gpt2agent

MCP server for your ChatGPT account: codex login → ChatGPT Plus/Pro inside any MCP client.

An MCP server that puts your ChatGPT Plus or Pro subscription — every model and the account-tier features below — inside Claude Code, Codex, Cursor, Windsurf, Zed, and any MCP client.

📖 Quickstart · Client setup · Troubleshooting · FAQ · Docs index

What it does

gpt2agent exposes 25 MCP tools that forward requests directly to ChatGPT's backend API. No proxy process. No separate account. No platform API key. Your codex login, your token, your quota.

If you already have the codex CLI logged in, setup is zero extra steps — gpt2agent reuses the same ~/.codex/auth.json bearer and picks up its background-refreshed token automatically.

Works with Claude Code, Codex CLI, and any client that speaks the MCP protocol over stdio.

Related MCP server: claude-max-mcp

Install — one line

curl -fsSL https://raw.githubusercontent.com/robotlearning123/gpt2agent/main/install.sh | bash

That command:

1. Installs gpt2agent via pipx (creates an isolated env; falls back to a git install if PyPI is unreachable).

2. Reuses your existing ~/.codex/auth.json if you've run codex login — no separate ChatGPT token paste needed.

3. Detects which MCP clients you have (Claude Code, Codex, Cursor, Windsurf, Claude Desktop, Zed) and writes the right config for each.

4. Drops the Claude Code skills (deep-research + gpt2agent) into ~/.claude/skills/.

Or step-by-step

# 1. Install the package globally (isolated venv)
pipx install gpt2agent

# 2. Register with all detected MCP clients (Claude Code, Codex)
gpt2agent install                          # auto-detect everything

# Want only one client?
gpt2agent install --client claude-code   # or: codex, cursor, windsurf, claude-desktop, zed
# (VS Code & Cline: see docs/clients.md for the manual snippet)

# HTTP transport instead of stdio?
gpt2agent install --transport http --http-port 9000

Or as a Claude Code plugin

/plugin marketplace add robotlearning123/gpt2agent
/plugin install gpt2agent@gpt2agent

This bundles the MCP server registration + both skills in one step. You still need the gpt2agent CLI on PATH (pipx install gpt2agent) — the plugin wires the server (gpt2agent run --stdio) and skills, not the Python package itself.

Per-client config

The install subcommand writes the right thing for each:

Both are idempotent and back up the prior file as <name>.bak-gpt2agent.

After running install, restart Claude Code so it re-spawns the subprocess. Codex picks up the new server on its next invocation automatically.

Manual config (if you'd rather not run install)

Claude Code — add to ~/.claude.json:

{
  "mcpServers": {
    "gpt2agent": {
      "type": "stdio",
      "command": "gpt2agent",
      "args": ["run", "--stdio"]
    }
  }
}

Codex CLI — add to ~/.codex/config.toml:

[mcp_servers.gpt2agent]
command = "gpt2agent"
args = ["run", "--stdio"]

Setup (manual token paste — only if codex isn't available)

gpt2agent setup

Prompts for a ChatGPT session token (saved to ~/.gpt2agent/token.json, mode 600), detects your plan, and registers gpt2agent with your detected MCP clients over stdio — the same wiring as gpt2agent install. The codex login flow is preferred when available because codex auto-refreshes its token; gpt2agent reloads ~/.codex/auth.json on mtime change so long calls don't 401 mid-flight.

Tools (25)

Chat & reasoning

Image & file management

Code execution

Account introspection

Memory & instructions

Codex (cloud agent)

Architecture

Native Python implementation — no proxy. The server calls /backend-api/conversation (SSE) directly using curl_cffi for TLS impersonation. Vendored POW and Turnstile solvers handle the OpenAI Sentinel challenge. Token is reloaded from disk on each request, so codex's background refresh propagates transparently. See NOTICES for attribution.

~/.codex/auth.json  (or ~/.gpt2agent/token.json)  ← auto-refreshed by codex
        |
   gpt2agent  (stdio MCP server, token reloaded on each call)
        |
   curl_cffi  →  chatgpt.com /backend-api/{conversation,f/conversation,me,
                                          models, memories, codex, gizmos, ...}
        |
   25 MCP tools  (chat, agent, DR ×2, GPT chat, image gen,
                  code interpreter, canvas, memory r/w,
                  instructions r/w, codex r/w, account introspect)

Configuration

Optional, searched in order: ~/.gpt2agent/config.toml, ./config.toml, ~/.config/gpt2agent/config.toml. Full reference: docs/configuration.md.

