Bug: ChatGPT MCP connector prompts for reauthentication despite valid tokens with offline_access scope

Summary

ChatGPT’s MCP connector intermittently prompts for reauthentication after 4-5 consecutive tool calls, despite the server receiving valid tokens with proper scopes including offline_access. After providing auth through the “Continue” prompt, ChatGPT stops using tool calls entirely and responds with text only.

Environment

  • Custom MCP server with OAuth 2.0/OIDC (Keycloak)
  • Using @modelcontextprotocol/sdk for Node.js
  • All OAuth metadata endpoints returning correct values
  • offline_access scope properly configured and granted

Server-Side Evidence

Server logs show all token verifications succeed - no 401 errors:

```json
{
  "event": "token_verified",
  "client_id": "chatgpt-mcp-connector",
  "oauth_scopes": ["openid", "mcp:tools", "email", "offline_access", "profile"],
  "expires_at": 1768959536
}
```

  • Tokens include offline_access scope ✓
  • Token expiry is 12+ hours in the future ✓
  • No authentication failures logged ✓
  • Server health remains OK throughout ✓

Observed Behavior

  1. MCP connector works for 4-5 tool calls
  2. ChatGPT shows “Continue” / reauthentication prompt
  3. User clicks Continue and re-authenticates
  4. ChatGPT immediately responds with text instead of using tools

Related Reports

This appears related to other reported OIDC issues:

  • Token refresh works after short idle, but reconnect loop after long idle
  • OIDC Authentication Failure

Request

Could the ChatGPT team investigate the client-side OAuth/session handling? The server-side implementation is working correctly (tokens valid, no errors), suggesting the issue is in how ChatGPT manages MCP sessions or token refresh.


Update: Root Cause Identified

After implementing comprehensive request header logging on the MCP server, I’ve identified the root cause of this issue.

The Problem

ChatGPT is not persisting the Mcp-Session-Id header between tool call batches. After approximately 30 seconds, ChatGPT drops the session ID and sends a fresh initialize request, which triggers the “Continue / Do not continue” prompt on the client side.

Evidence from Server Logs

Here’s what the logs show:

**13:08:37** - Tool calls #1 and #2 (successful):
```json
{
  "event": "mcp_request_headers",
  "headers": {
    "mcp_session_id": "3c0708d1-e974-4383-a91c-b97b50235ad1"
  },
  "is_initialize": false
}
```

**13:09:08** (31 seconds later) - Tool call #3:
```json
{
  "event": "mcp_request_headers",
  "headers": {
    "mcp_session_id": null
  },
  "is_initialize": true
}
```

### Key Findings

1. **Authentication is working perfectly** - All token verifications succeed, no 401 errors
2. **Server sessions persist** - The original session (`3c0708d1-...`) still existed and was valid
3. **ChatGPT dropped it** - ChatGPT sent `null` instead of the existing session ID
4. **This triggers re-auth prompts** - When ChatGPT sends an `initialize` request (creating a new session), its client interprets this as "requesting new permissions"

### Why This Happens

The ~30 second interval suggests ChatGPT either has:
- An internal session timeout
- A connection reconnection behavior that clears session storage
- A bug in how it persists the `Mcp-Session-Id` header across requests

### Conclusion

**This is a ChatGPT MCP client bug, not an OAuth/OIDC configuration issue.** The server-side implementation is working correctly - tokens verify, sessions persist, and everything is healthy. The issue is entirely on ChatGPT's side failing to remember the session ID it received from the MCP server.

Unfortunately, there's nothing that can be fixed on the MCP server side - this needs to be addressed in the ChatGPT MCP connector implementation.
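
A log check for the pattern shown in the evidence above, added here as an example and not part of the original post or the poster's server code: it scans `mcp_request_headers` events and flags an `initialize` that arrives without a session ID while the same client's previous session is still inside the server's session lifetime. The `ts` and `client_id` fields on each log line, the 30-minute default lifetime and the function name are assumptions.

```javascript
// Constructed sample log (JSON lines) in the shape shown in the post.
// "ts" and "client_id" on each line are assumed fields; the date is made up.
const SID = '3c0708d1-e974-4383-a91c-b97b50235ad1';
const line = (ts, sid, init) => JSON.stringify({
  ts, event: 'mcp_request_headers', client_id: 'chatgpt-mcp-connector',
  headers: { mcp_session_id: sid }, is_initialize: init,
});
const SAMPLE_LOG = [
  line('2026-01-20T13:08:30Z', null, true),   // first connect: expected initialize
  line('2026-01-20T13:08:37Z', SID, false),   // tool call #1
  line('2026-01-20T13:08:37Z', SID, false),   // tool call #2
  'health check ok',                          // non-JSON noise, skipped
  line('2026-01-20T13:09:08Z', null, true),   // tool call #3: session ID missing
].join('\n');

// Flags re-initialize requests sent while the client's last session should
// still be alive. sessionTtlMs is the server's own session lifetime (assumed).
function findDroppedSessions(logText, sessionTtlMs = 30 * 60 * 1000) {
  const lastSeen = new Map(); // client_id -> { sessionId, at }
  const findings = [];
  for (const raw of logText.split('\n')) {
    let e;
    try { e = JSON.parse(raw); } catch { continue; }
    if (!e || e.event !== 'mcp_request_headers') continue;
    const at = Date.parse(e.ts);
    if (Number.isNaN(at)) continue;
    const sid = e.headers ? e.headers.mcp_session_id : null;
    const prev = lastSeen.get(e.client_id);
    if (sid) {
      // Client presented a session ID: remember it as the live session.
      lastSeen.set(e.client_id, { sessionId: sid, at });
    } else if (e.is_initialize && prev && at - prev.at <= sessionTtlMs) {
      findings.push({
        clientId: e.client_id,
        droppedSessionId: prev.sessionId,
        gapSeconds: Math.round((at - prev.at) / 1000),
        at: e.ts,
      });
      lastSeen.delete(e.client_id); // report each drop once
    }
  }
  return findings;
}

console.log(findDroppedSessions(SAMPLE_LOG));
```

The first `initialize` is not reported because no earlier session exists for that client; only the one that follows a live session ID is.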

Thanks for the clear write-up and logs — this is very well investigated. The timing and header evidence make it pretty clear that authentication and server-side session handling are working as expected, and that the issue is the MCP client dropping Mcp-Session-Id between batches. The ~30s gap strongly suggests a client-side persistence or reconnect bug rather than anything fixable on the server. This should be valuable for the ChatGPT MCP connector team to look into.