The Best MCP Gateways for ChatGPT Enterprise in 2026
Romain Sestier · 10 min
An MCP gateway gives ChatGPT Enterprise one governed, stable app in front of all your business systems — instead of a custom MCP app per system, each with its own credentials, tool churn, and audit gap. It matters because OpenAI’s own apps are search-only today: anything that acts must arrive as a custom MCP app, governed by ChatGPT’s admin plane (approvals, action controls, compliance logs), with the gateway handling everything under it — connectors, per-user credentials, durable audit. Verdict: StackOne for workforce deployments acting on systems of record; Zapier for breadth-first pilots; Pipedream or Composio for developers building their own apps; Merge if you want DLP-style redaction bundled in.
Does ChatGPT Enterprise support MCP?
Yes — with one big caveat: full read-write MCP is in beta, on Business, Enterprise, and Edu plans only, per OpenAI’s custom apps documentation (June 2026). Here’s the verified picture.
Terminology first. On December 17, 2025, OpenAI renamed “connectors” to “apps” — chat connectors became “apps with file search,” deep research connectors “apps with deep research” (OpenAI Help Center, June 2026). If your security review still says “connectors,” it’s the same surface — and what those docs used to call a custom connector is now a custom MCP app: same thing, new name.
OpenAI-built apps don’t write. Per OpenAI’s documentation, OpenAI-built apps “do not support write actions. Use custom MCP apps for write/modify capabilities.” This shapes everything else on this page: search-and-summarize works out of the box; update-the-record, file-the-ticket, run-the-workflow all require a custom MCP app.
How custom MCP apps get in. An admin enables developer mode; a builder supplies the server endpoint and auth, clicks “Scan Tools,” and saves a draft app. Only workspace Admins/Owners can publish to the workspace (custom apps docs). Custom apps are web-only — no mobile. On Pro/Plus, developer mode is limited to read/fetch-level tools; full read-write is the Business/Enterprise/Edu beta (per OpenAI’s help center — its developer docs describe developer mode more broadly). Two documented boundaries to set expectations precisely: agent mode will not use custom apps, and deep research uses them read/fetch-only (developer mode and MCP apps doc).
Technical requirements. Servers must be remote — SSE or streamable HTTP; private-network servers reach ChatGPT via OpenAI’s Secure MCP Tunnel (MCP docs; tunnel docs). Auth: OAuth (including Client ID Metadata Documents and private_key_jwt), No Auth, or Mixed. And one gotcha OpenAI documents itself: if the OAuth provider doesn’t issue refresh tokens (offline_access in its .well-known metadata), “ChatGPT may lose access after the original authorization expires” and users must reauthenticate (developer mode and MCP apps doc; more on this pattern in OAuth for AI agents).
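A pre-publication check for the refresh-token gotcha described above, as an added example that is not code from OpenAI or any gateway vendor. It reads an OAuth authorization-server metadata document (RFC 8414) and reports what is missing for a long-lived connection; the two sample documents and their issuers are constructed placeholders.

```python
import json

# RFC 8414 defaults that apply when the server omits a field.
DEFAULTS = {
    "grant_types_supported": ["authorization_code", "implicit"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
}

def refresh_readiness(meta):
    """Return finding codes for one authorization-server metadata document.

    An empty list means nothing was flagged. scopes_supported is optional in
    RFC 8414; when it is absent this check reports offline_access as not
    advertised, which is the conservative reading for a security review.
    """
    def field(key):
        return meta.get(key, DEFAULTS.get(key, []))

    findings = []
    if "offline_access" not in field("scopes_supported"):
        findings.append("no_offline_access_scope")
    if "refresh_token" not in field("grant_types_supported"):
        findings.append("no_refresh_token_grant")
    if not str(meta.get("token_endpoint", "")).startswith("https://"):
        findings.append("token_endpoint_not_https")
    # Informational: only relevant if the app is configured for private_key_jwt.
    if "private_key_jwt" not in field("token_endpoint_auth_methods_supported"):
        findings.append("no_private_key_jwt")
    return findings

# Constructed metadata documents; the issuers are placeholders.
GOOD = json.loads("""{
  "issuer": "https://idp.example.com",
  "token_endpoint": "https://idp.example.com/oauth/token",
  "scopes_supported": ["openid", "offline_access", "tickets.write"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "none"]
}""")
WEAK = json.loads("""{
  "issuer": "https://idp.example.org",
  "token_endpoint": "http://idp.example.org/oauth/token",
  "scopes_supported": ["openid", "tickets.write"]
}""")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("weak", WEAK)):
        print(label, refresh_readiness(doc) or "ok")
```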
The admin governance plane is genuinely strong. On Enterprise and Edu, all apps are disabled by default (Business: enabled by default); admins control access per app and per group, and gate developer mode to specific individuals (workspace controls, June 2026). Per app, admins set action controls — allow all, read-only, or a custom allowed set — can put regex/range constraints on tool arguments, and can bulk-disable apps, including those with write actions. Most distinctive is the frozen snapshot model: after admin approval, ChatGPT uses a frozen snapshot of the app’s tools; server changes arrive disabled by default, shown as a diff, and apply only when an admin reviews and publishes an update (custom apps docs). Approval prompts default to “Important actions” (Always ask / Any changes / Never ask available — apps docs).
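To see what a frozen-snapshot review involves, the sketch below diffs an approved tool snapshot against a fresh `tools/list` result and sorts write-capable changes to the top. It is an added example, not OpenAI's or any gateway's implementation; the tool names and schemas are constructed, and the write-capable test relies on the MCP `readOnlyHint` tool annotation.

```python
import hashlib
import json

def fingerprint(tool):
    """Hash the fields an admin approves: description, input schema, annotations."""
    reviewed = {k: tool.get(k) for k in ("description", "inputSchema", "annotations")}
    blob = json.dumps(reviewed, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def is_write_capable(tool):
    # MCP tool annotations: readOnlyHint defaults to false, so a tool that
    # does not declare it is treated as able to modify state.
    return not (tool.get("annotations") or {}).get("readOnlyHint", False)

def review_queue(approved, current):
    """Diff an approved snapshot against a fresh tools/list result, write-capable first."""
    old = {t["name"]: t for t in approved}
    new = {t["name"]: t for t in current}
    rows = []
    for name in old.keys() | new.keys():
        if name not in old:
            rows.append(("added", name, is_write_capable(new[name])))
        elif name not in new:
            rows.append(("removed", name, is_write_capable(old[name])))
        elif fingerprint(old[name]) != fingerprint(new[name]):
            rows.append(("changed", name, is_write_capable(new[name])))
    return sorted(rows, key=lambda r: (not r[2], r[1]))

def make_tool(name, props, read_only=None):
    """Build a constructed tool definition (names below are hypothetical)."""
    t = {"name": name, "description": name.replace("_", " "),
         "inputSchema": {"type": "object", "properties": props}}
    if read_only is not None:
        t["annotations"] = {"readOnlyHint": read_only}
    return t

ID = {"id": {"type": "string"}}
APPROVED = [make_tool("search_tickets", {"q": {"type": "string"}}, True),
            make_tool("list_users", {}, True),
            make_tool("update_ticket", ID)]
CURRENT = [make_tool("search_tickets", {"q": {"type": "string"}}, True),
           make_tool("get_ticket", ID, True),
           make_tool("update_ticket", {**ID, "assignee": {"type": "string"}}),
           make_tool("delete_ticket", ID)]

if __name__ == "__main__":
    for row in review_queue(APPROVED, CURRENT):
        print(row)
```

The description is part of the fingerprint because the model reads it, so a wording change is a reviewable change even when the schema is identical.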
Compliance posture. App activity is captured in OpenAI’s Compliance Logs Platform — immutable, 30-day retention, with OpenAI recommending continuous export to your SIEM (partners: Purview, Netskope, Varonis, Zenity); conversations flow through the Compliance API (compliance docs). SOC 2 Type 2, and no training on business data by default (“we do not train our models on any data accessed from apps” — enterprise privacy).
On tool counts: no documented hard cap, but OpenAI warns “exposing many tools to the model can result in high cost and latency” and provides per-app tool toggles (tools guide) — another reason a curated, admin-scoped tool surface beats publishing several raw servers.
What ChatGPT’s native controls don’t cover
ChatGPT’s admin plane governs ChatGPT: which apps exist, who sees them, which actions are allowed. It deliberately doesn’t govern what’s behind the app — and OpenAI says so. Custom apps are “not verified by OpenAI” (admin controls), developer mode is “powerful but dangerous” (developer mode guide), “a malicious server can exfiltrate sensitive data from anything that enters the model’s context” (tools guide), and “You are responsible for verifying the MCP server and app is safe and appropriate for your organization before publishing” (developer mode and MCP apps doc). Four jobs stay on your side of the line:
- The servers themselves. Every system ChatGPT should act on needs a custom MCP server someone builds, hosts, secures, and maintains — OpenAI’s “only connect servers you trust” guidance names the problem; building, hosting, and vetting those servers is still yours.
- Audit beyond 30 days. OpenAI’s compliance logs are retained for 30 days; export to SIEM is on you. And they log that ChatGPT called a tool — not the downstream provider requests the call produced.
- Credentials per server. Each directly-added server brings its own OAuth app and token lifecycle to manage.
- The review burden of churn. The frozen-snapshot model is good security, but every tool change on every connected server queues an admin review. Ten servers with shifting tool lists is a standing diff-review job.
The gateway’s role is exactly this layer: it governs the MCP servers, tools, credentials, and data behind ChatGPT’s controls. It never “governs ChatGPT” — it makes ChatGPT’s governance workable past pilot scale.
What to look for in an MCP gateway for ChatGPT Enterprise
| Criterion | Why it matters for ChatGPT specifically |
|---|---|
| Remote streamable-HTTP/SSE server with OAuth | ChatGPT requires remote servers; OpenAI documents that without offline_access refresh tokens, users get logged out when the original authorization expires — StackOne’s OAuth flow issues refresh tokens; check this in any other gateway you evaluate |
| Curated, stable, versioned tool lists | The frozen-snapshot model queues tool changes for admin review; an admin-scoped, versioned tool surface survives it — a churning one drowns it |
| Write-action governance admins can reason about | ChatGPT’s action controls are allow-all / read-only / custom set; a gateway scoped at the same action granularity maps cleanly onto them |
| Audit logs with long retention and export | Pairs with OpenAI’s 30-day compliance logs: the gateway holds what each call did downstream, beyond 30 days, exportable to your observability stack |
| End-user account linking | One published app, but each member authorizes their own systems — otherwise the app acts as a shared service account |
| Depth on business systems | OpenAI’s first-party apps are search-only, so the gateway’s connectors are your write capability on Workday, Salesforce, ServiceNow and the rest |
The best MCP gateways for ChatGPT Enterprise, compared
Same evidence rules as our full MCP gateway comparison: capability facts from public documentation, no performance claims. The five most relevant to ChatGPT:
| Platform | Remote server + OAuth for ChatGPT | Tool-list stability (frozen-snapshot review) | Action-level governance | Audit beyond 30 days | End-user linking | Catalog | Pricing |
|---|---|---|---|---|---|---|---|
| StackOne | Yes — managed remote endpoint | Curated actions; connector versioning pins tools | Per-project/per-account action scoping; SOC 2 Type II, HIPAA, GDPR | Provider-level request logs; Datadog/Grafana export | Yes (end-user OAuth 2.1) | 310+ connectors, 20,000+ actions | Free plan (full catalog) |
| Zapier MCP | Yes — hosted remote endpoint | Broad catalog; curation per action, not per connector | Allowlists, approvals; SOC 2 | History log; retention not documented | Connected Zapier account’s connections; per-member workforce linking not documented | 9,000+ apps (automation-shaped) | Included; 2 tasks per call |
| Composio | Yes — hosted MCP servers | Toolkit-level selection; versioning/stability not documented | Light; observability-focused; SOC 2, ISO 27001 | Audit detail light; retention not documented | Yes (Connect Link per user_id) | ~1,000 toolkits | Free tier; from $29/mo |
| Pipedream Connect MCP | Yes — remote or self-hosted | Developer-managed tool selection | Governance beyond logging not detailed; SOC 2, HIPAA | Logging; retention not documented | Yes (per external_user_id) | 3,000+ APIs | Usage-based; free tier |
| Merge Agent Handler | Yes — managed | Tool Packs scoping | DLP, guardrails; SOC 2 | Audit logs on all plans; retention not documented | Guided end-user flow; SCIM | “Thousands of tools”; per-system catalog not published | Free tier; Pro $1,000/mo |
1. StackOne
StackOne is the enterprise layer for AI agents to safely act on any application — here’s how it meets the ChatGPT criteria, with a free plan covering the full catalog:
- Remote server and end-user linking: a managed remote MCP endpoint with an OAuth 2.1 flow where the end user authorizes the client themselves — SSO sign-in, co-branded consent, opt-in of the specific linked accounts ChatGPT may use — so one published app serves every member under their own credentials. The flow issues refresh tokens (offline_access), so members stay connected instead of hitting the documented reauthentication expiry.
- Frozen-snapshot fit: tools aren’t direct wrappers over API endpoints but curated, context-optimized actions; admins scope which actions each project and linked account exposes, and connector versioning pins each profile to a specific connector version — what the admin approved is what keeps being served.
- Audit: request logs capture every call down to the underlying provider requests, exportable to Datadog or Grafana — the durable half of OpenAI’s 30-day compliance logs.
- Depth, verifiable per system: Salesforce has 380 actions, Jira 147 actions, Workday 128 actions.
Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box. Best for: workforce ChatGPT Enterprise deployments where agents act on systems of record.
2. Zapier MCP
Zapier MCP is the breadth play: 9,000+ apps and 30,000+ pre-built actions behind a hosted remote endpoint, with existing Zapier connections appearing automatically and no-terminal setup — for ChatGPT pilots, “can it post to Slack?” is answered quickly. The caveats from our hub comparison bite harder here: each MCP tool call consumes two tasks from your plan quota (agents are chatty), actions are automation-shaped rather than deep, and curation is per-action, not per-connector — which matters when a workspace admin has to reason about the whole tool list under the frozen-snapshot model. One workforce-specific check: tool calls run on the connected Zapier account’s connections, and per-member linking for a ChatGPT workspace isn’t documented — the shared-service-account pattern the criteria table warns about. Best for: breadth-first ChatGPT pilots by teams already paying for Zapier.
3. Composio
Composio offers 1,000+ toolkits, end users authorizing via a hosted Connect Link with per-user user_id isolation, and published pricing (free tier, then from $29/month). It gets a developer’s custom app into ChatGPT quickly. What we couldn’t find in its public docs as of June 9, 2026 is the org-level control plane — central policy enforcement and approval workflows — the first thing a workspace admin publishing a write-capable app to a few thousand seats will ask about. Best for: developers who want toolkit breadth and SDK speed ahead of organizational governance.
4. Pipedream Connect MCP
Pipedream’s MCP is a developer primitive: 3,000+ APIs, end users connecting accounts through managed auth isolated per external_user_id, remote-hosted or self-hosted, with published usage-based pricing. A strong base for an engineering team building its own custom app for ChatGPT — but not an IT product: governance beyond logging isn’t detailed in the docs, so the admin-side story is yours to construct. Best for: developers embedding user-authorized integrations into a custom ChatGPT app they own.
5. Merge Agent Handler
Merge’s Agent Handler includes inline runtime security controls: DLP scanning on tool-call inputs and outputs, guardrails that block, redact, or mask, audit logs on all plans, SCIM, SOC 2. The open question is published depth: the catalog is summarized as “thousands of tools”, and while Merge documents per-integration coverage for its Unified API, Agent Handler doesn’t publish an equivalent per-system tool catalog. Pricing is credit-metered (free tier; Pro $1,000/month for 25,000 credits). Best for: teams that want DLP-style redaction bundled into a managed tool-call path — verify per-system tool coverage on your systems first.
How to connect StackOne to ChatGPT Enterprise
1. Set up StackOne first. Create a StackOne project, connect the systems agents should act on, and scope which connectors and actions the project exposes. The MCP quickstart walks through this — it’s where the MCP server URL in step 3 comes from.
2. Admin: enable developer mode in ChatGPT workspace settings, gated to the individuals who should build apps.
3. Add the StackOne MCP app — the builder enters the MCP URL from step 1 with OAuth as the auth method.
4. Scan Tools. ChatGPT imports StackOne’s curated, admin-scoped action surface — not a raw API dump.
5. Set action controls — allow-all, read-only, or a custom action set, plus parameter constraints, mirroring the scoping set in step 1.
6. Publish to the workspace. The app lands on the approved list; ChatGPT freezes the tool snapshot.
7. Members connect. The end user sees the app in ChatGPT (web), then StackOne’s OAuth 2.1 flow — SSO sign-in, consent screen, and an account picker to opt in the specific linked accounts ChatGPT may act on. No ticket to IT.
When you don’t need a gateway for ChatGPT Enterprise
- One custom app, one system, technical owners. If engineering already runs an MCP server for the one system that matters, publish it directly — a gateway adds a hop you don’t need yet.
- Search-only rollouts. If ChatGPT only needs to find things in Drive, SharePoint, or GitHub, OpenAI’s first-party apps cover it without any custom MCP.
- Agent-mode-only plans. Per OpenAI, agent mode won’t use custom MCP apps at all today, and deep research uses them read/fetch-only — if those surfaces are your whole use case, no custom app, gateway-backed or not, reaches them yet.
- You’re still proving the use case. Full-MCP write support is beta; pilot one server with a small developer-mode group, then graduate to gateway controls when user count makes credential sprawl and snapshot reviews real.
StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense.