MCP OAuth discovery fails behind Cloudflare: rmcp HTTP client sends no User-Agent header #12859

@myungkim-upside

What version of Codex CLI is running?

0.105.0

What subscription do you have?

ChatGPT Pro

Which model were you using?

gpt-5.3-codex

What platform is your computer?

Darwin 25.3.0 arm64 arm

What terminal emulator and version are you using (if applicable)?

Ghostty

What issue are you seeing?

codex mcp list shows Auth: Unsupported for MCP servers hosted behind Cloudflare Pages (and likely any infrastructure with bot protection that checks for a User-Agent header).

Root cause: The rmcp HTTP client uses reqwest, which does not set a default User-Agent header. Cloudflare's built-in bot protection returns 403 Forbidden (with text/html body) for requests with no User-Agent. This 403 HTML response hits the OAuth discovery flow before it can reach /.well-known/oauth-protected-resource, causing Codex to report Auth: Unsupported.

Evidence:

# No User-Agent → 403 from Cloudflare (text/html)
$ curl -s -o /dev/null -w "%{http_code} %{content_type}" -H "User-Agent:" https://example-mcp-server.com/.well-known/oauth-protected-resource/mcp
403 text/html

# With User-Agent → 200 (application/json)
$ curl -s -o /dev/null -w "%{http_code} %{content_type}" -A "codex/1.0" https://example-mcp-server.com/.well-known/oauth-protected-resource/mcp
200 application/json

Codex logs show: Unexpected content type: Some("text/html") — the Cloudflare challenge page.

This is an HTTP best practice issue per RFC 9110 §10.1.5, which recommends that clients send a User-Agent header.

What steps can reproduce the bug?

  1. Host an MCP server behind Cloudflare Pages (or any CDN/WAF with bot protection that requires User-Agent)
  2. codex mcp add my-server --url https://my-cloudflare-hosted-app.com/mcp
  3. codex mcp list → shows Auth: Unsupported
  4. codex mcp login my-server → Error: No authorization support detected

What is the expected behavior?

Codex should set a User-Agent header (e.g., codex-cli/0.105.0 or rmcp/0.15.0) on all HTTP requests made by the rmcp MCP client. This would allow OAuth discovery to succeed behind CDN/WAF infrastructure with standard bot protection.

Additional information

Workaround: Adding http_headers = { "User-Agent" = "codex-mcp/1.0" } to the MCP server config in ~/.codex/config.toml resolves the issue:

[mcp_servers.my-server]
url = "https://my-cloudflare-hosted-app.com/mcp"
enabled = true
http_headers = { "User-Agent" = "codex-mcp/1.0" }

Scope: This likely affects any MCP server hosted behind Cloudflare Pages, Cloudflare Workers with bot protection, or any similar infrastructure that blocks requests without a User-Agent header. The Cloudflare Pages bot protection is enabled by default and cannot be disabled without purchasing the Bot Management add-on.

Suggested fix location: In codex-rs/rmcp-client/src/utils.rs or wherever the reqwest client is constructed — set a default User-Agent header (e.g., codex-cli/{version}).

Related but distinct: Issue #12804 reports a similar Cloudflare 403 for voice transcription, which may share the same root cause (missing User-Agent on reqwest requests).
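
Added example, not part of the original issue and not Codex or rmcp code: a std-only Rust sketch of how a client could classify the discovery probe responses shown under Evidence, so a CDN/WAF block is reported as such instead of as "Auth: Unsupported". The names `Discovery`, `classify` and `default_user_agent` are hypothetical, and reading a 404 as "no metadata published" is an assumption.

```rust
// Added example (not Codex or rmcp code): classify an OAuth discovery probe
// response so an edge/WAF block is not mistaken for "no OAuth support".

#[derive(Debug, PartialEq)]
pub enum Discovery {
    /// 200 + JSON: protected-resource metadata was returned.
    Metadata,
    /// 403 + HTML: an intermediary answered, not the MCP server.
    BlockedByEdge { hint: &'static str },
    /// 404: no metadata published at this path (assumed meaning).
    NoMetadata,
    /// Anything else: surface the status rather than guess.
    Unexpected { status: u16 },
}

/// Hypothetical helper producing the value the issue suggests, e.g. "codex-cli/0.105.0".
/// With reqwest this string would be passed to ClientBuilder::user_agent.
pub fn default_user_agent(version: &str) -> String {
    format!("codex-cli/{}", version)
}

/// Media type without parameters, lowercased ("Text/HTML; charset=UTF-8" -> "text/html").
fn media_type(content_type: Option<&str>) -> String {
    content_type
        .and_then(|v| v.split(';').next())
        .map(|v| v.trim().to_ascii_lowercase())
        .unwrap_or_default()
}

pub fn classify(status: u16, content_type: Option<&str>, sent_user_agent: bool) -> Discovery {
    match (status, media_type(content_type).as_str()) {
        (200, "application/json") => Discovery::Metadata,
        (403, "text/html") if !sent_user_agent => Discovery::BlockedByEdge {
            hint: "request had no User-Agent; set one and retry discovery",
        },
        (403, "text/html") => Discovery::BlockedByEdge {
            hint: "HTML 403 despite User-Agent; check the CDN/WAF rules",
        },
        (404, _) => Discovery::NoMetadata,
        (status, _) => Discovery::Unexpected { status },
    }
}

fn main() {
    // Constructed inputs mirroring the two curl probes in the issue.
    println!("{:?}", classify(403, Some("text/html"), false));
    println!("{:?}", classify(200, Some("application/json"), true));
    println!("{}", default_user_agent("0.105.0"));
}
```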

Labels: bug (Something isn't working), mcp (Issues related to the use of model context protocol (MCP) servers)