{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibwfpxhejhakcftizyt6nvz4kdxb3xvvksff5twnognnscnxto2ty",
    "uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mpcpyhckxul2"
  },
  "path": "/t/apps-sdk-submission-blocked-mcp-oauth-code-issued-but-chatgpt-never-calls-token-authorize-mcp-modal-hangs/1385089#post_1",
  "publishedAt": "2026-06-28T00:08:28.000Z",
  "site": "https://community.openai.com",
  "textContent": "TL;DR: On the apps-manage MCP step, the “Authorize MCP” flow issues my authorization code correctly, but ChatGPT never redeems it at `/token` (0 token requests in my logs), so the modal spins forever and I can’t complete submission. Server verified spec-correct end-to-end. Looks identical\nto threads 1378808 and 1359324. What’s the fix/workaround — and can OAuth be validated at review via demo credentials so I can still submit?\n\nSetup\n\n  * Remote MCP server: `mcp.rendex.dev/mcp`\n  * Auth: OAuth 2.1 — authorization code + PKCE (S256) + Dynamic Client Registration\n\n\n\nWhat happens\nOn the apps-manage MCP step, “Authorize MCP” opens my login in a new tab (not a popup). I log in; my server authorizes and 302-redirects the code to the exact callback ChatGPT supplied — `chatgpt.com/connector/oauth/{callback_id}` — with the state relay (`openai_platform_oauth_relay__…`)\nechoed back unchanged and the resource param preserved. But ChatGPT never calls my `/token` endpoint (logs show 0 token requests), and the “Authorize MCP” modal spins indefinitely.\n\nServer verified correct\n\n  * Discovery: `/.well-known/oauth-authorization-server` + `/.well-known/oauth-protected-resource` (root and `/mcp`-scoped) → 200\n  * DCR works; `/token` live with CORS allowed for `chatgpt.com`\n  * PKCE S256; resource → aud bound per RFC 8707\n  * The authorization code IS issued — it’s just never redeemed; the callback abandons the flow.\n\n\n\nAlready ruled out (browser side)\nClean Chrome window, no extensions, popups + third-party cookies allowed for `chatgpt.com` and `platform.openai.com` — no change, same 0-token behavior.\n\nQuestions\n\n  1. Is this the known apps-manage callback / state-relay issue (cf. 1378808, 1359324)? Server-side fix or setting I’m missing?\n  2. The authorize step opens in a new tab rather than a popup — could that break the opener/postMessage handshake the modal waits on? Anything I can influence server-side?\n  3. Since the live flow won’t resolve, can OAuth be validated during review via demo credentials / a manual review path, so I can complete submission despite the scan not finishing?\n\n\n\nHappy to share full request logs and grant test access to the server.",
  "title": "Apps SDK submission blocked — MCP OAuth code issued but ChatGPT never calls /token (Authorize MCP modal hangs)"
}