sinful elk
The latest update has broken my OpenAI Codex logins order. I previously had 5 profiles and in openclaw.json that order is showing however in auth_profiles.json that no longer exists:
it used to have:
"order": {
"openai-codex": [
"openai-codex:XXXX@XX.uk",
"openai-codex:XX@XX.tv",
"openai-codex:XX@XX.tv",
"openai-codex:XX@XX.tv",
"openai-codex:XX@XX.uk"
]
},
pseudo voidBOT
storm hareBOT
pseudo voidBOT
hollow moatBOT
Let me check the auth-store/state code too, since this smells like the order moved out of auth-profiles.json rather than disappearing.
I think part of this is a storage change, not necessarily lost data.
On current OpenClaw:
auth-profiles.json stores the actual profiles/secretsauth-state.json stores runtime routing state like order, lastGood, and usageStatsSo if youβre only checking auth-profiles.json, it makes sense that order is gone there.
If the real issue is that OpenClaw is no longer honoring your configured Codex profile order, can you paste these?
openclaw --version
openclaw models auth order get --provider openai-codex
openclaw models status --probe
If you want to set the per-agent order explicitly again, the CLI is now:
openclaw models auth order set --provider openai-codex <profile1> <profile2> <profile3> ...
Docs:
If openclaw.json still has auth.order.openai-codex and it still is not respected, that does sound like a bug. The --probe output should tell us pretty quickly whether itβs an order issue or a profile-id mismatch.
sinful elk
i dont want it per agent i want it as default
hollow moatBOT
Yep, then openclaw.json is the right place.
Use the shared/default config order there:
auth: {
order: {
"openai-codex": [
"openai-codex:XXXX@XX.uk",
"openai-codex:XX@XX.tv",
"openai-codex:XX@XX.tv",
"openai-codex:XX@XX.tv",
"openai-codex:XX@XX.uk"
]
}
}
Current behavior is basically:
openclaw.json β default/shared orderauth-state.json β per-agent override onlyauth-profiles.json β profiles/secrets onlySo if order disappeared from auth-profiles.json, that part is expected.
If you want the global default to win, make sure there is no per-agent override shadowing it:
openclaw models auth order clear --provider openai-codex
If it still ignores the openclaw.json order after that, paste:
openclaw --version
openclaw models status --probe
At that point itβs probably a real bug.
Docs:
sinful elk
openclaw --version
openclaw models auth order get --provider openai-codex
openclaw models status --probe
OpenClaw 2026.4.11 (769908e)
π¦ OpenClaw 2026.4.11 (769908e)
I keep secrets like a vault... unless you print them in debug logs again.
Agent: main
Provider: openai-codex
Auth state file: ~/.openclaw/agents/main/agent/auth-state.json
Order override: (none)
hollow moatBOT
Thanks, that narrows it down a lot.
Order override: (none) means main is not using a per-agent override, so it should be falling back to the default/shared auth.order.openai-codex from openclaw.json, which is what you want.
So if the order is still wrong, the most likely issue is this:
auth.order.openai-codex no longer exactly match the current openai-codex:* keys in auth-profiles.jsonThat can happen after a login/migration/update if profile IDs got regenerated.
I also donβt see any actual output from:
openclaw models status --probe
Thatβs the important one here. Can you paste:
openclaw models status --probe outputauth.order.openai-codex block from openclaw.jsonopenai-codex:* profile IDs from ~/.openclaw/agents/main/agent/auth-profiles.jsonIf those IDs all match exactly and it still ignores the config order, then yeah, Iβd call that a real regression in 2026.4.11.
sinful elk
openclaw models status --probe
π¦ OpenClaw 2026.4.11 (769908e)
iMessage green bubble energy, but for everyone.
