-php/
├── composer.json -- dependencies and PSR-4 autoloading
├── README.md
├── README.ru.md
├── bootstrap.php -- manual bootstrap for running examples from source tree
├── src/
│ ├── MaxException.php -- the single exception type
│ ├── Types.php -- data types: User, Chat, Message, Button, Keyboard, ...
│ ├── Update.php -- Update, Callback, UpdatesResponse, RawUpdatesResponse
│ ├── Bot.php -- cURL HTTP client, API methods, file uploads
│ ├── Dispatcher.php -- Dispatcher, Context, filters, long polling
│ ├── Webhook.php -- WebhookReceiver with no framework dependency
│ └── certs/russian_trusted_root_ca.pem -- embedded TLS trust fallback
├── examples/
│ ├── echo_bot.php -- echo bot via long polling
│ ├── keyboard_bot.php -- inline keyboard and callback buttons
│ ├── dispatcher_filters_bot.php -- composable filters, raw hooks, tasks
│ ├── media_bot.php -- upload-and-send helpers for media/files
│ ├── webhook_bot.php -- webhook receiver example
│ └── live_api_test.php -- interactive harness against the real MAX API
└── tests/
├── TypesTest.php -- unit tests for types, filters, serialization
└── BotSendMessageTest.php -- regression tests for POST /messages dispatch
API methods
| Method | Description |
|---|---|
getMe() |
Bot info |
editMyInfo(body) |
Edit bot profile, commands, or avatar via PATCH /me |
sendTextToChat(chatId, text) |
Send plain text to a dialog/group/channel by chatId |
sendTextToUser(userId, text) |
Send plain text to a user by global MAX userId |
sendMarkdownToChat(chatId, text) |
Send Markdown to a dialog/group/channel |
sendMarkdownToUser(userId, text) |
Send Markdown to a user by userId |
sendMessageToChat(chatId, body) |
Send a message with attachments or a keyboard by chatId (requestContact / requestGeoLocation buttons are live-confirmed; the chat button is currently platform-limited) |
sendMessageToChatWithOptions(chatId, body, options) |
Send with query options such as disable_link_preview |
sendMessageToUser(userId, body) |
Send a message with attachments or a keyboard by userId (requestContact / requestGeoLocation buttons are live-confirmed; the chat button is currently platform-limited) |
sendMessageToUserWithOptions(userId, body, options) |
Send to a user with query options |
editMessage(mid, body) |
Edit a message |
deleteMessage(mid) |
Delete a message |
getMessage(mid) |
Get a message by ID |
getMessages(chatId, ...) |
Get messages from a chat |
getMessagesByIds(ids, ...) |
Get one or more messages by message IDs |
getVideo(videoToken) |
Get uploaded video metadata and playback URLs |
answerCallback(body) |
Answer an inline button press |
getChats(...) |
Deprecated: MAX stopped supporting GET /chats; store chatId values from updates instead |
getChat(chatId) |
Chat info |
getChatByLink(chatLink) |
Channel info by public link / username, e.g. https://max.ru/channel, channel, or @channel (may return 404 Chat not found by link when the channel is unavailable to the bot) |
editChat(chatId, body) |
Edit title or description |
deleteChat(chatId) |
Delete a chat |
sendAction(chatId, action) |
Typing indicator and other chat actions |
sendSenderAction(chatId, action) |
Send a typed sender action value (typing_on is live-confirmed as visible in group chats) |
sendTypingOn(chatId) / markSeen(chatId) |
Convenience sender actions |
sendSendingImage/Video/Audio/File(chatId) |
Convenience upload indicators |
getPinnedMessage(chatId) |
Get the pinned message |
pinMessage(chatId, body) |
Pin a message |
unpinMessage(chatId) |
Unpin |
getMembers(chatId, ...) |
List chat members |
getMembersByIds(chatId, userIds) |
Get selected chat members |
addMembers(chatId, userIds) |
Add members |
removeMember(chatId, userId) |
Remove a member |
removeMemberWithOptions(chatId, userId, options) |
Remove a member with options such as block=true |
getAdmins(chatId) |
List admins |
addAdmins(chatId, admins) |
Grant administrator rights |
removeAdmin(chatId, userId) |
Revoke administrator rights |
getMyMembership(chatId) |
Get the bot's own membership |
leaveChat(chatId) |
Leave a chat |
getSubscriptions() |
List webhook subscriptions |
subscribe(body) |
Register a webhook |
unsubscribe(url) |
Remove a webhook |
getUpdates(...) |
Run a single long-poll request |
getUpdatesRaw(...) |
Run a raw long-poll request before typed parsing |
getUpdatesWithTypes(..., types) |
Long polling limited to selected update types |
getUpdatesRawWithTypes(..., types) |
Raw JSON long polling limited to selected update types |
getUploadUrl(type) |
Get the MAX upload URL for an attachment type |
uploadFile(type, path, name, mime) |
Full two-step file upload |
uploadBytes(type, bytes, name, mime) |
Same, from raw bytes |
sendImage/Video/Audio/FileToChat(...) |
Upload a local file and send it to a chat |
sendImage/Video/Audio/FileToUser(...) |
Upload a local file and send it to a user |
sendImage/Video/Audio/FileBytesToChat(...) |
Upload bytes and send to a chat |
sendImage/Video/Audio/FileBytesToUser(...) |
Upload bytes and send to a user |
setMyCommands(commands) |
Experimental: no public write endpoint is documented; live API currently returns 404 for /me/commands |
userId vs chatId
These two identifiers are different:
userIdis the global ID of a MAX user.chatIdis the ID of a concrete dialog, group, or channel.- In a private chat,
message->sender->userIdidentifies the user, whilemessage->chatId()identifies the specific dialog with the bot. - Use
sendTextToChat/sendMessageToChatwhen you know the dialog or groupchatId. - Use
sendTextToUser/sendMessageToUserwhen you only know the globaluserId.
