Remote MCP returns 401 Unauthorized in ChatGPT App

Error text / 报错原文

• 401 Unauthorized
• remote MCP unauthorized
• invalid token

What it means

ChatGPT reached the remote MCP server, but the server rejected the token, session, or OAuth scope.

Most common causes

• Expired access token
• Wrong audience or issuer
• Missing scope
• Server checks bearer token but client uses session-based auth

Fastest fix

• Reproduce the smallest failing case outside the agent.
• Confirm auth, session, and transport before changing app code.
• Disable unrelated tools or servers and retry once.
• Capture the exact timestamp, client version, and raw error text.

Safe fix

• Keep secrets in environment variables or the platform secret store.
• Use least-privilege scopes and read-only tools by default.
• Add validation around manifests, schemas, and callback URLs.
• Document the working local and production configuration.

What not to do

• Do not paste OAuth tokens or session IDs into public logs.
• Do not bypass TLS, CSP, or permission prompts as a permanent fix.
• Do not enable every MCP tool globally just to make one task pass.

Diagnostic commands

node --version
curl -I "$MCP_SERVER_URL"
echo "$OAUTH_CLIENT_ID"

Related tools

• /tools/jwt-decoder/ →
• /tools/mcp-oauth-debugger/ →

Related errors

• ChatGPT Apps OAuth flow does not start →
• window.openai.callTool does not trigger OAuth flow →
• mcp-session-id header dropped or missing →
• ToolError: MCP write action temporarily disabled →
• ChatGPT Developer Mode app not visible →
• Apps SDK widget blocked by Content Security Policy →

Sources

• https://platform.openai.com/docs/developer-mode ↗
• https://platform.openai.com/docs/mcp/ ↗
• https://github.com/openai/openai-apps-sdk-examples/issues ↗