MCP Apps (SEP-1865): The UI Spec That Just Killed Custom Agent Frontends

By Sanjay Saini |  Published: May 9, 2026 |  5 min read
MCP Apps UI Spec SEP-1865 Explained
Key Takeaways:
  • Native UI Delivery: The sep-1865 specification allows MCP servers to push interactive UI components directly to the client chat window.
  • Cost Reduction: Drastically reduces engineering overhead by eliminating the need for standalone web apps.
  • Component Sandboxing: Enforces strict security boundaries, preventing raw HTML injection and XSS vulnerabilities.
  • Manifest Driven: Relies on a standardized mcp apps manifest for seamless discovery and rendering.

SEP-1865 lets MCP servers ship their own UI directly into Claude, ChatGPT, and Cursor. This is the spec walkthrough no vendor blog post is willing to publish.

If you are a product manager trying to accelerate agile team AI adoption, building bespoke React frontends for every internal AI tool is a massive drain on resources.

The backend integration problem was solved by the framework detailed in our comprehensive MCP server guide 2026 (Model Context Protocol). Now, the presentation layer is catching up.

Understanding the SEP-1865 Specification

The legacy model of AI interaction was purely text-based. An MCP server would execute a function and return raw JSON.

The LLM would then attempt to format that data using markdown tables or code blocks. This led to poor user experiences for complex data.

The sep-1865 specification completely rewrites this interaction model. It allows the server to dictate exactly how its data should be visualized.

Instead of plain text, the server sends declarative UI blueprints. The host client (like Claude Desktop) interprets these blueprints and renders native-feeling widgets.

Component Schema vs Arbitrary HTML

A major question for enterprise security teams is whether this new standard introduces vulnerabilities. Can MCP Apps render arbitrary HTML?

No. To maintain strict security standards, the spec uses a rigid, predefined component schema.

Developers cannot inject <script> tags, CSS files, or raw DOM elements. You construct your interfaces using standardized JSON-based components (e.g., DataGrid, InteractiveChart, or ActionForm).

This guarantees that the mcp ui rendering is safe and visually cohesive with the host application.

Authentication and Security Boundaries

An embedded mcp app frontend operates within a heavily restricted sandbox. It cannot access the host client's DOM, read local browser storage, or hijack the user's active session.

Furthermore, these UI components are barred from making direct outbound network calls. All data mutations or fetch requests must route back through the authenticated MCP server backend.

This zero-trust architecture avoids the security pitfalls seen in earlier, looser plugin systems.

When evaluating the mcp vs function calling difference enterprise architectures, this frontend sandboxing makes MCP the clear winner for compliance-heavy environments.

The Role of the MCP Apps Manifest

Every visual tool requires an mcp apps manifest. This critical JSON file lives at the root of your MCP server deployment.

It defines the UI entry points, required component capabilities, and overarching application metadata. Host applications read this manifest during the initial handshake.

Without a valid manifest, the host client will fall back to standard text-based outputs.

This file acts as the bridge between mcp apps vs chatgpt plugins, providing a highly structured, predictable deployment mechanism.

Conclusion

The sep-1865 specification is the final nail in the coffin for standalone, one-off AI dashboards.

By pushing the UI layer down to the protocol level, engineering teams can build complex, interactive agentic workflows in a fraction of the time.

Stop building custom React wrappers for your LLMs and start leveraging the native capabilities of MCP Apps.

About the Author: Sanjay Saini

Sanjay Saini is an Enterprise AI Strategy Director specializing in digital transformation and AI ROI models. He covers high-stakes news at the intersection of leadership and sovereign AI infrastructure.

Connect on LinkedIn

Create Pro-Quality AI Videos in Minutes. Try HeyGen

HeyGen AI Tool

We may earn a commission if you buy through this link. (This does not increase the price for you)

Frequently Asked Questions (FAQ)

What is the MCP Apps SEP-1865 specification and when was it formalized?

Formalized in late 2025, SEP-1865 is an extension to the Model Context Protocol. It standardizes how MCP servers can deliver custom, interactive UI components directly into the chat interfaces of AI clients, effectively eliminating the need for separate, custom-built frontends.

How do MCP Apps differ from regular MCP servers that only expose tools and resources?

Regular MCP servers return raw data (JSON or text) for the LLM to parse and summarize. MCP Apps return structured UI definitions alongside the data, allowing the AI client to render interactive dashboards, forms, and graphs natively in the chat.

Which AI clients support MCP Apps UI rendering as of 2026?

As of 2026, the primary adopters include Claude Desktop, enterprise tiers of ChatGPT, and developer-focused environments like Cursor. Other platforms are rapidly building translation layers to support the SEP-1865 component schema within their own proprietary frontends.

Can MCP Apps render arbitrary HTML or are they restricted to a component schema?

They are strictly restricted to a declarative component schema. To prevent XSS attacks and maintain visual consistency, servers pass JSON representations of UI elements (like buttons and tables) rather than raw HTML, CSS, or executable JavaScript.

How do MCP Apps handle authentication when embedded inside a host application?

Authentication is handled via OAuth 2.1 at the server backend, not the UI layer. The host AI client manages the user session and passes a secure, scoped bearer token to the MCP backend with each interaction, maintaining a zero-trust boundary.

What does an MCP Apps manifest file look like and where is it published?

The manifest is a structured JSON file hosted at the root of the MCP server. It declares the app's name, version, required OAuth scopes, and the specific UI entry points it supports, acting as the primary discovery mechanism for host clients.

Are MCP Apps a replacement for ChatGPT Plugins and Custom GPTs?

Yes, particularly for enterprise and complex developer use cases. While Custom GPTs rely on basic text output, MCP Apps provide a much richer, protocol-standardized way to build interactive extensions that are not locked into a single vendor's ecosystem.

How do I monetize an MCP App through the official directory or registry?

Monetization is typically handled via the provider's own backend API gateways. You can gate premium UI components or advanced tool access behind subscription tiers verified via the OAuth token, though direct app-store billing within the registry is still evolving.

What are the security boundaries between an MCP App and the host AI client?

The boundaries are extremely strict. The rendered UI cannot access the host application's DOM, read local storage, or monitor user input outside its specific component frame. All interactions are strongly typed and marshaled through the protocol layer.

Can MCP Apps make outbound network calls or are they sandboxed to the server backend?

The frontend UI components are heavily sandboxed and cannot make direct outbound network calls (like `fetch` or `XHR`) from the user's browser. Any required data fetching must trigger an action sent to the MCP server backend.

Sources & References