phidea
Reference · page 5 / 6

# 5. Testing & publishing


5.1 Pre-submission checklist

Go through every item. Reviewers will.

Server & tools

  • [ ] MCP Inspector connects; every tool lists, validates, and returns in <3s on the happy path.
  • [ ] Every tool has accurate title, description, input schema, and annotations (readOnlyHint / destructiveHint / openWorldHint / idempotentHint).
  • [ ] structuredContent contains only task-relevant fields (no trace IDs, timestamps, session IDs).
  • [ ] Tool names are verb-first (get_order_status, create_booking), not nouns.
  • [ ] Tool descriptions are accurate and free of marketing language.

Widget

  • [ ] _meta.ui.domain is set; CSP connectDomains / resourceDomains are tight; frameDomains is empty unless truly needed.
  • [ ] Widget renders in light and dark themes; respects window.openai.theme and safeArea.
  • [ ] Widget has no alert / prompt / confirm / clipboard calls.
  • [ ] Widget survives a tool error (readable UI, not blank iframe).
  • [ ] Destructive actions show an explicit confirmation step.

Auth

  • [ ] Unauthenticated call returns 401 + WWW-Authenticate.
  • [ ] Expired token triggers a visible re-auth.
  • [ ] Scopes enforced per tool server-side.
  • [ ] /.well-known/oauth-protected-resource reachable.
  • [ ] registration_endpoint exposed on the authorization server (DCR works).

Safety

  • [ ] Prompt-injection QA: "Ignore previous instructions…" in user input and in fetched third-party data does not cause destructive behaviour.
  • [ ] Rate-limit smoke test at ~10× expected user QPS; server returns 429 with Retry-After.

Submission metadata

  • [ ] Privacy policy live at a stable URL and linked in the submission.
  • [ ] Demo account works with sample data, no MFA, no forced sign-up.
  • [ ] Works on ChatGPT web and iOS/Android (test both if your UI is non-trivial).
  • [ ] Customer-support contact reachable.
  • [ ] Screenshots reflect real app behaviour.
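
A lint pass over your tool descriptors for the Server & tools and Widget items above, as an added example (not code from this page, the Apps SDK or the MCP spec). It assumes the descriptor shape shown (`_meta.ui.domain`, `_meta.ui.csp.{connectDomains,resourceDomains,frameDomains}`), assumes the leaky-field names and the verb list, and reads "tight" CSP lists as "no wildcard entries":

```python
import re

# Fields the checklist says must not appear in structuredContent (names assumed)
LEAKY_FIELDS = {"trace_id", "traceId", "timestamp", "session_id", "sessionId"}
REQUIRED_ANNOTATIONS = {"readOnlyHint", "destructiveHint", "openWorldHint", "idempotentHint"}
# Assumed verb list for the "verb-first" rule; extend it for your own tools
VERB_FIRST = re.compile(r"^(get|list|search|create|update|delete|cancel|send|book)_[a-z0-9_]+$")

def lint_tool(tool: dict) -> list[str]:
    """Return checklist violations for one tool descriptor (empty list = passes)."""
    name = tool.get("name") or "<unnamed>"
    problems = []
    if not VERB_FIRST.match(name):
        problems.append(f"{name}: tool name is not verb-first (e.g. get_order_status)")
    for key in ("title", "description", "inputSchema"):
        if not tool.get(key):
            problems.append(f"{name}: missing {key}")
    missing = REQUIRED_ANNOTATIONS - set(tool.get("annotations", {}))
    if missing:
        problems.append(f"{name}: missing annotations {sorted(missing)}")
    # Widget metadata: domain set, frameDomains empty, no wildcard CSP entries (wildcard rule is an assumption)
    ui = tool.get("_meta", {}).get("ui", {})
    if not ui.get("domain"):
        problems.append(f"{name}: _meta.ui.domain not set")
    csp = ui.get("csp", {})
    if csp.get("frameDomains"):
        problems.append(f"{name}: frameDomains is non-empty; clear it unless truly needed")
    for key in ("connectDomains", "resourceDomains"):
        problems += [f"{name}: {key} entry {d!r} is a wildcard" for d in csp.get(key, []) if "*" in d]
    return problems

def lint_structured_content(name: str, content: dict) -> list[str]:
    """Flag non-task fields (trace/session IDs, timestamps) leaking into a tool result."""
    leaks = sorted(k for k in content if k in LEAKY_FIELDS)
    return [f"{name}: structuredContent leaks {leaks}"] if leaks else []

# Constructed sample descriptors: GOOD_TOOL passes, BAD_TOOL trips several checks
GOOD_TOOL = {
    "name": "get_order_status", "title": "Get order status",
    "description": "Look up the shipping status of an order by its ID.",
    "inputSchema": {"type": "object", "properties": {"order_id": {"type": "string"}}},
    "annotations": {"readOnlyHint": True, "destructiveHint": False, "openWorldHint": False, "idempotentHint": True},
    "_meta": {"ui": {"domain": "widgets.example.com", "csp": {"connectDomains": ["https://api.example.com"], "frameDomains": []}}},
}
BAD_TOOL = {
    "name": "order", "description": "The best order tool ever!", "inputSchema": {"type": "object"},
    "annotations": {"readOnlyHint": True},
    "_meta": {"ui": {"csp": {"connectDomains": ["https://*.example.com"], "frameDomains": ["https://x.example.com"]}}},
}
```

Run `lint_tool` over every descriptor your server returns and `lint_structured_content` over each tool's sample result before you submit; an empty list for all of them is the bar.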

5.2 Submission flow

1. Platform Dashboard → Apps → Create. Requires the Owner role or api.apps.write.
2. Fill in the app draft:
   - Name, category, description.
   - Privacy policy URL (must be live).
   - Supported locales (start with en).
   - Demo credentials.
   - Screenshots.
   - Production MCP server URL (HTTPS, stable, low-latency).
3. Submit for review. Status updates come via email.
4. No public review SLA. Plan for days, not hours.
5. One version per app in review at a time. You can have multiple apps per org.

5.3 After approval — distribution

  • Approved apps appear in ChatGPT's in-product directory.
  • Invoked by name ("Figma, turn this sketch into a diagram") or surfaced proactively by the model.
  • Availability is gated by market/language of the underlying service; English-first today.
  • Monetisation: OpenAI has stated that developer monetisation is coming but has not published pricing or revenue-share terms yet. Today, commerce means external checkout for physical goods on your own domain.