Codencer provides a minimal single-user OAuth dev front-door for ChatGPT
Developer Mode testing. The public connector path uses codencer-gatewayd;
Relay OAuth dev remains available for direct self-host testing. This is not
enterprise IAM and does not implement refresh tokens.
./bin/codencer setup self-host \
--gateway-url https://gateway.example.com \
--mcp-url https://gateway.example.com/mcp \
--relay-url https://relay.example.com \
--token-env CODENCER_GATEWAY_MCP_TOKEN \
--relay-request-timeout-seconds 300 \
--enable-oauth-dev \
--jsonGenerated secrets are written only under $CODENCER_HOME/tokens with 0600 permissions:
gateway-oauth-client-secretgateway-oauth-operator-code
The Gateway config stores only hashes, issuer/client metadata, scopes, and TTLs.
OAuth dev accepts syntactically valid redirect URIs so an operator can test ChatGPT/custom-MCP setup without running a full IdP. Production deployments must use redirect allowlisting or an external IdP/front door. This dev issuer is not public multi-user production.
GET /.well-known/oauth-authorization-serverGET /.well-known/openid-configurationGET|POST /oauth/authorizePOST /oauth/token
The flow uses authorization code plus PKCE S256. Access tokens are opaque, hashed in memory, scoped, TTL-bound, and audience/resource-bound to /mcp. Refresh tokens are not implemented.
For direct Relay OAuth dev mode, use
codencer setup relay --proxy-timeout-seconds 300 --enable-chatgpt-oauth-dev.
That path is for advanced/direct/debug testing, not the public Gateway-first
connector endpoint.
./bin/codencer setup relay \
--base-url https://relay.example.com \
--proxy-timeout-seconds 300 \
--generate-planner-token \
--chatgpt-dev-noauth \
--jsonThis is explicit dev-only mode. By default it is read-only and limited to fake/test project ids. Real project write tools require:
--allow-real-projects-in-dev-noauthDo not use real-project dev no-auth on a public relay.