SpyBara

Documentation 2026-06-22 22:58 UTC to 2026-06-23 15:59 UTC

2 files changed +15 −4.

guides/rbac.md +2 −1


22<div style={{ overflowX: "auto" }}>22<div style={{ overflowX: "auto" }}>

23 23 

24| Area | What it allows | Org owner permissions | Org reader permissions | Project owner permissions | Project member permissions | Project viewer permissions | Custom role eligible |24| Area | What it allows | Org owner permissions | Org reader permissions | Project owner permissions | Project member permissions | Project viewer permissions | Custom role eligible |

25| ---------------------- | ------------------------------------------------------------------------------------ | --------------------- | ---------------------- | ------------------------- | -------------------------- | -------------------------- | -------------------- |25| ---------------------- | ------------------------------------------------------------------------------------ | ----------------------- | ---------------------- | ------------------------- | -------------------------- | -------------------------- | -------------------- |

26| List models | List models this organization has access to | `Read` | `Read` | `Read` | `Read` | `Read` | ✓ |26| List models | List models this organization has access to | `Read` | `Read` | `Read` | `Read` | `Read` | ✓ |

27| Groups | View and manage groups | `Read`, `Write` | `Read` | `Read`, `Write` | `Read`, `Write` | `Read` | |27| Groups | View and manage groups | `Read`, `Write` | `Read` | `Read`, `Write` | `Read`, `Write` | `Read` | |

28| Roles | View and manage roles | `Read`, `Write` | `Read` | `Read`, `Write` | `Read`, `Write` | `Read` | |28| Roles | View and manage roles | `Read`, `Write` | `Read` | `Read`, `Write` | `Read`, `Write` | `Read` | |


44| Webhooks | Create and view webhooks in your project | `Read`, `Write` | `Read` | `Read`, `Write` | `Read`, `Write` | `Read` | ✓ |44| Webhooks | Create and view webhooks in your project | `Read`, `Write` | `Read` | `Read`, `Write` | `Read`, `Write` | `Read` | ✓ |

45| Datasets | Create and retrieve Datasets | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read` | ✓ |45| Datasets | Create and retrieve Datasets | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read` | ✓ |

46| Apps | Create, manage, and submit apps for review in the Dashboard | `Read`, `Write` | | | | | ✓ |46| Apps | Create, manage, and submit apps for review in the Dashboard | `Read`, `Write` | | | | | ✓ |

47| Tunnels | Inspect, use, and manage organization-scoped tunnels | `Read`, `Use`, `Manage` | | | | | ✓ |

47| Project API Keys | Permission for a user to manage their own API keys | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read` | ✓ |48| Project API Keys | Permission for a user to manage their own API keys | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read` | ✓ |

48| Project Administration | Manage project users, service accounts, API keys, and rate limits via management API | `Read`, `Write` | | `Read`, `Write` | | | |49| Project Administration | Manage project users, service accounts, API keys, and rate limits via management API | `Read`, `Write` | | `Read`, `Write` | | | |

49| Batch | Create and manage batch jobs | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read` | |50| Batch | Create and manage batch jobs | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read`, `Write` | `Read` | |
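
Review bot: The new Tunnels row at line 47 uses `Use` and `Manage`, while every other visible row in this table uses only `Read` and `Write`, and nothing in the visible table explains what the two new verbs permit. Add a short legend or a link to the tunnel guide's permissions section. The row also leaves the Org reader and all project-role columns empty while marking the area custom-role eligible, so Org owner is the only built-in role shown with tunnel access. Say explicitly that a runtime principal should get a custom role carrying `Read` and `Use` only, so readers do not default to an owner-level key.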

Details

38You need:38You need:

39 39 

40- A `tunnel_id` from [Platform tunnel settings](https://platform.openai.com/settings/organization/tunnels).40- A `tunnel_id` from [Platform tunnel settings](https://platform.openai.com/settings/organization/tunnels).

41- A runtime API key for `tunnel-client`. The key principal needs Tunnels **Read** + **Use** for the target tunnel.41- A runtime API key for `tunnel-client`.

42- A tunnel manager with Tunnels **Read** + **Manage** if you need to create or edit tunnel metadata.

43- An MCP server that `tunnel-client` can reach over stdio or HTTP from inside your network.42- An MCP server that `tunnel-client` can reach over stdio or HTTP from inside your network.

44 43 

44## Permissions and access

45 

46[Platform tunnel permissions](https://developers.openai.com/api/docs/guides/rbac) and ChatGPT developer-mode access are separate:

47 

48- Creating or editing a tunnel requires Tunnels **Read** + **Manage**.

49- Running `tunnel-client` or selecting the tunnel in connector settings requires Tunnels **Read** + **Use**.

50- Tunnel permissions apply to a Platform organization. A Platform organization owner or RBAC administrator grants the tunnel role.

51- ChatGPT developer mode is a separate workspace permission. For Enterprise/Edu, a workspace admin grants **Permissions & Roles** > **Connected Data** > **Developer mode / Create custom MCP connectors**; the user then enables it in **Settings** > **Apps** > **Advanced Settings**. See the [developer-mode Help Center article](https://help.openai.com/en/articles/12584461-developer-mode-apps-and-full-mcp-connectors-in-chatgpt-beta) for plan-specific policy.

52 

53Ask the target ChatGPT workspace admin for developer-mode access, and ask the target Platform organization owner/RBAC admin for tunnel permissions.

54 

45## Associate tunnels with the right organizations and workspaces55## Associate tunnels with the right organizations and workspaces

46 56 

47A tunnel can be associated with one or more Platform organizations or ChatGPT workspaces. Use these associations to define every OpenAI context that should be allowed to find or use the tunnel.57A tunnel can be associated with one or more Platform organizations or ChatGPT workspaces. Use these associations to define every OpenAI context that should be allowed to find or use the tunnel.
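
Review bot: In the Permissions and access section, the bullets at lines 48 to 50 do not say whether a grant covers one tunnel or every tunnel in the organization. Line 49 speaks of "the tunnel", line 50 says tunnel permissions apply to a Platform organization, and the prerequisites text at line 41 says "for the target tunnel". State the scope of a Tunnels grant in one sentence. Since the section already separates the two permission sets, it would also help to recommend that the runtime API key principal hold **Read** + **Use** without **Manage**, and that the tunnel manager be a separate principal.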


51- Include another Platform organization when Codex, the Responses API, or another supported product will call the private MCP server from that organization.61- Include another Platform organization when Codex, the Responses API, or another supported product will call the private MCP server from that organization.

52- Use the same `tunnel_id` for `tunnel-client`; adding organizations or workspaces does not create a second tunnel or change the private MCP server endpoint.62- Use the same `tunnel_id` for `tunnel-client`; adding organizations or workspaces does not create a second tunnel or change the private MCP server endpoint.

53 63 

54For personal accounts, use the personal Platform organization that belongs to that account. A tunnel associated only with a personal account won't automatically appear in an enterprise ChatGPT workspace.64For personal accounts, use the personal Platform organization that belongs to that account. For ChatGPT and Codex testing, associate the tunnel with the target ChatGPT workspace and the Platform organization that Codex will use. A tunnel associated only with a personal Platform organization doesn't automatically appear in an Enterprise/Edu workspace.

55 65 

56If the Platform organization and ChatGPT workspace are already linked, you can add the missing organization or workspace in [Platform tunnel settings](https://platform.openai.com/settings/organization/tunnels). If your enterprise setup can't be verified automatically, such as when the Platform organization has no corresponding ChatGPT workspace, contact your OpenAI account team to request a reviewed manual association override for the enterprise account mapping that should use the tunnel.66If the Platform organization and ChatGPT workspace are already linked, you can add the missing organization or workspace in [Platform tunnel settings](https://platform.openai.com/settings/organization/tunnels). If your enterprise setup can't be verified automatically, such as when the Platform organization has no corresponding ChatGPT workspace, contact your OpenAI account team to request a reviewed manual association override for the enterprise account mapping that should use the tunnel.

57 67
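
Review bot: The sentence added at line 64 is scoped to "ChatGPT and Codex testing", which leaves it unclear whether the same associations are required outside testing. Either drop "testing" or say what differs for production use. Because line 57 says associations define every OpenAI context allowed to find or use the tunnel, also suggest removing associations that were added only for a test. The rewrite changes "enterprise ChatGPT workspace" to "Enterprise/Edu workspace" while line 66 still says "enterprise setup" and "enterprise account mapping"; pick one term and use it throughout.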