Runlayer Joins Anthropic, OpenAI, & Google as AAIF Founding Member ->
Back to blog
Jan 30, 2026
 • 
Tal Peretz

MCP Apps highlight the power of protocol governance

Yesterday, Anthropic launched MCP Apps. Tools can now return interactive UIs that render directly in the conversation through dashboards, forms, visualizations, and multi-step workflows.

Given that this introduces an entirely new UI surface, security teams might worry that it creates a new attack vector. That concern is reasonable, but it’s rooted in the wrong mental model. If teams already have the correct MCP security practices (e.g. using middleware like Runlayer), then they are covered from the start.

What Are MCP Apps?

MCP apps are not a new application framework or execution environment. It is an official extension, and the first of its kind. To deliver MCP Apps, Anthropic built on the existing MCP-UI community and partnered with OpenAI. This week itself, Claude, ChatGPT, Goose, JetBrains, Google DeepMind and VS Code have all announced support for MCP Apps.

At a high level, MCP Apps let tools return HTML and JavaScript bundles that render rich, interactive interfaces directly inside Claude. This allows tools from partners like Asana, Figma, Slack, and Box to surface dashboards, forms, and other visual interfaces inline, so users can explore data and take action without leaving the app.

Additionally, MCP Apps aren't just static HTML. They're bidirectional. The @modelcontextprotocol/ext-apps SDK gives UI components a set of hooks to communicate back to the host and server (e.g. app.ontoolresult, app.callServerTool() , and app.updateModelContext()). UIs can open links in the user's browser and log events for debugging. All of this happens over JSON-RPC via postMessage, which means every interaction can be traced.

Why This Isn’t a New Security Risk

MCP Apps feel novel simply because of how the resources are presented. However, the mechanics are actually quite similar to what we’re used to. Here’s what happens when an MCP server is extended to support MCP Apps:

  • MCP servers register a tool with _meta.ui.resourceUri pointing to a UI resource
  • The UI is an HTML/JS bundle served via resources/read with a special scheme (i.e. ui://charts/interactive)
  • User interactions within the UI trigger normal tool calls back to the same MCP server

What’s important to note here is that MCP Apps don’t introduce a new execution path. Partners like Asana, Figma, Slack, and Box run their own MCP servers (e.g. mcp.asana.com/sse and mcp.figma.com/mcp), which communicate with Claude over the same MCP protocol and are treated like any other third-party integration.

This means that Runlayer customers are already secure. All tool definitions (including _meta.ui.resourceUri), tool calls from the UI widget, resource fetches for HTML/JS bundles, OAuth tokens, and auth headers are intercepted by Runlayer. MCP Apps didn't change what flows through the protocol; it just shifted the output from plaintext to HTML/JS.

Why Sandboxed iFrames?

MCP Apps render UI from third-party servers in sandboxed iframes with tightly restricted permissions. The UI does not run inside the host application, and therefore, has no direct access to the host's internal APIs.

This is great design. The underlying data remains governed by MCP itself, and the interactive surface doesn’t give access to the host application (e.g. nefarious Javascript cannot “hack” Claude).

Protocol-Level Governance

The immediate security guarantees of MCP Apps is a great demonstration of protocol-level governance. Just because MCP upgraded its output optionality doesn’t mean that the entire ecosystem needs to reinvent security.

For Runlayer customers, they can still use MCP Apps today without worrying about new types of attacks. All of the existing mechanisms (e.g. tool calls, resource fetches) pass through the same controls that are already configured.

What MCP Apps Enable

MCP Apps are most powerful in workflows where users benefit from seeing and navigating structures visually. Operations like filtering data or reviewing documents are inherently more difficult to perform through a text-based interface. MCP Apps address this by allowing MCP tools to become interactive. For example:

  • Data Exploration. A sales analytics tool returns an interactive dashboard. Users filter by region, drill down into accounts, and export reports without translating each action into another prompt.
  • Configuration Tooling. A deployment tool presents dependent form fields. When a user selects “production,” additional security options appear; selecting “staging” updates the defaults directly in the UI.
  • Design UI. A design tool (such as Figma) returns a visual mock-up of a new application view. Users use the prototyping features to walk through the app’s layout (instead of interpreting static screenshots).
  • Document review. A contract analysis tool displays a PDF with highlighted clauses. Users approve or flag sections inline, and those decisions are immediately reflected in the model’s context.
  • Live Metrics. Because MCP Apps support bidirectional hooks, tools can surface real-time data such as live metrics, with updates flowing between the UI and the MCP server.

These interactions reflect the shift we are seeing with MCP apps. Instead of describing what to do, users can simply do it.

