mcp-session-id header dropped or missing

Error text / 报错原文

• mcp-session-id header dropped
• missing mcp-session-id
• session not found

What it means

The remote MCP server expects a session header, but a proxy, tunnel, or client path did not preserve it.

Most common causes

• Reverse proxy strips custom headers
• CORS preflight does not allow the header
• Server stores sessions in memory across stateless deploys
• Multiple app instances do not share session storage

Fastest fix

• Reproduce the smallest failing case outside the agent.
• Confirm auth, session, and transport before changing app code.
• Disable unrelated tools or servers and retry once.
• Capture the exact timestamp, client version, and raw error text.

Safe fix

• Keep secrets in environment variables or the platform secret store.
• Use least-privilege scopes and read-only tools by default.
• Add validation around manifests, schemas, and callback URLs.
• Document the working local and production configuration.

What not to do

• Do not paste OAuth tokens or session IDs into public logs.
• Do not bypass TLS, CSP, or permission prompts as a permanent fix.
• Do not enable every MCP tool globally just to make one task pass.

Diagnostic commands

node --version
curl -I "$MCP_SERVER_URL"
echo "$OAUTH_CLIENT_ID"

Related tools

• /tools/mcp-oauth-debugger/ →
• /tools/json-formatter/ →

Related errors

• ChatGPT Apps OAuth flow does not start →
• window.openai.callTool does not trigger OAuth flow →
• ToolError: MCP write action temporarily disabled →
• ChatGPT Developer Mode app not visible →
• Apps SDK widget blocked by Content Security Policy →
• openai/outputTemplate not found →

Sources

• https://platform.openai.com/docs/developer-mode ↗
• https://platform.openai.com/docs/mcp/ ↗
• https://github.com/openai/openai-apps-sdk-examples/issues ↗