OpenAI Apps SDK Submission Checklist

This document provides a comprehensive checklist for submitting CorpusIQ to the OpenAI Apps SDK directory.

Pre-Submission Requirements

Organization Setup

• [ ] OpenAI organization verified (individual or business verification)
• [ ] User has ‘Owner’ role in the OpenAI organization
• [ ] Organization does NOT use EU data residency (currently not supported for app submission)

Technical Requirements

MCP Server Deployment

• [ ] MCP server deployed to public HTTPS domain (not localhost/testing domains)
• [ ] Server accessible from ChatGPT (test connectivity)
• [ ] HTTPS certificate valid and trusted
• [ ] Server responds to health check endpoint (GET /)
• [ ] MCP endpoint accessible (POST /mcp)

CORS Configuration

• [ ] CORS configured to allow https://chat.openai.com
• [ ] CORS headers properly set in responses
• [ ] Preflight (OPTIONS) requests handled correctly

OAuth 2.1 Implementation

• [ ] OAuth provider selected and configured (Auth0, Okta, Cognito, custom, etc.)
• [ ] /.well-known/oauth-protected-resource endpoint implemented
• [ ] /.well-known/oauth-authorization-server endpoint implemented
• [ ] OAuth metadata URLs updated with actual domain and provider
• [ ] Authorization server supports PKCE (code_challenge_method: S256)
• [ ] Token validation implemented for MCP endpoints
• [ ] Proper scopes defined and documented
• [ ] OAuth consent screen configured with clear permissions
• [ ] 401 Unauthorized responses include WWW-Authenticate header

Security

• [ ] Debug mode disabled (CORPUSIQ_DEBUG_MODE=false)
• [ ] Rate limiting configured appropriately
• [ ] Security headers enabled (X-Content-Type-Options, X-Frame-Options, etc.)
• [ ] Input validation working for all tools
• [ ] Error handling doesn’t expose internal details
• [ ] Logging configured (but doesn’t log sensitive data)
• [ ] HTTPS only (no HTTP endpoints)
• [ ] Content Security Policy (CSP) defined for widget HTML

MCP Implementation

• [ ] All tools listed correctly in list_tools handler
• [ ] All tools have proper schemas with required fields
• [ ] Tool descriptions are clear and accurate
• [ ] Tool annotations set correctly (destructiveHint, openWorldHint, readOnlyHint)
• [ ] Widget resource registered and accessible
• [ ] Widget HTML loads correctly in ChatGPT
• [ ] Tool invocations return proper responses
• [ ] Error responses use isError=true flag
• [ ] StructuredContent format matches widget expectations

Testing Requirements

Developer Mode Testing

• [ ] Developer Mode enabled in ChatGPT settings
• [ ] Connector created successfully in ChatGPT
• [ ] ChatGPT discovers MCP server capabilities
• [ ] All tools listed in ChatGPT

Functional Testing

• [ ] corpus_search tool works correctly
  • [ ] Accepts query parameter
  • [ ] Returns search results
  • [ ] Results display in widget
  • [ ] Error handling works (empty query, too long query, etc.)
• [ ] open_connectors tool works correctly
  • [ ] Opens connectors interface
  • [ ] Displays all available connectors
  • [ ] UI renders properly
• [ ] Widget functionality tested
  • [ ] Search tab works
  • [ ] Connectors tab works
  • [ ] Tab switching works
  • [ ] Styling renders correctly in ChatGPT
  • [ ] JavaScript functionality works (bridge to window.openai)

Edge Cases

• [ ] Empty or invalid inputs handled gracefully
• [ ] Very long queries handled (validation/truncation)
• [ ] Network errors handled with user-friendly messages
• [ ] Rate limiting works (returns 429 with Retry-After header)
• [ ] Concurrent requests handled properly
• [ ] Tool timeouts handled gracefully

Performance Testing

• [ ] Response times acceptable (sub-second for most operations)
• [ ] Widget loads quickly
• [ ] No memory leaks during extended use
• [ ] Server stable under load

Documentation Requirements

Code Documentation

• [ ] README.md complete with:
  • [ ] Clear description of app purpose
  • [ ] Installation instructions
  • [ ] Configuration guide
  • [ ] Testing instructions
  • [ ] Deployment guide
  • [ ] API/tool documentation
  • [ ] Troubleshooting section
• [ ] OAuth configuration documented
• [ ] Security best practices documented
• [ ] Code comments for complex logic

