On this page
Put Coworker to work on your stack.
Connect Salesforce, Slack, Jira and run your first agent in minutes.
Get started freeFree for 14 days
Enterprise AI
ChatGPT MCP: How to Connect MCP Servers to ChatGPT in 2026
How ChatGPT MCP works in 2026: which plans support it, how to connect an MCP server step by step, the security model, and the limits OpenAI documents.
ChatGPT MCP support lets you connect ChatGPT to outside tools and data through the Model Context Protocol, the open standard Anthropic created in November 2024 and OpenAI adopted in March 2025. The short version of how it works today: individual users on paid plans can connect remote MCP servers through Developer Mode, Business and Enterprise workspaces can publish vetted MCP apps org-wide, and developers can attach any MCP server to the Responses API.
The details shift fast (OpenAI folded the app directory into a unified Plugins directory on July 9, 2026, so most older tutorials show stale menus), and one important capability question is genuinely ambiguous in OpenAI's own docs. This guide reflects what OpenAI's documentation says as of July 16, 2026, with the ambiguity flagged rather than papered over.
What is MCP, in one paragraph?
The Model Context Protocol is an open standard that lets any AI assistant connect to any tool or data source through a common client/server interface, the way USB-C lets any device use any accessory. Anthropic open-sourced it in November 2024, OpenAI adopted it across its products in March 2025, and in December 2025 Anthropic donated MCP's governance to the vendor-neutral Agentic AI Foundation. It is neutral infrastructure now, not a single vendor's project: the same MCP server can serve ChatGPT, Claude, Cursor, and anything else that speaks the protocol. For the broader context on what agents do with these connections, see AI agent use cases.
Which ChatGPT plans support MCP?
| Plan | Built-in connectors | Connect your own MCP server (Developer Mode) | Full MCP with write actions | Publish apps org-wide |
|---|---|---|---|---|
| Free | Limited | No | No | No |
| Plus | Yes | Yes | Ambiguous (see below) | No |
| Pro | Yes | Yes | Read/fetch only per OpenAI's help center | No |
| Business | Yes (on by default) | Yes, admin-controlled | Yes (beta) | Yes |
| Enterprise / Edu | Yes (admin enables) | Yes, RBAC-controlled | Yes (beta) | Yes, with RBAC |
The ambiguity, stated plainly: OpenAI's developer guide says Developer Mode gives "full MCP client support for all tools, both read and write" to Pro, Plus, Business, Enterprise, and Education accounts. OpenAI's more recently updated help center article says full MCP is "only available to Business and Enterprise/Edu users, currently" and that Pro users get read/fetch only. These appear to describe two different mechanisms that share a name (a personal developer toggle vs. workspace-published apps), but OpenAI has not reconciled them explicitly. If write actions on a personal plan matter to you, test in your own account before building on it.
Two more plan facts worth knowing: MCP apps are web only (not mobile), and agent mode will not use custom MCP apps at all; deep research can use them read-only.
How to connect an MCP server to ChatGPT (Developer Mode)
For an individual paid account, per OpenAI's developer guide:
- On ChatGPT web, open Settings and enable Developer Mode (currently under Security and login; menu wording has shifted across rollouts).
- Go to Settings, then Plugins (or chatgpt.com/plugins), hit the plus button, and create an app pointing at your MCP server's URL.
- The server must be remote: a public HTTPS endpoint speaking SSE or Streamable HTTP, with OAuth, no-auth, or mixed auth. ChatGPT cannot reach a server on your laptop or private network directly; OpenAI's separate Secure MCP Tunnel exists for exactly that case.
- Your app appears under Drafts, then in the composer's Developer Mode tool, where you pick which apps a conversation can use.
- Toggle individual tools on or off from the app's settings page, and hit Refresh whenever the server's tool definitions change.
For Business/Enterprise workspaces, the flow runs through admin controls instead: an admin enables custom MCP connectors in workspace settings, creates the app (endpoint URL, auth, a Scan Tools step), tests it as a draft, then publishes it workspace-wide. Enterprise admins additionally get per-action controls and RBAC over who sees which app. Tool definitions freeze at approval time, so server-side changes require a manual admin refresh.
Developers wiring MCP into the API directly: add an `mcp` tool to a Responses API call with a `server_url` (GitHub's official server, for example, is `https://api.githubcopilot.com/mcp/`) or a `connector_id` for OpenAI's prebuilt connectors (Gmail, Google Drive, SharePoint, Teams, Outlook, Dropbox, Google Calendar). Approval is required by default before data flows to any server; you can relax it per tool once you trust the server.
Coworker
Put Coworker to work on your actual stack
Connect Salesforce, Slack, Jira and run your first agent in minutes.
The security model, in OpenAI's own words
OpenAI is unusually blunt about MCP risk, which is to its credit. Developer Mode is labeled "elevated risk" in its own docs: "It's powerful but dangerous." The specific risks it names are prompt injection from malicious or compromised servers, model mistakes on write actions that could destroy data, and servers built to exfiltrate whatever enters the model's context.