β
10:39:50+01:00 [plugins] [lcm] Ignoring sessions matching 1 pattern(s): agent:*:cron:**
10:39:50+01:00 [plugins] [lcm] Plugin loaded (enabled=true, db=/home/hl-metabase/.openclaw/memory/lossless-claw/lcm.db, threshold=0.6)
10:39:50+01:00 [plugins] [lcm] Registered context engine id=lossless-claw (plugins.slots.contextEngine must point to "lossless-claw"; plugin ids alone do not activate a context engine)
10:39:50+01:00 [plugins] [lcm] Compaction summarization model: openai-codex/gpt-5.1-codex-mini (override)
10:40:08+01:00 [plugins] [lcm] afterTurn hook fired sessionKey= sessionId=probe-google-e56fb86b-ab71-4c97-8e7e-515bf2721893 prePrompt=0 totalMessages=2
10:40:08+01:00 [plugins] [lcm] ingestBatch() sessionKey= sessionId=probe-google-e56fb86b-ab71-4c97-8e7e-515bf2721893 count=2 heartbeat=false
10:40:08+01:00 [plugins] [lcm] afterTurn ingested 2/2 message(s) for sessionKey=
β
Config : ~/.openclaw/openclaw.json
Agent dir : ~/.openclaw/agents/main/agent
Default : openai-codex/gpt-5.4
Fallbacks (0) : -
Image model : -
Image fallbacks (0): -
Aliases (0) : -
Configured models (9): openai-codex/gpt-5.1, openai-codex/gpt-5.1-codex-max, openai-codex/gpt-5.1-codex-mini, openai-codex/gpt-5.2, openai-codex/gpt-5.2-codex, openai-codex/gpt-5.3-codex, openai-codex/gpt-5.3-codex-spark, openai-codex/gpt-5.4, openai-codex/gpt-5.4-mini
Auth overview
Auth store : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (3): google-antigravity (1), google-gemini-cli (1), openai-codex (1)
OAuth/token status
Auth probes
ββββββββββββββββββββ¬βββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β Model β Profile β Status β
ββββββββββββββββββββΌβββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββββ€
β google/gemini-1. β models.json (api_key) β ok Β· 11.2s β
β 5-flash β β β
β google- β google- β auth Β· 5.6s β
β antigravity/ β antigravity:default β β³ OAuth token refresh failed β
β claude-opus-4-5- β (oauth) β for google-antigravity: Failed β
β thinking β β to refresh OAuth token for β
β β β google-antigravity. Please try β
β β β again or re-authenticate. β
β google-gemini- β google-gemini- β auth Β· 1.3s β
β cli/gemini-2.0- β cli:default (oauth) β β³ OAuth token refresh failed β
β flash β β for google-gemini-cli: Failed β
β β β to refresh OAuth token for β
β β β google-gemini-cli. Please try β
β β β again or re-authenticate. β
β ollama/- β env (api_key) β no_model Β· - β
β β β β³ No model available for probe β
β openai-codex/ β openai-codex:default β unknown Β· - β
β gpt-5.4 β (oauth) β β³ Excluded by auth.order for β
β β β this provider. β
ββββββββββββββββββββ΄βββββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββ
Probed 3 targets in 33s
hollow moatBOT
That paste still cuts off before the auth/probe part, so we still canβt see the actual resolved profile order.
What we do know now:
2026.4.11main should be using openclaw.json auth.order.openai-codexAt this point the two likely causes are:
auth.order.openai-codex no longer exactly match the current openai-codex:* profile IDs2026.4.11 has a regression hereCan you run this more targeted one and paste it?
openclaw models status --json --probe --probe-provider openai-codex
Iβm specifically looking for whether it shows:
openai-codex profile IDsexcluded_by_auth_orderunusableProfilesIf you want the fastest local sanity check, also compare:
auth.order.openai-codex in ~/.openclaw/openclaw.jsonopenai-codex:* keys in ~/.openclaw/agents/main/agent/auth-profiles.jsonIf those strings differ at all, the default order can effectively stop matching.
Let me check the Codex auth code path quickly, because your output shows the real problem now: OpenClaw only sees one Codex profile, not five.
Ah, okay, this makes it pretty clear.
The problem is not the order file anymore. The problem is that OpenClaw currently sees only one Codex auth profile:
openai-codex:defaultprofiles=1So thereβs nothing left to rotate between. Your old 5-profile auth.order.openai-codex canβt apply if only one openai-codex:* profile exists in auth-profiles.json.
I checked the current source, and the Codex external CLI sync path is wired to a single fixed profile id, openai-codex:default. So if your old setup depended on multiple Codex logins in one agent, this really does look like a regression in 2026.4.11.
Short version:
auth-profiles.json no longer contains your 5 Codex profilesIβd file this as a bug, with exactly this evidence:
openclaw --versionopenclaw models auth order get --provider openai-codexopenclaw models status --probeopenai-codex:defaultBug tracker:
https://github.com/openclaw/openclaw/issues
Relevant docs:
Workaround for now, if you need multiple Codex accounts immediately:
openai-codex:* profilesGlad we caught the real failure mode, itβs not just the order key moving.
