{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreif4pnivvdwny7gchloury53x2vxh6q3whaqkdvne4ofv6un3q4hu4",
    "uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mjaqggnl6q52"
  },
  "path": "/t/chatgpt-mcp-connector-oauth-oauth-state-not-found-callback-fails-before-token-exchange/1378808#post_1",
  "publishedAt": "2026-04-11T20:06:59.000Z",
  "site": "https://community.openai.com",
  "tags": [
    "chatgpt.com/backend-api/aip/connectors/links/oauth/callback",
    "chatgpt.com/backend-api/aip/connectors/links/oauth/state/{state_id}",
    "ChatGPT MCP OAuth: callback timeout on token exchange (authorization code issued)",
    "MCP Connector Creation Timeout - OAuth Callback Failing",
    "ChatGPT Custom MCP OAuth fails to get tools when auth enabled",
    "Authentication – Apps SDK | OpenAI Developers"
  ],
  "textContent": "# ChatGPT MCP Connector OAuth: “OAuth state not found” — callback fails before token exchange\n\n**Category:** ChatGPT Apps SDK / Bugs\n\n**Tags:** mcp, connector, oauth, chatgpt-app\n\n## Summary\n\nChatGPT’s own OAuth callback endpoint (`/backend-api/aip/connectors/links/oauth/callback`) returns 404 with `{\"detail\":\"OAuth state not found\"}` during MCP connector setup. The entire OAuth discovery, DCR, and authorization flow completes successfully — ChatGPT generates the state, the user authenticates, and `code` + `state` are returned correctly — but ChatGPT’s backend cannot find the state it created. **The token exchange never happens** because the failure occurs before ChatGPT calls our `/oauth/token` endpoint.\n\nThis also reproduces with **OpenAI’s own `openai-mcpkit` TypeScript scaffold** using Auth0, confirming it is a platform-side issue.\n\n## Environment\n\n- **Plan:** ChatGPT Business\n\n- **Developer Mode:** Enabled (Workspace Settings → Permissions & Roles → Connected Data)\n\n- **App creation:** Workspace Settings → Apps → Create\n\n- **MCP Server:** Cloudflare Worker at `mcp.auto.dev` (also tested with mcpkit scaffold via ngrok)\n\n- **Auth Provider:** Custom OAuth 2.1 provider (id.org.ai) + Auth0 (for scaffold test)\n\n- **Browser:** Chrome 146 on macOS\n\n## What Works\n\n- `POST /` → 401 with `WWW-Authenticate: Bearer resource_metadata=\"…\"` header\n\n- `GET /.well-known/oauth-protected-resource` → 200 with valid metadata\n\n- `GET /.well-known/oauth-authorization-server` → 200 with valid metadata\n\n- `GET /.well-known/openid-configuration` → 200 with valid metadata\n\n- `POST /oauth/register` (DCR) → 201 with `client_id`\n\n- `GET /oauth/authorize` → 302 redirect to auth provider\n\n- User authenticates and consents\n\n- Auth provider redirects back to `chatgpt.com/connector/oauth/{id}?code=…&state=…`\n\n- Both `code` and `state` parameters present and correctly 
formatted\n\n## What Fails\n\n- `POST chatgpt.com/backend-api/aip/connectors/links/oauth/callback` → **404** `{\"detail\":\"OAuth state not found\"}`\n\n- `GET chatgpt.com/backend-api/aip/connectors/links/oauth/state/{state_id}` → **404** `{\"detail\":\"OAuth state not found\"}`\n\n- No `POST /oauth/token` request ever reaches our server (verified via Cloudflare Workers tail logs and ngrok request inspector)\n\n## Steps to Reproduce\n\n1. Enable developer mode in workspace settings\n\n2. Go to Apps → Create\n\n3. Enter MCP Server URL, select OAuth authentication\n\n4. ChatGPT discovers OAuth endpoints, performs DCR — all succeeds\n\n5. Click Create → redirected to auth provider\n\n6. Authenticate and consent\n\n7. Redirected back to ChatGPT with valid `code` and `state`\n\n8. **Error: “Something went wrong with setting up the connection”**\n\n9. Browser console shows 404 on ChatGPT’s own callback/state endpoints\n\n## Evidence: Server Logs (Cloudflare Workers Tail)\n\n```\nPOST / 401 Unauthorized\nGET /.well-known/oauth-protected-resource 200 OK\nGET /.well-known/oauth-authorization-server 200 OK\nGET /.well-known/openid-configuration 200 OK\nGET /.well-known/oauth-authorization-server 200 OK\nGET /.well-known/openid-configuration 200 OK\nPOST /oauth/register 201 Created\nGET /oauth/authorize?.. 302 Redirect\n                                               ← (no POST /oauth/token ever appears)\n```\n\nChatGPT never reaches the token exchange step. The failure is entirely within ChatGPT’s backend state lookup.\n\n## Evidence: Reproduced with OpenAI’s Own Scaffold\n\nTo rule out our server implementation, we cloned `openai/openai-mcpkit` (TypeScript scaffold), configured it with Auth0 (DCR enabled, default audience set, social connection), ran it locally via ngrok, and attempted the same connector setup flow. 
