Policy & ecosystem constraints (know the ground rules)
- Preview status & submissions. Apps SDK is available for building/testing now; public submissions open later this year.
- Plan & geo availability. Apps appear in ChatGPT for logged-in users outside the EEA, Switzerland, and the UK; Business/Enterprise/Edu do not yet support Apps in the ChatGPT client (Dev Mode still works).
- App store standards. Apps must follow OpenAI usage policies, be appropriate for all audiences, and meet App Developer Guidelines to be listed.
Security architecture essentials (what your reviewers will look for)
- Least privilege & consent. Limit scopes, storage, and network permissions; require explicit user consent—and rely on ChatGPT confirmation prompts for potentially destructive actions.
- Authentication. Use OAuth 2.1 with PKCE (or equivalent) when connecting external accounts; verify scopes on every tool call.
- MCP server hardening. Treat your Model Context Protocol (MCP) server like production: validate inputs server-side, assume prompt-injection attempts, and keep audit logs. See MCP security best practices.
- Sandboxed components & CSP. UI widgets run in a sandboxed iframe under a strict Content Security Policy; components can’t access privileged browser APIs (e.g., clipboard). Align any outbound fetch with CSP allow-lists.
Data privacy & retention (before Privacy signs off)
- Published privacy policy (required). Submissions must include a clear privacy policy; operate strictly within it.
- Data minimization. Include only data required for the current prompt; avoid embedding secrets/tokens in component props.
- Sensitive data prohibition. Do not collect PCI, PHI, government IDs, API keys, or passwords via your tools.
- Retention & deletion. Decide and publish a retention policy; honor deletion requests promptly; redact PII from logs.
Write actions, egress, and approvals (where most risks live)
- Mark write tools. Clearly label any tool that changes external state as a write action; read-only tools must be side-effect-free.
- Human confirmation. Require user confirmation for irreversible operations; surface any data egress (posting, emailing, uploading) as write actions so the client can gate with approval.
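The authentication, MCP-hardening and write-action items above all land in the same place: the code path that runs before a tool does any work. As an added example (not code from the Apps SDK, the MCP SDK or any OpenAI project), here is a single server-side gate that checks the granted scope on every call, validates model-supplied arguments strictly, refuses write actions that have not been confirmed, and writes an audit record whatever the outcome. It assumes the OAuth access token was validated upstream and its scopes arrive as a set, that `confirmed=True` is passed only after the user approved a client confirmation prompt, and that the tool names, scope strings and field schemas are illustrative constructions.

```python
"""Added example: a pre-execution gate for MCP tool calls. Everything below
(tool names, scope strings, field patterns) is constructed for illustration."""

import json
import logging
import re
import time
from dataclasses import dataclass

log = logging.getLogger("mcp.audit")


@dataclass(frozen=True)
class ToolSpec:
    name: str
    required_scope: str
    is_write: bool   # True if the tool changes external state (labelled, never silent)
    fields: dict     # field name -> (regex the value must fully match, max length)


# Constructed tool table: one read-only tool and one write action that egresses data.
TOOLS = {
    "list_invoices": ToolSpec(
        "list_invoices", "invoices:read", False,
        {"customer_id": (r"cust_[A-Za-z0-9]{6,32}", 40)}),
    "send_invoice": ToolSpec(
        "send_invoice", "invoices:write", True,
        {"invoice_id": (r"inv_[A-Za-z0-9]{6,32}", 40),
         "recipient": (r"[^@\s]+@[^@\s]+\.[^@\s]+", 254)}),
}


def validate_args(spec, args):
    """Server-side validation. Model-produced arguments are untrusted input: reject
    unknown fields, non-string values, oversize values and anything that does not
    fully match the field pattern. Returns (clean_args, None) or (None, reason)."""
    if not isinstance(args, dict):
        return None, "arguments must be an object"
    unknown = set(args) - set(spec.fields)
    if unknown:
        return None, f"unknown fields: {sorted(unknown)}"
    clean = {}
    for name, (pattern, max_len) in spec.fields.items():
        value = args.get(name)
        if not isinstance(value, str):
            return None, f"missing or non-string field: {name}"
        if len(value) > max_len or not re.fullmatch(pattern, value):
            return None, f"invalid value for field: {name}"
        clean[name] = value
    return clean, None


def dispatch(tool_name, args, granted_scopes, confirmed=False, handlers=None, audit=None):
    """Run the full gate and return {"allowed": bool, "result": ..., "reason": ...}.
    `handlers` maps tool name -> callable; `audit` is an optional list that collects
    the records also written to the audit logger."""
    handlers = handlers or {}
    record = {"ts": time.time(), "tool": tool_name, "outcome": "rejected", "reason": None,
              "fields": sorted(args) if isinstance(args, dict) else []}
    outcome = {"allowed": False, "result": None, "reason": None}

    spec = TOOLS.get(tool_name)
    if spec is None:
        outcome["reason"] = "unknown tool"
    elif spec.required_scope not in granted_scopes:      # scope check on every call
        outcome["reason"] = f"missing scope {spec.required_scope}"
    else:
        clean, err = validate_args(spec, args)
        if err:
            outcome["reason"] = err
        elif spec.is_write and not confirmed:            # gate irreversible/egress actions
            outcome["reason"] = "write action requires user confirmation"
        else:
            handler = handlers.get(tool_name)
            outcome["result"] = handler(**clean) if handler else {"ok": True}
            outcome["allowed"] = True
            record["outcome"] = "allowed"

    # Audit record keeps field names and the decision, never raw argument values.
    record["reason"] = outcome["reason"]
    if audit is not None:
        audit.append(record)
    log.info(json.dumps(record))
    return outcome


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    sample = {"invoice_id": "inv_abc123", "recipient": "alice@example.com"}  # constructed
    print(dispatch("send_invoice", sample, {"invoices:write"}))                 # rejected
    print(dispatch("send_invoice", sample, {"invoices:write"}, confirmed=True))  # allowed
```

Two design points worth keeping when adapting this: the `is_write` flag belongs on the tool definition, not in a prompt, so the client can gate it consistently, and the validator allow-lists fields and formats rather than trying to block known-bad strings, which is what keeps injected text from being passed through to the backing system.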
Identity, permissions & third-party terms
- Clear permission prompts. Be transparent about all requested permissions, limited to necessity; provide demo credentials for review.
- Respect third-party terms. Don’t scrape or integrate APIs without authorization; never bypass rate limits or access controls.
Testing, logging & operational readiness
- Developer Mode & MCP Inspector. Test discovery, tool payloads, and UI across web/mobile; use API Playground or MCP Inspector for raw request/response debugging.
- Monitoring & alerts. Track anomalous traffic, failed auth attempts, and error spikes; keep dependencies patched.
- Golden prompts for security QA. Share injection prompts with QA to probe weak spots early.
Distribution governance (what Product/Legal will ask)
- Developer verification & support contact. Submissions must come from verified developers and include support contact details.
- Change control. After listing, tool names/signatures/descriptions are locked; changing or adding tools requires re-submission.
Control-by-control mapping (use this in your SSO/security review)
| Control area | What to show your reviewers | Source |
|---|---|---|
| Least privilege | Scopes & network allow-lists limited to necessity | (OpenAI Developers) |
| Consent & confirmations | UX screens + logs for account linking & destructive actions | (OpenAI Developers) |
| Sensitive data | Evidence you block PCI/PHI/IDs/API keys/passwords | (OpenAI Developers) |
| AuthN/AuthZ | OAuth 2.1 + PKCE, scope checks per call | (OpenAI Developers) |
| Sandbox & CSP | Component CSP config; proof privileged APIs are blocked | (OpenAI Developers) |
| Retention & logging | Published retention policy; PII-redacted logs | (OpenAI Developers) |
| Third-party terms | Contracts or docs proving authorized API use | (OpenAI Developers) |
| Plan/geo limits | Rollout plan accounting for current plan/region constraints | (OpenAI Developers) |
| Submission readiness | Developer verification, support channels, test evidence | (OpenAI Developers) |
How we help (in one sprint-ready package)
We implement contract-first MCP tools, OAuth 2.1/PKCE, CSP-sandboxed components, and a submission-ready privacy & permissions posture—tested in Developer Mode with MCP Inspector—so Security, IT, and Legal can sign off quickly. Our deliverables map 1:1 to OpenAI’s Security & Privacy guide and App Developer Guidelines.