openclaw - 💡(How to fix) Fix Codex relogin can leave stale openai-codex:default profile that causes refresh_token_reused conflicts [1 comments, 1 participants]

Summary

After re-authenticating OpenAI Codex multiple times, Gateway kept logging refresh_token_reused and some runs failed with OAuth refresh errors.

In our case, the root cause appears to be that the main agent auth store retained both:

• openai-codex:default (older login)
• a newer named Codex profile (email-based profile key)

Different paths seemed to use different profiles, which led to refresh-token rotation conflicts.

Removing the stale openai-codex:default entry and keeping only the newest named profile fixed the issue.

Environment

• OpenClaw: 2026.4.1
• Gateway mode: local
• Model: openai-codex/gpt-5.4
• macOS

Symptoms

1. Gateway logs repeatedly showed:

   [openai-codex] Token refresh failed: 401 {
     "error": {
       "message": "Your refresh token has already been used to generate a new access token. Please try signing in again.",
       "code": "refresh_token_reused"
     }
   }

2. Some scheduled / agent runs failed with auth refresh errors.
3. After re-login, some paths recovered, but Gateway still kept emitting 401 refresh errors.

What we found

The file:

• ~/.openclaw/agents/main/agent/auth-profiles.json

contained two Codex profiles at the same time:

• old openai-codex:default
• newer named profile

lastGood had already moved to the newer named profile, but the old default profile was still present and still got touched by some runtime path(s).

That made behavior inconsistent:

• one path could succeed using the newer profile
• another path still attempted refresh on the old profile
• resulting in refresh_token_reused

Workaround that fixed it

Manually remove the stale openai-codex:default entry from:

• ~/.openclaw/agents/main/agent/auth-profiles.json

and keep only the latest valid Codex profile.

After restarting Gateway:

• no new refresh_token_reused log lines appeared
• previously failing scheduled runs recovered

Expected behavior

OpenClaw should probably do one of these when Codex is re-authenticated:

1. automatically supersede / retire stale Codex profiles for the same account, especially openai-codex:default
2. avoid using stale default once lastGood has moved to a newer named profile
3. provide a safer migration path from older default profile semantics to newer named-profile semantics
4. optionally surface a warning like:
   • multiple Codex OAuth profiles detected for the same account
   • stale default profile may cause refresh token conflicts

Suggestion

A good fix might be:

• if a named Codex profile is confirmed good and maps to the same account as openai-codex:default, stop selecting the stale default profile automatically
• or migrate default -> named profile during relogin

Why this matters

This can look like "relogin didn't work", while in reality the new login is fine but an older retained profile is still being selected somewhere.