#openai-codex/gpt-5.4 - insufficient permissions

HTTP 401: You have insufficient permissions for this operation. Missing scopes: model.request. Check that you have the correct role in your organization (Reader, Writer, Owner) and project (Member, Owner)

That 401 is coming from the OpenAI side, not OpenClaw. It means the credential you’re using does not have permission to make model calls (model.request), usually because of org/project role or a restricted key.

Checklist to fix:

1. Verify you’re in the right Organization + Project

• In the OpenAI dashboard, make sure you’re a Member/Owner of the Project the key belongs to.
• Org role needs to be Writer or Owner (Reader can’t request models).

2. Check the API key permissions

• If it’s a restricted key, edit it (or create a new one) and ensure it allows model requests (the scope named in the error: model.request).

3. Make sure you’re actually using that key

• If you have multiple env vars / config files, it’s easy to accidentally run with an older restricted key.
• After updating the key in OpenClaw, restart the gateway/client so the new env/config is picked up.

If you paste (sanitized) how you’re providing the key (env var vs OpenClaw config) + your openclaw --version, I can point to the exact place to update it and how to verify which credential is being used.

i'm not using any API - i'm using oauth

OAuth still hits the same model API — it’s just using an access token instead of an API key. That token also carries scopes, and yours is missing model.request, so OpenAI is refusing the call.

Most common reasons with OAuth:

1. You’re authenticated into an org/project where you’re effectively “read-only”

• Even if you personally can use ChatGPT, the API/org/project side can have you as Org: Reader and/or not a Project: Member/Owner.
• If you belong to multiple orgs/projects, OAuth often “picks” a default one.

2. The OAuth grant you have doesn’t include the needed scope

• Fix is usually: revoke the app/session and re-authorize after your org/project access is corrected.

What to do:

• In the OpenAI dashboard, confirm the organization + project you’re landing in, and that your role is Org: Writer/Owner and Project: Member/Owner.
• Then re-run the OAuth login (after revoking the prior authorization).

To pinpoint which path you’re on: what exactly is doing the OAuth login here — Codex CLI, OpenClaw onboarding, or something else? If you tell me which, I can give the precise “where to revoke / re-login” steps for that tool.

within openai dashboard, its all standard "personal" organisation - no specific project. where can i see the writer/owner?

from openclaw chat: What happened:
You selected openai-codex/gpt-5.4
OpenClaw tried to use it → failed with Missing scopes: model.request
OpenClaw's failover kicked in → silently switched to a fallback model
You got a response — but from the fallback, not gpt-5.4
The logs showed the error:
HTTP 401: Missing scopes: model.request

You’ll only see Writer/Owner (org role) + Project Member/Owner in the API platform UI (not the ChatGPT workspace UI).

Do this on https://platform.openai.com:

1) Check org role (Reader/Writer/Owner)

• Click your profile icon (top-right)
• Settings
• Organization → Members
• Your row should show a role like Owner / Writer / Reader

On a “personal” org you’re usually Owner — if it says Reader, that explains the error.

2) Check project membership (Member/Owner)

• In the left sidebar: Projects
• Click the Default project (or any project)
• Go to Members (or similar tab)
• Confirm you’re Member/Owner there too

Even if you didn’t create anything, there’s typically still a Default project.

If you are Owner in org + member/owner in the default project and you still get Missing scopes: model.request, then it’s almost always one of:

• the OAuth login is attached to a different org/project than you think (OAuth picked a default you didn’t notice), or
• the OAuth grant/token is missing scopes → revoke and re-authorize.

If you tell me what you’re doing the OAuth login through (Codex CLI vs OpenClaw onboarding vs something else), I can give the exact “where to revoke / re-login” steps for that specific flow.

Yep — that summary from OpenClaw chat is exactly what happened.

OpenClaw failover works in two layers (docs): it will first rotate auth profiles for the same provider, and if that still fails it will fall back to the next model in agents.defaults.model.fallbacks so you still get some reply.
Docs: https://docs.openclaw.ai/help/faq#how-does-failover-work

How to confirm what model actually replied

In the same chat/thread, run:

• /model status (shows the currently active model/provider for that session)

Or on the gateway host:

• openclaw models status (best single command to see provider auth + what’s failing)

How to fix the Codex OAuth error

Re-run the Codex OAuth flow on the gateway host:

openclaw models auth login --provider openai-codex

(or re-run the wizard: openclaw onboard --auth-choice openai-codex)

Docs: https://docs.openclaw.ai/providers/openai#option-b-openai-code-codex-subscription

If you still get Missing scopes: model.request even after re-login, that’s not an OpenClaw config thing — it means the OpenAI account you’re authorizing doesn’t have the Codex/API permission scope (account/org entitlement). In that case you either need OpenAI-side access fixed, or use a non-Codex provider/model in OpenClaw.

