Problem
Currently, GoClaw requires users to provide an OpenAI API key to use GPT models. This creates two significant friction points:
- Separate billing: Users with an active ChatGPT Plus/Pro/Team subscription must also pay for a separate OpenAI API plan to use GoClaw — effectively paying twice for the same capability.
- Key management overhead: API keys must be generated, stored, rotated, and kept secure. There is no per-user, session-scoped authentication.
Meanwhile, Claude Desktop's MCP connectors already support OAuth 2.1 authentication flows, allowing users to connect third-party MCP servers using their existing subscriptions. OpenAI's Apps SDK also implements the MCP authorization spec with OAuth 2.1, enabling ChatGPT to act as an OAuth client.
Proposed Solution
Implement an MCP OAuth Provider in GoClaw that:
- Exposes GoClaw as an OAuth 2.1 protected resource server
- Enables users to authenticate via their existing ChatGPT/OpenAI account (Plus, Pro, Team, Enterprise)
- Issues access tokens scoped to the authenticated user's subscription
- Allows GoClaw to route LLM requests through the user's own subscription billing
This mirrors the OAuth flow that Claude Desktop MCP connectors already support — but for the OpenAI side.
Background: How Claude Desktop MCP OAuth Works (Reference)
To understand the target behavior, here is how Claude Desktop currently handles OAuth with MCP servers:
Components
| Component | Role |
|---|---|
| MCP Server | Protected resource server; exposes tools, verifies tokens on each request |
| Authorization Server | Identity provider (Auth0, Okta, etc.) that issues tokens and publishes discovery metadata |
| Client (ChatGPT/Claude Desktop) | Acts on behalf of the authenticated user; supports dynamic client registration + PKCE |
OAuth Metadata Endpoints Required
- Protected resource metadata at `GET /.well-known/oauth-protected-resource`:

```json
{
  "resource": "https://goclaw.example.com",
  "authorization_servers": ["https://auth.openai.com"],
  "scopes_supported": ["model:gpt-4o", "model:gpt-4o-mini", "files:read"],
  "resource_documentation": "https://docs.goclaw.sh/oauth"
}
```

- Authorization server metadata at `GET /.well-known/oauth-authorization-server` (or OpenID Connect discovery at `/.well-known/openid-configuration`):

```json
{
  "issuer": "https://auth.openai.com",
  "authorization_endpoint": "https://auth.openai.com/v1/oauth/authorize",
  "token_endpoint": "https://auth.openai.com/v1/oauth/token",
  "registration_endpoint": "https://auth.openai.com/v1/oauth/register",
  "code_challenge_methods_supported": ["S256"],
  "scopes_supported": ["model:read", "model:run"]
}
```

- Dynamic Client Registration (DCR): The client (ChatGPT) registers itself automatically via `registration_endpoint` to get a `client_id` per connector.
- PKCE flow: All flows use the S256 code challenge method.
OpenAI OAuth 2.1 Specifics
OpenAI exposes OAuth endpoints that align with the MCP authorization spec:
| Field | OpenAI Value |
|---|---|
| Authorization server | https://auth.openai.com |
| Authorization endpoint | https://auth.openai.com/v1/oauth/authorize |
| Token endpoint | https://auth.openai.com/v1/oauth/token |
| Client registration | https://auth.openai.com/v1/oauth/register |
Reference: OpenAI Apps SDK Authentication
Redirect URI
Production redirect URI for ChatGPT:
https://chatgpt.com/connector/oauth/{callback_id}
Legacy redirect (for already-published apps):
https://chatgpt.com/connector_platform_oauth_redirect
Proposed Architecture for GoClaw
Option A: GoClaw as OAuth Client (Connect to OpenAI via OAuth)
GoClaw acts as an OAuth 2.1 client, authenticating users via their OpenAI/ChatGPT account:
User → GoClaw → OpenAI OAuth → ChatGPT subscription
- User clicks "Connect OpenAI Account" in GoClaw UI
- GoClaw redirects to `https://auth.openai.com/v1/oauth/authorize`
- After consent, OpenAI returns an authorization code
- GoClaw exchanges the code for an access token
- GoClaw uses the access token to make API calls billed to the user's subscription
Pros: Clean separation, user controls their own billing
Cons: Requires OpenAI OAuth app registration and approval
Option B: GoClaw as OAuth Resource Server (MCP OAuth Provider)
GoClaw implements the MCP OAuth spec, allowing external clients (ChatGPT, Claude Desktop) to authenticate with their OpenAI subscription to access GoClaw agents:
External MCP Client → GoClaw (resource server) → OpenAI API (via user's subscription)
- GoClaw exposes `/.well-known/oauth-protected-resource`
- MCP client (Claude Desktop with OpenAI connector) authenticates via OpenAI OAuth
- GoClaw receives and validates the OAuth token
- GoClaw routes LLM requests using the user's OpenAI subscription
Pros: Enables GoClaw to be used as an MCP server by external AI clients
Cons: More complex, less directly actionable for the stated use case
Option C (Recommended): Option A + MCP Connector Support
Implement both:
- GoClaw as OAuth client: Connect to OpenAI via OAuth (Option A) — the primary ask
- GoClaw as MCP OAuth resource server: Expose GoClaw agents as MCP servers with OAuth (Option B) — future extensibility
Technical Implementation Details
1. OAuth 2.1 Flow
1. User initiates: GET /oauth/connect?provider=openai
2. GoClaw redirects to authorization endpoint with PKCE parameters
3. User authenticates + consents at OpenAI
4. OpenAI redirects back with authorization code
5. GoClaw exchanges code + verifier for access token
6. GoClaw stores token, associates with user session
7. LLM requests use the OAuth access token instead of API key
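The seven steps above, carried through as an added example in Go (not GoClaw's own code): it creates the PKCE verifier, challenge and state for step 2, builds the redirect to the authorization endpoint, and checks the returned state before accepting the authorization code at step 4. The endpoint, client id, redirect URI and scopes are the `openai_oauth` config values passed in as parameters; the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/url"
	"strings"
)

// PKCE is the per-authorization material kept in the user session between steps 2 and 5.
type PKCE struct{ Verifier, Challenge, State string }

// S256Challenge derives code_challenge from a verifier (RFC 7636, method S256).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewPKCE draws a 32-byte verifier and a 32-byte state from crypto/rand.
func NewPKCE() (*PKCE, error) {
	raw := make([]byte, 64)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	v := base64.RawURLEncoding.EncodeToString(raw[:32])
	s := base64.RawURLEncoding.EncodeToString(raw[32:])
	return &PKCE{Verifier: v, Challenge: S256Challenge(v), State: s}, nil
}

// AuthorizeURL builds the step-2 redirect; only the challenge leaves the server, never the verifier.
func AuthorizeURL(endpoint, clientID, redirectURI string, scopes []string, p *PKCE) string {
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {strings.Join(scopes, " ")}, "state": {p.State},
		"code_challenge": {p.Challenge}, "code_challenge_method": {"S256"},
	}
	return endpoint + "?" + q.Encode()
}

// CallbackCode checks the step-4 state in constant time and returns the code for the step-5 exchange.
func CallbackCode(expectedState string, cb url.Values) (string, bool) {
	if subtle.ConstantTimeCompare([]byte(expectedState), []byte(cb.Get("state"))) != 1 {
		return "", false
	}
	code := cb.Get("code")
	return code, code != ""
}
```

At step 5 GoClaw posts `code` and `p.Verifier` to the token endpoint; the verifier is what ties the exchange to the session that started the flow.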
2. Token Storage
| Field | Value |
|---|---|
| access_token | OAuth access token |
| refresh_token | For token renewal |
| expires_at | Token expiration timestamp |
| scope | model:gpt-4o, model:gpt-4o-mini, etc. |
| user_id | OpenAI user/account ID |
Tokens should be stored encrypted in PostgreSQL (GoClaw's existing multi-tenant DB).
3. Configuration Schema
```json
{
  "providers": {
    "openai_oauth": {
      "enabled": true,
      "client_id": "${OPENAI_CLIENT_ID}",
      "client_secret": "${OPENAI_CLIENT_SECRET}",
      "authorization_endpoint": "https://auth.openai.com/v1/oauth/authorize",
      "token_endpoint": "https://auth.openai.com/v1/oauth/token",
      "scopes": ["model:read", "model:run"],
      "redirect_uri": "https://your-goclaw-domain.com/oauth/callback/openai"
    }
  }
}
```
4. GoClaw Agent Config (per-agent OAuth override)
```jsonc
{
  "agent_id": "my-agent",
  "llm": {
    "provider": "openai",
    "model": "gpt-4o",
    "auth_mode": "oauth",      // NEW: use OAuth instead of api_key
    "oauth_user_id": "session" // session-scoped, or "fixed" for shared
  }
}
```
5. Multi-tenant Isolation
- Each GoClaw user authenticates their own OpenAI account via OAuth
- Tokens are stored per-user, encrypted
- LLM requests are routed through the authenticated user's subscription
- GoClaw's existing multi-tenant isolation ensures tokens are not leaked between tenants
Comparison: GoClaw vs. Claude Desktop MCP Connectors
| Feature | Claude Desktop MCP | GoClaw (Current) | GoClaw (Proposed) |
|---|---|---|---|
| OAuth authentication | ✅ | ❌ | ✅ |
| Per-user session tokens | ✅ | ❌ | ✅ |
| Existing subscription reuse | ✅ | ❌ | ✅ |
| Separate API key required | N/A | ✅ | ❌ (optional) |
| MCP server support | ✅ | Partial | ✅ (full) |
| Multi-tenant isolation | N/A | ✅ | ✅ |
| Token encryption at rest | ✅ | ✅ | ✅ |
Use Cases
- Individuals: Use GoClaw with their existing ChatGPT Plus subscription — no separate API key needed
- Teams: Team members each authenticate via their own OpenAI account; billing is tracked per user
- Enterprises: Organizations with OpenAI Enterprise contracts can delegate access to GoClaw agents without exposing org-level API keys
- MCP Ecosystem: GoClaw agents can be exposed as MCP servers that external AI clients (Claude Desktop, Cursor, etc.) connect to using OAuth
Milestones (Suggested)
References