OAuth - how to know who is the user I am sending access_token to?


I implemented the Oauth flow with my custom GPT and receive successfully logged in green light.

The thing is, that each query I receive at my end, comes with a Bearer token I passed at the previous stage as “access_token”.

SO, I presumed that this is the flow.

But then I realized that the request sent to Token URL is not affiliated with any user.

So in the case when I know it is me debugging the application - it is fine. I just respond with 123456 as “access_token” and then when the query arrives - I know who is Bearer 123456.

But in case there are multiple users - I have no idea how to differentiate between them.

I tried to open all endpoints to POST requests hoping I will receive some linkage between username and access_token, but it didn’t work.

Can I use some help - probably I am missing some step?


The token provided by the OAuth server is a long string containing encrypted information, inside which, the user information or role information should be there.

Then you API Action should decode that token and get the user ID or whatever other required user information you may need.


Not sure if I managed to explain the issue properly as it seems you think that I anticipate to have user credentials at action side.
And of course, thank you for trying to help here!

So, as I said, I am talking about the OAuth server side, not Action side.

Following this guide, after my OAuth server identified the user successfully, it should redirect to callback URL, adding “state” and “code” values to it.

At this stage I receive the green popup message in my custom GPT chat which states that OAuth authentication succeeded.

After that I also receive POST request from chatGPT to TOKEN_URL at my server (remember this one), which I should respond to it with

    "access_token": "<example access token>",
    "token_type": "Bearer",
    "expires_in": 60,
    "refresh_token": "<example refresh token>"

From this moment, all queries which arrive to my server, hold that access_token in the headers.

So, the thing is, that POST request to TOKEN_URL which I mentioned previously - is completely plain. It does not hold any user data. So if there are multiple users, who goes through authentication process at that very moment - I will have no clue which token I am granting to who. Which means- I will not know who sends me the queries.

Another thing is that the guide states that after successful user authentication, the server should POST a JSON object

{ “grant_type”: “authorization_code”, 
“client_id”: [client_id], 
“client_secret”: [client_secret], 
“code”: [the code that was returned with the redirect],
 “redirect_uri”: [the same redirect uri as before] }

which is not happening in my case either.

Will appreciate if somebody managed to identify users from queries and will share.

1 Like

I use Oauth in custom GPT, not in a plugin, but the approach is similar. At the beginning, in the first tests I did, I could not see any user information in the token, but this is up to the Oauth server, I had to configure my Oauth server to include the user data in the token.

So I guess it will depend of setting up correctly your OAuth server. In my case I realized that I had to use the right scope in order to receive user data in the token.

Solved it. As it mentioned here, you have to parse the body with application/x-www-form-urlencoded parser.

1 Like