Yep, that probe nails it.
openai-codex:default is being excluded by your global auth.order.
So the situation is:
openclaw.json still has the old 5-profile auth.order.openai-codexauth-profiles.json now only has one Codex profile: openai-codex:defaultauth.order exists, OpenClaw will exclude any stored profile not listed thereIn ~/.openclaw/openclaw.json, either:
auth.order.openai-codex entirely, orauth: {
order: {
"openai-codex": ["openai-codex:default"]
}
}
Then restart:
openclaw gateway restart
This fixes the immediate breakage, but it also confirms the deeper regression:
openai-codex:defaultSo Iβd still file a bug for that part, with this exact probe output:
https://github.com/openclaw/openclaw/issues
If you want, I can help you write the issue text cleanly.
sinful elk
raise the bug
hollow moatBOT
I canβt open the GitHub issue for you from here, but hereβs a clean copy-paste draft.
File it at:
https://github.com/openclaw/openclaw/issues
Title
Codex multi-profile auth collapsed to openai-codex:default on 2026.4.11, causing auth.order to exclude the only remaining profile
Body
## Version
OpenClaw 2026.4.11 (769908e)
## Summary
After updating, my existing multi-profile OpenAI Codex auth setup appears to have collapsed to a single profile (`openai-codex:default`).
I previously had 5 Codex profiles and a matching global `auth.order.openai-codex` in `openclaw.json`.
After the update:
- `auth-profiles.json` only shows 1 Codex profile
- `openclaw models auth order get --provider openai-codex` shows no per-agent override
- `openclaw models status --probe` shows the only remaining Codex profile being excluded by `auth.order`
This breaks Codex auth entirely unless I manually remove or rewrite the old global order.
## Expected
One of these should happen:
1. existing multi-profile Codex auth profiles should be preserved, or
2. if profiles collapse/migrate, `auth.order` should be migrated too, or
3. the only remaining valid Codex profile should not be silently excluded
## Actual
The only remaining Codex profile is:
- `openai-codex:default`
And probe shows:
- `openai-codex/gpt-5.4`
- `openai-codex:default (oauth)`
- `Excluded by auth.order for this provider`
## Relevant outputs
### auth order
```text
openclaw models auth order get --provider openai-codex
Agent: main
Provider: openai-codex
Auth state file: ~/.openclaw/agents/main/agent/auth-state.json
Order override: (none)
### auth overview
```text
Auth overview
Auth store : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (3): google-antigravity (1), google-gemini-cli (1), openai-codex (1)
- openai-codex effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=1, token=0, api_key=0) | openai-codex:default=OAuth
OAuth/token status
- openai-codex
- openai-codex:default ok expires in 10d
Auth probes
...
β openai-codex/ β openai-codex:default β unknown Β· - β
β gpt-5.4 β (oauth) β β³ Excluded by auth.order for β
β β β this provider. β
...
## Workaround
Global workaround is to remove `auth.order.openai-codex` from `openclaw.json`, or replace it with:
```json5
auth: {
order: {
"openai-codex": ["openai-codex:default"]
}}
That restores functionality, but the old multi-profile Codex setup is still gone.
If you want, I can tighten that down even more before you post it.
sinful elk
ok raised the bug is there any fix for now?
hollow moatBOT
Yep, thereβs a workable temporary fix.
In ~/.openclaw/openclaw.json, either:
auth.order.openai-codex completely, orauth: {
order: {
"openai-codex": ["openai-codex:default"]
}
}
Then restart:
openclaw gateway restart
That should restore Codex auth with the one remaining profile.
This only fixes access with the current surviving profile. It does not restore your old 5-profile rotation.
Best workaround for now is:
because your current install is only surfacing a single openai-codex:default profile in main.
If you want, I can help you sanity-check the exact openclaw.json edit before you restart.
sinful elk
so relogging into my profiles is adding them to auth-profile so i suspect i need order in auth-state
hollow moatBOT
Yep, that sounds right.
If re-login is recreating the openai-codex:* entries in auth-profiles.json, then the remaining problem is probably just that your global auth.order.openai-codex still points at the old profile IDs.
So:
auth-state.json for the default/shared fix.auth-state.json would work as a temporary per-agent override for main.Update ~/.openclaw/openclaw.json so auth.order.openai-codex contains the current relogged profile IDs, in the order you want.
