All configuration for ChatGPT Local Agent MCP lives in a privateDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/chatgpt-local-agent-mcp/llms.txt
Use this file to discover all available pages before exploring further.
.env file that you create inside your install folder by copying .env.example. The install folder is %LOCALAPPDATA%\chatgpt-local-agent-mcp by default — never commit this file or share it, as it contains OAuth secrets and controls what tools are exposed to ChatGPT. The sections below document every supported variable, its type, its default value, and what it does.
Server Binding
These variables control the network address the MCP server listens on and the public URL it advertises in OAuth metadata and resource discovery.The hostname or IP address the HTTP server binds to. The default binds to loopback only, which means the server is not reachable from other machines. Do not change this to
0.0.0.0 or a public interface unless you are intentionally exposing the server and have auth fully configured.The TCP port the server listens on. Must be a positive integer. Change this only if port
8789 is already occupied on your machine.The base URL the server advertises in OAuth protected resource metadata and authorization server discovery. For local-only use, the default loopback URL is correct. For a remote ChatGPT connector with Cloudflare Tunnel, set this to your HTTPS public hostname (e.g.
https://mcp.your-domain.example). When AUTH_REQUIRED=true and the URL is not localhost, HTTPS is enforced.When
true, the server trusts X-Forwarded-For and related reverse-proxy headers for rate limiting and IP extraction. Only set this to true if the server sits behind a trusted reverse proxy that you control. Setting it true when the server is directly internet-facing allows IP spoofing.Authentication
These variables control the authentication system: whether auth is required, PKCE enforcement, rate limiting on the auth endpoints, and the in-memory store limits for auth codes and tokens.Master switch for authentication. When
true, all requests to the MCP endpoint require a valid OAuth access token. Set to false only for a localhost-only smoke test before OAuth is configured — the server enforces that AUTH_REQUIRED=false cannot be combined with a public HTTPS URL, a Cloudflare Tunnel, or a non-loopback bind address.When
true, the OAuth authorization code flow requires PKCE (code_challenge / code_verifier). Leave this enabled. Disabling it weakens the authorization code flow and should only be considered for debugging against a client that does not support PKCE.The synthetic identity login used when
AUTH_REQUIRED=false. This value appears in journals and logs to identify the actor. Only relevant for local smoke tests — it has no effect when AUTH_REQUIRED=true.Maximum number of requests allowed per IP address within the rate-limit window on authentication endpoints. Requests above this threshold receive a
429 Too Many Requests response.Maximum number of IP-keyed rate-limit buckets kept in memory simultaneously. Limiting this prevents unbounded memory growth from large numbers of distinct IPs hitting the auth endpoints.
The sliding window duration in milliseconds for the auth rate limiter. The default is 60 seconds. Each IP’s request count resets after this period.
Maximum number of in-flight OAuth authorization requests (pending state entries) the server holds in memory. Excess entries are rejected to prevent memory exhaustion from abandoned flows.
Maximum number of issued authorization codes the server keeps in memory before older ones are evicted. Each code is short-lived and consumed on token exchange.
Maximum number of active access tokens the server holds in memory simultaneously. This is intentionally small — the server is designed for a single authorized ChatGPT connector, not many concurrent clients.
How often (in milliseconds) the auth store scans for and removes expired codes, tokens, and pending entries. The default is 60 seconds.
GitHub OAuth
GitHub is used as the identity provider. You sign in with GitHub, the server checks your login against the allowlist, and then issues a local MCP authorization code. These credentials come from your GitHub OAuth App — they are separate from the ChatGPT connector OAuth credentials below.The Client ID from your GitHub OAuth App. Required when
AUTH_REQUIRED=true. The GitHub OAuth App callback URL must be set to https://your-public-host.example/callback.The Client Secret from your GitHub OAuth App. Required when
AUTH_REQUIRED=true. Keep this value secret.Comma-separated list of GitHub usernames that are permitted to complete authentication. After a successful GitHub login, the server checks the authenticated username (case-insensitive) against this list before issuing a local authorization code. Required when
AUTH_REQUIRED=true. Example: alice,bob.ChatGPT Connector OAuth
ChatGPT connects to this MCP server as an OAuth client. These credentials are configured in the ChatGPT connector settings and then mirrored here. They are completely separate from your GitHub OAuth credentials.The OAuth client ID that ChatGPT presents when initiating the authorization flow. This value is assigned when you create the ChatGPT MCP connector. Required when
AUTH_REQUIRED=true.The OAuth client secret that ChatGPT presents at the token endpoint. Required when
AUTH_REQUIRED=true. If the connector is deleted and recreated, ChatGPT may issue a new secret — update this value and restart the server.Comma-separated list of allowed OAuth redirect URIs. ChatGPT provides a redirect URI during the authorization request; the server rejects any URI not in this list. Non-localhost URIs must use HTTPS. Required when
AUTH_REQUIRED=true. If ChatGPT gives you a new redirect URI after recreating the connector, add it here.Space-separated list of MCP scopes included in access tokens by default. The default grants all ten scopes. Narrow this list to limit which tool categories ChatGPT can access without requiring per-session scope negotiation. See Security — Scopes for the full scope reference.
