#8729: feat(auth): sync OpenAI Codex CLI credentials into auth store
agents
stale
Cluster:
Auth Improvements and Fixes
Sync credentials from ~/.codex/auth.json into the openai-codex:codex-cli profile, so OpenClaw can use ChatGPT subscription via Codex without requiring the openai-codex auth provider plugin.
Follows the same pattern as Qwen and MiniMax CLI sync. Users who run 'codex' and sign in with ChatGPT get their tokens synced on gateway load; no 'openclaw models auth login --provider openai-codex' needed when no provider plugin is installed.
- Add readCodexCliCredentialsCached + CODEX_CLI_PROFILE_ID
- Include openai-codex in isExternalProfileFresh
- Call syncExternalCliCredentialsForProvider for Codex CLI
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR adds syncing of OpenAI Codex CLI credentials (from `~/.codex/auth.json` / keychain) into the auth profile store under the `openai-codex:codex-cli` profile, matching the existing external-CLI sync behavior used for Qwen and MiniMax. It extends the “freshness” check to recognize `openai-codex` as an external provider and invokes the shared `syncExternalCliCredentialsForProvider` helper to load cached Codex credentials on gateway load so users don’t need to install the `openai-codex` auth provider plugin just to use ChatGPT OAuth via Codex.
<h3>Confidence Score: 4/5</h3>
- This PR looks safe to merge, with one behavior edge case worth addressing.
- Changes are small and follow existing external CLI sync patterns; main concern is `isExternalProfileFresh` treating non-expiring token credentials as permanently fresh, which can block future re-syncs if such credentials ever exist for these providers.
- src/agents/auth-profiles/external-cli-sync.ts
<!-- greptile_other_comments_section -->
<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>
<!-- /greptile_comment -->
Most Similar PRs
#17531: fix(auth): sync Codex CLI credentials into auth profile store and c...
by sauerdaniel · 2026-02-15
81.8%
#4550: fix: sync google-gemini-cli-auth tokens from external CLI (#3803)
by SalimBinYousuf1 · 2026-01-30
78.4%
#7523: fix(auth): re-sync external CLI credentials on token revocation
by codeslayer44 · 2026-02-02
78.0%
#13484: feat(auth): restore Claude Code CLI OAuth credential sync
by joshpocock · 2026-02-10
76.0%
#6730: feat: Make OpenAI Codex CLI models usable - reasoning effort directive
by levineam · 2026-02-02
75.3%
#11882: fix: accept openai-codex/gpt-5.3-codex model refs
by jackberger03 · 2026-02-08
75.2%
#21884: feat(models): auth improvements — status command, heuristics, multi...
by kckylechen1 · 2026-02-20
74.6%
#2123: fix(auth): sync from Claude CLI keychain before OAuth refresh
by jorge123255 · 2026-01-26
74.5%
#3196: docs: clarify auth-profiles.json format for Claude Max setup-tokens
by aadeina · 2026-01-28
73.6%
#12059: feat(agents): Add Azure AI Foundry credential support
by lisanyambere · 2026-02-08
73.0%