AI
When to Use a UI Instead of Text
MCP apps return real UI components instead of plain text. Scheid argued that UIs beat text when handling thousands of data points, credit card entry, or drag-and-drop actions. A graph beats a CSV every time. Branded experiences keep the company identity visible inside the AI. Credit card forms in a secure portal prevent leaking data into the model context. MCP gives the AI access to mutate state, not just read it. That statefulness is the sweet spot for MCP apps.
Real-Time Goes Through the Iframe, Not MCP
MCP is a request-response protocol with no built-in real-time facility. Resource notifications exist but are not a websocket replacement. Scheid’s workaround: the iframe’s CSP connect-src allow list. Websockets and HTTP2 both work inside that allow list. They provide full bidirectional streaming. One maintainer told Scheid this is off-label usage. “You can’t rely on it unless it’s in the spec,” the maintainer said. Scheid asked maintainers to either keep the allow list or add websocket-like functionality to the app bridge.
Four Places State Can Live
State lives in four places: the authoritative server (Postgres, GitHub, Reboot), React local state inside the iframe, the model context, and chat messages. Scheid’s advice: invest in the authoritative state server from day one. React state is risky because the window may reload unexpectedly. Update model context and send message are powerful but dangerous. Scheid built a payment flow where the model context told the AI an error occurred while the app retried and succeeded. The payment ran twice. “These can be finicky, difficult to debug,” he said.
Tool Descriptions Must Chain Multi-Step Workflows
Scheid showed a tweet workshop built with Reboot. Its tool descriptions include instructions like “after calling this call show progress with the returned task ID to see real-time progress.” Descriptions must be as carefully written as production code. Without explicit chaining instructions, models may not call the next tool. He distinguished display tools (return a UI) from data tools (update state). The description is where multi-step orchestration belongs. Session IDs vary by client: Claude keeps one per conversation; ChatGPT issues a new ID per tool call. Scheid recommends using user ID with OAuth instead.
Q&A
Can two users interact with the same UI element, like reserving airplane seats? Yes, Reboot supports atomic distributed transactions that touch multiple data types at once. ▶ Watch (22:33)
Can Reboot wrap an existing Django app? No, Reboot is a framework with its own syntax; it is not compatible with Django. ▶ Watch (23:10)
How does authorization work inside a rendered widget? Reboot uses an anonymous OAuth flow; behavior varies by client. ChatGPT shows a spinner; GitHub or Google flows redirect to a login page. Desktop apps may require copying a code. ▶ Watch (23:47)
Do you automate testing across client behavioral differences? Automated testing is crucial for production stability across clients, and the behavior changes frequently. ▶ Watch (25:07)
Notable Quotes
there’s no real real time with MCP Riley Scheid · ▶ Watch (3:08)
you can’t rely on it unless it’s in the spec Riley Scheid · ▶ Watch (5:02)
we’re very much in the user agent days of the web Riley Scheid · ▶ Watch (16:55)
these can be finicky, difficult to debug Riley Scheid · ▶ Watch (12:35)
Key Takeaways
- Use the iframe’s CSP connect-src allow list for websocket-based real-time communication.
- Keep authoritative state in a durable server, not in React local state or model context.
- Write tool descriptions as explicit multi-turn orchestration instructions for the model.
- Test session behavior on every client because implementations vary widely.
About the Speaker(s)
Riley Scheid is a full stack engineer and human Swiss Army Knife with a decade of professional experience. He is a founding engineer at Reboot, an open-source framework for building MCP apps and full-stack applications.