window.openai.callTool does not trigger OAuth flow

Error text / 报错原文

• window.openai.callTool does not trigger OAuth flow
• callTool unauthorized
• OAuth not triggered from widget

What it means

A widget calls a tool through the ChatGPT bridge, but the auth challenge is not surfaced back into the UI.

Most common causes

• Bridge call targets a tool not declared for the widget
• Tool result does not return the expected auth challenge
• Widget domain or CSP blocks the bridge
• The app was registered before auth metadata changed

Fastest fix

• Reproduce the smallest failing case outside the agent.
• Confirm auth, session, and transport before changing app code.
• Disable unrelated tools or servers and retry once.
• Capture the exact timestamp, client version, and raw error text.

Safe fix

• Keep secrets in environment variables or the platform secret store.
• Use least-privilege scopes and read-only tools by default.
• Add validation around manifests, schemas, and callback URLs.
• Document the working local and production configuration.

What not to do

• Do not paste OAuth tokens or session IDs into public logs.
• Do not bypass TLS, CSP, or permission prompts as a permanent fix.
• Do not enable every MCP tool globally just to make one task pass.

Diagnostic commands

node --version
curl -I "$MCP_SERVER_URL"
echo "$OAUTH_CLIENT_ID"

Related tools

• /tools/apps-sdk-manifest-validator/ →
• /tools/mcp-oauth-debugger/ →

Related errors

• ChatGPT Apps OAuth flow does not start →
• mcp-session-id header dropped or missing →
• ToolError: MCP write action temporarily disabled →
• ChatGPT Developer Mode app not visible →
• Apps SDK widget blocked by Content Security Policy →
• openai/outputTemplate not found →

Sources

• https://platform.openai.com/docs/developer-mode ↗
• https://platform.openai.com/docs/mcp/ ↗
• https://github.com/openai/openai-apps-sdk-examples/issues ↗