User and ChatMember now expose MAX-style profile fields: firstName, lastName, username, description, avatarUrl, fullAvatarUrl, and commands where applicable. Use displayName() when you need one printable name. The legacy name alias remains available for existing PHP callers.
Replacing Deprecated getChats
MAX stopped supporting GET /chats in June 2026 and announced shutdown for August 2026. There is no replacement endpoint that returns the full chat/channel list for a bot. Store chatId values from updates in your own database, remove them on bot_removed, then call getChat($chatId) and other chat-ID-based methods. getChatByLink() only looks up a known public channel link and is not a full-list replacement.
$dp->onBotAdded(function (Context $ctx) { $chatId = $ctx->update->chatId(); if ($chatId !== null) { // Store $chatId in your database. } }); $dp->onBotRemoved(function (Context $ctx) { $chatId = $ctx->update->chatId(); if ($chatId !== null) { // Remove $chatId from your database. } });
For generic handlers, Update::chatId() returns the chat ID when the typed update carries one.
Dispatcher filters
use Maxoxide\AttachmentKind; use Maxoxide\Filter; $dp->onCommand('/start', $handler); // specific command $dp->onMessage($handler); // any new message $dp->onEditedMessage($handler); // message edit $dp->onCallback($handler); // any callback $dp->onCallbackPayload('btn:ok', $handler); // exact payload $dp->onBotStarted($handler); // first bot start $dp->onBotAdded($handler); // bot added to a chat $dp->onBotStopped($handler); // user stopped the bot $dp->onDialogMuted($handler); // private dialog muted $dp->onMessageChatCreated($handler); // chat button created a chat $dp->onFilter(fn($u) => ..., $handler); // custom predicate $dp->on($handler); // every update $dp->onUpdate( Filter::message() ->andFilter(Filter::chat($chatId)) ->andFilter(Filter::textContains('ping')), $handler ); $dp->onUpdate(Filter::hasAttachmentType(AttachmentKind::FILE), $handler); $dp->onUpdate(Filter::hasMedia(), $handler); $dp->onUpdate(Filter::unknownUpdate(), $handler); $dp->onRawUpdate($handler); // raw JSON for every update $dp->onStart($handler); // once before polling starts $dp->task(300, $handler); // periodic task while polling
The first matching handler wins. Register more specific filters earlier.
Raw handlers always run before typed handlers. Unknown future update types are parsed as Update objects with raw() preserved.
Inline keyboard
use Maxoxide\Button; use Maxoxide\KeyboardPayload; use Maxoxide\NewMessageBody; $keyboard = new KeyboardPayload([ [ Button::callback('Yes', 'answer:yes'), Button::callback('No', 'answer:no'), ], [ Button::link('Website', 'https://max.ru'), Button::clipboard('Copy code', 'promo-123'), ], [ Button::requestContact('Share contact'), Button::requestGeoLocation('Share location'), ], ]); $body = NewMessageBody::text('Are you sure?')->withKeyboard($keyboard); $bot->sendMessageToChat($chatId, $body);
Button::openAppFull($text, $webApp, $payload, $contactId) serializes the official MAX open_app wire model with web_app, optional payload, and optional contact_id.
Request-contact buttons are live-confirmed to deliver vcf_info, hash, and max_info; Attachment::validateHash($token) verifies the VCF hash, and Attachment::phonesFromVcf() is the fallback when vcf_phone is missing. Request-location buttons are live-confirmed to deliver a structured location attachment with coordinates. Button::chatFull(...) follows the documented MAX schema, but current live POST /messages requests reject the documented chat button JSON with 400 Can't deserialize body.
