OpenAI shipped Secure MCP Tunnel on May 28, an outbound-only connectivity layer that lets enterprises connect private MCP (Model Context Protocol) servers to ChatGPT and the OpenAI API without exposing those servers to inbound traffic from the internet. The release addresses a security blocker that has prevented many enterprise teams from deploying MCP at scale: existing MCP server-to-client architecture required either public hosting or VPN-based connectivity, both of which create attack surfaces enterprise security teams have been unwilling to accept.
The architecture is conceptually similar to Cloudflare Tunnel, ngrok, or Tailscale Funnel. A small tunnel-client process runs alongside the private MCP server inside the enterprise network. The client establishes an outbound HTTPS connection to OpenAI’s tunnel infrastructure and waits to handle inbound requests routed over that single persistent connection. From the enterprise firewall’s perspective, this is normal outbound HTTPS traffic, the same shape as any web browser. No inbound ports open, no VPN configured, no public DNS entry for the MCP server.
The integration story is the part that matters for adoption. Secure MCP Tunnel supports standard enterprise networking constraints, including egress proxies and SSL inspection middleboxes, which are common in regulated industries. The tunnel preserves end-to-end TLS to the OpenAI infrastructure while honoring the inspection points enterprise networks require. That combination, which sounds straightforward but is technically nontrivial to implement correctly, is what makes this deployable in environments where security teams have veto power.
For context: this lands the same week MCP shipped its release candidate spec (covered May 22), and roughly six months after Anthropic introduced the protocol. The pattern of frontier-lab infrastructure layers shipping around MCP at compounding speed suggests the protocol has crossed into the maintainability-and-deployment phase, no longer the early-experimentation phase.
The skeptical read on Secure MCP Tunnel is direct. OpenAI controls the tunnel infrastructure on its side. Enterprises connecting their internal MCP servers via this tunnel are placing OpenAI in the path of every request and every response, which means the model has access to whatever data the MCP server exposes. That access pattern is identical to any cloud-API consumption, but the framing of “secure tunnel” can obscure the data-flow reality. Enterprise architects evaluating this should treat it as a managed proxy with all the corresponding governance implications, not as a zero-trust isolation layer.
For platform and infrastructure teams currently blocked on MCP deployment by inbound networking constraints, Secure MCP Tunnel removes the most common adoption barrier. It is worth evaluating now, particularly for use cases where the alternative was a custom integration pattern with substantially more security review overhead.
Published on the OpenAI Developer Docs on 2026-05-28.