**Same result — “Something went wrong with setting up the connection.”**\n\nngrok request log from the scaffold:\n\n```\nPOST /mcp 401 Unauthorized\nGET /.well-known/oauth-protected-resource/mcp 404 Not Found\nGET /mcp/.well-known/oauth-protected-resource 404 Not Found\nGET /.well-known/oauth-protected-resource 200 OK\n```\n\nDiscovery works (fallback to root path), but the connector still fails at the callback step.\n\n## State Parameter Analysis\n\nThe state ChatGPT generates is base64-encoded JSON:\n\n```json\n{\n  \"csrf\": \"d06387cf7d5ba96b92b2587474bcd495691b2d14b059d584dca621669df3ed06\",\n  \"s\": \"oauth_s_69da6d33622081919e8b5e43c89ff601\"\n}\n```\n\nThis state is preserved correctly through the auth flow — the exact same value appears in the redirect back to ChatGPT. ChatGPT’s backend simply cannot find the state record at `oauth_s_69da6d33622081919e8b5e43c89ff601`.\n\n## Related Threads\n\n- ChatGPT MCP OAuth: callback timeout on token exchange (authorization code issued) (Sep 2025 — unresolved)\n\n- MCP Connector Creation Timeout - OAuth Callback Failing (Jan 2026 — unresolved)\n\n- ChatGPT Custom MCP OAuth fails to get tools when auth enabled (Jul 2025 — OpenAI acknowledged: “we are seeing posts in the Community forum about this, so we want to make sure we fix the issue if this is on our side”)\n\n## Our Server Compliance Checklist\n\nWe’ve verified every requirement from the OpenAI Auth Guide (Authentication – Apps SDK | OpenAI Developers):\n\n| Requirement | Status |\n|---|---|\n| Protected resource metadata |  (base + /mcp paths) |\n| OAuth AS metadata |  (base + /mcp paths) |\n| OIDC discovery |  (base + /mcp paths) |\n| HTTP 401 + WWW-Authenticate header |  |\n| Per-tool securitySchemes |  (all 15 tools) |\n| Dynamic Client 
Registration |  |\n| PKCE (S256) |  |\n| Resource parameter (RFC 8707) |  |\n| Streamable HTTP transport |  |\n| HTTPS |  |\n\n## Questions for OpenAI\n\n1. What causes `{\"detail\":\"OAuth state not found\"}` on the callback? Is there a TTL on OAuth state, or is it tied to a specific backend instance?\n\n2. Is this a known issue with the Business plan? The Help Center docs mention Business/Enterprise/Edu support.\n\n3. Are there any server-side requirements not documented in the Apps SDK auth guide that could prevent state from being stored?\n\n4. Can the team investigate the state storage for connector `eRvU93QmvGwc` on account `727a535d-e95d-4bb6-9f54-9961cca52582`?",
  "title": "ChatGPT MCP Connector OAuth: \"OAuth state not found\" — callback fails before token exchange"
}