# ChatGPT MCP Connector OAuth: “OAuth state not found” — callback fails before token exchange
**Category:** ChatGPT Apps SDK / Bugs
**Tags:** mcp, connector, oauth, chatgpt-app
## Summary
ChatGPT’s own OAuth callback endpoint (`/backend-api/aip/connectors/links/oauth/callback`) returns 404 with `{"detail":"OAuth state not found"}` during MCP connector setup. The entire OAuth discovery, DCR, and authorization flow completes successfully — ChatGPT generates the state, the user authenticates, and `code` + `state` are returned correctly — but ChatGPT’s backend cannot find the state it created. **The token exchange never happens** because the failure occurs before ChatGPT calls our `/oauth/token` endpoint.
This also reproduces with **OpenAI’s own `openai-mcpkit` TypeScript scaffold** using Auth0, confirming it is a platform-side issue.
## Environment
- **Plan:** ChatGPT Business
- **Developer Mode:** Enabled (Workspace Settings → Permissions & Roles → Connected Data)
- **App creation:** Workspace Settings → Apps → Create
- **MCP Server:** Cloudflare Worker at `mcp.auto.dev` (also tested with mcpkit scaffold via ngrok)
- **Auth Provider:** Custom OAuth 2.1 provider (id.org.ai) + Auth0 (for scaffold test)
- **Browser:** Chrome 146 on macOS
## What Works
- `POST /` → 401 with `WWW-Authenticate: Bearer resource_metadata="…"` header
- `GET /.well-known/oauth-protected-resource` → 200 with valid metadata
- `GET /.well-known/oauth-authorization-server` → 200 with valid metadata
- `GET /.well-known/openid-configuration` → 200 with valid metadata
- `POST /oauth/register` (DCR) → 201 with `client_id`
- `GET /oauth/authorize` → 302 redirect to auth provider
- User authenticates and consents
- Auth provider redirects back to `chatgpt.com/connector/oauth/{id}?code=…&state=…`
- Both `code` and `state` parameters present and correctly formatted
## What Fails
- `POST chatgpt.com/backend-api/aip/connectors/links/oauth/callback` → **404** `{"detail":"OAuth state not found"}`
- `GET chatgpt.com/backend-api/aip/connectors/links/oauth/state/{state_id}` → **404** `{"detail":"OAuth state not found"}`
- No `POST /oauth/token` request ever reaches our server (verified via Cloudflare Workers tail logs and ngrok request inspector)
## Steps to Reproduce
1. Enable developer mode in workspace settings
2. Go to Apps → Create
3. Enter MCP Server URL, select OAuth authentication
4. ChatGPT discovers OAuth endpoints, performs DCR — all succeeds
5. Click Create → redirected to auth provider
6. Authenticate and consent
7. Redirected back to ChatGPT with valid `code` and `state`
8. **Error: “Something went wrong with setting up the connection”**
9. Browser console shows 404 on ChatGPT’s own callback/state endpoints
## Evidence: Server Logs (Cloudflare Workers Tail)
```
POST / 401 Unauthorized
GET /.well-known/oauth-protected-resource 200 OK
GET /.well-known/oauth-authorization-server 200 OK
GET /.well-known/openid-configuration 200 OK
GET /.well-known/oauth-authorization-server 200 OK
GET /.well-known/openid-configuration 200 OK
POST /oauth/register 201 Created
GET /oauth/authorize?.. 302 Redirect
← (no POST /oauth/token ever appears)
```
ChatGPT never reaches the token exchange step. The failure is entirely within ChatGPT’s backend state lookup.
## Evidence: Reproduced with OpenAI’s Own Scaffold
To rule out our server implementation, we cloned `openai/openai-mcpkit` (TypeScript scaffold), configured it with Auth0 (DCR enabled, default audience set, social connection), ran it locally via ngrok, and attempted the same connector setup flow. **Same result — “Something went wrong with setting up the connection.”**
ngrok request log from the scaffold:
```
POST /mcp 401 Unauthorized
GET /.well-known/oauth-protected-resource/mcp 404 Not Found
GET /mcp/.well-known/oauth-protected-resource 404 Not Found
GET /.well-known/oauth-protected-resource 200 OK
```
Discovery works (fallback to root path), but the connector still fails at the callback step.
## State Parameter Analysis
The state ChatGPT generates is base64-encoded JSON:
```json
{
  "csrf": "d06387cf7d5ba96b92b2587474bcd495691b2d14b059d584dca621669df3ed06",
  "s": "oauth_s_69da6d33622081919e8b5e43c89ff601"
}
```
This state is preserved correctly through the auth flow — the exact same value appears in the redirect back to ChatGPT. ChatGPT’s backend simply cannot find the state record at `oauth_s_69da6d33622081919e8b5e43c89ff601`.
## Related Threads
- ChatGPT MCP OAuth: callback timeout on token exchange (authorization code issued) (Sep 2025 — unresolved)
- MCP Connector Creation Timeout - OAuth Callback Failing (Jan 2026 — unresolved)
- ChatGPT Custom MCP OAuth fails to get tools when auth enabled (Jul 2025 — OpenAI acknowledged: “we are seeing posts in the Community forum about this, so we want to make sure we fix the issue if this is on our side”)
## Our Server Compliance Checklist
We’ve verified every requirement from the OpenAI Auth Guide (Authentication – Apps SDK | OpenAI Developers):

| Requirement | Status |
|---|---|
| Protected resource metadata | (base + /mcp paths) |
| OAuth AS metadata | (base + /mcp paths) |
| OIDC discovery | (base + /mcp paths) |
| HTTP 401 + WWW-Authenticate header | |
| Per-tool securitySchemes | (all 15 tools) |
| Dynamic Client Registration | |
| PKCE (S256) | |
| Resource parameter (RFC 8707) | |
| Streamable HTTP transport | |
| HTTPS | |
## Questions for OpenAI
1. What causes `{"detail":"OAuth state not found"}` on the callback? Is there a TTL on OAuth state, or is it tied to a specific backend instance?
2. Is this a known issue with the Business plan? The Help Center docs mention Business/Enterprise/Edu support.
3. Are there any server-side requirements not documented in the Apps SDK auth guide that could prevent state from being stored?
4. Can the team investigate the state storage for connector `eRvU93QmvGwc` on account `727a535d-e95d-4bb6-9f54-9961cca52582`?
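
A way to check the report's two observations from captured data, as an added example that is not part of the original post: it decodes the `state` sent on `/oauth/authorize` and the one on the redirect back, confirms they are identical, and checks whether a `POST /oauth/token` follows the authorize step in the server log. The `csrf`/`s` fields and their values are the ones shown in the post; the URLs, `client_id`, `code`, `EXAMPLE_ID`, log lines and all function names are constructed for illustration.

```javascript
// Added example. Field names csrf/s and the state values come from the post;
// URLs, client_id, code and function names are constructed/hypothetical.
const b64url = (s) => Buffer.from(s).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

const SAMPLE_STATE = b64url(JSON.stringify({
  csrf: "d06387cf7d5ba96b92b2587474bcd495691b2d14b059d584dca621669df3ed06",
  s: "oauth_s_69da6d33622081919e8b5e43c89ff601",
}));
const AUTHORIZE_URL =
  `https://mcp.auto.dev/oauth/authorize?client_id=example-client&state=${SAMPLE_STATE}`;
const CALLBACK_URL =
  `https://chatgpt.com/connector/oauth/EXAMPLE_ID?code=example-code&state=${SAMPLE_STATE}`;
const SAMPLE_LOG = [
  "POST /oauth/register 201 Created",
  "GET /oauth/authorize?.. 302 Redirect",
];

// Decode a state value (base64 or base64url, padded or not) into its JSON fields.
function decodeState(raw) {
  const obj = JSON.parse(Buffer.from(raw, "base64").toString("utf8"));
  if (typeof obj.csrf !== "string" || typeof obj.s !== "string") {
    throw new Error("state JSON lacks csrf/s string fields");
  }
  return obj;
}

// Compare the state sent on /oauth/authorize with the one on the redirect back.
function compareState(authorizeUrl, callbackUrl) {
  const sent = new URL(authorizeUrl).searchParams.get("state");
  const returned = new URL(callbackUrl).searchParams.get("state");
  if (!sent || !returned) throw new Error("state parameter missing");
  return { identical: sent === returned, stateId: decodeState(returned).s };
}

// True if a token request appears after the last authorize request in the log.
function tokenExchangeSeen(lines) {
  const last = lines.map((l) => l.startsWith("GET /oauth/authorize")).lastIndexOf(true);
  return last >= 0 && lines.slice(last + 1).some((l) => l.startsWith("POST /oauth/token"));
}

// Classify where the flow stopped.
function diagnose(authorizeUrl, callbackUrl, lines) {
  const { identical, stateId } = compareState(authorizeUrl, callbackUrl);
  if (!identical) return { stage: "state-altered-in-transit", stateId };
  if (!tokenExchangeSeen(lines)) return { stage: "failed-before-token-exchange", stateId };
  return { stage: "token-exchange-attempted", stateId };
}
```

`diagnose(AUTHORIZE_URL, CALLBACK_URL, SAMPLE_LOG)` returns the `failed-before-token-exchange` stage together with the `s` identifier, which is the value to quote when asking the client side to look up its state record.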