Rapid Reads News


MCP Apps: Anthropic and OpenAI Unite to Standardize AI Agent Interfaces - WinBuzzer

By Markus Kasanmascheff

Less than two months after OpenAI launched a new Apps SDK, the industry is moving to standardize how AI agents display interactive interfaces.

Anthropic, OpenAI, and the Model Context Protocol (MCP) open-source community have jointly proposed "SEP-1865," a new extension to the MCP that transforms text-based chatbots into full-stack application runtimes.

By defining a universal standard for rendering widgets like charts and forms, the proposal aims to prevent a fragmented ecosystem where developers must build separate interfaces for every AI platform.

The initiative also introduces mandatory security sandboxing, directly addressing critical security vulnerabilities that have plagued early agent deployments.

Originally designed as a backend utility for connecting data sources, the Model Context Protocol (MCP) is undergoing a fundamental architectural shift.

Introduced as "SEP-1865," the proposal brings a dedicated URI scheme, allowing servers to define visual interfaces alongside their data payloads. The official proposal document defines the new schema:

"UI templates are resources with the ui:// URI scheme, referenced in tool metadata."

"This approach enables hosts to prefetch and review templates before tool execution, improving both performance and security. It also separates static presentation (the template) from dynamic data (tool results), enabling better caching."

Effectively, the change turns the protocol into a delivery mechanism for full-stack applications, moving beyond simple text-based JSON exchanges. Users will no longer need to parse raw data; instead, agents can render interactive bar charts, approval forms, or complex dashboards directly within the chat window.

Under the hood, the system relies on the existing MCP JSON-RPC base protocol over postMessage, ensuring it remains transport-agnostic rather than tied to a specific browser implementation.

Architecturally, the system separates static presentation templates from dynamic data, a design choice intended to improve caching performance and reduce latency.

As noted by the core maintainers, this evolution means "the MCP Apps Extension is starting to look like an agentic app runtime: a foundation for novel interactions between AI models, users, and applications."

Security has become the primary driver for this architectural overhaul, following successive vulnerability reports in mid-2025.

A Backslash Security report previously exposed "NeighborJack," a flaw in which MCP servers bound to 0.0.0.0 exposed local networks to attackers.

Backslash warned that "when network exposure meets excessive permissions, you get the perfect storm."

Further complicating the perception of MCP security was the "Toxic Agent Flow" discovered in GitHub's MCP server, where agents could be tricked into exfiltrating private repositories. The new specification addresses these communication risks directly:

"Instead of inventing a custom message protocol, UI components communicate with hosts using existing MCP JSON-RPC base protocol over postMessage."

"The initial extension specification supports only text/html content, rendered in sandboxed iframes."

To mitigate these risks, the new standard mandates that all UI content be rendered within sandboxed iframes, strictly limiting the agent's ability to access the host DOM.

Enforcement of a "pre-declaration" model allows host applications (like Claude Desktop or VS Code) to review and approve UI templates before they are ever displayed to the user.
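To make the host-side checks described above concrete, here is an added example (not code from the proposal or from any MCP host) of a gate that accepts only pre-approved ui:// templates with text/html content and validates JSON-RPC messages arriving from the sandboxed iframe over postMessage. The field names `templateUri` and `mimeType`, the approval set, and the method allowlist are assumptions made for illustration.

```javascript
// Added example. Field names (templateUri, mimeType) and the approval set are
// hypothetical stand-ins, not taken from the SEP-1865 schema.

// Sandbox attribute value for the iframe: without allow-same-origin the frame
// gets an opaque origin and cannot reach the host DOM, cookies or storage.
const SANDBOX = "allow-scripts";

const deny = (reason) => ({ ok: false, reason });

// Decide whether a tool's declared UI template may be rendered.
function checkTemplate(tool, resource, approvedUris) {
  let uri;
  try {
    uri = new URL(tool.templateUri);
  } catch {
    return deny("unparseable template URI");
  }
  if (uri.protocol !== "ui:") return deny("scheme is not ui://");
  if (!approvedUris.has(tool.templateUri)) return deny("template not pre-approved");
  if (resource.uri !== tool.templateUri) return deny("resource does not match declaration");
  if (resource.mimeType !== "text/html") return deny("unsupported content type");
  return { ok: true, sandbox: SANDBOX };
}

// Validate one postMessage event from the UI before acting on it.
// An opaque-origin frame reports event.origin as "null", so the sender is
// identified by comparing event.source with the frame's contentWindow.
function checkMessage(event, frameWindow, allowedMethods) {
  if (event.source !== frameWindow) return deny("unexpected sender");
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || msg.jsonrpc !== "2.0") {
    return deny("not a JSON-RPC 2.0 message");
  }
  if (typeof msg.method !== "string") return deny("missing method");
  if (!allowedMethods.has(msg.method)) return deny("method not allowed for UI");
  return { ok: true, method: msg.method, id: msg.id ?? null };
}

// Constructed sample input.
const approved = new Set(["ui://charts/bar"]);
const tool = { name: "sales_chart", templateUri: "ui://charts/bar" };
const resource = { uri: "ui://charts/bar", mimeType: "text/html" };
const frame = {}; // stands in for iframe.contentWindow
console.log(checkTemplate(tool, resource, approved));
console.log(checkMessage({ source: frame, data: { jsonrpc: "2.0", id: 1, method: "tools/call" } },
  frame, new Set(["tools/call"])));
```

In a browser host, `frame` would be the `contentWindow` of the iframe the host created with the returned `sandbox` value.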

Analyst Simon Willison previously described the stakes, noting that the combination of data access and execution capabilities creates "a lethal trifecta for prompt injection" when an AI agent has access to private data, is exposed to malicious instructions, and can exfiltrate information.

The timing of the proposal is significant: it signals a realignment in the AI developer ecosystem, particularly in OpenAI's role.

In October, OpenAI launched its own proprietary Apps SDK, threatening to fracture the market into incompatible "walled gardens" for ChatGPT versus other models.

By backing SEP-1865, OpenAI is effectively pivoting to support a universal standard, ensuring developers only need to build an interface once to run it across Claude, ChatGPT, and IDEs like Zed.

Heavily leveraging work from the MCP-UI project, the proposal credits maintainers Ido Salomon and Liad Yosef for proving the viability of the concept.

Without this unification, the industry faced a scenario where every model provider would require bespoke frontend integrations. Emphasizing the urgency of this collaboration, maintainers stated that "lack of standardization creates a real risk of ecosystem fragmentation - something we're working to proactively prevent."

The shift is significant because it positions MCP not just as a backend connector but as the "USB-C for AI," a universal port for both data and interaction. With IDC projecting 1.3 billion active AI agents by 2028, major hosts including Zed and potentially VS Code are expected to adopt the standard, solidifying it as the default runtime for the next generation of agentic applications.