The mitigations, as documented:
- Approval levels per app: Always ask, Any changes, Important actions (the default: reads happen automatically, consequential writes require confirmation), and Never ask, which OpenAI itself flags as elevated risk.
- Read-only detection relies on the MCP `readOnlyHint` annotation; any tool without it is treated as a write and gated behind confirmation. Approvals can be remembered for one conversation only.
- Trusted servers only: OpenAI recommends official vendor-hosted servers (Stripe's own `mcp.stripe.com`, GitHub's `api.githubcopilot.com/mcp/`) over third-party proxies, and takes malicious-server reports at security@openai.com.
- Enterprise logging: every app call in Enterprise/Edu workspaces lands in the Compliance API and logs.
- The vetting burden is yours: OpenAI states plainly that organizations are responsible for verifying any app or connector they enable, including ones from OpenAI's own registry.
Independent researchers have demonstrated the risk is not hypothetical, including a documented zero-click exfiltration vector against the connector flow (Repello AI). None of this means avoid MCP; it means treat MCP servers like production dependencies, not browser extensions.
The honest limitations
- Setup is a developer task. A remote HTTPS server, OAuth config, and tool scanning are table stakes. The marketing says "connect your tools"; the reality is closer to "deploy and vet an integration."
- No local servers on consumer ChatGPT without the tunnel product.
- Reliability is still uneven. Documented community reports through 2026 include custom apps intermittently vanishing from the directory, OAuth completing but connectors not appearing in chat (reproduced with Stripe's official server), and developers noting the same MCP server behaving better in Claude than ChatGPT. Trade press reported in April 2026 on Pro accounts missing Developer Mode features and a version-over-version regression in tool-calling reliability.
- The feature is moving. OpenAI's help article carries a standing disclaimer that functionality, UI, and permissions may change, and the directory structure itself changed a week before this article's research date.
MCP without the setup project: where Coworker fits
Here is the distinction that matters if you are reading this as an ops or business lead rather than a developer: MCP is the plumbing standard, and someone still has to stand up, secure, and maintain the servers on the other end.
Coworker approaches it from the opposite direction. It maintains the integrations to 50+ workplace tools (Salesforce, Slack, Jira, HubSpot, Google Workspace, GitHub, Notion) with permissions handled, and exposes all of it as a single Coworker MCP server that ChatGPT, Claude Code, Cursor, or any MCP client can plug into. One connection in ChatGPT's Developer Mode, and a prompt like "pull Q1 metrics, top customer wins, and any risks I should flag for the board deck" can draw from Salesforce, Slack, and Jira at once, permission-aware, without you deploying anything.
The honest framing: if you are a developer who wants to build and control your own MCP servers, ChatGPT's Developer Mode plus vendor-official servers is a genuinely good path. If you want the outcome (your company's tools and context available inside every AI assistant your team uses) without becoming the maintainer of that plumbing, that is what Coworker is for, at $29.99 per user per month with a free tier. Get started free, or see how agents use this in practice in the 15 best AI agents and what unified search is.
Frequently asked questions
Does ChatGPT support MCP? Yes. ChatGPT supports connecting remote MCP servers through Developer Mode on paid plans, workspace-published MCP apps on Business/Enterprise/Edu plans, and the `mcp` tool in the Responses API for developers. OpenAI adopted the standard in March 2025.
Which ChatGPT plans can use MCP? Paid plans (Plus, Pro, Business, Enterprise, Edu) can connect MCP servers via Developer Mode on the web. Full write-action MCP is in beta for Business and Enterprise/Edu workspaces; OpenAI's docs currently give conflicting answers on whether Plus/Pro personal accounts get write actions, so test before relying on it.
Can ChatGPT connect to a local MCP server? Not directly. ChatGPT only connects to remote HTTPS MCP servers. For a server on your machine or private network, OpenAI provides a separate Secure MCP Tunnel client.
Is connecting MCP servers to ChatGPT safe? OpenAI labels Developer Mode elevated risk and warns explicitly about prompt injection, destructive write actions, and malicious servers. Mitigations include per-app approval levels, read-only detection, and compliance logging on Enterprise. Connect only servers you or a vendor you trust operates.
What is the difference between ChatGPT connectors and MCP? Connectors (now part of the Plugins directory) are OpenAI's prebuilt, first-party-managed integrations like Gmail and Google Drive. MCP support is the general mechanism that lets you connect any compliant third-party or self-built server, which is where Developer Mode and published apps come in.
What is the easiest way to get my company's tools into ChatGPT via MCP? Use an MCP server that already aggregates your tools. Coworker exposes 50+ connected workplace tools as one permission-aware MCP server that ChatGPT's Developer Mode can connect to in one step, instead of one server per tool.
Related reading
Ready to get started?
Put Coworker to work inside your actual stack
Connect Salesforce, Slack, Jira, whatever you use, and run your first agent in minutes.
Free for 14 days