MiniApps
Build web-based Mini Apps that run inside the Umotu mobile app with a secure provider bridge (window.umotu). Users can connect, sign, pay with UMT/stables, and share PoH status with explicit permissions.
How it works
- Mini Apps are standard web apps (HTML/JS) loaded in an in‑app WebView container.
- Only approved origins run (strict allowlist). Navigation off origin is blocked.
- A minimal provider window.umotu is injected to request wallet capabilities.
- Users must approve each capability per app. Decisions can be remembered and later revoked.
Registry (manifest)
Add your app to the registry with an id, entry URL, and declared permissions.
{
id: 'market',
name: 'Local Market',
entryUrl: 'https://merchant.example.com/app',
permissions: ['readAddress', 'poh', 'sign', 'pay']
}
Internal reference: apps/mobile/src/miniapps/registry.ts
Permissions
- readAddress: request accounts (connect)
- sign: personal_sign and eth_signTypedData_v4
- send: eth_sendTransaction (native)
- poh: umotu_getPohStatus (current PoH status)
- pay: umotu_pay (token payments, gasless when enabled)
Apps can only request capabilities they declare. Users approve per origin; decisions can be remembered and revoked in the app.
Provider API
All calls use a single method: await window.umotu.request({ method, params })
- eth_requestAccounts → string[]
- eth_chainId → 0x… (hex)
- personal_sign, eth_signTypedData_v4 → signature
- eth_sendTransaction → tx hash
- umotu_getPohStatus → { wallet, human }
- umotu_pay → userOp hash (gasless) or tx hash (fallback)
// Connect wallet
const [addr] = await window.umotu.request({ method: 'eth_requestAccounts' });
// Read chain id (hex)
const chainId = await window.umotu.request({ method: 'eth_chainId' });
// Check PoH status
const poh = await window.umotu.request({ method: 'umotu_getPohStatus' });
// Sign a message
const sig = await window.umotu.request({ method: 'personal_sign', params: ['hello from mini app', addr] });
// Send a transaction (native ETH value and optional data)
const txHash = await window.umotu.request({ method: 'eth_sendTransaction', params: [{ to: '0x...', value: '0x0' }] });
// Pay with UMT or a stable (gasless when enabled)
await window.umotu.request({ method: 'umotu_pay', params: [{ token: '0xToken', to: '0xMerchant', amount: '5.00' }] });
Quick start (HTML)
<!doctype html>
<html>
<head><meta charset="utf-8"><title>Mini App</title></head>
<body>
<button id="connect">Connect</button>
<pre id="out"></pre>
<script>
async function main() {
const out = (msg) => { const el = document.getElementById('out'); el.textContent += msg + '\n'; };
try {
const [addr] = await window.umotu.request({ method: 'eth_requestAccounts' });
out('Connected: ' + addr);
const poh = await window.umotu.request({ method: 'umotu_getPohStatus' });
out('PoH: ' + JSON.stringify(poh));
} catch (e) { out('Error: ' + (e?.message || e)); }
}
document.getElementById('connect').onclick = main;
</script>
</body>
</html>
Example included in this repo: /miniapps/example. When the explorer runs locally on port 3021, open https://umotu.com/miniapps/example/index.html in your browser. To load it inside the mobile app, add its origin to the Mini Apps registry while developing (e.g., http://localhost:3023).
Optional SDK
Include a tiny helper SDK to simplify calls and provider detection:
<script src="/miniapps/sdk/umotu.js"></script>
Usage:
if (!window.Umotu?.hasProvider()) throw new Error('Run inside Umotu');
const [addr] = await window.Umotu.connect();
const { wallet, human } = await window.Umotu.getPohStatus();
const sig = await window.Umotu.signMessage(addr, 'hello');
const tx = await window.Umotu.sendTransaction({ to: addr, value: '0x0' });
await window.Umotu.pay({ token: '0xToken', to: '0xMerchant', amount: '1.23' });
Events
The SDK lets you subscribe to Umotu provider events:
const off = window.Umotu.on('accountsChanged', (accounts) => {
console.log('Accounts changed:', accounts);
if (!accounts || accounts.length === 0) {
// Disconnected by user
}
});
// later: off();
Safety model
- Strict origin allowlist: only approved Mini Apps can load; off-origin navigation is blocked.
- Explicit permission prompts per capability with optional remember.
- Hardened WebView: incognito, single window, no shared cookies.
- Transaction previews: on-device gas/fee estimates; signature JSON inspection.
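The origin allowlist and per-capability checks described above can be sketched as a single host-side decision function. This is an added example, not Umotu's implementation: `authorize`, `METHOD_PERMISSION`, `UNPRIVILEGED` and the `remembered` map are hypothetical names, the registry entry is constructed from the manifest sample, and treating eth_chainId as needing no permission is an assumption.

```javascript
// Added example: host-side gate for window.umotu requests (not Umotu's code).
// The method-to-permission mapping follows the Permissions list on this page.
const METHOD_PERMISSION = {
  eth_requestAccounts: 'readAddress',
  personal_sign: 'sign',
  eth_signTypedData_v4: 'sign',
  eth_sendTransaction: 'send',
  umotu_getPohStatus: 'poh',
  umotu_pay: 'pay',
};
// Assumption: eth_chainId exposes no user data and needs no permission.
const UNPRIVILEGED = new Set(['eth_chainId']);

// Constructed registry entry, same shape as the manifest sample.
const REGISTRY = [{
  id: 'market',
  name: 'Local Market',
  entryUrl: 'https://merchant.example.com/app',
  permissions: ['readAddress', 'poh', 'sign', 'pay'],
}];

// Returns 'allow', 'prompt' or 'deny' for a request coming from pageUrl.
// remembered: Map of origin -> Set of permissions the user chose to remember.
function authorize(registry, pageUrl, method, remembered = new Map()) {
  let origin;
  try { origin = new URL(pageUrl).origin; } catch { return 'deny'; }
  // Exact origin comparison: scheme, host and port must all match.
  const app = registry.find((a) => new URL(a.entryUrl).origin === origin);
  if (!app) return 'deny'; // origin is not on the allowlist
  if (UNPRIVILEGED.has(method)) return 'allow';
  // Own-property lookup so inherited names such as 'constructor' are unknown.
  const known = Object.prototype.hasOwnProperty.call(METHOD_PERMISSION, method);
  if (!known) return 'deny'; // unknown method: fail closed
  const perm = METHOD_PERMISSION[method];
  if (!app.permissions.includes(perm)) return 'deny'; // not declared in manifest
  const granted = remembered.get(origin);
  return granted && granted.has(perm) ? 'allow' : 'prompt';
}
```

Revoking a remembered decision in this sketch means deleting the permission from the origin's set, after which the same request returns 'prompt' again.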
Publish your Mini App
Submit your manifest (id, name, entryUrl, permissions) and a short description. The Umotu Foundation reviews apps for safety and lists approved origins in the registry. Apps go to the business sandbox first, then to production.
While the public submission portal is being built, contact the team with your details to be added to the registry.