Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicprp7j7xjsf5aojocia4zacshz6oxgqpepvxlkmuszprex3nlvmi",
    "uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mjjrcklzm432"
  },
  "path": "/t/chatgpt-app-submissions-domain-verification-step-does-not-support-subpath-hosted-mcp-servers/1379021#post_1",
  "publishedAt": "2026-04-15T09:48:46.000Z",
  "site": "https://community.openai.com",
  "tags": [
    "https://api.openai.com/v1/dashapi/versions/xxxx/domain/verify"
  ],
  "textContent": "Hi all — sharing a finding that may help others building MCP apps where the server is hosted on a subpath rather than the domain root.\n\n**The issue:**\n\nWhen submitting an app with an MCP server URL that includes a subpath (e.g., `https://example.com/api/mcp`), the domain verification step sends the challenge request to:\n\n\n    GET https://example.com/.well-known/openai-apps-challenge\n\n\n…rather than the expected:\n\n\n    GET https://example.com/api/mcp/.well-known/openai-apps-challenge\n\n\nThe verifier always strips the path and checks the root domain, regardless of the MCP URL or challenge base URL configured in the submission form.\n\n**Additional observations:**\n\n  * Setting the challenge base URL to include a subpath (e.g., `https://example.com/api/mcp`) returns: _“Domain verification URL hostname must be the MCP hostname or a parent hostname” or sometimes “Token mismatch / Did not return a 200 OK”_ — even though the hostnames match. The path component is not a hostname, so this error seems inconsistent with the stated rule.\n  * Inspecting the API request sent to OpenAI on the webform when clicking “Verify Domain” confirms the full subpath **is** included in the payload in the `token_url` attribute sent to “https://api.openai.com/v1/dashapi/versions/xxxx/domain/verify”. The path appears to be stripped server-side.\n  * Setting the challenge base URL to just the root domain (`https://example.com`) and hosting the token at `/.well-known/openai-apps-challenge` does work.\n\n\n\n**Why this matters:**\n\nThis affects any MCP server hosted on a subpath — which is common for platforms that serve multiple services on the same domain. Requiring the verification token at the root `/.well-known/` path may not be feasible when the root domain is shared across different services, features or people.\n\n**Reproduction steps:**\n\n  1. Create a new app in the Developer Dashboard\n  2. Set MCP server URL to a subpath (e.g., `https://example.com/api/mcp`)\n  3. Host the verification token at `https://example.com/api/mcp/.well-known/openai-apps-challenge`\n  4. Attempt domain verification\n  5. Observe the challenge request goes to the root `/.well-known/` path instead\n\n\n\n**Workaround:** Host the verification token at the root domain path (`/.well-known/openai-apps-challenge`). This may not be practical for all deployments.\n\nWould be great if the verification step could respect the MCP URL subpath when constructing the challenge request.\n\nHappy to provide more details privately if helpful — will email support@openai.com with a reference to this post.",
  "title": "ChatGPT App Submission's Domain verification step does not support subpath-hosted MCP servers"
}