Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug]: models auth login --provider openai-codex writes to :email profile instead of updating :default, and clobbers agents.defaults.models block (v2026.4.15) [1 pull requests]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…

openclaw models auth login --provider openai-codex succeeds in exchanging the OAuth PKCE code with OpenAI (fresh JWT with today's iat), but persists the new credentials under profile ID openai-codex:<email> rather than updating openai-codex:default. The gateway's runtime lookup only consults :default, which remains stale. Result: fresh token is present but unused; all Codex requests fail with refresh_token_reused against the stale token.

Additionally, every invocation of models auth login --provider openai-codex rewrites openclaw.json and wipes agents.defaults.models down to a single entry {"openai-codex/gpt-5.4": {}}, destroying all other model aliases and per-model params (maxTokens, cacheRetention, fastMode, etc.). Data loss reproduces on every login attempt.

Root Cause

openclaw models auth login --provider openai-codex succeeds in exchanging the OAuth PKCE code with OpenAI (fresh JWT with today's iat), but persists the new credentials under profile ID openai-codex:<email> rather than updating openai-codex:default. The gateway's runtime lookup only consults :default, which remains stale. Result: fresh token is present but unused; all Codex requests fail with refresh_token_reused against the stale token.

Additionally, every invocation of models auth login --provider openai-codex rewrites openclaw.json and wipes agents.defaults.models down to a single entry {"openai-codex/gpt-5.4": {}}, destroying all other model aliases and per-model params (maxTokens, cacheRetention, fastMode, etc.). Data loss reproduces on every login attempt.

Fix Action

Fixed

PR fix notes

PR #69430: fix: preserve Codex default auth profile on OAuth login

Description (problem / solution / changelog)

Summary

Fixes #69414.

What was broken

openclaw models auth login --provider openai-codex had two bad side effects:

  1. A fresh ChatGPT OAuth login was persisted under openai-codex:<email> instead of updating the canonical openai-codex:default profile that runtime resolution actually uses.
  2. The login flow rewrote agents.defaults.models down to a single openai-codex/gpt-5.4 entry, destroying unrelated model aliases and params.

Root cause

  1. The OpenAI Codex provider passed the resolved account identity through to buildOauthProviderAuthResult, which defaulted the auth profile id from the email address, so logins landed in openai-codex:<email>.
  2. buildOauthProviderAuthResult also injected a default config patch that added the provider's default model to agents.defaults.models. During auth persistence, applyProviderAuthConfigPatch intentionally treats agents.defaults.models patches as full replacements, so that helper-generated patch clobbered the user's existing model map.

Fix

  1. Make the OpenAI Codex OAuth flow write back to the canonical openai-codex:default profile while still preserving email metadata on the credential.
  2. Stop auto-injecting a default agents.defaults.models patch from the shared OAuth result helper. Providers that really need config mutations can still pass an explicit configPatch.

Tests

  • Added src/plugin-sdk/provider-auth-result.test.ts to verify the shared helper no longer injects a models patch by default, while preserving explicit provider-owned patches.
  • Added an OpenAI Codex provider regression that asserts ChatGPT OAuth returns openai-codex:default and no default config patch.
  • Expanded src/commands/models/auth.test.ts to verify models auth login --provider openai-codex preserves an existing multi-model agents.defaults.models block instead of clobbering it.

Validation

  • node scripts/test-projects.mjs src/plugin-sdk/provider-auth-result.test.ts extensions/openai/openai-codex-provider.test.ts src/commands/models/auth.test.ts

Changed files

  • extensions/openai/openai-codex-provider.test.ts (modified, +43/-0)
  • extensions/openai/openai-codex-provider.ts (modified, +1/-1)
  • src/agents/pi-embedded-runner/run.incomplete-turn.test.ts (modified, +43/-0)
  • src/agents/pi-embedded-runner/run.ts (modified, +10/-3)
  • src/agents/pi-embedded-runner/run/payloads.test.ts (modified, +32/-0)
  • src/agents/pi-embedded-runner/run/payloads.ts (modified, +3/-2)
  • src/commands/models/auth.test.ts (modified, +31/-9)
  • src/config/io.ts (modified, +13/-9)
  • src/config/io.write-config.test.ts (modified, +138/-2)
  • src/gateway/server/ws-connection/handshake-auth-helpers.test.ts (modified, +22/-10)
  • src/gateway/server/ws-connection/handshake-auth-helpers.ts (modified, +1/-3)
  • src/plugin-sdk/provider-auth-result.test.ts (added, +49/-0)
  • src/plugin-sdk/provider-auth-result.ts (modified, +1/-11)
  • ui/src/ui/controllers/chat.test.ts (modified, +82/-0)
  • ui/src/ui/controllers/chat.ts (modified, +65/-1)

Code Example

{
     "anthropic/claude-opus-4-6": {"alias": "opus", "params": {"cacheRetention": "long", "maxTokens": 8192}},
     "anthropic/claude-sonnet-4-6": {"alias": "sonnet", "params": {"cacheRetention": "long", "maxTokens": 8192}},
     "moonshot/kimi-k2.5": {"alias": "kimi"},
     "openai-codex/gpt-5.4": {"alias": "gpt54", "params": {"maxTokens": 128000}},
     "openai-codex/gpt-5.4-mini": {"alias": "mini", "params": {"maxTokens": 32000, "fastMode": true, "transport": "auto"}},
     "xai/grok-4": {"alias": "grok"}
   }

