AI Platform

Shipping a SaaS Product Inside ChatGPT with a Remote MCP Server

A remote MCP server that lets ChatGPT users connect their account and run a SaaS product's AI agents as tools, with full OAuth 2.0, PKCE, dynamic client registration, and a 108-test suite covering the whole flow.

108
tests passing across the full flow
OAuth 2.0
DCR + PKCE + IdP-backed login
7
agent tools exposed to ChatGPT
Multi-tenant
ChatGPT user mapped to the right account

The challenge

The client already had a multi-agent SaaS product and wanted its users to reach those agents from directly inside ChatGPT. That meant meeting the remote-MCP and OAuth requirements of a third-party LLM client exactly: secure account linking, correct discovery metadata, and safe mapping of a ChatGPT user to the right tenant account.

Architecture

ChatGPT

  • Third-party client

OAuth 2.0

  • Dynamic registration
  • PKCE, IdP login

Remote MCP server

  • 7 annotated tools
  • User to tenant map

HMAC bridge

  • Signed requests
  • Async polling

Backend agents

  • Existing fleet
ChatGPT authenticates through the OAuth flow, then each tool call is authenticated, mapped to a tenant, and bridged to the existing backend over a signed API.

What we built

We built a remote MCP server on FastMCP that exposes the product's agent fleet as MCP tools, each annotated with read-only and destructive hints so the client can reason about their effects.

We implemented the full OAuth 2.0 surface a remote MCP client expects: dynamic client registration, PKCE, an identity-provider-backed authorize, callback, and token flow, and the protected-resource, authorization-server, and OpenID Connect discovery endpoints.

Bearer-auth middleware maps an authenticated ChatGPT user to their tenant account, then bridges each tool call to the existing backend over an HMAC-signed API, polling the agent run asynchronously and returning formatted results. Logs redact user identifiers.

We covered the complete path, from ChatGPT to OAuth to MCP tool call to agent run to result, with a 108-test suite so the integration could ship with confidence.

Stack

PythonFastMCPOAuth 2.0 / PKCEAWS CognitoHMAC-SHA256pytest