Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix Feature request: native Codex quota/auth diagnosis plus brokered reauth execution [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#54278Fetched 2026-04-08 01:29:45
View on GitHub
Comments
0
Participants
1
Timeline
0
Reactions
0
Author
betamodbetamod
Participants
betamodbetamod

OpenClaw should provide native Codex/ChatGPT OAuth reliability handling by separating quota-window exhaustion from true OAuth credential failure, and by supporting brokered reauth execution when reauthentication is actually required.

User-facing goal

As a user, I want one reliable ChatGPT/Codex OAuth experience:

  • if I only hit my rolling usage window, OpenClaw should tell me the quota state and when it renews
  • if my OAuth refresh token is actually invalid, OpenClaw should tell me that reauth is required
  • if a bounded host-side reauth adapter exists, OpenClaw should be able to invoke it instead of leaving recovery entirely manual

Problem

Today, quota exhaustion and unrecoverable OAuth failure can be confused operationally. For example:

  • rolling usage-window exhaustion should not trigger reauth
  • refresh_token_reused should trigger guided reauth
  • a normal access-token expiry with a valid refresh token should refresh automatically

These are different states, but they are easy to collapse into a single generic "auth failed" workflow.

Requested feature set

  1. Native quota/auth diagnosis in OpenClaw

OpenClaw should distinguish at least:

  • ok
  • expiring_soon
  • quota_wait
  • reauth_required

Behavior:

  • quota_wait: do not trigger reauth
  • reauth_required: prompt for or invoke a bounded reauth adapter
  • normal expired access token + valid refresh token: refresh automatically
  1. Native Codex quota display

OpenClaw should surface Codex rate-limit state natively, including both the 5-hour and weekly windows.

Recommended display format:

Codex rate limits
5h: 96%, renews 05:45 AM
Weekly: 60%, renews 2026-03-25 3:04 PM

Formatting rules:

  • use system local timezone automatically
  • 5h window: percent + local time
  • weekly window: percent + local date and time
  1. Brokered reauth execution

When OpenClaw determines the state is reauth_required, it should support invoking a narrow reauth adapter rather than assuming it must handle browser-based reauth itself.

This is especially important for Docker/sandboxed deployments where:

  • the app can diagnose the problem natively
  • the actual browser-based OAuth flow needs to run outside the container

Conceptually:

  • native decision inside OpenClaw
  • bounded external execution via a broker/adapter

Control UI impact

Yes, this should include Control UI changes.

Suggested Control UI behavior:

  • show the current Codex rate-limit state in a human-readable form
  • when the state is quota_wait, show renewal times instead of suggesting reauth
  • when the state is reauth_required, show a clear guided reauth action if a reauth adapter is available
  • avoid ambiguous generic auth-failure messaging when the real issue is rolling-window quota exhaustion

Why this matters

For users, this is one feature set: a more reliable ChatGPT/Codex OAuth experience. Internally, it can still be split into:

  • native quota/auth diagnosis
  • optional brokered reauth execution

That split keeps the trust boundary clean while delivering one coherent recovery UX.

Additional context

I implemented a local host-side prototype in a Docker-based OpenClaw sandbox that:

  • classifies quota_wait separately from reauth_required
  • formats local-time 5h/weekly renewal info
  • auto-triggers a bounded host-side reauth bridge only for reauth_required

I am not attaching that patch directly here because parts of it are deployment-specific, but it validated the behavior and UX split described above.

Root Cause

I am not attaching that patch directly here because parts of it are deployment-specific, but it validated the behavior and UX split described above.

Fix Action

Fix / Workaround

I am not attaching that patch directly here because parts of it are deployment-specific, but it validated the behavior and UX split described above.

Code Example

Codex rate limits
5h: 96%, renews 05:45 AM
Weekly: 60%, renews 2026-03-25 3:04 PM
RAW_BUFFERClick to expand / collapse

Summary

OpenClaw should provide native Codex/ChatGPT OAuth reliability handling by separating quota-window exhaustion from true OAuth credential failure, and by supporting brokered reauth execution when reauthentication is actually required.

User-facing goal

As a user, I want one reliable ChatGPT/Codex OAuth experience:

  • if I only hit my rolling usage window, OpenClaw should tell me the quota state and when it renews
  • if my OAuth refresh token is actually invalid, OpenClaw should tell me that reauth is required
  • if a bounded host-side reauth adapter exists, OpenClaw should be able to invoke it instead of leaving recovery entirely manual

Problem

Today, quota exhaustion and unrecoverable OAuth failure can be confused operationally. For example:

  • rolling usage-window exhaustion should not trigger reauth
  • refresh_token_reused should trigger guided reauth
  • a normal access-token expiry with a valid refresh token should refresh automatically

These are different states, but they are easy to collapse into a single generic "auth failed" workflow.

