Mini App origin lockdown: what changes on 20 July 2026

From 20 July 2026 Telegram switches on a new protection for every Mini App: Telegram.WebApp methods stop working on pages opened inside a Mini App from a different domain. If your funnel ends in a Mini App and opens an offer, a payment page or an intermediate page on another domain inside it, check that funnel before the date. Leadgram's own surfaces are unaffected: tracking links, the hosted landing, events and postbacks work exactly as before.

What changes on 20 July

Bot API 10.2 (announced 14 July 2026) hardens Mini App security: calls to Mini App methods from an origin other than the Mini App's own domain are blocked. Until now, any page opened inside your Mini App's webview could call Telegram.WebApp.* - expand the window, close the app, show the MainButton, send data to the bot. From 20 July that is allowed only for pages on the domain the Mini App is registered on in BotFather. The protection turns on automatically for every Mini App, with no action from the owner.

What does NOT break: third-party pages still open inside the webview, ordinary links and HTTP redirects still work, t.me links and deep links carry on as before, server-side events still fire. Exactly one thing is blocked - calling Telegram methods from a foreign domain.

Who this affects

Check your funnel if any of these is true:

  • Inside your Mini App the user moves to pages on another domain - an advertiser's offer, a payment page, an intermediate page - and those pages call Telegram.WebApp.* (typical candidates: close(), expand(), MainButton, sendData(), openLink(), HapticFeedback).
  • The Mini App URL in BotFather points not at your app's real domain but at a redirect: a tracker, a shortener, an intermediate page. The registration domain and the domain where the code actually runs won't match, and methods break for the whole app.

It doesn't affect you if your funnel ends at a bot start or a channel join, if your Mini App lives entirely on one domain, or if you send miniapp_launch to Leadgram over S2S - server-side calls have nothing to do with a webview protection.

Don't use a Leadgram tracking link as the Mini App URL in BotFather. Our redirect works, but the Mini App ends up registered on the tracker's domain, and after 20 July Telegram methods on your real domain will be blocked. To attribute launches, pass the click id through start_param and record a miniapp_launch event - see Mini Apps.

How to check your funnel

  1. Open your Mini App in Telegram Desktop or web.telegram.org and walk the user's path to the end - to the offer, the payment page, the final screen.
  2. At every step look at the page's domain (DevTools are available in the desktop and web clients). Write down every domain that differs from the one set in BotFather.
  3. For each foreign domain, check the page's code for window.Telegram.WebApp. Grepping the sources for Telegram.WebApp is faster than any amount of clicking.
  4. If no foreign domain makes such calls, you're not affected and there's nothing to do.
  5. If some do, you have two options: move the calls onto the registered domain (the right one) or disable the protection (the last resort, below).

The most common painless fix: a page on a foreign domain only calls close() or openLink(). Replace them with an ordinary https://t.me/... link or a redirect - the behaviour is nearly identical, and the page stops depending on the WebApp bridge.

Opting out through BotFather

If you can't rework the funnel in time, Telegram left an opt-out. It lives in BotFather's own Mini App: open @BotFather, launch its Mini App, pick your bot and turn the origin protection off in the Mini App settings. By disabling it you accept, on Telegram's terms, responsibility for making sure your Mini App has no links to untrusted sites.

Treat the opt-out as a painkiller, not a cure: it restores the "any page inside the webview controls the app" behaviour, which is exactly the hole Telegram is closing. The right end state is all Telegram.WebApp calls living on the registered domain, with the protection on.

What about Leadgram's surfaces

We checked every product surface that touches Telegram:

  • Tracking links and redirects - a server-side 302, not a line of client-side Telegram code. Unaffected.
  • Hosted landing - delivers into Telegram through tg:// and a t.me link, uses no Mini App methods. Unaffected.
  • The Mini App snippet - reads launch parameters only and posts them to our backend, never calling Telegram.WebApp methods. Unaffected by design, see Mini Apps.
  • The miniapp_launch event over S2S - accepted through the events API; a browser-side protection has no bearing on it. Unaffected.
  • Postbacks, CAPI, Flows - server-side mechanics, outside the scope of the change. Unaffected.

Nothing needs reconfiguring in Leadgram. The only thing on your side is to walk your own Mini App funnel through the checklist above, if you have one.