Short answers for developers, hosts, and reviewers evaluating MCPlet v202603-03.
MCPlet is a code-first convention profile on top of Model Context Protocol and MCP Apps. It defines constrained, single-intent capability units that package business logic with explicit visibility, authentication, and safety boundaries for AI operations.
MCP defines the protocol for tools and resources. MCP Apps defines how hosts render and coordinate UI. MCPlet sits on top of both as a convention profile that adds intent modeling, tool classification, visibility rules, authentication requirements, and host-managed safety boundaries.
MCPlet classifies tools as read, prepare, or action. Read tools are side-effect free and safe for autonomous invocation. Prepare tools gather or validate information before commitment. Action tools cause irreversible side effects and therefore require stronger confirmation and enforcement.
The primary profile is code-first. MCPlet metadata is declared at tool registration time using fields such as _meta.mcpletType, _meta.visibility, _meta.auth, and _meta.ui.
mcplet.yaml may still be used for backward-compatibility defaults, but it is not the single source of truth when code metadata exists.
Protected MCPlets declare authentication in _meta.auth. For model-visible action tools, the host intercepts the call, obtains a Passkey assertion through a browser context, injects the verification material outside business arguments, and the MCPlet backend verifies the assertion before executing the action.
MCPlet currently defines two host profiles. The WebUI Profile targets MCP client or agent shells with MCP Apps rendering. The Agent Profile targets orchestration systems composed of specialized agents and an externally configured LLM, with no required general-purpose UI layer.
Start by choosing a host profile, classifying each tool as read, prepare, or action, registering code-first metadata in _meta, exposing a result schema, and adding Passkey enforcement for protected model-visible actions.
If you want the shortest path, use the getting started guide first, then validate the details against the full specification.
The indexable HTML overview lives at /spec/, but the normative draft source is the markdown file at /files/MCPlet-spec-v202603-03.md. The patent and licensing notice is published separately at /patent-notice.html.
The public draft on this site is currently presented as maintained by the MCPlet Working Group. For review and archival purposes, the canonical normative source remains the raw markdown draft published on the site.
Need the licensing context? Review the intellectual property notice. Need the high-level architecture summary? Read the HTML overview.