MCP Apps: Interactive UI Components Come to AI Assistants

On January 26, 2026, the Model Context Protocol (MCP) team announced a significant expansion to the protocol: MCP Apps. This new official extension allows MCP tools to return interactive UI components that render directly within AI conversations. Instead of just text responses, tools can now present dashboards, forms, visualizations, and multi-step workflows right in the chat interface.

For those of us in healthcare security, this represents both an opportunity and a new surface area to understand from a risk perspective.

What Are MCP Apps?

MCP Apps extend the existing MCP framework by enabling tools to return rich, interactive interfaces rather than plain text. When a tool declares a UI resource, the host application (like Claude or ChatGPT) renders it in a sandboxed iframe, allowing users to interact with it directly within their conversation.

Think of it this way: previously, if you asked an AI assistant to analyze sales data, it would return text describing the results. With MCP Apps, that same tool could return an interactive dashboard where you filter by region, drill down into specific accounts, and export reports—all without leaving the conversation or typing additional prompts.

Some practical examples of what MCP Apps enable:

  • Data exploration: Interactive charts and dashboards that update as you filter and sort
  • Configuration wizards: Forms with dependent fields that reveal additional options based on selections
  • Document review: PDF viewers with highlighting where users can approve or flag sections inline
  • Real-time monitoring: Live metrics dashboards that update without requiring tool re-execution

How It Works (Technical Overview)

The architecture relies on two key MCP primitives. First, tools include metadata pointing to a UI resource using a new ui:// scheme. Second, the MCP server hosts UI resources containing bundled HTML and JavaScript. When the AI assistant calls the tool, the host fetches this resource and renders it in a sandboxed iframe, with bidirectional communication happening via JSON-RPC over postMessage.

The SDK (@modelcontextprotocol/ext-apps) provides an App class that handles UI-to-host communication. Apps can receive tool results, call server tools from the UI, and update the model's context—enabling the AI to remain aware of user actions within the interactive component.

Security Model

Running UI code from external MCP servers means executing code you didn't write within your client environment. The MCP Apps specification addresses this through multiple layers:

  • Iframe sandboxing: All UI content runs in sandboxed iframes with restricted permissions
  • Pre-declared templates: Hosts can review HTML content before rendering
  • Auditable messages: All UI-to-host communication flows through loggable JSON-RPC
  • User consent: Hosts can require explicit approval for UI-initiated tool calls

The announcement emphasizes that hosts can block suspicious content before it renders. However, the specification also notes that users should continue to proactively and thoroughly vet MCP servers before connecting them.

Practitioner Notes

From a healthcare security perspective, MCP Apps introduce considerations worth monitoring as this capability matures:

  • PHI in interactive components: If clinical tools adopt MCP Apps for data visualization, understanding how PHI flows through the iframe sandbox and postMessage channels becomes relevant
  • Server vetting: The explicit guidance to vet MCP servers aligns with existing third-party risk management practices, but the interactive UI component adds another dimension to evaluate
  • Audit logging: The auditable JSON-RPC communication could support compliance requirements if properly captured and retained

This capability is still new, and healthcare-specific implementations will likely require additional controls beyond the base specification. As adoption grows, expect vendor assessments to include questions about MCP App security configurations.
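To make the "auditable messages" and "user consent" layers from the Security Model section and the audit-logging note above concrete, here is an added JavaScript sketch of a host-side gate for JSON-RPC messages arriving from an app iframe; it is not code from the MCP Apps specification or SDK. The `tools/call` method name, the `params.name` / `params.arguments` fields, the decision strings, and the sample message are assumptions made for illustration.

```javascript
// Added example (not from the MCP Apps spec or SDK). Assumed names: the
// "tools/call" method, params.name / params.arguments, and the decision strings.
const GATED_METHODS = new Set(["tools/call"]);

function isJsonRpcRequest(msg) {
  return msg !== null && typeof msg === "object" && !Array.isArray(msg) &&
    msg.jsonrpc === "2.0" && typeof msg.method === "string";
}

// Keep the shape of the call but drop argument values, so PHI entered in a
// form field is never copied into the audit store.
function auditRecord(msg, decision, ts) {
  const a = msg.params?.arguments;
  const args = a && typeof a === "object" ? a : {};
  const name = msg.params?.name;
  return {
    ts,
    id: msg.id ?? null,
    method: msg.method,
    tool: typeof name === "string" ? name : null,
    argKeys: Object.keys(args).sort(),
    decision,
  };
}

// raw: the data of a message received from the app iframe (string or object).
// approvedTools: Set of tool names the user has already consented to.
// log: array standing in for an append-only audit sink.
function gateUiMessage(raw, approvedTools, log, ts = new Date().toISOString()) {
  let msg;
  try {
    msg = typeof raw === "string" ? JSON.parse(raw) : raw;
  } catch (err) {
    msg = null;
  }
  if (!isJsonRpcRequest(msg)) {
    log.push({ ts, decision: "reject" });
    return "reject";
  }
  let decision = "forward";
  if (GATED_METHODS.has(msg.method) && !approvedTools.has(msg.params?.name)) {
    decision = "needs-consent";
  }
  log.push(auditRecord(msg, decision, ts));
  return decision;
}

// Constructed sample message; tool name and values are made up.
const SAMPLE_CALL = JSON.stringify({ jsonrpc: "2.0", id: 7, method: "tools/call",
  params: { name: "export_report", arguments: { mrn: "CONSTRUCTED-0001", region: "west" } } });
```

The gate fails closed: a tool call with no recognizable tool name is treated as unapproved, and every decision, including rejections, leaves a log entry.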

Current Client Support

MCP Apps are currently supported in:

  • Claude (web and desktop)
  • ChatGPT (starting this week)
  • Goose
  • Visual Studio Code Insiders

JetBrains and AWS (via Kiro) have indicated they are exploring support for their platforms as well.

Getting Started

For those interested in exploring MCP Apps:

The examples repository includes working implementations for 3D visualization (Three.js), interactive maps, PDF viewing, real-time system monitoring dashboards, and more.

Bottom line: MCP Apps represent a meaningful evolution in how AI assistants can present information and gather user input. For healthcare organizations evaluating MCP adoption, understanding this capability—and its security model—will be increasingly important as the ecosystem develops.