Example of how to authenticate to a backend within a widget

[airhorns]

The Apps SDK docs say:

If you already run an API or need multi-user collaboration, integrate with your existing storage layer. In this model:

Authenticate the user via OAuth (see Authentication) so you can map ChatGPT identities to your internal accounts.
Use your backend’s APIs to fetch and mutate data. Keep latency low; users expect components to render in a few hundred milliseconds.

This repo has an example of facilitating the OAuth dance, but, no examples of making authenticated API calls within a widget to the backend. What's the recommended pattern for authenticating those calls made from within the iframe? I know that MCP tool calls can be made with window.openai, but the docs seem to suggest we can also make plain old HTTP API calls within the client side JS -- how should we auth those?

Thanks!

[janwilmake]

I think the recommended pattern is to just use tool calls, as they don't interfere with the context. There seems to be no way to get sensitive data into the html template. The spec recommends against putting sensitive data in _meta. I would be surprised if openai would offer a secondary oauth dance from within the UI.