MCP
Tools
Studio supports full tool invocation. You can call any tool, inspect the params, and see the raw response inline.
Studio also reads and displays tool annotations when present:
| Annotation | What it means |
|---|---|
readOnlyHint | Tool has no side effects |
destructiveHint | Tool performs writes or deletions |
idempotentHint | Calling it multiple times has no further effect |
openWorldHint | Tool talks to external services |
Resources
Studio can list and read any MCP resource by URI. Resources with MIME type text/html;profile=mcp-app are recognized as interactive widgets and rendered automatically.
OAuth
Studio supports the full OAuth 2.1 + PKCE flow, including Dynamic Client Registration (RFC 7591) and Server Metadata Discovery (RFC 8414). You can step through the auth flow interactively from the UI.
Other authentication methods supported: Bearer token, custom request headers.
Widgets
Host types
A widget’s host type controls how Studio renders it - which platform APIs are mocked and which CSP profile is applied. Studio supports two host types:
| Host | Description |
|---|---|
| Claude | Renders with the MCP Apps / ext-apps protocol. Supports ui/initialize handshake, tool calls, resource reads, and display mode negotiation. |
| OpenAI / ChatGPT | Renders with the OpenAI widget API. Mocks window.openai and supports the OpenAI Apps SDK. |
The host type is configured per widget or per session. When a widget sends a ui/initialize request, Studio detects it automatically.
Display modes
Studio supports three display modes for widget rendering:
| Mode | Description |
|---|---|
inline | Default. Widget renders inline in the Studio panel. Available for both host types. |
fullscreen | Widget expands to fill the screen. Available for both host types. |
pip | Picture-in-picture. Claude host only. |
CSP sandbox
All widgets run inside a sandboxed iframe with a Content Security Policy derived from the widget’s own metadata. Allowed domains for scripts, connections, and redirects are declared by the widget - Studio enforces them strictly. Nothing outside those declared domains can be reached.
Questions, bugs, or feedback?
Reach the team at [email protected] . Bug reports, feature requests, and questions are all welcome.