openclaw - 💡(How to fix) Fix Bug: image_generate via openai-codex OAuth does not refresh expired per-agent token [1 pull requests]



Fix Action

Fixed


Bug type

Behavior bug / regression

Summary

image_generate with openai/gpt-image-2 through OpenAI Codex OAuth does not appear to refresh an expired per-agent OAuth access token. It fails with No API key found for provider "openai-codex" even when that agent's auth-profiles.json contains openai-codex OAuth profiles with refresh tokens.

This looks related to, but distinct from, #70885. #70885 covered the missing image scope / Codex Responses routing. In this case the failure happens earlier in auth resolution. After manually copying a freshly refreshed auth profile into the agent store, the same image generation request succeeds.

Environment

  • OpenClaw version: 2026.5.7 (eeef486)
  • Runtime: Codex agent runtime
  • OS: macOS / Darwin arm64
  • Image model config:

    {
      "agents": {
        "defaults": {
          "imageGenerationModel": {
            "primary": "openai/gpt-image-2",
            "timeoutMs": 180000
          }
        }
      }
    }

  • models.providers.openai is not explicitly configured with an API key or custom base URL.
  • The affected agent auth store has openai-codex OAuth profiles in ~/.openclaw/agents/<agent-id>/agent/auth-profiles.json.

Steps to reproduce

  1. Configure image generation with agents.defaults.imageGenerationModel.primary = "openai/gpt-image-2".
  2. Authenticate with OpenAI Codex OAuth.
  3. Let the OAuth access token expire while the auth store still contains an OAuth refresh token.
  4. From that agent/session, call image generation, e.g.:
     image_generate(prompt="A friendly robot mascot", size="1024x1024")
  5. Observe the auth resolution error.
  6. Run openclaw models auth login --provider openai-codex from another/default agent context. This refreshes that other agent's auth store, but the original agent/session still fails.
  7. Manually copy the refreshed auth-profiles.json into the affected agent's auth store.
  8. Repeat the exact same image generation request.
  9. It succeeds immediately.

Expected behavior

If the current agent's auth store contains an openai-codex OAuth profile with a valid refresh token, image_generate should refresh the expired access token and proceed through the Codex Responses image route.

If OAuth refresh is intentionally unsupported on the image generation path, the error should say that the OAuth token is expired and instruct the user how to refresh the specific per-agent auth store.

Actual behavior

The expired OAuth access token is not refreshed by the image generation path. The tool fails with an auth lookup error similar to:

No API key found for provider "openai-codex". Auth store: ~/.openclaw/agents/<agent-id>/agent/auth-profiles.json (agentDir: ~/.openclaw/agents/<agent-id>/agent). Configure auth for this agent ... or copy only portable static auth profiles from the main agentDir.

After manually copying a freshly refreshed auth profile into the affected agent's auth store, image_generate succeeds with openai/gpt-image-2.

Why this seems like a bug

  • The docs for image generation state that openai/gpt-image-2 can use OpenAI Codex OAuth.
  • The installed provider code appears to detect openai-codex profiles and use a codex-responses image route.
  • The failing auth store did contain openai-codex OAuth profiles, but the access token had expired.
  • The same request succeeded after replacing the expired auth store with a freshly refreshed one.

Secondary usability issue

Per-agent OAuth auth stores make this easy to hit in multi-agent setups. Running openclaw models auth login --provider openai-codex refreshed a different agent's auth store, while the agent executing image_generate continued to use the expired store.

If OAuth refresh tokens are intentionally not synchronized across agents, it would help to have one of:

  • a documented per-agent auth refresh command,
  • a clearer error identifying the exact expired profile and agent id,
  • or an official safe sync/refresh workflow for Codex OAuth profiles across agent stores.

Privacy note

All local usernames, email addresses, auth tokens, account IDs, and exact auth-profile contents have been intentionally redacted from this report.
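
Added example (not part of the original report and not OpenClaw's code): one way to implement the resolution order that "Expected behavior" and "Secondary usability issue" ask for, refreshing an expired profile inside the same agent's store and otherwise failing with an error that names the agent and profile. The store layout, field names, AuthError codes and the injected refresh function are assumptions, since the real auth-profiles.json contents are redacted in the report.

```javascript
// Added example: hypothetical store layout and names, not OpenClaw's real schema or API.
const SKEW_MS = 60_000; // treat tokens about to expire as already expired
class AuthError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}
// Classify a profile so "expired" is never reported as "no credentials".
function classifyProfile(profile, now) {
  if (!profile || profile.type !== "oauth") return "missing";
  if (profile.expiresAt - SKEW_MS > now) return "valid";
  return profile.refreshToken ? "refreshable" : "expired";
}
// Resolve a token from one agent's own store; `refresh` is injected so this runs offline.
async function resolveOAuthToken(store, agentId, provider, now, refresh) {
  const entries = Object.entries(store.profiles)
    .filter(([, p]) => p.provider === provider && p.type === "oauth");
  if (entries.length === 0)
    throw new AuthError("NO_PROFILE", `agent ${agentId}: no ${provider} OAuth profile`);
  let lastFailure = "";
  for (const [id, profile] of entries) {
    const state = classifyProfile(profile, now);
    if (state === "valid") return { profileId: id, token: profile.accessToken, refreshed: false };
    if (state === "expired") { lastFailure = `${id}: expired, no refresh token`; continue; }
    try {
      const next = await refresh(profile.refreshToken);
      // Write back to this agent's store; keep the old refresh token if none was rotated.
      profile.accessToken = next.accessToken;
      profile.refreshToken = next.refreshToken ?? profile.refreshToken;
      profile.expiresAt = now + next.expiresInMs;
      return { profileId: id, token: profile.accessToken, refreshed: true };
    } catch (err) {
      lastFailure = `${id}: refresh failed (${err.message})`;
    }
  }
  // Name the agent and profile; never put token values in the message.
  throw new AuthError("OAUTH_EXPIRED",
    `agent ${agentId}: ${provider} OAuth expired [${lastFailure}]; re-authenticate this agent`);
}
// Constructed sample data: one agent store whose access token expired at t=1000.
function sampleStore() {
  return { profiles: { "codex-1": { provider: "openai-codex", type: "oauth",
    accessToken: "old-access", refreshToken: "rt-1", expiresAt: 1000 } } };
}
// Stub for the provider's token endpoint (assumption: returns these three fields).
const fakeRefresh = async (rt) =>
  ({ accessToken: `new-for-${rt}`, refreshToken: "rt-2", expiresInMs: 3_600_000 });
async function demo() {
  const store = sampleStore();
  const first = await resolveOAuthToken(store, "agent-a", "openai-codex", 5000, fakeRefresh);
  return { first, store };
}
```

The three outcomes (no profile, expired but refreshable, expired with no usable refresh token) map to distinct error codes, so a caller such as an image generation tool can report the expired per-agent profile instead of a generic missing-key message.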
