An open standard for transparent agent–app control
App Use is portable on purpose. There is no assumption about which agent, framework, or vendor sits on the other end. Any agent that speaks the Model Context Protocol (MCP) can describe, read, and drive any application that exposes an App Use surface. We publish the protocol openly so the whole industry can adopt it.
Four layers, one wire
Each layer owns one job. Together they let an agent describe and drive any participating app — without bespoke per-app integration.
AppSpec
A declarative document the app publishes: its screens, the drivable elements on each (text boxes, buttons, lists), named multi-step flows, events, and the action catalogue. Each element carries a purpose, validation, supported actions, and whether it is secret.
MCP transport
The app hosts the standard app.* tools over a loopback SSE MCP server with a per-instance bearer token. Describe, read a screen, get or set a value, invoke an action, navigate — all over one wire.
Hub brokerage
A hub aggregates many running apps into one MCP surface: apps.list, apps.launch, apps.stop, and app.call to route a tool to the right instance. One agent connection drives every app.
Federation (optional)
Many hubs across devices form one cluster. An agent connected to any hub can transparently drive apps on every other — over mutually-authenticated TLS on the LAN, or an end-to-end-encrypted relay across the internet.
A small, predictable tool set
Every App Use app answers the same vocabulary, so an agent learns it once and drives anything. Each tool carries a risk level; write and execute tools route through the consent gate.
| Tool | What it does | Risk |
|---|---|---|
| app.describe | Return the AppSpec | read |
| app.read_screen | Snapshot the current screen state | read |
| app.get_value | Read one element's value | read |
| app.set_value | Set an element's value | write |
| app.invoke | Trigger a button / action | execute |
| app.navigate | Move to another screen | write |
| apps.list / app.call | Hub: enumerate + route to an instance | broker |
Safe by construction
Capability scopes
Every token carries one of three scopes (ReadOnly, ReadWrite, or Admin), and each tool is gated by the minimum scope it needs. A read-only agent cannot invoke an action, because the call fails the tool's scope gate.
Human-in-the-loop consent
Before any write or execute tool runs, an in-process consent gate can pause for a human decision: Allow once, Allow for the session, or Block. The operator sees exactly which action is pending.
Tamper-evident audit
Every call is appended to a durable, HMAC hash-chained log. Editing or deleting a past entry breaks the chain on the next verification — so the record of what an agent did is trustworthy.
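The page does not publish the audit-log format, so the following is an added Python example, not App Use's own code, of how an HMAC hash chain makes edits and deletions detectable. The record fields, the all-zero genesis value, and the function names are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed starting value; the page does not define one

# Constructed sample entries; field names are assumptions, not the App Use format.
SAMPLE = [
    {"seq": 1, "tool": "app.read_screen", "scope": "ReadOnly"},
    {"seq": 2, "tool": "app.set_value", "scope": "ReadWrite"},
    {"seq": 3, "tool": "app.invoke", "scope": "ReadWrite"},
]


def _tag(key, prev, record):
    # Canonical JSON so a record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def append(log, key, record):
    """Append a record whose tag also covers the previous entry's tag."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"record": dict(record), "tag": _tag(key, prev, record).hex()})


def build_sample_log(key):
    log = []
    for record in SAMPLE:
        append(log, key, record)
    return log


def verify(log, key, expected_head=None):
    """Return None if intact, else the index where the chain first breaks.

    expected_head is the newest tag, kept outside the log. Without it, entries
    dropped from the end leave a shorter chain that still verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        want = _tag(key, prev, entry["record"])
        if not hmac.compare_digest(want.hex().encode(), str(entry.get("tag")).encode()):
            return i
        prev = want
    if expected_head is not None:
        if not hmac.compare_digest(prev.hex().encode(), str(expected_head).encode()):
            return len(log)
    return None
```

The chain is only as trustworthy as the key: anyone who can read the HMAC key can rewrite entries and recompute every tag.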
Secret redaction
Elements marked secret are redacted everywhere — reads, snapshots, the live feed, and the audit log — so passwords and keys never leak through the surface.
Encrypted across devices
Hub-to-hub traffic on a LAN runs over mutually-authenticated TLS pinned to a private cluster CA. Across the internet, a Noise-IK handshake encrypts every frame end-to-end — even the relay sees only opaque bytes.
Fast revocation
Signed, monotonic revocation lists propagate across a cluster within about 60 seconds, so revoking a compromised credential is a single lever to pull.
The full specification is being published
The complete wire format — the AppSpec schema, the full app.* and apps.* tool reference, the audit-log format, and the federation peer contract — is being prepared for open publication here. Want early access or to help shape the spec? Get in touch.