{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreibwfpxhejhakcftizyt6nvz4kdxb3xvvksff5twnognnscnxto2ty",
"uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mpcpyhckxul2"
},
"path": "/t/apps-sdk-submission-blocked-mcp-oauth-code-issued-but-chatgpt-never-calls-token-authorize-mcp-modal-hangs/1385089#post_1",
"publishedAt": "2026-06-28T00:08:28.000Z",
"site": "https://community.openai.com",
"textContent": "TL;DR: On the apps-manage MCP step, the “Authorize MCP” flow issues my authorization code correctly, but ChatGPT never redeems it at `/token` (0 token requests in my logs), so the modal spins forever and I can’t complete submission. Server verified spec-correct end-to-end. Looks identical\nto threads 1378808 and 1359324. What’s the fix/workaround — and can OAuth be validated at review via demo credentials so I can still submit?\n\nSetup\n\n * Remote MCP server: `mcp.rendex.dev/mcp`\n * Auth: OAuth 2.1 — authorization code + PKCE (S256) + Dynamic Client Registration\n\n\n\nWhat happens\nOn the apps-manage MCP step, “Authorize MCP” opens my login in a new tab (not a popup). I log in; my server authorizes and 302-redirects the code to the exact callback ChatGPT supplied — `chatgpt.com/connector/oauth/{callback_id}` — with the state relay (`openai_platform_oauth_relay__…`)\nechoed back unchanged and the resource param preserved. But ChatGPT never calls my `/token` endpoint (logs show 0 token requests), and the “Authorize MCP” modal spins indefinitely.\n\nServer verified correct\n\n * Discovery: `/.well-known/oauth-authorization-server` + `/.well-known/oauth-protected-resource` (root and `/mcp`-scoped) → 200\n * DCR works; `/token` live with CORS allowed for `chatgpt.com`\n * PKCE S256; resource → aud bound per RFC 8707\n * The authorization code IS issued — it’s just never redeemed; the callback abandons the flow.\n\n\n\nAlready ruled out (browser side)\nClean Chrome window, no extensions, popups + third-party cookies allowed for `chatgpt.com` and `platform.openai.com` — no change, same 0-token behavior.\n\nQuestions\n\n 1. Is this the known apps-manage callback / state-relay issue (cf. 1378808, 1359324)? Server-side fix or setting I’m missing?\n 2. The authorize step opens in a new tab rather than a popup — could that break the opener/postMessage handshake the modal waits on? Anything I can influence server-side?\n 3. Since the live flow won’t resolve, can OAuth be validated during review via demo credentials / a manual review path, so I can complete submission despite the scan not finishing?\n\n\n\nHappy to share full request logs and grant test access to the server.",
"title": "Apps SDK submission blocked — MCP OAuth code issued but ChatGPT never calls /token (Authorize MCP modal hangs)"
}