#OpenAI Codex OAuth login fails on headless/WSL2 — PTY crashes with setRawMode EIO

6 messages · Page 1 of 1 (latest)

hasty coral Apr 16, 2026, 10:23 AM

Setup: OpenClaw 2026.4.5 on Ubuntu/WSL2 (headless, no display). Running openclaw models auth login --provider openai-codex from an agent's exec tool (PTY mode).

What happens:

The OAuth flow starts correctly — generates PKCE challenge, shows the authorize URL
User opens the URL in their local browser, signs in, gets redirected to localhost:1455/auth/callback?code=...
User pastes the redirect URL back into the PTY prompt
The PTY session crashes before the token exchange completes

Error from gateway logs:

Unhandled promise rejection: Error: Agent listener invoked outside active run
Uncaught exception: Error: setRawMode EIO
    at ReadStream.setRawMode (node:tty:81:24)

Attempted workarounds:

send-keys with literal text (no Enter submitted)
paste action with text + newline (session dies before exchange)
Tried multiple times with fresh OAuth codes — same crash every time

Environment:

WSL2 (Windows Subsystem for Linux)
No physical TTY — headless server
OpenClaw browser config: headless: true, noSandbox: true
Node v22.22.0

Question: Is there a non-interactive way to complete the OpenAI Codex OAuth flow? For example, a command that accepts the redirect URL or authorization code as a CLI argument instead of requiring an interactive PTY prompt? Or a way to manually write the OAuth tokens to auth-profiles.json after doing the PKCE exchange with curl?

OpenClaw version: 2026.4.5 (3e72c03)

winged flaxBOT Apr 16, 2026, 10:29 AM

I’m checking the docs and source so I can answer this cleanly instead of guessing.

I found one important bit already: current models auth login explicitly hard-fails without an interactive TTY, so this isn’t a documented noninteractive path. I’m checking whether there’s any supported manual token import path for Codex before I tell them that.

Short version: no supported non-interactive --code / --redirect-url flag exists right now.

I checked the docs + source:

openclaw models auth login only exposes --provider, --method, --set-default
the command explicitly requires an interactive TTY
the headless/remote Codex flow still expects an interactive prompt for the pasted redirect URL/code

So your agent-exec PTY path is basically hitting a bug/unsupported edge of the login UX.

What I’d recommend, in order:

Best workaround: reuse an existing Codex CLI login
If ~/.codex/auth.json exists, OpenClaw can reuse it. This is documented.
Docs: https://docs.openclaw.ai/start/wizard
OAuth docs: https://docs.openclaw.ai/concepts/oauth
OpenAI provider docs: https://docs.openclaw.ai/providers/openai

Minimal shape OpenClaw knows how to read:

{
  "auth_mode": "chatgpt",
  "tokens": {
    "access_token": "...",
    "refresh_token": "...",
    "account_id": "..."
  }
}

If you do the PKCE exchange yourself: manual auth-profiles.json seeding should work, but it’s undocumented/unsupported

Path:
~/.openclaw/agents/<agentId>/agent/auth-profiles.json

Minimal shape:

{
  "version": 1,
  "profiles": {
    "openai-codex:default": {
      "type": "oauth",
      "provider": "openai-codex",
      "access": "...",
      "refresh": "...",
      "expires": 1760000000000,
      "accountId": "..."
    }
  }
}