[server]
host = "127.0.0.1"   # loopback only; the HTTP transport is UNAUTHENTICATED
port = 9000

[models]
chat     = "gpt-5-3"        # default for chat tool
agent    = "agent-mode"     # default for agent tool
heavy_dr = "gpt-5-5-pro"    # override slug for deep_research_heavy

Limitations

• Deep Research quota: roughly ~248 heavy requests / monthly cycle on Pro, lower on Plus — approximate and account/region-dependent, not a guaranteed number.

• Account-tier features not yet supported: Sora video, Operator/CUA, voice sessions. These use HTTP endpoints that return 404 or haven't yet been reverse-engineered out of the chatgpt.com web bundle.

• gpt_chat is experimental — gizmo_id payload field verified against web traffic but not load-tested across all g-p-* types.

• Requires an active ChatGPT Plus or Pro subscription.

Security & risk — read before you run this

gpt2agent talks to ChatGPT's private backend the way the web app does. That has real consequences; please understand them before pointing it at your account.

• It impersonates the chatgpt.com web client. It uses curl_cffi TLS fingerprint impersonation and vendored Proof-of-Work + Cloudflare Turnstile solvers to pass the OpenAI Sentinel challenge. This is very likely against the OpenAI Terms of Service, and automated/abnormal traffic can get your account rate-limited, challenged, suspended, or banned. Use an account you can afford to lose, keep volume human-scale, and don't rely on it for anything critical. This is a reverse-engineering / research tool, not an official API.

• The HTTP transport is UNAUTHENTICATED. It proxies your entire account — read all conversations, spend Deep Research quota, overwrite custom instructions, launch Codex cloud tasks. Anyone who can reach the port controls your account. Therefore:

  • Use stdio (the default for gpt2agent install) for local clients like Claude Code and Codex. It is not network-exposed.

  • The server binds 127.0.0.1 by default and refuses to start the HTTP transport on a non-loopback host unless you explicitly set GPT2AGENT_ALLOW_REMOTE=1. Only do that behind your own auth proxy / firewall.

• Your token stays local. It is read from ~/.codex/auth.json (or ~/.gpt2agent/token.json, chmod 600) and sent only to chatgpt.com. gpt2agent never transmits it anywhere else. Token/secret values are redacted from error messages and logs (best-effort).

• PII redaction is limited. Tools that return conversation/memory data strip only emails and phone numbers from text — names, addresses, IDs, and the full message bodies of get_conversation are returned verbatim. Don't treat the output as anonymized.

• GPT2AGENT_RAW_DUMP (debug) writes raw, unredacted SSE/poll traffic — including prompts, responses, and resume tokens — to the path you give it. Use only for debugging and delete the dumps after.

Found a security issue? See SECURITY.md.

Development

python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
pytest

Release

Tagged releases are configured to publish to PyPI and create a GitHub Release with the matching CHANGELOG section:

# bump version
$EDITOR pyproject.toml             # e.g. "0.0.3" → "0.0.4"
$EDITOR CHANGELOG.md               # add ## [0.0.4] - YYYY-MM-DD ...
git commit -am "release: 0.0.4"
git tag v0.0.4
git push origin main --tags        # release workflow fires on the tag

The release workflow (.github/workflows/release.yml) verifies the tag matches pyproject.toml, runs the test matrix, builds wheel + sdist, publishes to PyPI via OIDC trusted publishing, and posts a GitHub Release with that version's CHANGELOG body.

One-time PyPI setup required before the first publish succeeds. PyPI's OIDC exchange needs a Trusted Publisher registered for this repo (project gpt2agent, owner robotlearning123, workflow release.yml, environment pypi) at pypi.org → Publishing — or a first manual twine upload to create the project. Until that is done the release job fails with invalid-publisher and the package is not on PyPI; the install.sh one-liner falls back to a git+https install in the meantime.

License

MIT. See NOTICES for third-party attributions.

Acknowledgments

• lanqian528/chat2api — POW and Turnstile solver code (MIT)

• basketikun/chatgpt2api — survey of ChatGPT backend API patterns

• 7836246/cursor2api — survey of Cursor API patterns