MCP.directory
Updated May 2026Infrastructure guide17 min read

OpenAI Secure MCP Tunnels: Full Guide (2026)

OpenAI Secure MCP Tunnel gives your team a practical way to keep MCP servers private while still letting ChatGPT, Codex, and the Responses API call them. This walkthrough covers architecture, setup, trust boundaries, hardening, operational pitfalls, and where tunnel mode fits against direct remote MCP.

Diagram-style illustration of a private MCP server connected to OpenAI through an outbound-only tunnel client.
On this page · 15 sections
  1. One-sentence definition
  2. Why this exists now
  3. Mental model and data path
  4. Smallest end-to-end setup
  5. Deep dive: each moving part
  6. What teams get wrong
  7. Wrong vs right patterns
  8. Common mistakes
  9. Performance and scaling notes
  10. Who this is for
  11. Community and contrarian view
  12. The verdict
  13. FAQ
  14. Glossary
  15. All sources and links

One-sentence definition

Secure MCP Tunnel is an outbound-only relay pattern where a customer-run daemon (tunnel-client) pulls MCP requests from OpenAI, forwards them to a private MCP server, and returns responses without exposing that server on the public internet.

Why this exists now

The adoption blocker for remote MCP in enterprises has not been protocol support; it has been network policy. Security teams often reject opening inbound firewall rules to internal tool servers, even when OAuth and mTLS are available, because public reachability still expands the attack surface and operational burden.

Secure MCP Tunnel addresses that exact boundary: OpenAI-hosted products keep a normal MCP request path, while the customer environment only makes outbound HTTPS calls. In practical terms, this means no public DNS for the MCP server, no inbound NAT rules, and no externally reachable MCP endpoint to maintain.

Mental model and data path

Treat the tunnel as two linked surfaces with one identity (tunnel_id):

  • OpenAI side: an OpenAI-hosted MCP tunnel endpoint used by ChatGPT connectors, Codex, or API-backed surfaces.
  • Customer side: tunnel-client running close to your private MCP server.
OpenAI product (ChatGPT / Codex / Responses)
                |
                v
OpenAI-hosted MCP tunnel endpoint (/v1/mcp/{tunnel_id})
                ^
                |  outbound HTTPS long-poll + response
                |
tunnel-client in customer network
                |
                v
private MCP server (stdio or streamable-http)

The queue-and-poll shape matters: the private server is not listening to internet traffic. The daemon pulls work, then posts results back. This is why tunnel mode can satisfy stricter network controls while preserving MCP semantics.

Smallest end-to-end setup

This is the shortest operational path from private MCP to an OpenAI product surface.

# 1) Set tunnel identity and runtime key
export CONTROL_PLANE_TUNNEL_ID="tunnel_0123456789abcdef0123456789abcdef"
export CONTROL_PLANE_API_KEY="sk-..."

# 2) Init a profile that points to local stdio MCP
tunnel-client init   --sample sample_mcp_stdio_local   --profile local-stdio   --tunnel-id "$CONTROL_PLANE_TUNNEL_ID"   --mcp-command "python /path/to/server.py"

# 3) Validate before runtime
tunnel-client doctor --profile local-stdio --explain

# 4) Start daemon
tunnel-client run --profile local-stdio

In ChatGPT connector settings, choose Tunnel mode and select or paste the same tunnel_id. You do not expose your internal MCP URL in connector setup.

Deep dive: each moving part

1) Identity and permissions model

Two control responsibilities are split by design:

  • Runtime key for the long-running daemon (CONTROL_PLANE_API_KEY) with tunnel read/use.
  • Admin key for tunnel CRUD workflows (OPENAI_ADMIN_KEY) with manage scope.

Keep these separate. Reusing admin keys in long-lived daemons creates unnecessary blast radius.

2) Control plane polling behavior

tunnel-client long-polls OpenAI control-plane endpoints for work, then posts responses using request IDs. This introduces backpressure controls at both queue and daemon layers, with defaults like max inflight request windows.

Opinionated takeaway: tune concurrency only after observing real tool latency and MCP server limits. Prematurely raising inflight values often hurts stability more than throughput.

3) MCP-side transport flexibility

The private-side hop can still be stdio or streamable-http. That means tunnel mode is not a rewrite of your MCP implementation; it is a reachability pattern in front of it.

For local compute servers and agents on the same host, stdio is usually simplest. For internal shared MCP services, streamable- http with internal auth and optional mTLS can fit better.

4) mTLS and cert boundary gotchas

There are two certificate contexts that teams mix up:

  • CONTROL_PLANE_CLIENT_CERT / CONTROL_PLANE_CLIENT_KEY for the OpenAI hop.
  • MCP_CLIENT_CERT / MCP_CLIENT_KEY for the private MCP hop.

Do not reuse certs across those links. The onboarding docs call this out because it is a frequent enterprise onboarding failure.

5) Observability and operations

Unlike ad-hoc SSH tunnels, tunnel-client includes operator-friendly endpoints (/healthz, /readyz, /metrics) and an admin UI. This is crucial for production because connector setup can look healthy while runtime routing is not.

Treat readiness as a gating signal for connector tests. If/readyz is not healthy, debugging in ChatGPT UI is usually wasted effort.

