# ChatGPT MCP Connector OAuth: “OAuth state not found” — callback fails before token exchange
Category: ChatGPT Apps SDK / Bugs
Tags: mcp, connector, oauth, chatgpt-app
## Summary
ChatGPT’s own OAuth callback endpoint (`/backend-api/aip/connectors/links/oauth/callback`) returns 404 with `{"detail":"OAuth state not found"}` during MCP connector setup. The entire OAuth discovery, DCR, and authorization flow completes successfully — ChatGPT generates the state, the user authenticates, and `code` + `state` are returned correctly — but ChatGPT’s backend cannot find the state it created. The token exchange never happens because the failure occurs before ChatGPT calls our `/oauth/token` endpoint.
This also reproduces with OpenAI’s own openai-mcpkit TypeScript scaffold using Auth0, confirming it is a platform-side issue.
## Environment
- Plan: ChatGPT Business
- Developer Mode: Enabled (Workspace Settings → Permissions & Roles → Connected Data)
- App creation: Workspace Settings → Apps → Create
- MCP Server: Cloudflare Worker at `mcp.auto.dev` (also tested with mcpkit scaffold via ngrok)
- Auth Provider: Custom OAuth 2.1 provider (id.org.ai) + Auth0 (for scaffold test)
- Browser: Chrome 146 on macOS
## What Works
- `POST /` → 401 with `WWW-Authenticate: Bearer resource_metadata="…"` header
- `GET /.well-known/oauth-protected-resource` → 200 with valid metadata
- `GET /.well-known/oauth-authorization-server` → 200 with valid metadata
- `GET /.well-known/openid-configuration` → 200 with valid metadata
- `POST /oauth/register` (DCR) → 201 with `client_id`
- `GET /oauth/authorize` → 302 redirect to auth provider
- User authenticates and consents
- Auth provider redirects back to `chatgpt.com/connector/oauth/{id}?code=…&state=…`
- Both `code` and `state` parameters present and correctly formatted
## What Fails
- `POST chatgpt.com/backend-api/aip/connectors/links/oauth/callback` → **404** `{"detail":"OAuth state not found"}`
- `GET chatgpt.com/backend-api/aip/connectors/links/oauth/state/{state_id}` → **404** `{"detail":"OAuth state not found"}`
- No `POST /oauth/token` request ever reaches our server (verified via Cloudflare Workers tail logs and ngrok request inspector)
## Steps to Reproduce
1. Enable developer mode in workspace settings
2. Go to Apps → Create
3. Enter MCP Server URL, select OAuth authentication
4. ChatGPT discovers OAuth endpoints, performs DCR — all succeeds
5. Click Create → redirected to auth provider
6. Authenticate and consent
7. Redirected back to ChatGPT with valid `code` and `state`
8. Error: “Something went wrong with setting up the connection”
9. Browser console shows 404 on ChatGPT’s own callback/state endpoints
## Evidence: Server Logs (Cloudflare Workers Tail)
```
POST / 401 Unauthorized
GET /.well-known/oauth-protected-resource 200 OK
GET /.well-known/oauth-authorization-server 200 OK
GET /.well-known/openid-configuration 200 OK
GET /.well-known/oauth-authorization-server 200 OK
GET /.well-known/openid-configuration 200 OK
POST /oauth/register 201 Created
GET /oauth/authorize?.. 302 Redirect
← (no POST /oauth/token ever appears)
```
ChatGPT never reaches the token exchange step. The failure is entirely within ChatGPT’s backend state lookup.
## Evidence: Reproduced with OpenAI’s Own Scaffold
To rule out our server implementation, we cloned openai/openai-mcpkit (TypeScript scaffold), configured it with Auth0 (DCR enabled, default audience set, social connection), ran it locally via ngrok, and attempted the same connector setup flow. Same result — “Something went wrong with setting up the connection.”
ngrok request log from the scaffold:
```
POST /mcp 401 Unauthorized
GET /.well-known/oauth-protected-resource/mcp 404 Not Found
GET /mcp/.well-known/oauth-protected-resource 404 Not Found
GET /.well-known/oauth-protected-resource 200 OK
```
Discovery works (fallback to root path), but the connector still fails at the callback step.
## State Parameter Analysis
The state ChatGPT generates is base64-encoded JSON:
```json
{
  "csrf": "d06387cf7d5ba96b92b2587474bcd495691b2d14b059d584dca621669df3ed06",
  "s": "oauth_s_69da6d33622081919e8b5e43c89ff601"
}
```
This state is preserved correctly through the auth flow — the exact same value appears in the redirect back to ChatGPT. ChatGPT’s backend simply cannot find the state record at oauth_s_69da6d33622081919e8b5e43c89ff601.
## Related Threads
- ChatGPT MCP OAuth: callback timeout on token exchange (authorization code issued) (Sep 2025 — unresolved)
- MCP Connector Creation Timeout - OAuth Callback Failing (Jan 2026 — unresolved)
- ChatGPT Custom MCP OAuth fails to get tools when auth enabled (Jul 2025 — OpenAI acknowledged: “we are seeing posts in the Community forum about this, so we want to make sure we fix the issue if this is on our side”)
## Our Server Compliance Checklist
We’ve verified every requirement from the OpenAI Auth Guide (Authentication – Apps SDK | OpenAI Developers):
| Requirement | Status |
|---|---|
| Protected resource metadata | (base + /mcp paths) |
| OAuth AS metadata | (base + /mcp paths) |
| OIDC discovery | (base + /mcp paths) |
| HTTP 401 + WWW-Authenticate header | |
| Per-tool securitySchemes | (all 15 tools) |
| Dynamic Client Registration | |
| PKCE (S256) | |
| Resource parameter (RFC 8707) | |
| Streamable HTTP transport | |
| HTTPS | |
## Questions for OpenAI
1. What causes `{"detail":"OAuth state not found"}` on the callback? Is there a TTL on OAuth state, or is it tied to a specific backend instance?
2. Is this a known issue with the Business plan? The Help Center docs mention Business/Enterprise/Edu support.
3. Are there any server-side requirements not documented in the Apps SDK auth guide that could prevent state from being stored?
4. Can the team investigate the state storage for connector `eRvU93QmvGwc` on account `727a535d-e95d-4bb6-9f54-9961cca52582`?
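
A check that backs up the State Parameter Analysis claim that the state survives the round trip, as an added example that is not part of the original post or of OpenAI's code: it decodes the base64 JSON state and compares the value sent on `/oauth/authorize` with the one on the redirect back. The function names, the placeholder URLs (`client_id=SAMPLE`, `CONNECTOR_ID`, `SAMPLE_CODE`) and the field-shape checks, which are inferred from the single sample quoted in the post, are assumptions.

```javascript
// Added example. Field names (csrf, s) and their values are the ones quoted in
// the post; URLs and other parameters are constructed placeholders.

// Decode an OAuth state value that is base64 (or base64url) encoded JSON.
function decodeState(state) {
  // Normalise base64url to base64 and restore any stripped padding.
  let b64 = state.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) throw new Error('state is not base64');
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (obj === null || typeof obj !== 'object') throw new Error('state is not a JSON object');
  return obj;
}

// Compare the state sent on /oauth/authorize with the one on the redirect back.
function checkStateRoundTrip(authorizeUrl, callbackUrl) {
  const sent = new URL(authorizeUrl).searchParams.get('state');
  const returned = new URL(callbackUrl).searchParams.get('state');
  const problems = [];
  if (!sent || !returned) problems.push('state missing');
  else if (sent !== returned) problems.push('state changed in transit');
  let fields = null;
  try {
    fields = decodeState(returned || '');
  } catch (e) {
    problems.push('state not decodable: ' + e.message);
  }
  // Shape assumed from the one sample in the post: 64-hex csrf, oauth_s_ + 32 hex.
  if (fields && !/^[0-9a-f]{64}$/.test(fields.csrf)) problems.push('unexpected csrf');
  if (fields && !/^oauth_s_[0-9a-f]{32}$/.test(fields.s)) problems.push('unexpected s');
  return { intact: problems.length === 0, stateId: fields ? fields.s : null, problems };
}

// Constructed sample input built from the two field values quoted in the post.
const SAMPLE_STATE = Buffer.from(JSON.stringify({
  csrf: 'd06387cf7d5ba96b92b2587474bcd495691b2d14b059d584dca621669df3ed06',
  s: 'oauth_s_69da6d33622081919e8b5e43c89ff601',
})).toString('base64');
const SAMPLE_AUTHORIZE =
  'https://mcp.auto.dev/oauth/authorize?client_id=SAMPLE&state=' + encodeURIComponent(SAMPLE_STATE);
const SAMPLE_CALLBACK =
  'https://chatgpt.com/connector/oauth/CONNECTOR_ID?code=SAMPLE_CODE&state=' + encodeURIComponent(SAMPLE_STATE);

console.log(checkStateRoundTrip(SAMPLE_AUTHORIZE, SAMPLE_CALLBACK));
```

An `intact: true` result with the expected `stateId` shows the authorization server returned the state unmodified, which leaves the lookup of that record on the receiving side as the remaining point of failure.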