File uploads
MAX uses a two-step upload flow. uploadFile and uploadBytes return a usable attachment token:
use Maxoxide\NewAttachment; use Maxoxide\NewMessageBody; use Maxoxide\UploadType; $token = $bot->uploadFile(UploadType::IMAGE, './photo.jpg', 'photo.jpg', 'image/jpeg'); $body = NewMessageBody::text('Here is a photo!') ->withAttachment(NewAttachment::image($token)); $bot->sendMessageToChat($chatId, $body);
For the common upload-and-send flow, use the helpers:
$bot->sendImageToChat($chatId, './photo.jpg', 'photo.jpg', 'image/jpeg', 'Here is a photo!'); $bot->sendVideoToUser($userId, './clip.mp4', 'clip.mp4', 'video/mp4'); $bot->sendFileBytesToChat($chatId, $bytes, 'report.pdf', 'application/pdf', 'Report');
Image uploads can return a MAX photos token map instead of a single token. The sendImage* helpers preserve that payload automatically and retry briefly while MAX reports the attachment as not processed yet.
Important: the
phototype has been removed from the MAX API. Always useUploadType::IMAGE.
Webhook (without a framework)
// webhook.php -- this file is exposed via your HTTPS URL use Maxoxide\Bot; use Maxoxide\Dispatcher; use Maxoxide\WebhookReceiver; $bot = Bot::fromEnv(); $dp = new Dispatcher($bot); $dp->onCommand('/start', function ($ctx) { $ctx->bot->sendTextToChat($ctx->update->message->chatId(), 'Hello!'); }); // Pass the same secret that you used in SubscribeBody WebhookReceiver::handle($dp, getenv('WEBHOOK_SECRET') ?: null);
Register the webhook once:
use Maxoxide\SubscribeBody; $body = new SubscribeBody('https://your-domain.com/webhook.php'); $body->secret = 'my_secret_123'; $bot->subscribe($body);
MAX requires HTTPS on port 443. Self-signed certificates are not supported.
Error handling
All API errors throw Maxoxide\MaxException:
use Maxoxide\MaxException; try { $bot->sendTextToChat($chatId, 'Hello!'); } catch (MaxException $e) { echo $e->getApiCode(); // HTTP status (0 = network/JSON error) echo $e->getMessage(); // error description }
Global handler for dispatcher callback errors:
use Throwable; $dp->onError(function (Throwable $e) { error_log('[maxoxide] ' . $e->getMessage()); });
Running tests
composer install ./vendor/bin/phpunit tests
Live API test
There is an interactive harness for end-to-end checks against the real API:
php examples/live_api_test.php
At startup it asks for the language, update transport, bot token, and optional settings:
- update transport:
long_pollingorwebhook - bot URL for the tester
- public channel link for the optional
getChatByLinkprobe - webhook URL and secret for subscribe/unsubscribe checks, webhook mode, and restoring temporarily disabled subscriptions
- local webhook listen address when
webhooktransport is selected - path to a local file for
uploadFile - optional paths to image, video, and audio files for media helper checks
- request delay and polling timeout
Then the harness walks through each phase:
Private chat: sending /live to the bot activates the phase. It checks sendTextToChat, sendTextToUser, sendMarkdown*, message markup returned by getMessage, sendMessageToChatWithOptions, inline keyboards with callback/message/contact/location/link buttons, optional open_app, clipboard, opt-in chat button / message_chat_created, answerCallback, editMessage, getMessage, getMessages, getMessagesByIds, and deleteMessage.
Uploads: getUploadUrl for all types, uploadFile, uploadBytes, file helpers for chat/user, byte helpers, optional sendImageToChat, sendVideoToChat, getVideo, sendAudioToChat, and sending uploaded attachments back to the chat.
Updates transport: in long_polling mode the harness checks active webhook subscriptions, can temporarily unsubscribe them, restores them at the end, and probes getUpdatesWithTypes / getUpdatesRawWithTypes. In webhook mode it starts a local receiver and manual waits consume incoming webhook POSTs.
Webhook: getSubscriptions, subscribe, unsubscribe if a webhook URL is provided and the run is not already using webhook transport.
Commands: optional experimental setMyCommands check with explicit confirmation.
Group chat: sending /group_live in a group activates the phase; if no update is received, the harness accepts a manual chatId. It checks getChat, getMembers, getMembersByIds, getAdmins, getMyMembership, typed sender actions, sender-action helpers, pin/unpin, editChat with automatic rollback, optional addAdmins/removeAdmin, addMembers, removeMember, opt-in removeMemberWithOptions(..., block=true), deleteChat, and leaveChat.
Optional dialog events: at the end the harness can wait for bot_stopped, dialog_cleared, dialog_muted, dialog_unmuted, and dialog_removed.
Each step is reported as PASS, FAIL, or SKIP, and the full summary is printed at the end.