What We’re Building Next

Today, Runlayer customers already have full security coverage for MCP apps. Our next steps focus on making that coverage more visible and configurable. Here are some of the enhancements we are working on:

  • Visibility. We’ll make it easy to detect _meta.ui.resourceUri in tool definitions. Servers will be flagged  as "MCP App enabled" in the admin dashboard and UI resource fetches will be logged separately in audit logs.
  • Policy Enforcement. We'll allow IT teams to toggle on/off MCP Apps in admin settings. We’ll also allow users to whitelist specific domains for interactive content (e.g. allow mcp.figma.com but block unknown servers from serving UIs).
  • Content scanning. We'll scan HTML/JS bundles for suspicious patterns before they reach the client. We’ll look for patterns matching for eval(), inline scripts, and external resource loading. While these attack vectors will fall flat given the iframe structure, they can still signal an attempted attack or serve as an early indicator of downstream risks (e.g. a phishing attack).

A Closing Thought

MCP Apps is a meaningful step for the protocol. Interactive UIs inside conversations create better workflows for users and richer context for models.

For security teams, the main takeaway is simple. This is still MCP. The same visibility and control you need for any MCP server applies here. If you're already governing MCP at the protocol layer, you're covered.

Jan 30, 2026
 • 
Tal Peretz
Read more
MCP vs CLI Tools: Which is best for production applications?
CLI tools feel familiar to AI agents, but they break down in production due to brittle syntax, poor state management, and dangerous security assumptions. This post explains why CLI-based agent workflows fail and how a single-tool MCP using a known programming language offers a more reliable and secure alternative.
Jan 25, 2026
 • 
Vitor Balocco
Runlayer Product Update: 1.25.0
This update is about momentum: moving faster in the CLI, getting clearer visibility into what’s running, and debugging with less friction. Expect smoother workflows, better control, and fewer surprises as you build and ship.
Jan 23, 2026
 • 
Engineering
MCP Prompt Injection Attacks: How to Protect Your AI Agents
Two near-invisible prompt injection attacks showed how attackers can bypass default enterprise guardrails and trigger silent, ongoing data exfiltration by exploiting user and model trust. Runlayer blocks these attacks by treating every input as untrusted until it passes continuously updated security models trained on the latest real-world exploits.
Jan 19, 2026
 • 
Jake Moghtader
Cursor Hooks + MCP Security: Official Runlayer Partnership Announcement
Runlayer is an official Cursor Hooks launch partner. With Cursor Hooks, securely allow or deny MCP tool calls with Runlayer's enterprise MCP platform.
Dec 18, 2025
 • 
Marcin Jan Puhacz
The main takeaways from GitHub’s MCP Vulnerability
GitHub’s MCP vulnerability revealed how AI agents can be weaponized through poisoned context in public repositories. This post analyzes the exploit, explains why permissions alone aren’t enough, and shares practical guardrails for preventing and mitigating agent-driven data exfiltration.
Dec 16, 2025
 • 
Vitor Balocco
Runlayer Joins Anthropic, OpenAI, & Google as AAIF Founding Member
The Linux Foundation has launched the Agentic Artificial Intelligence Foundation (AAIF), with Runlayer joining sponsors Anthropic, OpenAI, Google, AWS, Microsoft. AAIF now oversees the Model Context Protocol (MCP), reinforcing MCP as a rising standard for AI agent integration. Runlayer supports AAIF’s open, secure, and scalable AI development mission.
Dec 9, 2025
 • 
Andy Berman
Runlayer Raises $11M to Scale Enterprise MCP Infrastructure
Nov 17, 2025
 • 
Andy Berman
MCP Security Risks: Your AI Agent is Probably Leaking Data Right Now
MCP adoption is accelerating across major platforms, but security risks—like malicious servers, prompt injection, and tool-level exploits—are growing just as fast. This post breaks down real attack scenarios that show how easily data can leak when MCP implementations are trusted by default. It also outlines practical defenses for users and builders, plus why companies need audited MCP catalogs, gateway proxies, and sandboxing to stay secure at scale.
Nov 12, 2025
 • 
Vitor Balocco
Why MCP builders are transitioning from DCR to OAuth CIMD
Over the last year, MCP has surged in adoption. To little surprise, this has introduced some scaling issues. One of these is client registration; previously, systems were rigged together by humans. Today, AI agents discover and interface with MCP servers freely, requiring a new paradigm for client communications.
Nov 7, 2025
 • 
Vitor Balocco
What is Dynamic Client Registration?
Tired of manually registering every AI agent with every OAuth server? Dynamic Client Registration (DCR) lets your agents authenticate with MCP servers at runtime, no human clicks required. Learn how DCR works, when to use it over traditional OAuth, and why it's becoming essential for scalable agentic systems.
Nov 6, 2025
 • 
Vitor Balocco
Agents and Work. Connected.

Runlayer makes it easy to create, host, and scale MCP servers across your organization. Local or remote, every server is secure, discoverable, and simple to manage.

Get an AI summary of this page
OpenAI logo featuring an abstract geometric knot design.Abstract symmetrical starburst shape with multiple elongated rounded spikes radiating from the center in dark gray.Abstract geometric logo consisting of symmetrical angular lines forming a star-like shape.
Solutions
Company
Resources
Connect
© Copyright 2026 Anysource Inc.
SOC 2 Certified
HIPAA Certified
Terms of Service
Privacy Policy