# ChatGPT MCP Connector OAuth: “OAuth state not found” — callback fails before token exchange

**Category:** ChatGPT Apps SDK / Bugs

**Tags:** mcp, connector, oauth, chatgpt-app

## Summary

ChatGPT’s own OAuth callback endpoint (`/backend-api/aip/connectors/links/oauth/callback`) returns 404 with `{"detail":"OAuth state not found"}` during MCP connector setup. The entire OAuth discovery, DCR, and authorization flow completes successfully — ChatGPT generates the state, the user authenticates, and `code` + `state` are returned correctly — but ChatGPT’s backend cannot find the state it created. **The token exchange never happens** because the failure occurs before ChatGPT calls our `/oauth/token` endpoint.

This also reproduces with **OpenAI’s own `openai-mcpkit` TypeScript scaffold** using Auth0, confirming it is a platform-side issue.

## Environment

- **Plan:** ChatGPT Business

- **Developer Mode:** Enabled (Workspace Settings → Permissions & Roles → Connected Data)

- **App creation:** Workspace Settings → Apps → Create

- **MCP Server:** Cloudflare Worker at `mcp.auto.dev` (also tested with mcpkit scaffold via ngrok)

- **Auth Provider:** Custom OAuth 2.1 provider (id.org.ai) + Auth0 (for scaffold test)

- **Browser:** Chrome 146 on macOS

## What Works

- :white_check_mark: `POST /` → 401 with `WWW-Authenticate: Bearer resource_metadata="…"` header

- :white_check_mark: `GET /.well-known/oauth-protected-resource` → 200 with valid metadata

- :white_check_mark: `GET /.well-known/oauth-authorization-server` → 200 with valid metadata

- :white_check_mark: `GET /.well-known/openid-configuration` → 200 with valid metadata

- :white_check_mark: `POST /oauth/register` (DCR) → 201 with `client_id`

- :white_check_mark: `GET /oauth/authorize` → 302 redirect to auth provider

- :white_check_mark: User authenticates and consents

- :white_check_mark: Auth provider redirects back to `chatgpt.com/connector/oauth/{id}?code=…&state=…`

- :white_check_mark: Both `code` and `state` parameters present and correctly formatted

## What Fails

- :cross_mark: `POST chatgpt.com/backend-api/aip/connectors/links/oauth/callback` → **404** `{"detail":"OAuth state not found"}`

- :cross_mark: `GET chatgpt.com/backend-api/aip/connectors/links/oauth/state/{state_id}` → **404** `{"detail":"OAuth state not found"}`

- :cross_mark: No `POST /oauth/token` request ever reaches our server (verified via Cloudflare Workers tail logs and ngrok request inspector)

## Steps to Reproduce

1. Enable developer mode in workspace settings

2. Go to Apps → Create

3. Enter MCP Server URL, select OAuth authentication

4. ChatGPT discovers OAuth endpoints, performs DCR — all succeeds

5. Click Create → redirected to auth provider

6. Authenticate and consent

7. Redirected back to ChatGPT with valid `code` and `state`

8. **Error: “Something went wrong with setting up the connection”**

9. Browser console shows 404 on ChatGPT’s own callback/state endpoints

## Evidence: Server Logs (Cloudflare Workers Tail)

```
POST / 401 Unauthorized
GET /.well-known/oauth-protected-resource 200 OK
GET /.well-known/oauth-authorization-server 200 OK
GET /.well-known/openid-configuration 200 OK
GET /.well-known/oauth-authorization-server 200 OK
GET /.well-known/openid-configuration 200 OK
POST /oauth/register 201 Created
GET /oauth/authorize?.. 302 Redirect
← (no POST /oauth/token ever appears)
```

ChatGPT never reaches the token exchange step. The failure is entirely within ChatGPT’s backend state lookup.

## Evidence: Reproduced with OpenAI’s Own Scaffold

To rule out our server implementation, we cloned `openai/openai-mcpkit` (TypeScript scaffold), configured it with Auth0 (DCR enabled, default audience set, social connection), ran it locally via ngrok, and attempted the same connector setup flow. **Same result — “Something went wrong with setting up the connection.”**

ngrok request log from the scaffold:

```
POST /mcp 401 Unauthorized
GET /.well-known/oauth-protected-resource/mcp 404 Not Found
GET /mcp/.well-known/oauth-protected-resource 404 Not Found
GET /.well-known/oauth-protected-resource 200 OK
```

Discovery works (fallback to root path), but the connector still fails at the callback step.

## State Parameter Analysis

The state ChatGPT generates is base64-encoded JSON:

```json
{
  "csrf": "d06387cf7d5ba96b92b2587474bcd495691b2d14b059d584dca621669df3ed06",
  "s": "oauth_s_69da6d33622081919e8b5e43c89ff601"
}
```

This state is preserved correctly through the auth flow — the exact same value appears in the redirect back to ChatGPT. ChatGPT’s backend simply cannot find the state record at `oauth_s_69da6d33622081919e8b5e43c89ff601`.

## Related Threads

- ChatGPT MCP OAuth: callback timeout on token exchange (authorization code issued) (Sep 2025 — unresolved)

- MCP Connector Creation Timeout - OAuth Callback Failing (Jan 2026 — unresolved)

- ChatGPT Custom MCP OAuth fails to get tools when auth enabled (Jul 2025 — OpenAI acknowledged: “we are seeing posts in the Community forum about this, so we want to make sure we fix the issue if this is on our side”)

## Our Server Compliance Checklist

We’ve verified every requirement from the OpenAI Auth Guide (Authentication – Apps SDK | OpenAI Developers):

| Requirement | Status |
|---|---|
| Protected resource metadata | :white_check_mark: (base + /mcp paths) |
| OAuth AS metadata | :white_check_mark: (base + /mcp paths) |
| OIDC discovery | :white_check_mark: (base + /mcp paths) |
| HTTP 401 + WWW-Authenticate header | :white_check_mark: |
| Per-tool securitySchemes | :white_check_mark: (all 15 tools) |
| Dynamic Client Registration | :white_check_mark: |
| PKCE (S256) | :white_check_mark: |
| Resource parameter (RFC 8707) | :white_check_mark: |
| Streamable HTTP transport | :white_check_mark: |
| HTTPS | :white_check_mark: |

## Questions for OpenAI

1. What causes `{"detail":"OAuth state not found"}` on the callback? Is there a TTL on OAuth state, or is it tied to a specific backend instance?

2. Is this a known issue with the Business plan? The Help Center docs mention Business/Enterprise/Edu support.

3. Are there any server-side requirements not documented in the Apps SDK auth guide that could prevent state from being stored?

4. Can the team investigate the state storage for connector `eRvU93QmvGwc` on account `727a535d-e95d-4bb6-9f54-9961cca52582`?
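Added example (not part of the post above and not OpenAI's code): a Python model of the state handling described under "State Parameter Analysis", decoding the base64 JSON `{csrf, s}` blob and checking it against a server-side store with a TTL, so that a callback that ends in "OAuth state not found" (never stored, or expired) is distinguishable from a CSRF mismatch. The `StateStore` TTL model and the `encode_state`/`decode_state` helpers are assumptions for illustration; ChatGPT's real backend store is undocumented.

```python
import base64
import hmac
import json

STATE_ID_PREFIX = "oauth_s_"   # prefix seen in the post's decoded state

def encode_state(csrf: str, state_id: str) -> str:
    """Build a state blob of the shape in the post: base64url(JSON{csrf, s}), padding stripped."""
    raw = json.dumps({"csrf": csrf, "s": state_id}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_state(state: str) -> dict:
    """Decode and shape-check the state the auth server echoed back on the callback."""
    padded = state + "=" * (-len(state) % 4)             # restore stripped '=' padding
    obj = json.loads(base64.urlsafe_b64decode(padded))   # also accepts the standard alphabet
    if not isinstance(obj, dict) or not {"csrf", "s"} <= obj.keys():
        raise ValueError("state is missing the csrf/s fields")
    if not str(obj["s"]).startswith(STATE_ID_PREFIX):
        raise ValueError("unexpected state id format")
    return obj

class StateStore:
    """Assumed model of a server-side OAuth state store keyed by `s` with a TTL.
    ChatGPT's real store is undocumented; this only shows how a 404 can arise."""
    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._rows = {}   # state id -> (csrf, expiry timestamp)

    def issue(self, csrf: str, state_id: str, now: float) -> str:
        """Record a freshly generated state and return the blob for the authorize URL."""
        self._rows[state_id] = (csrf, now + self.ttl)
        return encode_state(csrf, state_id)

    def lookup_callback(self, state: str, now: float) -> str:
        """Resolve the callback's state; the returned string mirrors the HTTP outcome."""
        obj = decode_state(state)
        row = self._rows.get(obj["s"])
        if row is None or row[1] < now:
            return "404 OAuth state not found"        # never stored, evicted, or TTL expired
        if not hmac.compare_digest(row[0], obj["csrf"]):
            return "400 state mismatch"               # CSRF token in blob differs from record
        return "200 ok"

# Constructed sample values (not the real ones from the post)
SAMPLE_CSRF = "ab" * 32
SAMPLE_ID = STATE_ID_PREFIX + "0" * 32
```

Run `StateStore(600).issue(SAMPLE_CSRF, SAMPLE_ID, now=...)` and then `lookup_callback` at a later timestamp to see which of the three outcomes a given callback produces.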

Hey @crisner1978, appreciate you for bringing this to our attention. We’re going to dig into this and see what’s driving it. We’ll share an update once we learn more.

~Sunny

Hey crisner1978, apologies for the delay, but we want to confirm before we dig into this issue whether you are still facing it. If yes, please let us know and we are happy to review it.