[OAuth and GPT Actions] - 5 things I have learned (OAuth only)

Hi there,

I just figured out how to use OAuth to allow custom GPT Actions to access private endpoints.

I used Django as my external service and django-oauth-toolkit as the OAuth provider for that service.

I learned five things, so I want to share them with everyone here:

  1. Test your OAuth server using Postman first.

  2. You must fill in the scope in the OAuth form in GPT Actions regardless, so don't leave it empty unless your OAuth server can handle scope= in the GET params.

  3. GPT Actions cannot handle PKCE, so your OAuth server needs to turn it off if it's on by default.

  4. When you test your GPT with OAuth, don't do it within the preview page; there are some weird redirection issues. Test it by opening your GPT as if you're a new user in a fresh browser tab.

  5. If you delete or deliberately expire the access token in your OAuth backend, then the GPT has no way of re-requesting the access token. (This is now solved, in this thread here.)

This is how I fill in the OAuth settings within the custom GPT Action:

This is a demonstration of what happens when I deliberately delete or expire the access token on my OAuth server side:

I will do an end-to-end, step-by-step, no-steps-skipped YouTube tutorial of what I did to achieve this.

Will update here once it's done later this week.


Hi, did you come up with that YT video?

1 Like

I am doing it now. Hope to get it out by the end of the week.


Thanks for taking the time to put all this together. Super helpful.


@KimSia No worries. Just wanted to let you know that these provided me the starting points I was looking for, turning weeks of an experimental approach into hours of guided progress. :slight_smile:

1 Like

@KimSia Is there any way a custom GPT, once published, can be used by different users with different API keys to talk to an API service? These users might have the API service running on different servers, but all of them will be using the same endpoints.

Currently I was able to access my test API through the API-key type of authentication with a custom header name. I tried to do some prompt engineering to update or replace the API key with a user-provided one, but that experiment failed.

Thank you for sharing. I'm just about to test the OAuth flow.

1 Like

Hello @KimSia

Thanks for putting this together. I was wondering if you’ve ever released the video.

I’m trying to build a private custom GPT to work with the Microsoft Graph API for my stuff, primarily my OneNote. I’m able to initiate the sign-in sequence from within the GPT, but after I allow the app to connect to my Microsoft account and am redirected back to the GPT editor, I get an error of “missing access token”.

Will your video cover this?

This error is either:

  1. because there is an error in the 2nd step of the OAuth process (if you’re doing it manually on your own server, like yourserver.com), or
  2. because the OAuth server (Microsoft, in the 2nd step) is not sending the required access_token parameter back to OpenAI (if you’re doing it via the Microsoft server).

If you’re doing it manually (i.e. method #1), ensure that your first endpoint accepts GET requests and your second endpoint accepts POST requests. I.e. when you’re passing the code parameter into the second endpoint to exchange it for the access_token, your endpoint must extract it from the body of the request, not the query params. This is because OpenAI sends the first request as GET and the second as POST, and there is no way to change that.

Also, if you’re doing it manually (i.e. method #1), ensure that your GET function parses the ‘state’ param that OpenAI sends and then returns the same state param back as part of the redirect URI.

There might be other stuff; these are just what come to mind. If you do method #1, put console.logs all over your functions and see what is getting in and out.

Good luck.
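The two posts above describe the same handshake from both sides: the five lessons (a scope must be sent, PKCE must be off, a deleted token simply stops working) and the "missing access token" debugging advice (authorize is a GET that must echo state, the token exchange is a POST whose code lives in the form body). The following is an added example, not code from this thread, from OpenAI, or from django-oauth-toolkit. It models a tiny in-memory authorization server with those rules plus a client that behaves the way the GPT Action does. The pkce_required flag stands in for django-oauth-toolkit's PKCE_REQUIRED setting (default True) in OAUTH2_PROVIDER, and every URL, client id, secret, and user name is a placeholder chosen for the example.

```python
# Added example (not from the thread or django-oauth-toolkit); all names are placeholders.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


def _flat(qs):
    """parse_qs returns lists and drops blank values, so 'scope=' simply goes missing."""
    return {k: v[0] for k, v in parse_qs(qs).items()}


@dataclass
class AuthServer:
    client_id: str                 # one client id/secret pair for the whole GPT
    client_secret: str
    redirect_uri: str              # the callback registered for that client
    scopes: dict                   # allowed scopes, like DOT's SCOPES setting
    pkce_required: bool = True     # stands in for DOT's PKCE_REQUIRED (default True)
    _codes: dict = field(default_factory=dict)   # code -> (user, scope)
    _tokens: dict = field(default_factory=dict)  # token -> (user, scope)

    def authorize(self, method, url, logged_in_user):
        """Step 1: the GET the GPT sends. Returns (status, redirect_url_or_error)."""
        if method != "GET":
            return 405, "authorize endpoint must accept GET"
        q = _flat(urlparse(url).query)
        if q.get("client_id") != self.client_id or q.get("response_type") != "code":
            return 400, "invalid_client"
        if q.get("redirect_uri") != self.redirect_uri:
            return 400, "redirect_uri mismatch"        # never redirect elsewhere
        requested = q.get("scope", "").split()
        if not requested or any(s not in self.scopes for s in requested):
            return 400, "invalid_scope"                 # lesson 2: empty scope fails
        if self.pkce_required and "code_challenge" not in q:
            return 400, "code_challenge required"       # lesson 3: the GPT sends none
        code = secrets.token_urlsafe(24)
        self._codes[code] = (logged_in_user, " ".join(requested))
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]                # echo state back unchanged
        return 302, f"{self.redirect_uri}?{urlencode(params)}"

    def token(self, method, body):
        """Step 2: POST with a form body. The query string is never consulted."""
        if method != "POST":
            return 405, {"error": "token endpoint must accept POST"}
        form = _flat(body)
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        if not (hmac.compare_digest(form.get("client_id", ""), self.client_id) and
                hmac.compare_digest(form.get("client_secret", ""), self.client_secret)):
            return 401, {"error": "invalid_client"}
        entry = self._codes.pop(form.get("code", ""), None)   # codes are single use
        if entry is None or form.get("redirect_uri") != self.redirect_uri:
            return 400, {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = entry
        return 200, {"access_token": tok, "token_type": "Bearer", "scope": entry[1]}

    def resource(self, bearer, owner, needed="read"):
        """Protected endpoint: the token says who is calling, so Bob never sees Carol's data."""
        entry = self._tokens.get(bearer)
        if entry is None:
            return 401          # lesson 5: a deleted or expired token just fails
        user, scope = entry
        if needed not in scope.split() or user != owner:
            return 403
        return 200


def gpt_action_login(server, user, state="s7a4t3"):
    """Plays the client the way a GPT Action does: GET, then POST, and no PKCE."""
    url = "https://alice.example/o/authorize/?" + urlencode({
        "response_type": "code", "client_id": server.client_id,
        "redirect_uri": server.redirect_uri, "scope": "read write", "state": state})
    status, location = server.authorize("GET", url, logged_in_user=user)
    if status != 302:
        return None, f"authorize failed: {location}"
    cb = _flat(urlparse(location).query)
    if cb.get("state") != state:
        return None, "state mismatch: callback rejected"     # CSRF guard
    status, resp = server.token("POST", urlencode({
        "grant_type": "authorization_code", "code": cb["code"],
        "redirect_uri": server.redirect_uri,
        "client_id": server.client_id, "client_secret": server.client_secret}))
    if status != 200:
        return None, f"token failed: {resp}"
    return resp["access_token"], None


if __name__ == "__main__":
    srv = AuthServer("gpt-alice", "alice-client-secret",
                     "https://gpt-client.example/oauth/callback", {"read": "r", "write": "w"})
    print(gpt_action_login(srv, "bob"))   # fails: code_challenge required
    srv.pkce_required = False
    print(gpt_action_login(srv, "bob"))   # succeeds: (token, None)
```

Run it as-is and the first login attempt fails exactly the way a GPT Action does against a server with PKCE on; flip pkce_required and the same client succeeds. Bob's and Carol's tokens are issued to the same client id but are bound to different users, which is why a single published GPT does not need per-user API keys, and deleting a token from the server's store turns every later call into a 401 with nothing on the client side to refresh it.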

Sorry everyone. I was busy with client work.

Instead of YouTube, I am doing it as a series of Loom videos. I cannot presume that everyone has the same level of proficiency, so I will do a pretty step-by-step series of videos.

Those who are more advanced may choose to skip steps, but then if you get stuck, that's on you.

I planned to have 5-10 videos, all on Loom. In the future, I may iteratively improve them based on feedback or add more, such as those targeting Windows OS.


Videos (took me ~6 hrs to record and document, so please be kind):

I spent a lot of time redoing the steps to make sure everything works as smoothly as possible.

There's still a chance I made some mistakes that get you stuck.

If so, please create an issue on the GitHub repo or write here.

I'm sorry that I only finished up to the point where we have the app working on localhost with Postman acting as the client.

I expect to roll out the last 2 stages later this week.


I have worked on a similar project and have open-sourced the code so that anyone who is new to auth and wants to protect their API can quickly get started and add authentication to their app by self-hosting it: GitHub - Anil-matcha/GPT-Auth: GPT Auth provides a user-friendly solution to quickly set up OAuth for your custom GPT and self-host it.

1 Like

I took a very quick glance and added your repo link here.

Thanks for sharing, Anil :slight_smile:

1 Like

See [OAuth and GPT Actions] - 5 things I have learned - #11 by KimSia

I aimed to be comprehensive rather than concise, for personal reasons.

So far I have only recorded up to the point where you can run the OAuth server on your localhost, using Postman as the client.

I plan a total of 3 stages to make debugging easier:

  1. localhost OAuth endpoint; Postman as client :white_check_mark:
  2. cloud-based OAuth endpoint; Postman as client
  3. cloud-based OAuth endpoint; GPT as client

I am just done with stage 1, but if you're technical, you can easily extrapolate stages 2 and 3 from the current videos.

If not, then please wait till the end of the week.

I'm unsure what you mean exactly. Can you do a Loom to show us?

Easier to debug.

In any case, here’s what I do know.

You have a custom GPT (let's call this GPT-Alice) talking to your server using OAuth.

Let's also say you have two different users, called Bob and Carol, using GPT-Alice, and they both have accounts on your server.

When Bob and Carol interact with GPT-Alice, and GPT-Alice needs to send info to your server on OAuth-protected endpoints, GPT-Alice will prompt Bob and Carol to log in using OAuth.

So Bob and Carol log in as per normal.

There's no different API key.

However, GPT-Alice needs to have its own client ID and client secret, generated by your server.

See the Part 5 video at [OAuth and GPT Actions] - 5 things I have learned - #11 by KimSia for more details.

I did Loom instead. Check here.

Oh! I'm not using OAuth actually, since I don't know how OAuth works. I'm just using a custom API key in the header.

Example: let’s say I published GPT-Alice, which can be used by Bob & Carol.

  • Bob & Carol can host some services on their own servers and generate their own API keys.
  • Bob & Carol want to use GPT-Alice with their API keys in the header to talk to their services.

So I was asking: is there any way that the "custom API key" in the header can be changed by Bob & Carol through a prompt?

Using OAuth is a means to an end.

The end goal is so that when people use my GPT-Alice, they can use it to interact with their data on my Alice service.

E.g. Bob can interact with GPT-Alice to get GPT-Alice to pull Bob’s data from the Alice-service or update Bob’s data on the Alice service. And Carol can do the same etc.

Another example but this time using a famous name like Dropbox to illustrate the same point.

Imagine Dropbox, for example, coming up with their own GPT.

So Dropbox users can interact with the Dropbox GPT to pull their personal Dropbox data or update their personal Dropbox data.

Abstractly, a custom GPT is like another client for the service, like a mobile phone app interacting with the backend service. Which is why there's a GPT Store (like Apple's App Store).


  • User (like Bob) <==> Alice-GPT <==> Alice-service (but only access Bob's Alice-data, using OAuth to identify)
  • User (like Bob) <==> Alice-mobileapp <==> Alice-service (but only access Bob's Alice-data, using OAuth to identify)
  • User (like Carol) <==> Dropbox-GPT <==> Dropbox-service (but only access Carol's Dropbox data, using OAuth to identify)
  • User (like Carol) <==> Dropbox-mobileapp <==> Dropbox-service (but only access Carol's Dropbox data, using OAuth to identify)

I'll try to put myself in your shoes.

If I'm adopting your setup, that is, my GPT-Alice would also interact with other people who run their own services on their own servers,

that would also mean my Alice-service should be able to interact with other people and their services.

What I would do is write code on the service backend to interact with these other services, rather than directly with the GPT.

  • User (like Bob) <==> Alice-GPT <==> Alice-service <==> Bob-service

If you can give more details about what you're trying to do, it will be more useful for the rest of us who are trying to help.

Because I actually cannot imagine a concrete use case for what you're talking about. I'm only thinking abstractly.

I find it easier to imagine Bob setting up his own custom Bob-GPT so that the Bob-GPT can talk with the Bob-service and API.

If you describe your use case in words and you do a /r/GPT/mobile app on your use case and the whole use case sounds weird, then maybe something is off.

If you describe your use case in words and you do a /r/GPT/mobile app on your use case and the whole use case makes sense, then there's still a chance something can work.

I've also updated the thread title to make clear this is an OAuth-only discussion thread. Maybe you will find more help if you write your own thread.

Thank you so much for writing back in detail. I need to learn about OAuth; this seems to be an interesting implementation, and your last statement about each user having their own GPT to talk to their services might be the way to go when using private endpoints with an API key.

You’re welcome.

I think this thread might not be the best fit for you at this moment.

I recommend this YouTube video: OAuth 2 Explained In Simple Terms (youtube.com)

Here's a still from that YT.

So for most of us here, we think of the Application as the custom GPT we're all building.

And instead of Facebook, it's the custom service we want the custom GPT to interact with.

Of course, this means that the User in this diagram is supposed to have an account with the custom service.

If you can draw out what you're thinking of trying to pull off (try draw.io, Excalidraw, etc.), post it in a separate thread, and link it here, I promise to at least take a look and give you my thoughts there.

Good luck. Tell us how it goes for you