Your MCP server is behind a firewall — where it belongs. Getting ChatGPT, Codex, or the Responses API to reach it without cutting a hole in that firewall is a genuine enterprise blocker: security teams reject inbound port requests on principle, and your network team will schedule the review for Q3 2027. On May 27, 2026, OpenAI shipped the fix: Secure MCP Tunnel, a GA enterprise feature that connects private MCP servers to OpenAI products through an outbound-only HTTPS channel. No inbound ports. No public endpoint. No painful security review.
How the OpenAI Secure MCP Tunnel Works
The core mechanism is a small binary called tunnel-client that runs inside your network, wherever it can already reach your private MCP server. It opens a persistent outbound HTTPS connection to OpenAI’s control plane and long-polls for work. When a supported product — ChatGPT, Codex, the Responses API, or AgentKit — needs to call one of your MCP tools, the request is queued in the tunnel. tunnel-client picks it up, forwards the JSON-RPC request to your private server over stdio or HTTP, and posts the response back through the same channel.
The architectural insight: your MCP server never initiates a connection to anything. It never touches the public internet. From your security team’s perspective, this is identical to any other outbound HTTPS from an internal host — already allowed by most corporate networks, no negotiation required.
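The poll, forward, post-back cycle described above can be modelled on loopback. This is an added example, not tunnel-client's code or OpenAI's wire protocol: the /poll and /result paths and the lookup_ticket tool are hypothetical, and only the JSON-RPC tools/call shape follows MCP.

```python
import json, queue, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlreq

work, results = queue.Queue(), queue.Queue()            # control-plane state
opener = urlreq.build_opener(urlreq.ProxyHandler({}))   # direct; ignore env proxies

class ControlPlane(BaseHTTPRequestHandler):
    """Stand-in for the provider side: the only listening socket in this model."""
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):       # /poll (hypothetical); a real long poll holds this open
        body = json.dumps(work.get()).encode() if not work.empty() else b""
        self._reply(200 if body else 204, body)
    def do_POST(self):      # /result (hypothetical): accept the posted response
        size = int(self.headers["Content-Length"])
        results.put(json.loads(self.rfile.read(size)))
        self._reply(204)
    log_message = lambda self, *args: None              # keep the demo quiet

def private_mcp_server(req):
    """Private MCP server: reached only by the relay, never from outside."""
    reply = {"jsonrpc": "2.0", "id": req.get("id")}
    if req.get("method") != "tools/call":
        return {**reply, "error": {"code": -32601, "message": "Method not found"}}
    text = "ticket %s: open" % req["params"]["arguments"]["id"]
    return {**reply, "result": {"content": [{"type": "text", "text": text}]}}

def relay_once(base):
    """One cycle: outbound GET for work, local forward, outbound POST of the reply."""
    with opener.open(base + "/poll", timeout=5) as resp:
        if resp.status == 204:
            return False
        req = json.loads(resp.read())
    body = json.dumps(private_mcp_server(req)).encode()
    opener.open(urlreq.Request(base + "/result", data=body), timeout=5).close()
    return True

def demo():
    srv = HTTPServer(("127.0.0.1", 0), ControlPlane)    # loopback, ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    work.put({"jsonrpc": "2.0", "id": 7, "method": "tools/call",
              "params": {"name": "lookup_ticket", "arguments": {"id": "T-1"}}})
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    handled, idle = relay_once(base), relay_once(base)
    srv.shutdown()
    srv.server_close()
    return handled, idle, results.get(timeout=1)
```

Every socket the private side touches in this model is one it opened itself, which is the property a firewall team is asked to accept.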
Context matters here. Early 2026 saw 8,000+ MCP servers accidentally exposed publicly — most binding to 0.0.0.0:8080 with no authentication. Enterprises learned the lesson fast: MCP servers must stay private. The polling model is the only approach that survives contact with real corporate security postures.
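To check a host for the 0.0.0.0:8080 pattern mentioned above, the listener table can be audited for wildcard binds. This is an added example, not from the original article; the sample `ss -ltn` output is constructed, and the check says nothing about whether a listener requires authentication.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128    127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128             [::]:9000          [::]:*
LISTEN 0      4096               *:3000             *:*
LISTEN 0      128        10.0.4.12:8443       0.0.0.0:*
"""

def classify(addr):
    """Return 'wildcard', 'loopback' or 'specific' for a local bind address."""
    addr = addr.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface scope
    if addr == "*":                            # ss prints * for a dual-stack wildcard
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                      # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"

def audit_listeners(ss_output):
    """Return (address, port, kind) for every LISTEN row in `ss -ltn` text."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 colons intact
        rows.append((addr, int(port), classify(addr)))
    return rows

def exposed(ss_output):
    """Listeners bound to every interface, as in the 0.0.0.0:8080 pattern."""
    return [(a, p) for a, p, kind in audit_listeners(ss_output) if kind == "wildcard"]

if __name__ == "__main__":
    for addr, port in exposed(SAMPLE_SS):
        print("wildcard bind: %s:%d" % (addr, port))
```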
What You Can Connect
Secure MCP Tunnel works with four OpenAI surfaces:
- ChatGPT web — via custom connector settings (choose Tunnel when creating a connector)
- Codex — gives your AI coding agent access to internal tools and APIs
- Responses API — tool use in server-side agent workflows against private data
- AgentKit — agent-builder access to internal systems without API gateway overhead
Internal databases, private REST APIs, knowledge bases, and ticketing systems all become callable MCP tools without any network exposure.
Setup: Five Steps to Connect a Private MCP Server
Getting the OpenAI secure MCP tunnel running is more straightforward than the architecture suggests:
- Create a tunnel in Platform Tunnels to get a tunnel_id
- Download the tunnel-client binary from the openai/tunnel-client GitHub repo (v0.0.9 is current)
- Run tunnel-client init to write your first profile, then tunnel-client doctor to validate it
- Start tunnel-client inside the network that can reach your private MCP server
- In ChatGPT, create a custom connector, choose Tunnel, and select your tunnel_id
The tunnel-client doctor command deserves mention: it validates your config and explains what is missing before you attempt a run. A small detail that pays off when debugging enterprise network configurations.
Enterprise Networking: Proxy, mTLS, and Custom CA Support
tunnel-client was designed for real enterprise networks. It supports outbound proxy configuration — and when you set an explicit proxy for a route, it ignores environment proxy rules including NO_PROXY, which is the correct behavior. Custom CA bundles for private PKI environments are also supported. For stronger guarantees, mTLS is available on both legs: the control-plane connection (traffic automatically routes to mtls.api.openai.com) and the MCP-side connection between tunnel-client and your internal server.
Without these features, you would be filing IT exceptions for weeks. With them, a single-host deployment behind a corporate proxy is a realistic Day 1 path.
OpenAI vs Anthropic MCP Tunnels: What Is Actually Available Today
Anthropic launched MCP tunnels in research preview in May 2026 — same outbound-only principle, different architecture (a gateway component with an independent mTLS layer where Anthropic’s infrastructure cannot read payloads). It works with Claude Managed Agents and the Messages API. The catch: research preview means you request access and wait.
OpenAI’s Secure MCP Tunnel is GA for enterprise customers. If your production stack runs on ChatGPT, Codex, or the Responses API, you can deploy this week. That is the practical difference for most engineering teams evaluating both options today. The New Stack’s comparison of both approaches is worth reading if you are still undecided.
What This Means for Enterprise MCP Adoption
Both major AI providers now offer private MCP tunnel solutions. The pattern has converged: outbound-only connections from a customer-controlled agent, forwarding requests to servers that stay fully private. The blocker — we cannot expose MCP to the internet — now has a documented, production-ready solution on OpenAI’s side and a preview on Anthropic’s. If your team has been holding off on MCP adoption because of network architecture concerns, the unblocking argument just arrived. The official OpenAI documentation has full setup details and deployment patterns for Kubernetes and VM-based environments.













