XMemo for ChatGPT, Claude, Gemini, and MCP
MCP entry · Multi-market ready
A hosted, OAuth-protected Streamable HTTP MCP endpoint that lets ChatGPT, Claude, Gemini, GitHub Copilot, and compatible agents search, recall, save, update, and govern user-owned memory without raw token paste.
Open Docs chapter
OAuth without token paste
ChatGPT connects through the XMemo OAuth adapter while direct MCP clients use local secret stores, so reviewers and users never copy raw bearer tokens into public configuration.
VS Code / Copilot first-run path
Add https://xmemo.dev/mcp in VS Code, approve the browser OAuth prompt, then use XMemo without pasting a raw token into mcp.json.
Scoped memory actions
Read, write, update, reminder, redaction, and conflict-review tools are mapped to memory scopes and marketplace-safe tool annotations.
Review-ready privacy boundary
Public pages, screenshots, recordings, marketplace listings, and tool responses must stay free of tokens, trace IDs, internal account IDs, raw logs, and unrelated PII.
Universal MCP URL for marketplace review
Submit XMemo as a universal hosted MCP server URL wherever the marketplace accepts remote MCP. Use OAuth for the ChatGPT lane, local secret-store credentials for direct clients, and keep marketplace-specific review flows separated from the npm CLI.
MCP Server URL: https://xmemo.dev/mcp
Authentication: OAuth for ChatGPT and VS Code / GitHub Copilot
Resource / audience: https://xmemo.dev/mcp
Direct MCP clients: set XMEMO_KEY in the local environment or secret store
- MCP Server URL — https://xmemo.dev/mcp
- Transport — Streamable HTTP over HTTPS
- Authentication — OAuth for ChatGPT and VS Code / GitHub Copilot; bearer-scoped credentials for direct MCP clients
- Public support — https://xmemo.dev/support
What OpenAI reviewers should be able to verify
A reviewer should be able to authorize, list tools, search memory, save a synthetic test memory, read it back, create a test reminder, and reconnect without extra configuration.
- Tool discovery — ChatGPT can initialize the hosted MCP endpoint and list XMemo memory tools.
- Read path — Search and recall return scoped memory or a clear empty-state response.
- Write path — Controlled write/readback tests use synthetic review data and do not expose tokens or backend internals.
- Reconnect — The app recovers to tool discovery after reconnect without asking the reviewer to paste raw bearer tokens.
One hosted memory layer, separate marketplace lanes
ChatGPT is the strictest review lane, but XMemo should also stay ready for Claude apps, GitHub MCP marketplace, Gemini MCP marketplace, OpenClaw MCP marketplace, and skills directories without making any one marketplace the default product boundary.
- Shared baseline — Keep xmemo.dev, /product/mcp, /support, privacy, terms, server.json, and the hosted MCP endpoint consistent across every submission.
- Lane-specific evidence — Capture separate redacted evidence bundles for ChatGPT, Claude, GitHub MCP, Gemini, OpenClaw, and Skills so one review's requirements do not block the others.
- Auth separation — Use OAuth where the platform requires an app authorization flow, and keep direct MCP bearer credentials limited to local environments or approved secret stores.
- Listing separation — Reuse the XMemo product story, but tailor screenshots, setup steps, and reviewer notes to each marketplace's supported client surface.
Public-safe memory review posture
XMemo is designed for user-owned memory. Tool descriptions, privacy copy, support materials, screenshots, and demo recordings should present only the minimum information needed for the user's request.
- Privacy — Memory content, account metadata, OAuth-scoped access, operational telemetry, and support diagnostics are disclosed in the Privacy Notice.
- Terms — Credential handling, acceptable use, service boundaries, and abuse-response rights are disclosed in the Terms of Service.
- Support — Users and reviewers can find setup help, privacy request guidance, and security-reporting rules on the Support page.
Before the final OpenAI submit
The app draft can import the prepared JSON, but the live reviewer journey should stay complete before the final review submission.
- Live public pages — Website, MCP product page, privacy policy, terms, and support page should all return 200 and present reviewer-safe English copy when no language preference is sent.
- Reviewer workspace — Provide a no-MFA demo account with synthetic sample memory, granted OAuth access, and no requirement to paste bearer tokens.
- Evidence package — Attach redacted screenshots and a short demo recording that covers OAuth, tool discovery, search/read, controlled write/readback, reminder creation, and reconnect.
- No secret leakage — Screenshots, recordings, support issues, and tool responses must not include bearer tokens, OAuth codes, cookies, trace IDs, internal account IDs, raw logs, or private memory content.