---
RAW_BUFFERClick to expand / collapse

Bug type

Crash (process/app exits or hangs)

Beta release blocker

No

Summary

Bug type

Behavior bug (incorrect output/state without crash) + Data loss

Version / Environment

  • OpenClaw: 2026.4.15 (container: openclaw-custom:latest, base ghcr.io/openclaw/openclaw:2026.4.15@sha256:9d5f1df...)
  • OS: Ubuntu 24 on Hetzner CPX32 VPS
  • Runtime: Docker Compose, container openclaw-gateway, host networking
  • Agents: main (default) + cron-agent
  • Primary model: anthropic/claude-sonnet-4-6; fallbacks: openai-codex/gpt-5.4, moonshot/kimi-k2.5
  • Provider: openai-codex via ChatGPT Pro OAuth

Summary

openclaw models auth login --provider openai-codex succeeds in exchanging the OAuth PKCE code with OpenAI (fresh JWT with today's iat), but persists the new credentials under profile ID openai-codex:<email> rather than updating openai-codex:default. The gateway's runtime lookup only consults :default, which remains stale. Result: fresh token is present but unused; all Codex requests fail with refresh_token_reused against the stale token.

Additionally, every invocation of models auth login --provider openai-codex rewrites openclaw.json and wipes agents.defaults.models down to a single entry {"openai-codex/gpt-5.4": {}}, destroying all other model aliases and per-model params (maxTokens, cacheRetention, fastMode, etc.). Data loss reproduces on every login attempt.

Steps to reproduce

  1. Install OpenClaw 2026.4.15 with multi-agent setup (main + cron-agent)
  2. Configure agents.defaults.models with multiple entries and aliases:
   {
     "anthropic/claude-opus-4-6": {"alias": "opus", "params": {"cacheRetention": "long", "maxTokens": 8192}},
     "anthropic/claude-sonnet-4-6": {"alias": "sonnet", "params": {"cacheRetention": "long", "maxTokens": 8192}},
     "moonshot/kimi-k2.5": {"alias": "kimi"},
     "openai-codex/gpt-5.4": {"alias": "gpt54", "params": {"maxTokens": 128000}},
     "openai-codex/gpt-5.4-mini": {"alias": "mini", "params": {"maxTokens": 32000, "fastMode": true, "transport": "auto"}},
     "xai/grok-4": {"alias": "grok"}
   }
  1. Run openclaw models auth login --provider openai-codex, complete the OAuth PKCE flow in a browser, paste the redirect URL back
  2. Check openclaw models status
  3. Inspect ~/.openclaw/agents/main/agent/auth-profiles.json keys
  4. Inspect agents.defaults.models in openclaw.json

Expected behavior

openai-codex:default profile in auth-profiles.json updated with fresh token

  • openclaw models status shows openai-codex:default ... ok expires in 10d
  • agents.defaults.models unchanged

Actual behavior

  • auth-profiles.json contains TWO profiles: openai-codex:default (stale, expires in 0m) AND openai-codex:<email> (fresh, expires in 10d)
  • openclaw models status:

OpenClaw version

2026.4.15

Operating system

ubuntu

Install method

docker

Model

chatgpt

Provider / routing chain

openai-codex/gpt-5.4 (ChatGPT Pro OAuth) — in fallback chain after anthropic/claude-sonnet-4-6 primary

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

extent analysis

TL;DR

The issue can be fixed by updating the openclaw models auth login command to correctly update the openai-codex:default profile with the fresh token.

Guidance

  • The openclaw models auth login --provider openai-codex command is not updating the openai-codex:default profile correctly, resulting in a stale token being used.
  • The agents.defaults.models configuration is being overwritten with a single entry {"openai-codex/gpt-5.4": {}} every time the openclaw models auth login command is run, causing data loss.
  • To mitigate this, the openclaw models auth login command should be modified to update the openai-codex:default profile correctly and preserve the existing agents.defaults.models configuration.
  • The auth-profiles.json file should be inspected to ensure that the openai-codex:default profile is being updated correctly.

Example

No code example is provided as the issue is related to the behavior of the openclaw models auth login command and not a specific code snippet.

Notes

The issue seems to be related to the way the openclaw models auth login command handles the OAuth PKCE flow and updates the auth-profiles.json file. The agents.defaults.models configuration is being overwritten due to a bug in the command.

Recommendation

Apply a workaround by manually updating the openai-codex:default profile in the auth-profiles.json file with the fresh token and preserving the existing agents.defaults.models configuration. This will ensure that the correct token is used and the data loss is prevented.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

openai-codex:default profile in auth-profiles.json updated with fresh token

  • openclaw models status shows openai-codex:default ... ok expires in 10d
  • agents.defaults.models unchanged
#api#installation#tensor shape#autograd error#agent setup

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - ✅(Solved) Fix [Bug]: models auth login --provider openai-codex writes to :email profile instead of updating :default, and clobbers agents.defaults.models block (v2026.4.15) [1 pull requests]