openclaw - [Bug]: openai-codex OAuth refresh still 401 token_expired on v2026.5.14-beta.1 (post-#80738)



Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

On v2026.5.14-beta.1 (which includes #80738), an openai-codex:* OAuth profile that is independently healthy (expires valid, --probe returns ok, standalone Codex CLI works against the same account) still receives 401 token_expired on every runtime turn. The error originates inside the OAuth manager (dist/oauth-zUFfWVs-.js:715, source src/agents/auth-profiles/oauth-manager.ts), not at the Codex harness call site #80738 modified — empirically patching the harness's forceOAuthRefresh literal to false does not change the outcome.

Followup to #81941 (closed as fixed by #80738 by @steipete) per his request for a fresh issue with v2026.5.14-beta.1 redacted logs.

Steps to reproduce

  1. Run OpenClaw 2026.5.14-beta.1 with a freshly issued openai-codex:* OAuth profile (re-auth via openclaw models auth login --provider openai-codex immediately before testing).
  2. Configure agents.defaults.model.primary: "openai/gpt-5.5" with agentRuntime.id: "pi" and auth.order.openai: ["openai-codex:<account>"].
  3. Trigger a runtime turn.
  4. Observe: 401 token_expired from chatgpt.com/backend-api/account/chatgptAuthTokens/refresh, gateway falls back.

Expected behavior

With expires valid and the stored access_token usable against chatgpt.com/backend-api (probe proves this), refresh should either reuse the stored token or successfully rotate via refresh_token. Per @steipete's review, this path is expected to succeed post-#80738.

Actual behavior

Every runtime turn:

OAuth token refresh failed for openai-codex: OpenAI Codex token refresh failed (401):
{
  "error": {
    "message": "Could not validate your token. Please try signing in again.",
    "type": "invalid_request_error",
    "param": null,
    "code": "token_expired"
  }
}. Please try again or re-authenticate.

OpenClaw version

2026.5.14-beta.1 (cef4145)

Operating system

macOS 26 host + OrbStack-managed Ubuntu 24 VM, systemctl --user openclaw-gateway.service.

Install method

Prebuilt npm package (sudo npm install -g [email protected]). Wrapper: https://github.com/aaajiao/openclaw-orbstack.

Model

openai/gpt-5.5

Provider / routing chain

  • Model: openai/gpt-5.5, runtime pi
  • auth.order.openai = ["openai-codex:<account>", "openai:default"]
  • Auth profile resolved: openai-codex:<account> (oauth, expires 2026-05-24T21:39:54.746Z)
  • Failure: 401 token_expired from chatgpt.com/backend-api/account/chatgptAuthTokens/refresh

Logs, screenshots, and evidence

1. Probe succeeds against same profile (stored access_token valid):

$ openclaw models status --probe --probe-provider openai-codex
- openai-codex:<account> (<account>) ok expires in 10d
│ openai-codex/gpt-5.4 │ <profile> (oauth) │ ok · 9.4s │

2. Runtime turn 401 (from /tmp/openclaw/openclaw-2026-05-15.log):

{
  "subsystem": "agents/harness",
  "harnessId": "codex",
  "provider": "openai-codex",
  "modelId": "gpt-5.5",
  "error": "OAuth token refresh failed for openai-codex: ...(401): {code: token_expired}",
  "message": "Codex agent harness failed; not falling back to embedded PI backend"
}

3. Empirical: patching forceOAuthRefresh: true → false at #80738's call site does not help:

Located the compiled wrapper from extensions/codex/src/app-server/run-attempt.ts:1330 in dist/shared-client-vUMZHcHd.js:206:

async function refreshCodexAppServerAuthTokens(params) {
    const loginParams = await resolveCodexAppServerAuthProfileLoginParamsInternal({
        ...params,
        forceOAuthRefresh: true   // ← original (post-#80738 still hardcoded true)
    });
    ...
}

Patched to false in-place, verified grep -n shows 206: forceOAuthRefresh: false, restarted gateway, ran real Telegram turn. Same 401 fires.

Suggests the failing refresh request is not gated on this flag's value coming from the harness — the request is made regardless and the endpoint rejects it.

4. Error throws from oauth-manager, not the Codex harness:

dist/oauth-zUFfWVs-.js:715:
throw new Error(`OAuth token refresh failed for ${cred.provider}: ${message}. Please try again or re-authenticate.`, { cause: error });

This is compiled src/agents/auth-profiles/oauth-manager.ts. Chain appears to be: harness → ... → oauth-manager makes refresh request → chatgpt.com returns 401 → oauth-manager throws. The 401 itself is independent of the forceOAuthRefresh flag value at the harness call site.

Impact and severity

  • Confirmed on macOS + OrbStack VM topology; jasonftl reported same signature on macOS native + Homebrew Node + pnpm in #81941.
  • Severity: ChatGPT/Codex subscription unusable through OpenClaw. Workaround: configure auth.order.openai with explicit api-key fallback so api-key serves openai/gpt-5.5 (loses subscription value, switches to per-token billing).
  • Frequency: Every runtime turn. Persists across re-auth, gateway restart, jiti cache clear, and forceOAuthRefresh patching.

Additional information

Three hypotheses for the remaining path:

  1. chatgpt.com/backend-api/account/chatgptAuthTokens/refresh may be rejecting refresh_token values for a reason that varies by account state, scope, or client_id (worth confirming whether OpenClaw's refresh request body changed since 2026.5.11 when the issue first surfaced).
  2. Another caller of oauth-manager's refresh logic may bypass the patched harness call site.
  3. The refresh request body / scopes may have a missing field the endpoint now requires.

Happy to provide additional logs (full gateway log, sandbox-redacted network trace) if useful.
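
The refresh policy that the "Expected behavior" section describes (reuse an unexpired stored token, otherwise rotate via refresh_token), written out as an added JavaScript example; it is not OpenClaw source and not the issue author's code. All function names, the 5-minute skew, and the choice to fall back to the stored token after a 401 on refresh are assumptions made for illustration, and the credential is constructed sample data.

```javascript
// Added illustration, not OpenClaw source; every name below is hypothetical.
const SKEW_MS = 5 * 60 * 1000; // assumed safety margin before expiry

// Pre-turn decision for a stored credential {access, refresh, expires (ms epoch)}.
function planRefresh(cred, now, force = false) {
  const fresh = Boolean(cred.access) && cred.expires - now > SKEW_MS;
  if (fresh && !force) return "reuse";
  return cred.refresh ? "rotate" : "reauth";
}

// What to do when the refresh endpoint rejects the rotate attempt.
function onRefreshRejected(cred, status, now) {
  // A 401 on refresh does not prove the unexpired access token is dead;
  // the resource server still validates it on the next request.
  if (status === 401 && cred.access && cred.expires > now) return "use-stored";
  return "fail";
}

// refreshFn stands in for the provider call: it resolves to new credential
// fields or rejects with an Error carrying a numeric `status`.
async function resolveToken(cred, refreshFn, now, force = false) {
  const plan = planRefresh(cred, now, force);
  if (plan === "reuse") return { token: cred.access, source: "stored" };
  if (plan === "reauth") throw new Error("re-authentication required");
  try {
    const next = await refreshFn(cred.refresh);
    return { token: next.access, source: "rotated" };
  } catch (err) {
    if (onRefreshRejected(cred, err.status, now) === "use-stored") {
      return { token: cred.access, source: "stored-after-401" };
    }
    throw new Error(`OAuth token refresh failed: ${err.message}`, { cause: err });
  }
}

// Constructed sample: token valid for 10 more days, refresh always rejected.
const NOW = Date.parse("2026-05-15T00:00:00Z");
const sampleCred = { access: "at-sample", refresh: "rt-sample", expires: NOW + 10 * 864e5 };
const rejecting = async () => {
  throw Object.assign(new Error("token_expired"), { status: 401 });
};
```

With the sample credential, an unforced turn never reaches the refresh endpoint, while a forced refresh hits the rejection path, which is where this policy and the reported behaviour diverge.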
