We run an MCP server with OAuth 2.0 (discovery, authorization code + PKCE, dynamic client registration, refresh_token). ChatGPT completes the flow and we return 200 from our token endpoint with access_token and refresh_token, but ChatGPT never sends a GET request to our MCP SSE URL with that Bearer token. The user sees “Something went wrong with setting up the connection” and tools never load. Our MCP also supports API key in the URL; with the key, the SSE URL works with no auth and returns tools. The failure is specific to OAuth, where ChatGPT never sends the issued token to the SSE URL.
We do see: discovery (200), register (201), authorize (302), callback (302), token (200). We do not see GET to our SSE URL with Authorization: Bearer from ChatGPT after that. The same token works when we use it in MCP Inspector against our SSE URL.
We’ve tried both origin-only and path-qualified resource, added refresh_token support and persistence, and confirmed PKCE and redirect URIs. Our implementation aligns with the OAuth/MCP patterns used by other MCP providers.
Can you confirm whether there is a known issue or a required step (e.g. refresh flow or specific token usage) that would cause the client to receive the token but never call the MCP SSE URL with it? What is the expected sequence immediately after a 200 token response?