Notes on OpenAI's AppSDK
OpenAI's dev day was today. While I wrote up a short summary of what was announced on Bluesky, one of the major announcements was the AppSDK for ChatGPT. It looks like OpenAI plans to position ChatGPT as a platform for the future, not unlike the Google Play and Apple App stores, except within ChatGPT.
The platform builds on MCP, encouraging developers to expose MCP servers that ChatGPT can discover for capabilities, but goes further in allowing developers to inject custom UI components that customers can interact with.
The general workflow appears to be:
- Your MCP server backend exposes tools ChatGPT can call. Each tool has a JSON schema interface that defines inputs and outputs, along with additional widget metadata.
- A user will interact with ChatGPT and invoke your app (by name usually), which will cause ChatGPT to invoke a tool call to your MCP server. This is where you are expected to handle the business logic.
- Your MCP server now has the option to respond with widget output data which ChatGPT can embed inline in the conversation.
OpenAI provides some design guidelines it expects from Apps:
- Conversational: Experiences should feel like a natural extension of ChatGPT, fitting seamlessly into the conversational flow and UI.
- Intelligent: Tools should be aware of conversation context, supporting and anticipating user intent. Responses and UI should feel individually relevant.
- Simple: Each interaction should focus on a single clear action or outcome. Information and UI should be reduced to the absolute minimum to support the context.
- Responsive: Tools should feel fast and lightweight, enhancing conversation rather than overwhelming it.
- Accessible: Designs must support a wide range of users, including those who rely on assistive technologies.
It's worth noting that this comes right after the announcement of the Agent Commerce Protocol, which I assume this builds on in some way, although I didn't see the reference when browsing through. So that creates the incentive for developers to build new experiences on the platform.
This is interesting and legitimizes MCP in a way that we haven't seen yet. Before you run off and begin rolling out your own MCP server, it's worth noting that MCP has a pretty large attack surface[1] and deployments must be designed with security in mind.
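One concrete piece of that design, as an added example that is not from OpenAI or the original post: the arguments in a tool call are produced by the model, so the server checks them against the tool's declared input schema before the business logic in the workflow above runs. The tool name, its fields and the order data are constructed for illustration, and the validator handles only the schema keywords this tool uses.

```python
import json
# Constructed tool definition, shaped like an MCP tools/list entry (names are hypothetical).
TOOL = {
    "name": "lookup_order",
    "description": "Fetch one order by id",
    "inputSchema": {
        "type": "object",
        "properties": {
            "order_id": {"type": "string", "maxLength": 16},
            "include_items": {"type": "boolean"},
        },
        "required": ["order_id"],
        "additionalProperties": False,
    },
}
ORDERS = {"A-1001": "shipped"}  # constructed sample data
_TYPES = {"string": str, "boolean": bool}

def validate_arguments(schema, args):
    """Return a list of violations; handles only the schema keywords used above."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    props = schema.get("properties", {})
    errors = [f"missing required field: {k}"
              for k in schema.get("required", []) if k not in args]
    for key, value in args.items():
        rule = props.get(key)
        if rule is None:
            if schema.get("additionalProperties") is False:
                errors.append(f"unexpected field: {key}")
        elif not isinstance(value, _TYPES[rule["type"]]):
            errors.append(f"{key}: expected {rule['type']}")
        elif isinstance(value, str) and len(value) > rule.get("maxLength", len(value)):
            errors.append(f"{key}: longer than {rule['maxLength']} characters")
    return errors

def handle_tools_call(request):
    """Handle one JSON-RPC tools/call request; business logic runs only on valid input."""
    params = request.get("params") or {}
    if params.get("name") != TOOL["name"]:
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": -32602, "message": "unknown tool"}}
    errors = validate_arguments(TOOL["inputSchema"], params.get("arguments"))
    if errors:
        result = {"isError": True, "content": [{"type": "text", "text": "; ".join(errors)}]}
    else:
        status = ORDERS.get(params["arguments"]["order_id"], "not found")
        result = {"content": [{"type": "text", "text": json.dumps({"status": status})}]}
    return {"jsonrpc": "2.0", "id": request.get("id"), "result": result}
```

Rejecting undeclared fields (`additionalProperties: false`) matters here because anything the schema does not name would otherwise reach the handler unchecked.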
[1] Bithead, XL. (2025) MCP security exposed: What You Need to know now. live.paloaltonetworks.com. Available at: https://live.paloaltonetworks.com/t5/community-blogs/mcp-security-exposed-what-you-need-to-know-now/ba-p/1227143 (Accessed: 2025-10-7).