Publishing a mini-app#
Publishing does three things: it names your app, gives you the secret you verify launch tokens with, and (optionally) hosts it for you.
App IDs — owner/slug#
Every app has an id of the form owner/slug:
owneris your account username (a namespace account may carry one:, e.g.acme:team).slugmatches^[a-z][a-z0-9-]*$.- Each half is at most 64 characters.
✓ ada/todo ✓ acme:team/notes
✗ com.ada.todo ✗ noslash ✗ /leadingYou may only publish under a namespace you own.
Register#
Registering mints (on first call) the signing secret for your launch tokens.
mafold apps register you/todo \
--url https://todo.example.com \
--name "Todo" \
--capabilities room,chat.send,storageThe result includes your secret:
{ "id": "you/todo", "url": "https://todo.example.com", "secret": "…" }The secret is shown once
The signing secret is returned only on first registration. Store it in your backend's secrets manager immediately. Re-registering the same app (to update the URL, name, or capabilities) keeps the existing secret and returns null for it.
--capabilities is the list your app is allowed to use at runtime — declare only what you need (room, storage, chat.read, chat.send, ui.*; see the SDK reference).
Your app secret#
The secret signs every launch token, and your backend verifies with it — see Authentication. If it leaks, rotate it (the old one stops verifying immediately):
mafold apps rotate-secret you/todoHosting#
You can host the app anywhere — any HTTPS URL works. Mafold also offers free static hosting on *.mafold.app so you don't need your own server for a front-end-only app.
mafold apps deploy --dir ./dist --name todo
# → https://todo-3f2a.mafold.appDeploying uploads your built files and serves them at <name>-<id>.mafold.app. Redeploying the same site replaces it wholesale (files not in the new upload are removed). Current limits per site: 200 files, 5 MB per file, and a small per-account site cap.
Front-end plus a backend
Static hosting serves your front-end. Launch-token verification still needs a backend that holds your secret — host that wherever you like and point your app at it.
Registry rules#
- Identity = Mafold identity. If your app identifies users,
Mafold.auth()/initDataverification is the only permitted way — no own signup forms, no third-party login (Google, email links, …) inside the app. Users are already signed in; use that. Apps that don't need identity at all are welcome. See Authentication. - Declare only the capabilities you use; undeclared capabilities reject at runtime.
- Your app secret stays on your backend — never ship it to the browser.
Putting it together#
- Build your front-end and add the SDK.
mafold apps register you/todo --url … --capabilities …→ save the secret.- Verify
initDataon your backend with the secret (Authentication). - Host the front-end (your own, or
mafold apps deploy). - Open it from a conversation — Mafold hands your page a verified identity and a shared room, and you're multiplayer.