OpenAI unveils Secure MCP Tunnel for private enterprise AI access

The OpenAI Secure MCP Tunnel offers a breakthrough for private enterprise AI access, enabling internal servers to reach powerful tools like ChatGPT and Codex. It uses an outbound-only HTTPS architecture, eliminating the need to expose private endpoints or alter inbound firewall rules for secure data retrieval.

How the Secure MCP Tunnel Works

The tunnel client, running within your private network, initiates a secure outbound HTTPS connection to OpenAI's API. It polls for pending requests, forwards them to your internal MCP server, and sends the responses back over the same secure channel, ensuring no inbound traffic is ever required.

To implement the tunnel, teams first create a hosted tunnel endpoint through OpenAI. Then, they run the tunnel-client on a host within their private network that can reach the target Model Context Protocol (MCP) server. According to the official developer guide, this design ensures the private MCP server's address is never exposed.

For advanced configurations, network teams can integrate the tunnel-client with outbound proxies, use custom CA bundles, and enforce mutual TLS (mTLS) for the connection to the internal MCP server. OpenAI also offers a component named Harpoon, which allows customers to pre-define a list of allowed HTTP destinations, preventing AI agents from accessing unauthorized network hosts.

Key Enterprise Use Cases

Reports highlight three primary motivations for enterprise adoption:

• Connect Private Systems: Integrate AI agents with on-premise knowledge bases, ticketing systems, and other internal services that are not exposed to the public internet.
• Govern AI Access: Centralize and audit all MCP traffic through a single, secure endpoint that enforces organization-wide access policies.
• Secure Production Workloads: Pair the tunnel with keyless authentication methods to eliminate long-lived secrets from CI/CD pipelines, reducing security risks.

This technology addresses a growing demand for secure AI integration with regulated data as organizations increasingly seek to connect their private systems with AI capabilities.

Security Features and Limitations

OpenAI emphasizes several core security design principles:

• No Inbound Exposure: All connections are initiated from inside the private network.
• Org-Scoped Authorization: Access is managed and restricted at the organization level.
• Encrypted Transport: Traffic is secured using outbound-only TLS.
• Client Certificate Support: Optional client certificates can be used for the control plane.
• Internal mTLS: Mutual TLS is supported between the client and the private MCP server.

However, the official documentation does not currently list specific compliance certifications like SOC 2 or ISO 27001 for the tunnel feature itself. Additionally, while OAuth discovery traffic can pass through the tunnel, the authorization server is not tunneled automatically, potentially requiring a public callback route for isolated network segments.

Pricing and Availability

The Secure MCP Tunnel is presented as a generally available feature with no additional subscription fees. Usage is metered through standard API token pricing for any tool calls made through the connection. The openai/tunnel-client binary is publicly available for download from GitHub. The lack of a formal "GA" or "beta" label may suggest that OpenAI is treating it as a supported platform feature while retaining the flexibility to evolve the protocol.