User-Facing Documentation

• [ ] Privacy policy created and accessible
  • [ ] Data collection practices explained
  • [ ] Data storage and retention policies
  • [ ] Third-party integrations disclosed
  • [ ] User rights (data access, deletion, etc.)
  • [ ] Contact information for privacy concerns
• [ ] Terms of service created (if applicable)
• [ ] Help documentation for end users
• [ ] Clear description of app capabilities and limitations

App Metadata

• [ ] App name finalized and appropriate
• [ ] App description clear and accurate (tells users what the app does)
• [ ] App icon/logo created (if required)
• [ ] Categories/tags selected (if applicable)
• [ ] Screenshots prepared (if required)

Compliance Requirements

OpenAI Policies

• [ ] App complies with OpenAI Usage Policies
• [ ] App complies with OpenAI Developer Terms
• [ ] App doesn’t violate content policy
• [ ] App doesn’t facilitate harmful activities
• [ ] App respects user privacy and data rights

Data Handling

• [ ] User data handled securely
• [ ] No unnecessary data collection
• [ ] Data encrypted in transit (HTTPS)
• [ ] Data encrypted at rest (if storing user data)
• [ ] Data retention policies defined and implemented
• [ ] User consent obtained for data processing
• [ ] GDPR compliance (if applicable)
• [ ] CCPA compliance (if applicable)

Submission Process

Step 1: Final Verification

• [ ] All checklist items above completed
• [ ] App tested in production environment
• [ ] All team members reviewed and approved
• [ ] Rollback plan prepared in case of issues

Step 2: Submission

• [ ] Access OpenAI Platform Dashboard at https://platform.openai.com/
• [ ] Navigate to Apps section
• [ ] Click “Submit App” button
• [ ] Fill in submission form:
  • [ ] App name
  • [ ] App description
  • [ ] MCP server URL (production HTTPS URL)
  • [ ] OAuth metadata (if using OAuth)
  • [ ] Privacy policy URL
  • [ ] Terms of service URL (if applicable)
  • [ ] Support contact information
  • [ ] Categories/tags
  • [ ] Any additional required fields
• [ ] Confirm all compliance checkboxes
• [ ] Submit application

Step 3: Review Process

• [ ] Monitor email for review updates
• [ ] Respond promptly to any questions from OpenAI review team
• [ ] Address any issues or feedback
• [ ] Resubmit if changes requested

Step 4: Publication

Once approved:

• [ ] Review approval notification
• [ ] Click “Publish” button in OpenAI Dashboard
• [ ] Verify app appears in ChatGPT Apps Directory
• [ ] Test app availability for end users
• [ ] Monitor for initial user feedback

Post-Submission

Monitoring

• [ ] Set up monitoring for:
  • [ ] Server uptime
  • [ ] Error rates
  • [ ] Response times
  • [ ] Rate limit hits
  • [ ] OAuth flow failures
• [ ] Configure alerts for critical issues
• [ ] Set up log aggregation and analysis

Maintenance

• [ ] Plan for regular updates and improvements
• [ ] Monitor OpenAI Apps SDK updates and changes
• [ ] Keep dependencies up to date
• [ ] Address user feedback and bug reports
• [ ] Maintain documentation

Support

• [ ] Set up user support channels
• [ ] Create FAQ for common issues
• [ ] Monitor support requests
• [ ] Track and prioritize feature requests

Common Submission Issues

Issue: Organization Not Verified

Solution: Complete organization verification in OpenAI Platform Dashboard before submission.

Issue: Cannot Use Testing Domain

Problem: Submission rejected because using ngrok/cloudflared URL.

Solution: Deploy to permanent HTTPS domain before submission. Tunnels are for development only.

Issue: OAuth Endpoints Not Working

Problem: ChatGPT cannot authenticate users.

Solution:

• Verify well-known endpoints are accessible
• Check OAuth provider configuration
• Test OAuth flow manually
• Review OAuth metadata for correctness

Issue: Rate Limiting Too Restrictive

Problem: Users hitting rate limits frequently.

Solution:

• Increase rate limit settings
• Implement per-user rate limiting (not just per-IP)
• Consider Redis-based rate limiting for scaling

Issue: Widget Not Displaying

Problem: Widget HTML doesn’t render in ChatGPT.

Solution:

• Check Content-Type is correct (text/html+skybridge)
• Verify widget HTML is valid
• Test JavaScript functionality
• Check CSP headers

Issue: Slow Response Times

Problem: Tools take too long to respond.

Solution:

• Optimize backend queries
• Add caching where appropriate
• Review database performance
• Consider async processing for long operations

Resources

• OpenAI Apps SDK Documentation
• Submission Guidelines
• Testing Guide
• OAuth Implementation Guide
• MCP Specification

Revision History

• 2025-12-31: Initial version