If you paste the output of openclaw models status (it redacts secrets), I can tell you exactly which provider/profile it’s trying and what it considers “unusable.”

clawd@clawdbot:~$ openclaw models status

🦞 OpenClaw 2026.3.7 (42a1394) — More integrations than your therapist's intake form.

Config : ~/.openclaw/openclaw.json
Agent dir : ~/.openclaw/agents/main/agent
Default : openai-codex/gpt-5.4
Fallbacks (5) : moonshot/kimi-k2-0905-preview, moonshot/kimi-k2.5, ollama/llama3.2:3b, minimax/MiniMax-M2.5, minimax/MiniMax-M2.1
Image model : -
Image fallbacks (0): -
Aliases (0) : -
Configured models (6): moonshot/kimi-k2-0905-preview, moonshot/kimi-k2.5, ollama/llama3.2:3b, minimax/MiniMax-M2.5, minimax/MiniMax-M2.1, openai-codex/gpt-5.4

Auth overview
Auth store : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (1): openai-codex (1)

• minimax effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | minimax:default=sk-cp-5p...wwFmpIC8
• moonshot effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | moonshot:default=sk-hdCva...gxizBmCz
• openai-codex effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=1, token=0, api_key=0) | openai-codex:default=OAuth

Missing auth

• ollama Run openclaw configure or set an API key env var.

OAuth/token status

• openai-codex usage: 5h 100% left ⏱4h 59m · Week 91% left ⏱6d 6h
  • openai-codex:default ok expires in 10d
    clawd@clawdbot:~$

That models status output is super helpful — it shows:

• You do have an openai-codex:default OAuth profile stored, and it’s not expired (expires in 10d).
• So this isn’t “you forgot to log in” — it’s “the token you have is valid, but OpenAI is rejecting actual model calls with Missing scopes: model.request”.

Next things I’d try (in this order):

1) Run a live probe to reproduce in a controlled way

This will actually attempt a request and should surface the same 401 (and sometimes extra details):

openclaw models status --probe --probe-provider openai-codex

2) Re-do the Codex OAuth login (to refresh scopes)

If OpenAI changed what scopes are granted/required, the fix is often just re-authorizing:

openclaw models auth login --provider openai-codex

Then re-run the probe from step (1).

3) If it still fails: it’s likely account entitlement (OpenAI-side) or a provider bug

At that point, two quick checks help isolate it:

• Can you use Codex directly when logged into the same OpenAI account (web/Codex CLI)? If that also fails, it’s almost certainly an OpenAI account/org entitlement issue.
• If Codex works elsewhere but OpenClaw still gets model.request missing, it’s likely an OpenClaw openai-codex auth scope regression → worth filing a GitHub issue with:
  • your OpenClaw version (2026.3.7 you already have)
  • the exact 401 line from logs
  • output of openclaw models status --probe --probe-provider openai-codex --json

(Also minor: you’ve got ollama/... in fallbacks but “Missing auth”; not related to the 401, but it can cause extra fallback churn later.)

Auth probes
┌──────────────────┬────────────────────────┬───────────────────────────────────────┐
│ Model │ Profile │ Status │
├──────────────────┼────────────────────────┼───────────────────────────────────────┤
│ openai-codex/ │ openai-codex:default │ auth · 2.6s │
│ gpt-5.4 │ (oauth) │ ↳ HTTP 401: You have insufficient │
│ │ │ permissions for this operation. │
│ │ │ Missing scopes: model.request. Check │
│ │ │ that you have the correct role in │
│ │ │ your organization (Reader, Writer, │
│ │ │ Owner) and project (Member, Owner), │
│ │ │ and if you're using a restricted API │
│ │ │ key, that it has the necessary │
│ │ │ scopes.

That probe result is the smoking gun: the OAuth token is valid, but OpenAI is explicitly saying it doesn’t include the model.request permission, so every Codex request will 401 no matter what OpenClaw does on retry/failover.

A few practical takeaways / next steps:

1. There’s no OpenClaw-side “toggle” to add scopes to an already-issued OAuth token. The only fixes are:

• OpenAI grants your account/token that scope (entitlement/role), or
• OpenClaw’s OAuth flow needs to request the right scope(s) (if this is a regression on our side).

2. Quick workaround so you don’t silently fall back every time
   Until Codex OAuth works, set your primary model to something that’s already configured + authenticated for you (one of the models shown under “Configured models / fallbacks”), using either:

• /model (in chat) and pick from the list, or
• openclaw models set <something-working>

3. To isolate “my account” vs “OpenClaw OAuth scope bug”
   Can you use Codex with the same OpenAI login outside OpenClaw (Codex web or Codex CLI) successfully?

• If no → it’s almost certainly OpenAI account/org entitlement (you’ll need OpenAI-side access fixed).
• If yes → this looks like an OpenClaw openai-codex OAuth scope mismatch and should be reported.