GPT Actions Error - "Auth URL, Token URL and API hostname must share a root domain"

@BoyangNiu, could you please add the URLs below? I am using Microsoft’s service, and I am facing the following challenges:

Authorization URL: https://login.microsoftonline.com/oauth2/v2.0/authorization
Token URL: https://login.microsoftonline.com/oauth2/v2.0/token
API URL: https://sandbox.operations.dynamics.com/data/

I would appreciate your guidance in resolving this issue.


Hi @BoyangNiu, I am in the same situation as @ricardomborba. I would like to be able to create an OAuth connection with a Dynamics environment. Would it be possible to add it? Or is Microsoft preventing you from doing so because they want to force us to use Copilot? :sweat_smile:

Hello @BoyangNiu
As many others have requested, would it be possible to add the Microsoft endpoints to the allowed list?


Same. Could you please add the Microsoft endpoints to the allowed list?

That “Authorization URL, Token URL, and API hostname must share a root domain” message appears whenever ChatGPT’s Actions OAuth checker sees that the three key endpoints you entered live on different root domains. OpenAI enforces this for security and to keep phishing risk low, so the assistant UI refuses to save the draft until the check passes.

Here’s how teams are getting past it:

| What’s mismatched? | Quick fix | Notes |
| --- | --- | --- |
| OAuth provider lives on a fully-hosted domain (e.g., auth0.com, login.microsoftonline.com) but your API is on api.my-app.com | Put both the Auth and Token endpoints behind a sub-domain of your own root (auth.my-app.com/authorize, auth.my-app.com/token) and forward/proxy them to the provider. | You can stand up two tiny reverse-proxy routes in your backend or on an edge service (Cloudflare Workers, Netlify Functions, etc.). Auth0, Cognito, Logto, and others all document this pattern. |
| Auth0 free tier (no custom domains) | Upgrade to a plan that lets you set a custom domain, or move to a provider that does (e.g., Clerk, Logto Cloud, your own FastAPI/Firebase proxy). | Devs hit exactly this roadblock with Auth0’s free tier, because the root must match. |
| AWS Cognito + AppSync / API Gateway | Create custom domains for Cognito and for the API so they share the same root, e.g. auth.example.com and api.example.com. | AWS walkthrough shows the full CDK snippet to wire this up. |
| You’re using a public identity platform (Google, Microsoft) but hosting your own API | Make your backend act as an OAuth facade: expose /auth and /token paths on api.my-app.com, then internally call Google/Microsoft. | Medium guide demonstrates the pattern with FastAPI, keeping everything under one domain. |
| Local testing (localhost, ngrok, etc.) | Use a single HTTPS hostname from ngrok or Cloudflare Tunnels and put every endpoint under that host. | “localhost” won’t pass OpenAI’s validator. |

Why the rule exists

GPT Actions replay user tokens automatically; if the auth endpoints lived on a different root, a malicious actor could swap them out after you publish. For that reason the validator compares the effective top-level domain + one (eTLD+1)—e.g., everything under example.com must match.

Implementation tips

  1. Add a `servers:` block to your OpenAPI schema:

```yaml
servers:
```

     The URL there must share the root with the two OAuth endpoints you list in the Actions “Authentication” form; otherwise you’ll get the same error on upload.

  2. Reverse-proxy in <100 lines (Node/Express example):

```javascript
import express from 'express';
import { createProxyMiddleware } from 'http-proxy-middleware';

const app = express();

// Forward the two OAuth endpoints to the identity provider so that they
// appear under the same root domain as the API itself.
app.use('/auth', createProxyMiddleware({ target: 'https://your-auth0-domain', changeOrigin: true }));
app.use('/token', createProxyMiddleware({ target: 'https://your-auth0-domain', changeOrigin: true }));

app.listen(443);
```

  3. Remember the callback loop
     After you hit Save, OpenAI shows a Callback URL; add it to the allowed redirect list in your identity provider each time you change the Action, otherwise the OAuth dance will fail.
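As an added example that is not part of the thread or of OpenAI's own validator, the following Node script reproduces the eTLD+1 comparison the answer above describes and applies it to the three URLs from the first post (two different roots, so it fails) and to the proxied layout from the table (everything under my-app.com, so it passes). It also shows a fixed route table for the "OAuth facade" proxy, so that only the two OAuth paths are ever forwarded to the identity provider and the facade cannot be used as an open relay. The public-suffix handling is an assumption: a small hard-coded set of multi-label suffixes stands in for the full Public Suffix List, and `api.my-app.com`, `your-auth0-domain` and the upstream paths are placeholders taken from the answer, not values from any real deployment.

```javascript
// Constructed subset of multi-label public suffixes (assumption; the real
// validator presumably consults the complete Public Suffix List).
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp', 'com.br']);

// Registrable domain (eTLD+1) of a URL: the public suffix plus one more label.
// Returns null for hosts that have no registrable domain (localhost, bare IPs),
// which is why "localhost" can never pass the check.
function registrableDomain(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  if (host === 'localhost' || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return null;
  }
  const labels = host.split('.');
  const lastTwo = labels.slice(-2).join('.');
  const suffixLength = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 2 : 1;
  if (labels.length <= suffixLength) return null;
  return labels.slice(-(suffixLength + 1)).join('.');
}

// The rule from the error message: all three endpoints must resolve to the
// same eTLD+1. The per-endpoint roots are returned so a failure can be explained.
function sharesRootDomain({ authorizationUrl, tokenUrl, apiUrl }) {
  const roots = {
    authorizationUrl: registrableDomain(authorizationUrl),
    tokenUrl: registrableDomain(tokenUrl),
    apiUrl: registrableDomain(apiUrl),
  };
  const values = Object.values(roots);
  const ok = values.every((root) => root !== null && root === values[0]);
  return { ok, roots };
}

// Facade route table (assumed values): each public path maps to exactly one
// upstream endpoint. Anything else is rejected instead of being forwarded.
const FACADE_ROUTES = {
  '/auth': 'https://your-auth0-domain/authorize',
  '/token': 'https://your-auth0-domain/oauth/token',
};
const FACADE_ORIGIN = 'https://api.my-app.com'; // assumed public origin of the facade

// Resolve an incoming request URL to its upstream, or null if it is not one of
// the allowed OAuth paths. The WHATWG URL parser normalises dot segments, so a
// request such as "/auth/../userinfo" is matched as "/userinfo" and rejected.
function resolveUpstream(requestUrl, routes = FACADE_ROUTES) {
  const incoming = new URL(requestUrl, FACADE_ORIGIN);
  const upstream = routes[incoming.pathname];
  if (!upstream) return null;
  const target = new URL(upstream);
  target.search = incoming.search; // keep client_id, redirect_uri, state, ...
  return target.toString();
}

// The endpoints from the first post in this thread: login.microsoftonline.com
// and sandbox.operations.dynamics.com have different roots, so this fails.
const ORIGINAL_POST = sharesRootDomain({
  authorizationUrl: 'https://login.microsoftonline.com/oauth2/v2.0/authorization',
  tokenUrl: 'https://login.microsoftonline.com/oauth2/v2.0/token',
  apiUrl: 'https://sandbox.operations.dynamics.com/data/',
});

// The proxied layout from the table: every endpoint under my-app.com passes.
const FACADE_LAYOUT = sharesRootDomain({
  authorizationUrl: 'https://auth.my-app.com/authorize',
  tokenUrl: 'https://auth.my-app.com/token',
  apiUrl: 'https://api.my-app.com/',
});

console.log('original post:', ORIGINAL_POST);
console.log('facade layout:', FACADE_LAYOUT);
console.log('forwarded:', resolveUpstream('/auth?client_id=abc&state=xyz'));
console.log('rejected:', resolveUpstream('/userinfo'));
```

Run it with `node` (no packages needed; `URL` is a Node global). The route table is the part worth carrying into the real proxy: mounting `createProxyMiddleware` on `/auth` and `/token` with the provider's root as `target` forwards whatever path arrives under those prefixes, whereas an explicit path-to-upstream map limits the facade to the two endpoints the Action actually needs.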

Create a consolidated API and use it as a proxy.