
Apps SDK – Authentication (OAuth 2.1 + PKCE)

Official guide to integrating OAuth 2.1 with PKCE according to the MCP authorization specification.


Overview

The Apps SDK supports OAuth 2.1 with PKCE for authenticating users when apps need to access customer-specific data or perform write actions. This guide covers integrating with your own authorization server, implementing the required endpoints, and handling the OAuth flow with ChatGPT acting as the client.

Key Points

OAuth 2.1 with PKCE for secure user authentication
Required for apps that access customer data or perform write actions
Supports integration with existing authorization servers
ChatGPT acts as the OAuth client with dynamic registration
Requires specific endpoints: discovery, token, and registration
Implements authorization code + PKCE flow for security

Prerequisites

Understanding of OAuth 2.1 and PKCE concepts
Access to an authorization server (Auth0, Okta, Cognito, or custom)
Knowledge of MCP authorization specification
Basic understanding of web security principles

Step-by-Step Guide

1. Set up your authorization server with the required endpoints
2. Configure discovery metadata and OAuth endpoints
3. Implement the dynamic client registration endpoint
4. Configure your MCP server with AuthSettings
5. Test the OAuth flow with ChatGPT
6. Handle access tokens in your MCP server requests
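The steps above describe the server side of the authorization code + PKCE flow. The following is an added example, not code from the Apps SDK, the MCP SDK or the linked guide: a minimal authorization server in pure Python that publishes RFC 8414 discovery metadata (step 2), issues an authorization code bound to an S256 code challenge, and checks the code verifier at the token endpoint with a constant-time comparison and single-use codes. The issuer URL, the in-memory code store and the endpoint paths are assumptions for illustration; the metadata dictionary is the shape of the document, not a list of everything a given authorization server advertises.

```python
"""Added example (not Apps SDK or MCP SDK code): the PKCE core of an
OAuth 2.1 authorization server. The issuer URL, endpoint paths and the
in-memory code store are assumptions for illustration only."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier (32 random bytes -> 43 characters)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge = base64url(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_server_metadata(issuer: str) -> dict:
    """Discovery document (RFC 8414) served under /.well-known/.
    Only S256 is advertised: 'plain' is not allowed under OAuth 2.1."""
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{issuer}/authorize",   # assumed path
        "token_endpoint": f"{issuer}/token",               # assumed path
        "registration_endpoint": f"{issuer}/register",     # assumed path
        "response_types_supported": ["code"],
        "grant_types_supported": ["authorization_code", "refresh_token"],
        "code_challenge_methods_supported": ["S256"],
    }


class AuthorizationServer:
    """In-memory stand-in for the real server; codes are bound to the
    client, the redirect URI and the PKCE challenge, and used once."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
        }
        return code

    def token(self, client_id: str, redirect_uri: str, code: str,
              code_verifier: str) -> Optional[dict]:
        """Returns a token response, or None when the exchange must be refused."""
        record = self._codes.pop(code, None)            # single-use code
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        if not 43 <= len(code_verifier) <= 128:         # RFC 7636 length bounds
            return None
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, record["code_challenge"]):
            return None
        return {
            "access_token": b64url(secrets.token_bytes(32)),  # opaque demo token
            "token_type": "Bearer",
            "expires_in": 3600,
        }


def run_flow(issuer: str = "https://auth.example.test") -> bool:
    """Walks one complete exchange: client builds verifier/challenge, server
    issues a code, client redeems it. Returns True when a token is issued."""
    server = AuthorizationServer()
    meta = authorization_server_metadata(issuer)
    assert "S256" in meta["code_challenge_methods_supported"]
    client_id, redirect_uri = "demo-client", "https://client.example.test/cb"
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier), "S256")
    return server.token(client_id, redirect_uri, code, verifier) is not None


if __name__ == "__main__":
    print("token issued:", run_flow())
```

The two checks that carry the security value are the constant-time comparison of the recomputed challenge and the `pop` that makes every authorization code single-use; a stolen code without the matching verifier, or a replayed code, is refused at the token endpoint.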