On June 26, 2026, OpenAI published the Secure MCP Tunnel — a customer-operated tunnel client that bridges private or on-prem MCP servers to ChatGPT, Codex, the Responses API, and AgentKit, without exposing those servers to the public internet.
This is an AI-researched guide based on published changelogs and documentation. ChatForest does not have hands-on access to these tools.
The problem it solves
Public MCP servers work fine for demo tools and open data. But enterprise MCP servers often sit behind corporate firewalls for good reasons: they hold internal databases, proprietary APIs, compliance-sensitive data, or are simply not designed to absorb inbound traffic from the open internet.
Before Secure MCP Tunnel, the only way to connect such a server to ChatGPT or the Responses API was to either punch a hole in the firewall (a security and compliance problem) or duplicate the MCP server on a public host (an operational and sync problem).
How it works
The tunnel inverts the direction of connectivity. Instead of OpenAI calling inbound to your server, your environment initiates an outbound call.
- You run
tunnel-clientinside your private network, alongside the MCP server. tunnel-clientestablishes an outbound HTTPS connection to OpenAI’s tunnel control plane.- When a ChatGPT or Responses API request needs your MCP server, OpenAI queues that request at the hosted tunnel endpoint.
tunnel-clientretrieves the request from the queue, forwards it to your local MCP server, and streams the response back through the same outbound channel.
The transport is long-polling over standard HTTPS — no WebSocket, no custom protocol, no open inbound ports. Enterprise firewalls and outbound HTTPS proxies handle it without changes.
Quick setup
Download tunnel-client from platform.openai.com/settings/organization/tunnels or the openai/tunnel-client GitHub releases. The binary is open-source so your security team can review what runs inside the protected network.
For a stdio MCP server:
export CONTROL_PLANE_API_KEY="sk-..."
tunnel-client init \
--sample sample_mcp_stdio_local \
--profile local-stdio \
--tunnel-id tunnel_0123456789abcdef0123456789abcdef \
--mcp-command "python /path/to/server.py"
For an HTTP MCP server:
tunnel-client init \
--profile internal-http \
--tunnel-id tunnel_... \
--mcp-server-url https://mcp.internal.example.com/mcp
Run tunnel-client doctor --profile <profile> --explain to validate your configuration before testing. The local admin UI at /ui on loopback shows health, readiness, and tunnel status.
Supported products
Once running, the tunnel is selectable as a connector source in:
- ChatGPT (web) — requires developer-mode workspace permission; workspace admin grants it in Permissions & Roles → Connected Data
- Codex — available in the Codex plugin interface with guided configuration
- Responses API — reference the tunnel endpoint as an MCP server URL
- AgentKit — same connector reference as Responses API
Enterprise networking features
tunnel-client is designed to work inside enterprise network environments without infrastructure changes:
| Requirement | How tunnel-client handles it |
|---|---|
| Outbound HTTPS proxy | Configurable proxy setting in the profile |
| Custom CA bundle | Pass custom CA certificates for TLS validation |
| Control-plane client certificates | mTLS to mtls.api.openai.com:443 (optional, replaces API-key auth) |
| MCP-side mTLS | Configure client certs for the MCP server connection |
| Kubernetes | Run as a sidecar or dedicated deployment alongside the MCP server |
| systemd | Drop-in unit file for bare-metal or VM deployments |
Harpoon: narrow HTTP callouts into private networks
Beyond MCP, tunnel-client includes an embedded server called Harpoon that exposes configured internal HTTP endpoints by label. Supported agent flows (not all OpenAI surfaces) can call those labeled targets through the tunnel with bounded request/response limits.
This is not a general proxy. It’s scoped to exactly the HTTP targets you register in the Harpoon configuration — useful for agent steps that need to hit an internal REST API without running a full MCP server.
Permissions needed
| Scope | Permission |
|---|---|
| Create or edit a tunnel | Tunnels Read + Manage |
Run tunnel-client or select tunnel in a connector |
Tunnels Read + Use |
| Connect tunnel to ChatGPT | Developer-mode workspace permission (admin grant) |
Decision guide
Use Secure MCP Tunnel when:
- The MCP server holds private or compliance-sensitive data that must not be publicly reachable
- The server lives inside a corporate VPC, on-prem data center, or developer laptop
- The team wants OpenAI products to call internal APIs without restructuring network access
Skip the tunnel when:
- The MCP server is already public and stateless (e.g., a weather API wrapper, a public search tool)
- You’re prototyping locally and will deploy publicly before going to production
Migration path from a public MCP server:
- Replace the public endpoint with a
tunnel-clientprofile pointing to your local server - Update your connector configuration in ChatGPT or the Responses API to reference the tunnel endpoint instead
- Take down the public endpoint when traffic has moved
Open-source client
The openai/tunnel-client binary is open-source, which matters for organizations with strict supply-chain review requirements. Security teams can audit the code running inside protected networks before deployment.