Cloudflare Tunnel
Cloudflare Tunnel is the recommended way to expose the local MCP server to ChatGPT over HTTPS without opening inbound firewall ports. These variables control whether the server starts a localcloudflared process and how it is configured.
When
true, the server attempts to start or monitor a Cloudflare Tunnel using the cloudflared binary. Cannot be combined with AUTH_REQUIRED=false.Optional absolute path to the
cloudflared executable. If empty, the server looks for cloudflared on the system PATH. Example: C:\tools\cloudflared.exe.Path to the
cloudflared configuration YAML file. Required when CLOUDFLARE_TUNNEL_ENABLED=true and using a locally managed named tunnel. Example: C:\Users\you\.cloudflared\config.yml.The name of the Cloudflare Tunnel. Used for display and identification in dashboard output. Change this if you have multiple tunnels and need to distinguish them.
Filesystem & Workspace
These variables control where the server starts, how much of the filesystem it can reach, what policy mode ceiling applies, and where it stores journals and backups.The initial working directory used for relative paths and shell commands. If empty or not set, falls back to
Documents\GitHub inside the current user’s home directory (e.g. C:\Users\you\Documents\GitHub on Windows). This does not restrict filesystem access on its own — use GPT_FS_MCP_WORKSPACE_PROFILES_JSON for that.The highest policy mode the server will permit across all tool calls. Valid values are
read, annotate, suggest, write, patch, delete, and destructive. Setting this to a lower value like write prevents tools from deleting files even if the client requests it. See Security — Policy Modes for the full hierarchy.When
true, all filesystem and shell operations are checked against the declared workspace profiles. Paths outside every profile’s rootPath are rejected. Set to false only if you are intentionally running without profile-based path restrictions.A JSON array of workspace profile objects. Each profile defines a
rootPath, a name, an optional label, allowedPolicyModes, backupPolicy (none | manual | snapshot), and secretDenyGlobs. When empty, the server auto-generates one profile per detected drive root on Windows (e.g. C:\, D:\), giving full-machine access. Define explicit profiles to restrict access to specific folders or repos.Path to the JSONL operation journal file. The server appends a structured log entry for each MCP tool call, redacting common secret-looking fields. Relative paths are resolved from the server’s working directory (the install folder).
Directory where file backups are written before destructive operations. Relative paths are resolved from the install folder.
Comma-separated list of absolute paths that are treated as untrusted content sources. Files read from these paths are handled with additional caution. Useful for marking directories that contain user-generated or third-party content that should not be treated as trusted instructions.
Shell & Process
These variables control whether shell and process execution tools are available and how they behave relative to workspace boundaries. See Command Policies for the full policy reference.Controls the
shell tool’s access to paths outside declared workspace profiles. Valid values: disabled (tool is unavailable), workspace_guarded (checks working directory and path references against profiles), full (no path restriction beyond scopes and policy mode). See Command Policies.Controls
start_process tool access relative to workspace profiles. Same three values as GPT_FS_MCP_SHELL_POLICY. Note: stop_process and process_kill are governed by scope and policy mode checks, not by this command policy gate. See Command Policies.Maximum time in milliseconds a shell command is allowed to run before it is forcibly terminated. The default is 120 seconds (2 minutes). Increase this for long-running build commands; lower it for tighter latency control.
Limits & Sizing
These variables cap the size of request bodies, file backups, tool output, and screenshot data. They protect against accidental or intentional requests that would transfer very large amounts of data.Maximum allowed size in bytes for incoming HTTP request bodies. When unset, defaults to 150% of
GPT_FS_MCP_MAX_OUTPUT_BYTES (i.e. ceil(200000 * 1.5) = 300000). Must be at least 110% of GPT_FS_MCP_MAX_OUTPUT_BYTES. The server enforces this relationship at startup.Maximum size in bytes of a single file that will be backed up before a destructive operation. Files larger than this limit are not backed up.
Maximum size in bytes for a single tool’s text output. Responses that exceed this limit are truncated before being returned to the MCP client.
Maximum allowed pixel area (width × height) for a captured screenshot. Screenshots that would exceed this area are rejected or scaled down.
Maximum file size in bytes for a single screenshot image.
Maximum width or height in pixels for a captured screenshot. Either dimension exceeding this value causes the screenshot to be rejected or resized.
Maximum number of screenshot files the server will retain on disk. Older files are rotated out when the count exceeds this limit.
Browser
These variables control browser automation sessions managed via Playwright. Browser tools are high-risk because they can interact with visible browser UI and active authenticated sessions.Time in milliseconds of inactivity after which an idle browser session is automatically closed. The default is 30 minutes (1,800,000 ms).
Maximum number of browser console and network log entries retained per session. Older entries are dropped when the limit is reached.
Maximum number of browser screenshot files retained on disk. Older files are rotated out when the count exceeds this limit.
Maximum file size in bytes for a single browser screenshot.
Maximum number of concurrent browser sessions the server will manage. Requests to open a new session when the limit is reached are rejected.
Development
Node.js environment mode. Valid values are
development and production. Setting AUTH_REQUIRED=false is only permitted when NODE_ENV is development or unset. Set to production for any deployment reachable from outside your local machine.When
true, the server exposes additional runtime diagnostic information in HTTP responses and logs. Do not enable this in production — it may leak internal state.