Path B is the full remote connector setup. It is only for after Path A succeeds. If the local server has not been verified clean — dashboard reachable, health endpoint responding, smoke checks passing — do not start here. The remote setup introduces multiple moving parts (tunnels, two OAuth layers, allowlists, HTTPS endpoints) and you need a known-good local baseline before layering them on top. The goal of Path B is to connect ChatGPT to your local MCP server through an authenticated HTTPS endpoint. The extra friction compared to Path A is deliberate. This path connects a remote client to local machine capabilities. That should stay explicit, supervised, and a bit boring on purpose.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/chatgpt-local-agent-mcp/llms.txt
Use this file to discover all available pages before exploring further.
Target architecture
Additional requirements
Beyond the requirements for Path A, you will need:- Cloudflare Tunnel (or another HTTPS tunnel)
- A domain with DNS managed by Cloudflare
cloudflaredinstalled locally- A GitHub OAuth App
- ChatGPT connector OAuth values (
OAUTH_CLIENT_ID,OAUTH_CLIENT_SECRET,OAUTH_REDIRECT_URIS) - A public HTTPS MCP endpoint
- A GitHub login allowlist
The two OAuth layers
Before walking through the steps, it is important to understand that Path B involves two completely separate OAuth relationships. Mixing them up is the most common source of configuration errors.GitHub OAuth — your identity
GitHub is the identity provider. When you (the human operator) authorize the MCP server, you sign in with GitHub. The server receives the GitHub callback, checks your login against Relevant
ALLOWED_GITHUB_LOGINS, and then issues a local MCP authorization code.GitHub callback URL:.env keys:ChatGPT connector OAuth — the MCP client
ChatGPT is the OAuth client talking to this MCP server. The
OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET are credentials that identify ChatGPT as the MCP client to the local server — they are not GitHub credentials.Relevant .env keys:Steps
Configure the public base URL
Update your The
.env with the public hostname that Cloudflare Tunnel will expose. This must be an HTTPS URL pointing to your tunnel-backed domain:CLOUDFLARED_CONFIG path should point to the local cloudflared configuration file you will set up in the Cloudflare Tunnel step. See Cloudflare Tunnel setup for the full tunnel configuration.CLOUDFLARE_TUNNEL_NAME defaults to chatgpt-local-agent-mcp in .env.example. You can change it to match your own tunnel name.Enable auth for remote use
Remote use must always run with auth enabled:When
AUTH_REQUIRED=true, the following values all become required: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, ALLOWED_GITHUB_LOGINS, OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, and OAUTH_REDIRECT_URIS. The server will not start if any are missing.Create a GitHub OAuth App
In your GitHub account, create a new OAuth App under Settings → Developer settings → OAuth Apps.Set the authorization callback URL to:Once created, copy the client ID and generate a client secret, then add them to
.env:ALLOWED_GITHUB_LOGINS is a comma-separated list of GitHub usernames that are permitted to complete authentication. Only logins on this list will receive a local MCP authorization code after a successful GitHub sign-in.Configure ChatGPT connector OAuth
When you add the MCP connector in ChatGPT, ChatGPT will provide you with an OAuth client ID, client secret, and redirect URI. These are the credentials that identify ChatGPT as the MCP client to your local server — they are not GitHub credentials.Add them to The server exposes OAuth metadata at:The server does not support dynamic client registration.
.env:OAUTH_REDIRECT_URIS is a comma-separated list. Non-loopback redirect URIs must use HTTPS.If you delete the ChatGPT connector and recreate it, ChatGPT may provide a different redirect URI. Update
OAUTH_REDIRECT_URIS to match the new value. A mismatch here will cause /authorize to return invalid_request.Start the local server and cloudflared
Before connecting ChatGPT, verify all of the following are true:If the public hostname returns a Cloudflare
- The local MCP server is listening on
http://127.0.0.1:8789 cloudflaredis running and connected- The public hostname reaches the local server
- The Cloudflare tunnel dashboard shows at least one active replica
- The dashboard and health checks at the public URL are clean
530 error, the tunnel route is likely configured correctly but the local cloudflared connector is not running. See the Cloudflare Tunnel guide for troubleshooting.Connect ChatGPT
In ChatGPT, add a new connector using the MCP endpoint:ChatGPT will initiate the OAuth flow. You will be redirected to GitHub to sign in, and the server will check your login against
ALLOWED_GITHUB_LOGINS before issuing an authorization code.If
/mcp returns 401 without a token, that is expected and correct behavior for a protected MCP endpoint. The OAuth flow is the intended path to obtaining a token.Next steps
Cloudflare Tunnel
Full steps for creating a Cloudflare Tunnel, configuring DNS, and writing the cloudflared ingress config file.
OAuth Model
Deep dive into how the two OAuth layers work, what the server checks at each stage, and how scopes are issued.