Model Context Protocol — MCP Apps: UI components inside agent chats

• Category: Security

  • What shipped: The MCP project announced MCP Apps as the first official MCP extension, letting tools return interactive UI components instead of only text.
  • Mechanism: Tools attach UI metadata (a resourceUri) and the host renders the UI resource via a ui:// scheme.
  • Execution model: UI runs in a sandboxed iframe, with bidirectional communication using JSON-RPC over postMessage.
  • Why now: It standardizes patterns pioneered by MCP-UI and the OpenAI Apps SDK, aiming for “write once, run across clients.”
  • Use cases: dashboards, configuration wizards, document review, live system monitoring — basically anything that’s painful as a back-and-forth prompt loop.
  • Security posture (as described): sandboxing + auditable messages + optional user consent for UI-initiated tool calls + host review of templates.
  • Client support: the post lists Claude (web/desktop), Goose, VS Code Insiders, and ChatGPT “starting this week,” plus more to come.
  • Dev entry point: there’s an SDK package (@modelcontextprotocol/ext-apps) and a quickstart + examples.

Why it matters

  • Agents become “real apps”: This pushes agent workflows from chat-only into richer, stateful interactions — which accelerates adoption in enterprise automation.
  • New attack surface: Any “UI-from-a-tool” feature is effectively running code you didn’t write. Sandboxing helps, but trust and review remain central.
  • Standardization pressure: Once multiple major clients support the same UI extension, the ecosystem will move faster (and so will security mistakes).

What to do

  1. For host/client builders: ship with strict sandbox flags by default; require explicit consent for UI-initiated tool calls; log every JSON-RPC message.
  2. For tool authors: treat UI code as part of your supply chain; publish signed releases, pin dependencies, and document the permissions your UI expects.
  3. For security teams: add “MCP UI resources” to threat models and reviews (content security policy, origin isolation, token handling, clickjacking, SSRF via tool calls).
  4. For operators: allowlist MCP servers; don’t connect random public servers to privileged tools/data; keep a kill-switch (disable UI rendering) for incident response.
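The mechanism bullets above (ui:// resources, a sandboxed iframe, JSON-RPC over postMessage) and the four "What to do" items translate into a small amount of host-side code. The following is an added example written for this summary, not code from the MCP project or the ext-apps SDK: a host broker that allowlists ui:// resources, pins the iframe sandbox, checks that every message really comes from the frame the host created, validates the JSON-RPC shape, gates UI-initiated tool calls behind a consent callback, writes every inbound message to an audit log, and exposes a kill-switch that drops all UI traffic. The method names "tools/call" and "ui/ready", the -32000 error code for a denied consent, and the policy object shape are assumptions for illustration, not the extension's actual wire format.

```javascript
// Added example (not MCP project code): host-side broker for MCP App UI frames.
// Assumptions: method names "tools/call" / "ui/ready" and the -32000 consent
// error code are illustrative, not the extension's defined wire format.

// Strictest sandbox that still lets a UI run: scripts only. Without
// allow-same-origin the frame gets an opaque origin, so it cannot read host
// cookies or storage, navigate the top window, or open popups.
const IFRAME_SANDBOX = "allow-scripts";

function iframeSandboxAttribute() {
  return IFRAME_SANDBOX;
}

// Render only ui:// resources whose prefix the operator has allowlisted.
function isAllowedUiResource(resourceUri, allowedPrefixes) {
  if (typeof resourceUri !== "string" || !resourceUri.startsWith("ui://")) return false;
  return allowedPrefixes.some((prefix) => resourceUri.startsWith(prefix));
}

// Validate the JSON-RPC 2.0 request shape before touching any field.
function isJsonRpcRequest(msg) {
  return (
    msg !== null &&
    typeof msg === "object" &&
    msg.jsonrpc === "2.0" &&
    typeof msg.method === "string" &&
    (msg.id === undefined || typeof msg.id === "number" || typeof msg.id === "string")
  );
}

function rpcError(id, code, message) {
  return { jsonrpc: "2.0", id: id === undefined ? null : id, error: { code, message } };
}

class HostBridge {
  // consent(method, params) -> boolean, e.g. a window.confirm() prompt.
  // invokeTool(params) -> result, the host's normal tool-call path.
  constructor({ consent, invokeTool, allowedMethods }) {
    this.consent = consent;
    this.invokeTool = invokeTool;
    this.allowedMethods = new Set(allowedMethods);
    this.auditLog = []; // every inbound message is recorded, accepted or not
    this.uiEnabled = true;
  }

  // Kill-switch for incident response: drop all UI traffic until re-enabled.
  disableUi() {
    this.uiEnabled = false;
  }

  // `event` mirrors a MessageEvent ({ source, data }); `iframeWindow` is the
  // contentWindow of the frame the host created. A sandboxed frame has an
  // opaque origin (event.origin is the string "null"), so identity is checked
  // against the window object itself rather than against an origin string.
  handleMessage(event, iframeWindow) {
    const entry = { ts: Date.now(), data: event.data, accepted: false, reason: "" };
    this.auditLog.push(entry);

    if (!this.uiEnabled) {
      entry.reason = "UI rendering disabled";
      return null;
    }
    if (event.source !== iframeWindow) {
      entry.reason = "message not from the UI frame";
      return null; // drop silently: never answer a window the host did not create
    }
    const msg = event.data;
    if (!isJsonRpcRequest(msg)) {
      entry.reason = "malformed JSON-RPC request";
      return rpcError(undefined, -32600, "Invalid Request");
    }
    if (!this.allowedMethods.has(msg.method)) {
      entry.reason = `method not allowed: ${msg.method}`;
      return rpcError(msg.id, -32601, "Method not found");
    }
    if (msg.method === "tools/call") {
      // UI-initiated tool call: the user, not the UI, decides whether it runs.
      if (!this.consent(msg.method, msg.params)) {
        entry.reason = "user denied consent";
        return rpcError(msg.id, -32000, "Consent denied");
      }
      entry.accepted = true;
      return { jsonrpc: "2.0", id: msg.id, result: this.invokeTool(msg.params) };
    }
    entry.accepted = true;
    return { jsonrpc: "2.0", id: msg.id, result: {} };
  }
}

// Wiring in a browser host (illustrative, assumes `frame` and `bridge` exist):
//   frame.setAttribute("sandbox", iframeSandboxAttribute());
//   window.addEventListener("message", (e) => {
//     const reply = bridge.handleMessage(e, frame.contentWindow);
//     // targetOrigin must be "*" because the sandboxed frame's origin is opaque;
//     // the source check above is what keeps replies from reaching strangers.
//     if (reply) frame.contentWindow.postMessage(reply, "*");
//   });
```

The consent callback is synchronous here because window.confirm() is; a host that renders its own asynchronous prompt would make handleMessage async and await the callback. The audit log keeps rejected messages too, which is what makes a misbehaving UI visible during review rather than silently dropped.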

Sources