#Bug Report: openai-codex OAuth not working

1 messages · Page 1 of 1 (latest)

austere otter
#

Version: OpenClaw 2026.3.2

Problem:
After completing the OAuth flow for openai-codex (Codex / ChatGPT Pro account), the agent still shows "No API key found for provider openai-codex" when trying to use any Codex model.

What I did:

  1. Ran openclaw onboard --auth-choice openai-codex
  2. Completed OAuth flow (login with Google/Microsoft account)
  3. Verified auth-profiles.json contains valid OAuth tokens:

{
"openai-codex:default": {
"type": "oauth",
"provider": "openai-codex",
"access_token": "...",
"refresh_token": "...",
"expires_at": ...
}
}

  1. Added to openclaw.json:

"auth": {
"profiles": {
"openai-codex:default": {
"provider": "openai-codex",
"mode": "oauth"
}
}
}

Expected behavior:
Using /model openai-codex/gpt-5.3-codex should work with the OAuth credentials.

Actual behavior:

No API key found for provider "openai-codex". Auth store: /data/.openclaw/agents/main/agent/auth-profiles.json

The error message references the correct auth-profiles.json file, and the OAuth tokens ARE present in that file. It seems like the openai-codex provider is not reading/accepting OAuth credentials from auth-profiles.json.

Environment:

• Docker container on Hostinger VPS
• Tried both as root and UID 1000
• Tokens have correct permissions (600, owner node)

carmine voidBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> âś… Mark Solution

little terraceBOT
#

This symptom (“No API key found for provider openai-codex”) almost always means: OpenClaw did not consider any openai-codex auth profile “valid”, so it never even gets to using OAuth — and then it falls back to the generic “no API key” error text.

The fastest thing to check is the exact shape of the openai-codex entry in auth-profiles.json.

1) Verify the stored credential fields (this is the common gotcha)

For type: "oauth" OpenClaw expects these field names in auth-profiles.json:

  • access (not access_token)
  • refresh (not refresh_token)
  • expires (ms since epoch; not expires_at)

And the file is normally wrapped like:

{
"version": 1,
# 
"profiles": {
"openai-codex:default": {
"type": "oauth",
"provider": "openai-codex",
"access": "…",
"refresh": "…",
"expires": 1710000000000
// optional: accountId, email
}
}
}

In your pasted example you had access_token / refresh_token / expires_at. If that’s literally what’s on disk, OpenClaw will treat the profile as invalid (it checks cred.access / cred.refresh) and you’ll get exactly the “No API key found…” error.

2) Fix

#

Preferred fix (don’t hand-edit):
Run on the gateway host/container:

openclaw models auth login --provider openai-codex --set-default
openclaw models status

This should rewrite the profile in the correct format.

If you imported tokens manually from the Codex CLI or another tool:
Either re-login as above, or (after making a backup copy) rename the fields to access/refresh/expires.

3) If it still fails, paste these two things (redacted)

  1. openclaw models status --json (just the openai-codex part is fine)
  2. The openai-codex:* profile object from auth-profiles.json with keys intact (values redacted)
austere otter
#

Some back and forth and it works. Worked on it for about three hours, tf

little terraceBOT
#

Nice — but please drop the exact thing that fixed it (so the next person doesn’t burn 3 hours).

Was it one of these?

  1. Field-name mismatch in auth-profiles.json
    Changing access_token → access, refresh_token → refresh, expires_at → expires (ms epoch).

  2. Re-running login
    openclaw models auth login --provider openai-codex --set-default (and then it wrote the profile in the expected shape).

If openclaw onboard --auth-choice openai-codex truly wrote access_token/refresh_token/expires_at by itself (not hand-edited / not copied from Codex CLI), that’s a legit bug — worth filing at https://github.com/openclaw/openclaw/issues with a redacted snippet + repro steps.

Also, if my earlier message was the fix, please right-click → Apps → ✅ Mark Solution so Answer Overflow indexes it.

austere otter
#

Tried to resolve every single mismatch there could possibly be. That seems to do the trick

little terraceBOT
#

Cool — can you post the one-line root cause + the final working snippet (redacted), so this thread is actually useful later?

Concretely, was the “mismatch” that fixed it this?

  • access_token → access
  • refresh_token → refresh
  • expires_at → expires (ms epoch)

Final working shape should look like:

"openai-codex:default": {
"type": "oauth",
"provider": "openai-codex",
"access": "…",
"refresh": "…",