Apps SDK submission blocked — MCP OAuth code issued but ChatGPT never calls /token (Authorize MCP modal hangs)
TL;DR: On the apps-manage MCP step, the “Authorize MCP” flow issues my authorization code correctly, but ChatGPT never redeems it at /token (0 token requests in my logs), so the modal spins forever and I can’t complete submission. Server verified spec-correct end-to-end. Looks identical
to threads 1378808 and 1359324. What’s the fix/workaround — and can OAuth be validated at review via demo credentials so I can still submit?
Setup
- Remote MCP server:
mcp.rendex.dev/mcp - Auth: OAuth 2.1 — authorization code + PKCE (S256) + Dynamic Client Registration
What happens
On the apps-manage MCP step, “Authorize MCP” opens my login in a new tab (not a popup). I log in; my server authorizes and 302-redirects the code to the exact callback ChatGPT supplied — chatgpt.com/connector/oauth/{callback_id} — with the state relay (openai_platform_oauth_relay__…)
echoed back unchanged and the resource param preserved. But ChatGPT never calls my /token endpoint (logs show 0 token requests), and the “Authorize MCP” modal spins indefinitely.
Server verified correct
- Discovery:
/.well-known/oauth-authorization-server+/.well-known/oauth-protected-resource(root and/mcp-scoped) → 200 - DCR works;
/tokenlive with CORS allowed forchatgpt.com - PKCE S256; resource → aud bound per RFC 8707
- The authorization code IS issued — it’s just never redeemed; the callback abandons the flow.
Already ruled out (browser side)
Clean Chrome window, no extensions, popups + third-party cookies allowed for chatgpt.com and platform.openai.com — no change, same 0-token behavior.
Questions
- Is this the known apps-manage callback / state-relay issue (cf. 1378808, 1359324)? Server-side fix or setting I’m missing?
- The authorize step opens in a new tab rather than a popup — could that break the opener/postMessage handshake the modal waits on? Anything I can influence server-side?
- Since the live flow won’t resolve, can OAuth be validated during review via demo credentials / a manual review path, so I can complete submission despite the scan not finishing?
Happy to share full request logs and grant test access to the server.
Discussion in the ATmosphere