What teams get wrong first

1) They think tunnel mode removes auth design work. It removes inbound exposure, not authorization discipline. You still need scope boundaries, key lifecycle controls, and least- privilege server behavior.

2) They treat tunnel setup as a one-time integration task. In reality, it is runtime infrastructure. You need health checks, restart strategy, and ownership for key/cert rotation.

3) They confuse “private network” with “safe by default.” Tool injection, over-broad write operations, and weak prompt boundaries can still happen entirely inside private perimeter.

Wrong vs right patterns

Wrong: one shared high-privilege key for admin and runtime

This couples blast radius to uptime. A leaked runtime process key can become a tunnel-management compromise.

Right: strict key role separation and rotation policy

Runtime key for daemon only, admin key for explicit tunnel operations, both scoped by workspace context.

Wrong: opening health endpoint broadly on untrusted network segments

Operations visibility endpoints are useful, but still an attack surface if overexposed.

Right: bind health/admin to loopback or trusted operator subnet

Keep remote access deliberate and auditable, not default.

Common mistakes

  • Creating the tunnel in one workspace and configuring connector in another, so tunnel selection never appears.
  • Assuming a healthy daemon implies healthy MCP server; always validate actual tool execution path.
  • Running multiple active daemons on the same tunnel id without explicit architecture intent.
  • Logging raw request/response payloads in production, which can leak sensitive content and tokens.
  • Ignoring upstream MCP auth hardening because tunnel mode “feels internal”; token validation and scope control still apply.

Performance and scaling notes

Secure MCP Tunnel adds one queue + poll relay hop. In exchange for private reachability, you accept a small latency tax versus direct in-network calls. In most enterprise assistant workflows, this is acceptable compared to the governance win of no public ingress.

  • Keep MCP tool handlers idempotent where possible; retries are easier to reason about when queue edges are involved.
  • Start with default inflight settings and measure before tuning.
  • Use readiness probes in container runtimes to avoid routing work to a daemon that cannot reach MCP backend.

Who this is for

Best fit

  • Private or on-prem MCP servers behind strict firewalls.
  • Teams that need ChatGPT/Codex/Responses access without public ingress.
  • Organizations with security review requirements for inbound exposure.

Not always best

  • Public-first MCP services already hardened for remote OAuth flows.
  • Ultra-low-latency internal agent loops where extra relay hops are unacceptable.
  • Teams without operational ownership for daemon lifecycle and key rotation.

Community and contrarian view

OpenAI Developer relations framed this release in plain operational terms: private MCP servers can stay inside customer networks while OpenAI products connect through outbound-only HTTPS. That message resonated because it maps directly to enterprise security approvals.

The contrarian take is useful: tunnel mode solves perimeter exposure, but it is not an all-in-one MCP security framework. The broader MCP security discussion still emphasizes token audience binding, no token passthrough, and strict authorization handling for HTTP-based MCP servers.

The verdict

Our take

Use Secure MCP Tunnel when network policy blocks inbound exposure and you need OpenAI product integration now. It is the most practical bridge for private MCP in enterprises. Skip it only when your server is intentionally public with strong remote auth already in place and relay overhead adds no value.

Frequently asked questions

Is Secure MCP Tunnel replacing MCP OAuth for remote servers?

No. Secure MCP Tunnel is a transport pattern for private-network reachability. OAuth still matters when you expose remote MCP over HTTP directly. Tunnel mode reduces public exposure by removing inbound server access.

Do I need to open any inbound firewall ports?

No. The core design is outbound-only from your environment to OpenAI over HTTPS. Your private MCP server stays internal and is reached locally by tunnel-client.

Can I point ChatGPT directly to my internal MCP server URL instead of tunnel mode?

Not for private network hosts that are not publicly reachable. Tunnel mode is specifically for that scenario. In current UI, you select Tunnel and provide or choose a tunnel id.

What is the most common production failure after initial setup?

Running tunnel-client with the wrong identity or scope: using a key without tunnel Use permission, or creating a tunnel in one workspace and configuring the connector in another. Both look like healthy local config but no traffic.

Can one tunnel id be used by multiple tunnel-client instances?

OpenAI guidance in onboarding docs is one active tunnel-client per tunnel id unless support explicitly advises otherwise. Multiple active consumers can produce hard-to-debug queue and routing behavior.

Does tunnel mode eliminate all MCP security risks?

No. It shrinks network exposure, but tool-level risks remain: over-scoped tool actions, weak input validation, token handling mistakes, and prompt-injection paths through model/tool workflows.

Glossary

Secure MCP Tunnel

OpenAI-managed tunnel path for private MCP reachability.

tunnel-client

Customer-run daemon that polls, forwards, and responds.

tunnel_id

Identity tying connector-side target to daemon-side polling.

Control plane

OpenAI endpoints used by tunnel-client for poll/response.

Runtime key

API key used by long-running tunnel-client process.

Admin key

Higher-privilege key for tunnel management APIs.

Outbound-only

Connection model where private network initiates traffic only.

PRMD

OAuth Protected Resource Metadata used for auth server discovery.

All sources and links

Primary sources

Community and launch signal

Security and protocol context

Related on MCP.Directory

Keep reading

Auth

OAuth 2.1 for remote MCP servers

Read

Protocol

What is the Model Context Protocol?

Read

Directory

Remote MCP servers

Browse