ChatGPT does not re-trigger OAuth on 401 + WWW-Authenticate for MCP tool calls

My MCP server implements OAuth 2.1 with PKCE. The initial auth flow works perfectly — ChatGPT discovers metadata, completes consent, gets a token, and calls tools.

When the token expires, my server returns:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="https://my-server.example.com/.well-known/oauth-protected-resource/openai/marketing", scope="dummy:read"

This matches the format in the Apps SDK auth docs and the MCP authorization spec. CORS headers expose WWW-Authenticate.

Expected: ChatGPT re-initiates the OAuth flow.

Actual: ChatGPT tells the user in text that they need to re-authenticate, without launching the OAuth prompt.

Does ChatGPT currently support automatic re-auth on 401 for MCP tool calls? If yes, does it work in developer mode while testing? Am I missing anything?
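A server-side self-check for the 401 challenge described in the post above, as an added example that is not part of the original post or of any OpenAI or MCP code: it parses the `WWW-Authenticate` value with RFC 7235 auth-param syntax and reports typographic quotes, a missing or non-HTTPS `resource_metadata`, and a missing CORS expose entry. The function names and the `GOOD` sample are constructed for illustration, and the check says nothing about how ChatGPT itself handles the challenge.

```python
import re
from urllib.parse import urlsplit

# token (RFC 7230); an auth-param (RFC 7235) is token "=" ( token / quoted-string )
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
PARAM = re.compile(rf'\s*({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*(?:,|$)')

def parse_bearer_challenge(value):
    """Return the auth-params of one Bearer challenge as a dict; raise ValueError if malformed."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("scheme is not Bearer")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:pos + 20]!r}")
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
    return params

def check_challenge(status, headers):
    """Return a list of problems found in a 401 challenge response (empty list = none found)."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = [] if status == 401 else [f"status is {status}, not 401"]
    value = h.get("www-authenticate")
    if value is None:
        return problems + ["no WWW-Authenticate header"]
    if "\u201c" in value or "\u201d" in value:
        problems.append("typographic quotes present; quoted-string requires ASCII double quotes")
    try:
        params = parse_bearer_challenge(value)
    except ValueError as exc:
        return problems + [f"unparseable challenge: {exc}"]
    url = urlsplit(params.get("resource_metadata", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("resource_metadata is missing or not an absolute https URL")
    # Browser-based clients can only read the header if CORS exposes it.
    exposed = [x.strip().lower() for x in h.get("access-control-expose-headers", "").split(",")]
    if "www-authenticate" not in exposed:
        problems.append("WWW-Authenticate not listed in Access-Control-Expose-Headers")
    return problems

# Constructed sample: the challenge from the post, written with ASCII quotes.
GOOD = {
    "WWW-Authenticate": 'Bearer resource_metadata="https://my-server.example.com/.well-known/'
                        'oauth-protected-resource/openai/marketing", scope="dummy:read"',
    "Access-Control-Expose-Headers": "WWW-Authenticate",
}
```

Feed it the status code and headers captured from the real server response (for example from a proxy or server log) rather than from a rendered page, since rendering can alter quote characters.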

Hey @Tarun_Agarwal, appreciate you flagging this. We’re going to take a closer look and dig into what might be causing it. If you’ve noticed any patterns or other error messages, feel free to share; that kind of detail can really help. We’ll report back once we know more.

Hey @OpenAI_Support, do we have an update on this?