External Publication
Visit Post

Apps SDK submission blocked — MCP OAuth code issued but ChatGPT never calls /token (Authorize MCP modal hangs)

OpenAI Developer Community June 28, 2026
Source

TL;DR: On the apps-manage MCP step, the “Authorize MCP” flow issues my authorization code correctly, but ChatGPT never redeems it at /token (0 token requests in my logs), so the modal spins forever and I can’t complete submission. Server verified spec-correct end-to-end. Looks identical to threads 1378808 and 1359324. What’s the fix/workaround — and can OAuth be validated at review via demo credentials so I can still submit?

Setup

  • Remote MCP server: mcp.rendex.dev/mcp
  • Auth: OAuth 2.1 — authorization code + PKCE (S256) + Dynamic Client Registration

What happens On the apps-manage MCP step, “Authorize MCP” opens my login in a new tab (not a popup). I log in; my server authorizes and 302-redirects the code to the exact callback ChatGPT supplied — chatgpt.com/connector/oauth/{callback_id} — with the state relay (openai_platform_oauth_relay__…) echoed back unchanged and the resource param preserved. But ChatGPT never calls my /token endpoint (logs show 0 token requests), and the “Authorize MCP” modal spins indefinitely.

Server verified correct

  • Discovery: /.well-known/oauth-authorization-server + /.well-known/oauth-protected-resource (root and /mcp-scoped) → 200
  • DCR works; /token live with CORS allowed for chatgpt.com
  • PKCE S256; resource → aud bound per RFC 8707
  • The authorization code IS issued — it’s just never redeemed; the callback abandons the flow.

Already ruled out (browser side) Clean Chrome window, no extensions, popups + third-party cookies allowed for chatgpt.com and platform.openai.com — no change, same 0-token behavior.

Questions

  1. Is this the known apps-manage callback / state-relay issue (cf. 1378808, 1359324)? Server-side fix or setting I’m missing?
  2. The authorize step opens in a new tab rather than a popup — could that break the opener/postMessage handshake the modal waits on? Anything I can influence server-side?
  3. Since the live flow won’t resolve, can OAuth be validated during review via demo credentials / a manual review path, so I can complete submission despite the scan not finishing?

Happy to share full request logs and grant test access to the server.

Discussion in the ATmosphere

Loading comments...