Requested feature set

  1. Native quota/auth diagnosis in OpenClaw

OpenClaw should distinguish at least:

  • ok
  • expiring_soon
  • quota_wait
  • reauth_required

Behavior:

  • quota_wait: do not trigger reauth
  • reauth_required: prompt for or invoke a bounded reauth adapter
  • normal expired access token + valid refresh token: refresh automatically
  1. Native Codex quota display

OpenClaw should surface Codex rate-limit state natively, including both the 5-hour and weekly windows.

Recommended display format:

Codex rate limits
5h: 96%, renews 05:45 AM
Weekly: 60%, renews 2026-03-25 3:04 PM

Formatting rules:

  • use system local timezone automatically
  • 5h window: percent + local time
  • weekly window: percent + local date and time
  1. Brokered reauth execution

When OpenClaw determines the state is reauth_required, it should support invoking a narrow reauth adapter rather than assuming it must handle browser-based reauth itself.

This is especially important for Docker/sandboxed deployments where:

  • the app can diagnose the problem natively
  • the actual browser-based OAuth flow needs to run outside the container

Conceptually:

  • native decision inside OpenClaw
  • bounded external execution via a broker/adapter

Control UI impact

Yes, this should include Control UI changes.

Suggested Control UI behavior:

  • show the current Codex rate-limit state in a human-readable form
  • when the state is quota_wait, show renewal times instead of suggesting reauth
  • when the state is reauth_required, show a clear guided reauth action if a reauth adapter is available
  • avoid ambiguous generic auth-failure messaging when the real issue is rolling-window quota exhaustion

Why this matters

For users, this is one feature set: a more reliable ChatGPT/Codex OAuth experience. Internally, it can still be split into:

  • native quota/auth diagnosis
  • optional brokered reauth execution

That split keeps the trust boundary clean while delivering one coherent recovery UX.

Additional context

I implemented a local host-side prototype in a Docker-based OpenClaw sandbox that:

  • classifies quota_wait separately from reauth_required
  • formats local-time 5h/weekly renewal info
  • auto-triggers a bounded host-side reauth bridge only for reauth_required

I am not attaching that patch directly here because parts of it are deployment-specific, but it validated the behavior and UX split described above.

extent analysis

Fix Plan

To implement native Codex/ChatGPT OAuth reliability handling, follow these steps:

  • Step 1: Implement Quota/Auth Diagnosis
    • Introduce a new enum to represent different quota/auth states: ok, expiring_soon, quota_wait, reauth_required.
    • Update the OAuth flow to distinguish between these states.
  • Step 2: Display Codex Rate Limit State
    • Add a new function to format the Codex rate limit state as a human-readable string.
    • Use the system local timezone to display renewal times.
  • Step 3: Implement Brokered Reauth Execution
    • Introduce a new interface for reauth adapters.
    • Update the OAuth flow to invoke the reauth adapter when the state is reauth_required.

Example code (Python):

from enum import Enum
from datetime import datetime, timedelta

class QuotaAuthState(Enum):
    OK = 1
    EXPIRING_SOON = 2
    QUOTA_WAIT = 3
    REAUTH_REQUIRED = 4

def format_codex_rate_limit_state(usage, limit, renewal_time):
    """Format Codex rate limit state as a human-readable string."""
    percent = (usage / limit) * 100
    renewal_time_str = renewal_time.strftime("%I:%M %p")
    return f"Codex rate limits\n5h: {percent:.0f}%, renews {renewal_time_str}"

def get_renewal_time(renewal_timestamp):
    """Get the renewal time as a datetime object."""
    return datetime.fromtimestamp(renewal_timestamp)

def invoke_reauth_adapter(adapter):
    """Invoke the reauth adapter."""
    # Implement the reauth adapter invocation logic here
    pass

# Example usage:
usage = 480  # 5-hour window usage
limit = 500  # 5-hour window limit
renewal_timestamp = 1643723400  # Renewal timestamp
renewal_time = get_renewal_time(renewal_timestamp)

quota_auth_state = QuotaAuthState.QUOTA_WAIT
if quota_auth_state == QuotaAuthState.QUOTA_WAIT:
    print(format_codex_rate_limit_state(usage, limit, renewal_time))
elif quota_auth_state == QuotaAuthState.REAUTH_REQUIRED:
    invoke_reauth_adapter("example_adapter")

Verification

To verify the fix, test the following scenarios:

  • Quota exhaustion: Verify that the quota_wait state is correctly detected and displayed.
  • OAuth credential failure: Verify that the reauth_required state is correctly detected and the reauth adapter is invoked.
  • Normal access token expiry: Verify that the access token is automatically refreshed.

Extra Tips

  • Ensure that the reauth adapter is properly configured and implemented.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#API rate limit#retriever error#indexing error#inference speed#output truncation

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING