Quick Start: Testing RFC7591 with Cloudflare Tunnel

This guide walks you through testing the RFC7591 implementation with OpenAI.

Prerequisites

• Python 3.8+ with your virtual environment activated
• cloudflared CLI installed (Download here)

Step 1: Configure Environment

1. Copy the example environment file:

   Copy-Item .env.example .env
   

2. Edit .env and update these values (you’ll update the URLs after starting the tunnel):

   CORPUSIQ_ALLOW_DYNAMIC_CLIENT_REGISTRATION=true
   CORPUSIQ_CORS_ALLOW_ORIGINS_CSV=https://chat.openai.com,https://chatgpt.com
   CORPUSIQ_DEBUG_MODE=true  # For testing only
   

Step 2: Start the MCP Server

# Make sure your virtual environment is activated
& .venv\Scripts\Activate.ps1

# Start the server
uvicorn corpusiq.app:app --host 0.0.0.0 --port 8000 --reload

The server should start on http://localhost:8000.

Step 3: Start Cloudflare Tunnel

Open a new PowerShell terminal and run:

cloudflared tunnel --url http://localhost:8000

You’ll see output like:

2026-01-02T... INF |  https://random-name-abc.trycloudflare.com

Copy this URL - this is your tunnel URL!

Step 4: Update Environment with Tunnel URL

1. Stop the MCP server (Ctrl+C)
2. Edit .env and replace all your-domain.com values with your tunnel URL:

   CORPUSIQ_OAUTH_RESOURCE_URL=https://random-name-abc.trycloudflare.com
   CORPUSIQ_OAUTH_ISSUER=https://random-name-abc.trycloudflare.com
   CORPUSIQ_OAUTH_AUTHORIZATION_ENDPOINT=https://random-name-abc.trycloudflare.com/authorize
   CORPUSIQ_OAUTH_TOKEN_ENDPOINT=https://random-name-abc.trycloudflare.com/token
   CORPUSIQ_OAUTH_JWKS_URI=https://random-name-abc.trycloudflare.com/.well-known/jwks.json
   CORPUSIQ_OAUTH_REGISTRATION_ENDPOINT=https://random-name-abc.trycloudflare.com/register
   

3. Restart the MCP server:

   uvicorn corpusiq.app:app --host 0.0.0.0 --port 8000 --reload
   

Step 5: Test the Endpoints

Test 1: Health Check

curl https://your-tunnel-url.trycloudflare.com/

Should return:

{
  "status": "ok",
  "service": "CorpusIQ Apps SDK",
  ...
}

Test 2: OAuth Metadata (RFC 8414)

curl https://your-tunnel-url.trycloudflare.com/.well-known/oauth-authorization-server

Should return metadata including:

{
  "issuer": "https://your-tunnel-url.trycloudflare.com",
  "registration_endpoint": "https://your-tunnel-url.trycloudflare.com/register",
  ...
}

Test 3: Client Registration (RFC7591)

$body = @{
    client_name = "Test Client"
    redirect_uris = @("https://example.com/callback")
    grant_types = @("authorization_code")
    response_types = @("code")
} | ConvertTo-Json

Invoke-RestMethod -Uri "https://your-tunnel-url.trycloudflare.com/register" `
    -Method POST `
    -Body $body `
    -ContentType "application/json"

Should return (status 201):

{
  "client_id": "client_abc123...",
  "client_secret": "secret_xyz789...",
  "client_name": "Test Client",
  "redirect_uris": ["https://example.com/callback"],
  "client_id_issued_at": 1704240000,
  "client_secret_expires_at": 1711996800,
  ...
}

Step 6: Connect to OpenAI

1. Go to ChatGPT
2. Navigate to Settings → Integrations → Apps
3. Click “Connect App” or “Add Custom App”
4. Enter your Cloudflare tunnel URL: https://your-tunnel-url.trycloudflare.com
5. OpenAI will:
   • Discover your OAuth metadata via /.well-known/oauth-authorization-server
   • See the registration_endpoint
   • Automatically register itself via POST /register
   • Receive client credentials

Step 7: Monitor the Logs

Watch your MCP server terminal. You should see:

INFO - OAuth authorization server metadata requested
INFO - Client registration request received: OpenAI ChatGPT
INFO - Client registered successfully: client_abc123... (OpenAI ChatGPT)
INFO - Client redirect URIs: ['https://chat.openai.com/callback']

Troubleshooting

“Server does not support RFC7591”

• Verify Step 5 tests pass (especially Test 2 and Test 3)
• Ensure CORPUSIQ_ALLOW_DYNAMIC_CLIENT_REGISTRATION=true
• Check server logs for errors

“Connection refused” or “502 Bad Gateway”

• Ensure MCP server is running on port 8000
• Ensure Cloudflare tunnel is running and forwarding to localhost:8000
• Check firewall settings

“Invalid redirect URI”

• OpenAI must send at least one redirect_uri
• This is usually automatic; if it fails, check OpenAI’s documentation

“CORS error” in browser

• Verify CORPUSIQ_CORS_ALLOW_ORIGINS_CSV includes https://chat.openai.com
• Restart the server after changing .env

Registration succeeds but authorization fails

• This is expected! The current implementation only handles registration
• Full OAuth flow (authorization, token exchange) requires additional implementation
• See RFC7591_IMPLEMENTATION.md for production considerations

Next Steps

For a production deployment:

1. Implement client storage - Currently credentials are generated but not persisted
2. Implement authorization endpoint - Handle OAuth authorization flow
3. Implement token endpoint - Issue access tokens
4. Set up JWKS - For token verification
5. Use a permanent domain - Don’t rely on temporary Cloudflare tunnels
6. Consider using an OAuth provider - Auth0, Keycloak, or similar

See RFC7591_IMPLEMENTATION.md for detailed production guidance.

Useful Commands

# Check if server is running
curl http://localhost:8000/

# View server logs with timestamps
uvicorn corpusiq.app:app --host 0.0.0.0 --port 8000 --log-level info

# Test with debug endpoints (if DEBUG_MODE=true)
curl http://localhost:8000/debug/ping
curl http://localhost:8000/debug/tools

Additional Resources

• RFC7591 Specification
• RFC8414 OAuth Metadata
• Cloudflare Tunnel Docs
• OpenAI Apps Documentation