8.3 Responses API ¶

The Responses API accepts MCP servers as first-class tools. For OAuth-protected MCP servers the request shape attaches a short-lived access token as a bearer header (you obtain that token once via the OAuth flow and refresh it from your code’s side):

curl https://api.openai.com/v1/responses \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4.1",
    "input": "Where does my son live?",
    "tools": [
      {
        "type": "mcp",
        "server_label": "ownsona",
        "server_url": "https://ownsona.example.com/mcp",
        "headers": { "Authorization": "Bearer $OWNSONA_ACCESS_TOKEN" },
        "require_approval": "never"
      }
    ]
  }'

$OWNSONA_ACCESS_TOKEN is an OAuth 2.1 access token issued by OwnSona’s authorization server. Obtain one once by adding OwnSona to any OAuth-capable MCP client (Claude Desktop is the easiest), copying the access token out of that client’s local config, and exporting it as an environment variable. Refresh it before expiry via POST /oauth/token with grant_type=refresh_token.

require_approval: "never" tells the API to call tools without prompting the user. Suitable for backend services where there’s no human in the loop.

A walk through one full interaction:

1. Your request comes in.
2. OpenAI sees the recall tool in the MCP server list and decides the question needs it.
3. OpenAI calls POST /mcp with bearer auth (the access token you supplied).
4. OwnSona’s resource server validates the JWT and dispatches the tool call.
5. OwnSona returns matches.
6. OpenAI uses the matches to compose the answer.
7. OpenAI returns the final text response to your code.

All of this happens server-side in OpenAI’s infrastructure — your code makes one HTTP call.