Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/chatgpt-local-agent-mcp/llms.txt

Use this file to discover all available pages before exploring further.

Path B is the full remote connector setup. It is only for after Path A succeeds. If the local server has not been verified clean — dashboard reachable, health endpoint responding, smoke checks passing — do not start here. The remote setup introduces multiple moving parts (tunnels, two OAuth layers, allowlists, HTTPS endpoints) and you need a known-good local baseline before layering them on top. The goal of Path B is to connect ChatGPT to your local MCP server through an authenticated HTTPS endpoint. The extra friction compared to Path A is deliberate. This path connects a remote client to local machine capabilities. That should stay explicit, supervised, and a bit boring on purpose.

Target architecture

ChatGPT
  -> https://your-public-host.example/mcp
  -> Cloudflare Tunnel
  -> http://127.0.0.1:8789
  -> local MCP server
  -> your Windows PC

Additional requirements

Beyond the requirements for Path A, you will need:
  • Cloudflare Tunnel (or another HTTPS tunnel)
  • A domain with DNS managed by Cloudflare
  • cloudflared installed locally
  • A GitHub OAuth App
  • ChatGPT connector OAuth values (OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, OAUTH_REDIRECT_URIS)
  • A public HTTPS MCP endpoint
  • A GitHub login allowlist

The two OAuth layers

Before walking through the steps, it is important to understand that Path B involves two completely separate OAuth relationships. Mixing them up is the most common source of configuration errors.

GitHub OAuth — your identity

GitHub is the identity provider. When you (the human operator) authorize the MCP server, you sign in with GitHub. The server receives the GitHub callback, checks your login against ALLOWED_GITHUB_LOGINS, and then issues a local MCP authorization code.GitHub callback URL:
https://your-public-host.example/callback
Relevant .env keys:
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
ALLOWED_GITHUB_LOGINS=your-github-login

ChatGPT connector OAuth — the MCP client

ChatGPT is the OAuth client talking to this MCP server. The OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET are credentials that identify ChatGPT as the MCP client to the local server — they are not GitHub credentials.Relevant .env keys:
OAUTH_CLIENT_ID=
OAUTH_CLIENT_SECRET=
OAUTH_REDIRECT_URIS=
Keep these two layers completely separate. Do not put the ChatGPT redirect URI into the GitHub OAuth App, and do not use the GitHub credentials in the ChatGPT connector fields.

Steps

1

Configure the public base URL

Update your .env with the public hostname that Cloudflare Tunnel will expose. This must be an HTTPS URL pointing to your tunnel-backed domain:
PUBLIC_BASE_URL=https://mcp.your-domain.example
CLOUDFLARE_TUNNEL_ENABLED=true
CLOUDFLARED_CONFIG=C:\Users\you\.cloudflared\config.yml
The CLOUDFLARED_CONFIG path should point to the local cloudflared configuration file you will set up in the Cloudflare Tunnel step. See Cloudflare Tunnel setup for the full tunnel configuration.
CLOUDFLARE_TUNNEL_NAME defaults to chatgpt-local-agent-mcp in .env.example. You can change it to match your own tunnel name.
2

Enable auth for remote use

Remote use must always run with auth enabled:
AUTH_REQUIRED=true
Never expose the server publicly with AUTH_REQUIRED=false. The server enforces this at startup and will refuse to start with AUTH_REQUIRED=false when CLOUDFLARE_TUNNEL_ENABLED=true or when PUBLIC_BASE_URL is a public HTTPS URL. Treat .env as security-critical regardless of server-side guards.
When AUTH_REQUIRED=true, the following values all become required: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, ALLOWED_GITHUB_LOGINS, OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, and OAUTH_REDIRECT_URIS. The server will not start if any are missing.
3

Create a GitHub OAuth App

In your GitHub account, create a new OAuth App under Settings → Developer settings → OAuth Apps.Set the authorization callback URL to:
https://your-public-host.example/callback
Once created, copy the client ID and generate a client secret, then add them to .env:
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
ALLOWED_GITHUB_LOGINS=your-github-username
ALLOWED_GITHUB_LOGINS is a comma-separated list of GitHub usernames that are permitted to complete authentication. Only logins on this list will receive a local MCP authorization code after a successful GitHub sign-in.
4

Configure ChatGPT connector OAuth

When you add the MCP connector in ChatGPT, ChatGPT will provide you with an OAuth client ID, client secret, and redirect URI. These are the credentials that identify ChatGPT as the MCP client to your local server — they are not GitHub credentials.Add them to .env:
OAUTH_CLIENT_ID=chatgpt-provided-client-id
OAUTH_CLIENT_SECRET=chatgpt-provided-client-secret
OAUTH_REDIRECT_URIS=https://chatgpt.com/aip/g-...
OAUTH_REDIRECT_URIS is a comma-separated list. Non-loopback redirect URIs must use HTTPS.
If you delete the ChatGPT connector and recreate it, ChatGPT may provide a different redirect URI. Update OAUTH_REDIRECT_URIS to match the new value. A mismatch here will cause /authorize to return invalid_request.
The server exposes OAuth metadata at:
/.well-known/oauth-protected-resource
/.well-known/oauth-authorization-server
The server does not support dynamic client registration.
5

Start the local server and cloudflared

Before connecting ChatGPT, verify all of the following are true:
  • The local MCP server is listening on http://127.0.0.1:8789
  • cloudflared is running and connected
  • The public hostname reaches the local server
  • The Cloudflare tunnel dashboard shows at least one active replica
  • The dashboard and health checks at the public URL are clean
https://your-public-host.example/healthz
If the public hostname returns a Cloudflare 530 error, the tunnel route is likely configured correctly but the local cloudflared connector is not running. See the Cloudflare Tunnel guide for troubleshooting.
6

Connect ChatGPT

In ChatGPT, add a new connector using the MCP endpoint:
https://your-public-host.example/mcp
ChatGPT will initiate the OAuth flow. You will be redirected to GitHub to sign in, and the server will check your login against ALLOWED_GITHUB_LOGINS before issuing an authorization code.
If /mcp returns 401 without a token, that is expected and correct behavior for a protected MCP endpoint. The OAuth flow is the intended path to obtaining a token.

Next steps

Cloudflare Tunnel

Full steps for creating a Cloudflare Tunnel, configuring DNS, and writing the cloudflared ingress config file.

OAuth Model

Deep dive into how the two OAuth layers work, what the server checks at each stage, and how scopes are issued.

Build docs developers (and LLMs) love