OpenAPI Plugin Manifest
OpenAI uses a plugin manifest that references an OpenAPI document to allow ChatGPT to be extended with more AI capabilities. Providing a ready-to-go OpenAI Plugin Manifest for API consumers to use when extending ChatGPT will become a new type of application or integration to consider.
Also known as: ai-plugin.json, ChatGPT Plugin Manifest, OpenAI Plugin
Standards
- OpenAI (vendor, deprecated in favor of GPT Actions / MCP) ChatGPT Plugin Manifest (ai-plugin.json) — historical
- OpenAI (vendor) OpenAI GPT Actions (current OpenAI pattern)
- Anthropic (open spec) Model Context Protocol (MCP)
- OpenAPI Initiative OpenAPI 3.x (the API surface the manifest points at)
- IETF OAuth 2.0 Authorization Framework
Well-Known Paths
- /.well-known/ai-plugin.json — ChatGPT Plugin Manifest (historical) — Convention used by the original ChatGPT plugin system to locate the manifest. Not an IANA-registered well-known URI.
Media Types
- application/json — ai-plugin.json is served as JSON.
- application/yaml — The OpenAPI document referenced from the manifest may be JSON or YAML.
OpenAPI Expression
- api.url (ChatGPT Plugin Manifest) — Manifest field pointing to an OpenAPI 3.x document describing the plugin's API.
- auth (ChatGPT Plugin Manifest) — Authentication block — none, user_http, service_http, or oauth.
Types: none, user_http, service_http, oauth
Governance Rules
- plugin-manifest-schema (OpenAI (historical)) — Manifest must include schema_version, name_for_model, name_for_human, description fields, and a reachable OpenAPI URL.
- plugin-openapi-valid (OpenAI (historical)) — Referenced OpenAPI document must validate and describe only the operations exposed to the model.
- plugin-auth-explicit (Convention) — Manifests with auth.type=none should be limited to read-only, non-sensitive operations.
- plugin-rate-limits-documented (Convention) — OpenAPI document should document rate limits the model should respect.
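The plugin-manifest-schema and plugin-auth-explicit rules above can be checked mechanically before a manifest is published. The following linter is an added example, not code from OpenAI or from this page's source. The field names description_for_model and description_for_human follow the original ai-plugin.json format; the https requirement, the choice of which HTTP methods count as writes, and the sample manifest at plugin.example are assumptions.

```python
import json
from urllib.parse import urlparse

REQUIRED = ("schema_version", "name_for_model", "name_for_human",
            "description_for_model", "description_for_human")
AUTH_TYPES = ("none", "user_http", "service_http", "oauth")
WRITE_METHODS = {"post", "put", "patch", "delete"}  # assumption: GET/HEAD/OPTIONS are read-only

def lint_manifest(manifest, openapi):
    """Return (rule, message) findings; an empty list means no rule was violated."""
    findings = []
    for field in REQUIRED:
        if not manifest.get(field):
            findings.append(("plugin-manifest-schema", f"missing {field}"))
    api = manifest.get("api")
    raw = api.get("url") if isinstance(api, dict) else None
    url = urlparse(raw if isinstance(raw, str) else "")
    # Reachability needs a network fetch; offline we only require an absolute https URL.
    if url.scheme != "https" or not url.netloc:
        findings.append(("plugin-manifest-schema", "api.url is not an absolute https URL"))
    auth = manifest.get("auth")
    auth_type = auth.get("type") if isinstance(auth, dict) else None
    if auth_type not in AUTH_TYPES:
        findings.append(("plugin-auth-explicit", f"auth.type {auth_type!r} is not a known type"))
    elif auth_type == "none":
        # Unauthenticated plugins should expose read-only operations only.
        for path, item in sorted(openapi.get("paths", {}).items()):
            methods = set(item) if isinstance(item, dict) else set()
            for method in sorted(methods & WRITE_METHODS):
                findings.append(("plugin-auth-explicit",
                                 f"{method.upper()} {path} is exposed with auth.type=none"))
    return findings

# Constructed sample: an unauthenticated plugin that also exposes write operations.
SAMPLE_MANIFEST = json.loads("""{
  "schema_version": "v1",
  "name_for_model": "todo",
  "name_for_human": "Todo Example",
  "description_for_model": "Manage the user's todo list.",
  "auth": {"type": "none"},
  "api": {"type": "openapi", "url": "https://plugin.example/openapi.json"}
}""")
SAMPLE_OPENAPI = {"openapi": "3.0.1", "paths": {
    "/todos": {"get": {}, "post": {}},
    "/todos/{id}": {"delete": {}, "parameters": []},
}}

if __name__ == "__main__":
    for rule, message in lint_manifest(SAMPLE_MANIFEST, SAMPLE_OPENAPI):
        print(f"{rule}: {message}")
```

The same check applies to a GPT Actions schema if the auth type and the OpenAPI paths are passed in the same shapes.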
Risk & Compliance
OWASP:
- OWASP API Security Top 10: API2:2023 Broken Authentication — plugin OAuth flows often misconfigure scopes and redirect URIs
- OWASP LLM Top 10: LLM01 Prompt Injection — tool descriptions and response bodies can carry instructions to the model
- OWASP LLM Top 10: LLM07 Insecure Plugin Design — over-broad operations enable unintended actions on behalf of the user
Compliance:
- SOC 2 CC6.1 — plugin auth tokens are an access surface
- GDPR Art. 6 — lawful basis required when the model acts on personal data on the user's behalf
Security: AI plugins / tools turn an LLM into a confused-deputy client. Scope OAuth tightly, never include destructive operations without explicit user confirmation, treat all model-supplied parameters as untrusted, log every tool call, and assume tool responses may carry prompt-injection payloads. The original ai-plugin.json pattern has been largely superseded — new integrations should target GPT Actions (OpenAI) or MCP (Anthropic and a growing set of clients) rather than the legacy manifest.
Tools
- OpenAI GPT Actions — Current OpenAI tool-calling pattern (replaces ai-plugin.json)
- Model Context Protocol (MCP) — Open tool-calling protocol (MIT)
- MCP servers reference — Reference MCP server implementations (MIT)
- Swagger Editor — Edit the underlying OpenAPI (Apache-2.0)
- Spectral — Lint the underlying OpenAPI (Apache-2.0)
Suggested Metrics
- plugin_tool_call_count — Number of times the model invoked an operation exposed by the manifest.
- plugin_tool_error_rate — Share of tool calls that returned an error.
- plugin_auth_failure_rate — Share of tool calls that failed authentication.
- plugin_user_consent_rate — Share of destructive tool calls confirmed by the user (where confirmation is required).
Example Implementations
- OpenAI — Originator of the ai-plugin.json manifest; now ships GPT Actions.
- Anthropic — Defines and ships the Model Context Protocol (MCP), the open alternative to plugin manifests.
Related Properties
- OpenAPI
- JSON Schema
Tags
- Artificial Intelligence
- AI
- Extension
- Plugin