Then restart:
openclaw gateway restart
If you just want it working and donβt care about exact order for a minute, remove auth.order.openai-codex entirely from openclaw.json.
Then OpenClaw should use the stored profiles from auth-profiles.json and stop excluding them.
You can use auth-state via:
openclaw models auth order set --provider openai-codex <profile1> <profile2> ...
But that is only for that agent, not your global default.
So your instinct is close, but for the setup you want, the real fix is: refresh openclaw.json with the new profile IDs.
sinful elk
current state file:
{
"version": 1,
"lastGood": {
"openai-codex": "openai-codex:xxx@xx.tv"
},
"usageStats": {
"openai-codex:xx@xx.tv": {
"errorCount": 1,
"lastFailureAt": 1776074276268,
"lastUsed": 1776074016968,
"failureCounts": {
"rate_limit": 1
},
"cooldownUntil": 1776075560268,
"cooldownReason": "rate_limit",
"cooldownModel": "gpt-5.4"
}
}
}
hollow moatBOT
Yep, that auth-state.json looks normal.
Itβs only holding:
lastGoodusageStatsThereβs no problem with that file by itself, and you do not need to manually add order there unless you want a per-agent override.
Two useful takeaways from what you pasted:
rate_limit cooldown for gpt-5.4, so it may get pushed back temporarily even with correct orderingopenclaw.json auth.order.openai-codex to the current relogged profile IDs, orauth.order.openai-codex entirely and let OpenClaw use the stored profiles automaticallyUse the CLI once to set a per-agent order for main:
openclaw models auth order set --provider openai-codex <current-profile-1> <current-profile-2> ...
If that works, then you know the global fix is just mirroring that same list into openclaw.json.
So, short answer: no, you donβt need to hand-edit auth-state.json for the default fix. The stale global auth.order is still the real thing to update.
sinful elk
openclaw.json is fine its the order statement in auth-state that i need updating
hollow moatBOT
If your goal is to fix main right now, then yes, auth-state is the lever.
auth-state.json order override takes precedence over openclaw.json, so the clean way is:
openclaw models auth order set --provider openai-codex <current-profile-1> <current-profile-2> <current-profile-3> ...
That writes the order block into auth-state.json for main.
Then verify with:
openclaw models auth order get --provider openai-codex
openclaw models status --probe
A couple of gotchas:
openai-codex:* IDs from auth-profiles.jsonauth-state.json if you can avoid it, the CLI is saferrate_limit cooldown can still get pushed to the back temporarilyIf you want to go back to config-only later:
openclaw models auth order clear --provider openai-codex
So yes, for the immediate fix youβre describing, auth-state order override is the right move.
dire sandal
@hollow moat why is the new 4.12 update making google gemini cli not work properly
hollow moatBOT
That sounds like a separate issue from the Codex order bug, so please open a new #help thread for it so this one stays searchable π
In the new thread, please include:
openclaw --version
openclaw models status
and the exact Gemini CLI error/output youβre seeing.
Relevant setup docs:
https://docs.openclaw.ai/help/faq#how-do-i-set-up-gemini-cli-oauth
If you paste the error there, I can help dig in.
sinful elk
what can i add to the auth-state .json to include the order?
hollow moatBOT
Youβd add a top-level order block, like this:
{
"version": 1,
"order": {
"openai-codex": [
"openai-codex:profile1@example.com",
"openai-codex:profile2@example.com",
"openai-codex:profile3@example.com"
]
},
"lastGood": {
"openai-codex": "openai-codex:profile2@example.com"
},
"usageStats": {
"openai-codex:profile2@example.com": {
"errorCount": 1,
"lastFailureAt": 1776074276268,
"lastUsed": 1776074016968,
"failureCounts": {
"rate_limit": 1
},
"cooldownUntil": 1776075560268,
"cooldownReason": "rate_limit",
"cooldownModel": "gpt-5.4"
}
}
}
A couple of important bits:
openai-codex:* profile IDs from auth-profiles.jsonlastGood and usageStats as-isorder is a top-level sibling of those fieldsThat said, Iβd still strongly recommend writing it with the CLI instead of hand-editing:
openclaw models auth order set --provider openai-codex <profile1> <profile2> <profile3>
Then verify:
openclaw models auth order get --provider openai-codex
openclaw models status --probe