In a major move to clear the largest data privacy and compliance hurdles holding back enterprise AI deployments, OpenAI has officially launched Secure MCP Tunnels.
The new network security architecture, accompanied by a lightweight customer-run daemon called tunnel-client, establishes an outbound-only, encrypted bridge. This architecture allows cloud-hosted OpenAI products—including ChatGPT, Codex, and the Responses API—to securely interact with private, on-premises Model Context Protocol (MCP) servers without requiring companies to modify their inbound firewalls or expose internal APIs to the public internet.
The announcement positions OpenAI directly at the forefront of the zero-trust enterprise AI wave, landing just days after Anthropic introduced its own native tunnel primitives for Claude Managed Agents.
The Architecture: Eliminating the Inbound Attack Surface
Enterprise deployment of autonomous AI agents has historically been bottlenecked by network security constraints. For a cloud-hosted LLM to query a private database, access internal codebase repositories, or orchestrate local dev tools, IT infrastructure teams traditionally had to open inbound firewall ports, configure complex DMZs, or manage fragile IP allowlists. These methods introduce significant security vulnerabilities.
OpenAI’s Secure MCP Tunnels eliminate these risks by reversing the initiation flow:
- Outbound-Only Connection: Instead of OpenAI reaching into the customer’s network, the on-premises `tunnel-client` initiates an outbound HTTPS connection to an OpenAI-hosted tunnel endpoint (`api.openai.com:443`).
- Long-Polling Mechanics: The client establishes a continuous loop, long-polling the OpenAI control plane (`GET /v1/tunnel/{tunnel_id}/poll`) for queued tool execution workloads.
- Local Resolution: When ChatGPT triggers an MCP tool call, the request is queued at the tunnel endpoint. The local client fetches the JSON-RPC request, executes it locally via stdio or streamable HTTP against the private MCP server, and posts the results back out (`POST /v1/tunnel/{tunnel_id}/response`).
Because the configuration requires zero public DNS entries, no inbound NAT rules, and no public listeners, the private MCP server remains completely hidden from internet scanners and opportunistic exploitation traffic.
```text
[ Private Enterprise Network ]                                  [ OpenAI Cloud Infrastructure ]

[ Local MCP Server ]
        ^
        | (Local stdio / HTTP)
[ tunnel-client ] --(Outbound HTTPS Only)--> [ OpenAI Tunnel Endpoint ] <--> [ ChatGPT / Responses API ]
(No Inbound Ports open)
```
Moving Credentials to the Perimeter
A major security advantage of the tunnel architecture is its impact on credential isolation. In standard managed agent deployments, cloud-hosted models or orchestration frameworks typically hold long-lived authentication tokens (such as GitHub PATs, Salesforce OAuth bearers, or database service account keys) directly within their active environments. This architectural design leaves them vulnerable to credential harvesting via prompt injection or supply chain attacks.
With Secure MCP Tunnels, the cloud-hosted AI agent never sees or holds the target system’s credentials. The core authentication keys remain securely inside the enterprise’s private boundary, held natively by the local MCP server.
When an agent is manipulated via a prompt injection attack, it cannot leak tokens because no tokens exist in its cloud context. The blast radius is tightly restricted to whatever specific action boundaries are programmatically enforced by the local MCP server instance.
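As an added illustration (not OpenAI’s `tunnel-client` code), the Python sketch below simulates one poll/execute/respond iteration of the loop described above and the credential isolation it gives, using only the two endpoint paths from the article; the JSON-RPC message shapes, the in-memory control-plane stub, the `list_repos` tool name and the placeholder token are assumptions. It shows that what travels back over the tunnel is the tool result, never the token the local server used.

```python
import json
from collections import deque

# Constructed stand-in for the OpenAI control plane: a per-tunnel queue of pending
# JSON-RPC requests and the responses the client has posted back. Shapes are assumed.
CONTROL_PLANE = {"queues": {}, "responses": {}}

def enqueue_request(tunnel_id, req):
    """Models ChatGPT triggering an MCP tool call: the request is queued at the tunnel endpoint."""
    CONTROL_PLANE["queues"].setdefault(tunnel_id, deque()).append(req)

def http_get(path):
    """Stub for the outbound long-poll GET; the real client speaks HTTPS to api.openai.com:443."""
    tunnel_id = path.split("/")[3]
    q = CONTROL_PLANE["queues"].get(tunnel_id)
    return q.popleft() if q else None  # None models an empty long-poll timing out

def http_post(path, body):
    """Stub for posting the JSON-RPC result back out over the same outbound tunnel."""
    tunnel_id = path.split("/")[3]
    CONTROL_PLANE["responses"].setdefault(tunnel_id, []).append(body)

# Local MCP server stand-in. The backend credential lives ONLY here, inside the private network.
LOCAL_TOKEN = "ghp_constructed_placeholder_token"  # constructed placeholder, never serialized

def backend_list_repos(token):
    """Hypothetical internal backend that requires the token; returns constructed sample data."""
    if token != LOCAL_TOKEN:
        raise PermissionError("bad token")
    return ["internal/payments", "internal/ledger"]

def local_mcp_call(req):
    """Handle one JSON-RPC 2.0 request the way a minimal local MCP server would."""
    rid = req.get("id")
    if req.get("jsonrpc") != "2.0" or "method" not in req:
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32600, "message": "Invalid Request"}}
    if req["method"] == "tools/call" and req.get("params", {}).get("name") == "list_repos":
        repos = backend_list_repos(LOCAL_TOKEN)  # token is used here, not returned
        return {"jsonrpc": "2.0", "id": rid,
                "result": {"content": [{"type": "text", "text": json.dumps(repos)}]}}
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32601, "message": "Method not found"}}

def poll_once(tunnel_id):
    """One iteration of the client loop: GET poll -> execute locally -> POST response."""
    req = http_get(f"/v1/tunnel/{tunnel_id}/poll")
    if req is None:
        return None
    resp = local_mcp_call(req)
    http_post(f"/v1/tunnel/{tunnel_id}/response", resp)
    return resp
```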
Technical Specifications and Tooling
The launch includes a robust enterprise management layer built directly into the OpenAI developer platform and the open-source client repository:
- Granular Permissions: Tunnel access is governed by strict Role-Based Access Control (RBAC). Runtime keys require specialized `Tunnels Read + Use` principals to long-poll data, while admin management tasks (creating or deleting tunnel IDs) require explicit `Tunnels Read + Manage` scopes.
- Control Plane mTLS: For organizations requiring heightened compliance baselines, the `tunnel-client` can be configured to execute strict mutual TLS (mTLS) authentication against `mtls.api.openai.com:443`.
- Admin UI and Observability: The client daemon embeds a local health server (`/healthz`, `/readyz`, and Prometheus `/metrics`) alongside a lightweight browser administration panel. Operators can toggle live runtime logs between `debug`, `info`, and `warn` modes at runtime to inspect active JSON-RPC packets without restarting the underlying process.
Deployment On-Ramp
To provision a secure data bridge, developers must generate a valid tunnel_id within their OpenAI Platform console, configure a local runtime API key, and pull the open-source daemon straight from GitHub to point it at their internal system:
```bash
# Export runtime configurations
export CONTROL_PLANE_TUNNEL_ID="tnl_dev_your_unique_id"
export CONTROL_PLANE_API_KEY="sk-proj-your-runtime-key"

# Run the client daemon pointed at a local python-based MCP server
tunnel-client run --command "uv run local-mcp-server"
```
The service is available immediately across all primary regions. By formalizing this zero-trust secure pipeline, OpenAI is making a clear play to transform ChatGPT from a basic conversational assistant into an authorized enterprise operating system capable of safely navigating deeply nested corporate environments.
To see a practical walkthrough of how these secure data corridors function over outbound-only connections, check out this Technical Overview of Model Context Protocol Tunnels. This guide details how the gateway architecture establishes zero-trust connections to run agentic AI pipelines inside private VPCs without modifying your perimeter firewalls.
