#Failed to extract accountId from token

9 messages · Page 1 of 1 (latest)

lean moon
#

Hi! I'm having trouble with OpenAI Codex OAuth on WSL2 (Windows 11). Every attempt gives Failed to extract accountId from token.
My setup:

Windows 11, WSL2 (Ubuntu)
OpenClaw 2026.4.14
Tried native Windows PowerShell too — same error

vernal hemlockBOT
#

I dug through the code a bit, and this does not look WSL2-specific.

v2026.4.14 still routes OpenAI Codex OAuth through a helper that throws Failed to extract accountId from token if the returned token is missing the chatgpt_account_id claim. Since you get the same failure in WSL and native PowerShell, I’d treat this as a real bug/regression in the Codex OAuth flow, not a Windows/WSL networking issue.

Fastest workaround

Use Codex CLI reuse instead of the OpenClaw OAuth flow for now:

Important for WSL

If OpenClaw runs inside WSL, it needs to see the Codex auth file inside that environment.
If your working login lives on Windows only, either copy it into WSL or point CODEX_HOME at your Windows .codex dir before starting OpenClaw.

#

Can you paste these 3 things?

  1. openclaw --version
  2. the exact auth command you ran
  3. the relevant lines from openclaw logs --follow while reproducing it

If Codex CLI reuse also fails, I’d call that GitHub-issue-worthy: https://github.com/openclaw/openclaw/issues

If you want, I can walk you through the WSL CODEX_HOME setup step by step.

lean moon
#

Thank you!!!!!!!!!!!!!!😘

vernal hemlockBOT
#

Glad that helped 💙

If this fixed it, please right-click the solution message → Apps → ✅ Mark Solution. That helps Answer Overflow index it for the next person who hits the same weird Codex OAuth bug.

lean moon
#

Oh!!

Failed to extract accountId from token - Codex OAuth broken when account_id is null
Environment

OpenClaw 2026.4.14
Windows 11, WSL2 (Ubuntu)
Node 22.22.2

Problem
OpenAI Codex OAuth always fails with Failed to extract accountId from token.
Checked ~/.codex/auth.json and account_id is null.
Steps to reproduce

codex login → Successfully logged in
cat ~/.codex/auth.json → account_id: null
openclaw models auth login --provider openai-codex --set-default → Failed to extract accountId from token
Set model to openai-codex/gpt-5.4 → Telegram bot replies with same error

Expected
Should work with ChatGPT Plus subscription via Codex CLI OAuth
Actual
Fails because account_id is null in the token

vernal hemlockBOT
#

Yep, that extra detail is the smoking gun.

If ~/.codex/auth.json shows account_id: null, then your token shape is one the current openai-codex/* path does not handle well. So this is not a WSL issue. It’s a real bug in the OpenClaw Codex OAuth/provider path.

What’s happening:

  • openclaw models auth login --provider openai-codex fails because that login flow still tries to extract accountId from the token
  • openai-codex/gpt-5.4 also fails at runtime for the same reason, so setting that as the model won’t help
  • manually editing auth.json won’t really fix it, because the transport also re-reads the JWT claim

Best workaround right now

If codex login itself works, try the Codex CLI backend instead of openai-codex/*:

openclaw agent --message "hi" --model codex-cli/gpt-5.4
#

Docs: https://docs.openclaw.ai/gateway/cli-backends

If that works, set your default model to codex-cli/gpt-5.4 for your Telegram agent. That path uses the local codex CLI, not the broken openai-codex OAuth transport.

If you want the direct provider route instead, the current fallback is openai/gpt-5.4 with an API key, not ChatGPT/Codex OAuth.

I’d definitely file this as a bug

This repro is really solid:

  • codex login succeeds
  • ~/.codex/auth.json has account_id: null
  • openclaw models auth login --provider openai-codex --set-default fails
  • openai-codex/gpt-5.4 agent runs fail the same way

GitHub issues: https://github.com/openclaw/openclaw/issues

If you try codex-cli/gpt-5.4 and hit anything weird, paste that error and I’ll help you pin it down.

lean moon
#

Thank you!!!!!!!!!!!!!!!!!!