Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix openai-codex OAuth provider ignores valid access token, always attempts refresh [1 comments, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#62247Fetched 2026-04-08 03:07:14
View on GitHub
Comments
1
Participants
1
Timeline
2
Reactions
0
Author
Stache73Stache73
Participants
Stache73Stache73
Timeline (top)
closed ×1commented ×1

Error Message

"error": {

Root Cause

None clean. The access token can't be injected via models.providers.openai-codex.apiKey config because the provider is set to auth: "oauth" mode. Fallback chain catches the failure, so requests succeed via alternative providers.

Fix Action

Workaround

None clean. The access token can't be injected via models.providers.openai-codex.apiKey config because the provider is set to auth: "oauth" mode. Fallback chain catches the failure, so requests succeed via alternative providers.

Code Example

[openai-codex] Token refresh failed: 401 {
  "error": {
    "message": "Your refresh token has already been used to generate a new access token. Please try signing in again.",
    "type": "invalid_request_error",
    "param": null,
    "code": "refresh_token_reused"
  }
}
[model-fallback/decision] model fallback decision: decision=candidate_failed requested=openai-codex/gpt-5.4 candidate=openai-codex/gpt-5.4 reason=auth next=google-gemini-cli/gemini-3.1-pro-preview
RAW_BUFFERClick to expand / collapse

Problem

The openai-codex OAuth provider ignores a valid, non-expired access token in ~/.codex/auth.json and immediately attempts to use the refresh token. If the refresh token has already been consumed (single-use OAuth refresh tokens), every request fails with refresh_token_reused (401) — even though the access token is perfectly valid.

Steps to Reproduce

  1. Authenticate via codex CLI (writes ~/.codex/auth.json with access_token, refresh_token, id_token)
  2. Let a cron job or concurrent request consume the refresh token (race condition — see #62198)
  3. Re-authenticate via codex CLI to get fresh tokens
  4. Restart the gateway (full stop + start, not SIGUSR1)
  5. Observe: gateway still fails with refresh_token_reused on the very first openai-codex request, despite the access token being valid for ~10 days

Observed Behaviour

[openai-codex] Token refresh failed: 401 {
  "error": {
    "message": "Your refresh token has already been used to generate a new access token. Please try signing in again.",
    "type": "invalid_request_error",
    "param": null,
    "code": "refresh_token_reused"
  }
}
[model-fallback/decision] model fallback decision: decision=candidate_failed requested=openai-codex/gpt-5.4 candidate=openai-codex/gpt-5.4 reason=auth next=google-gemini-cli/gemini-3.1-pro-preview

The access token in auth.json has exp: 1776391146 (~Apr 14 2026), verified valid. But it's never used — the gateway goes straight to refresh.

Expected Behaviour

  1. On startup, read the access token from auth.json
  2. Check if it's expired (JWT exp claim)
  3. If valid: use it directly — no refresh needed
  4. If expired: then attempt refresh
  5. Only prompt for re-auth if both access token is expired AND refresh fails

Workaround

None clean. The access token can't be injected via models.providers.openai-codex.apiKey config because the provider is set to auth: "oauth" mode. Fallback chain catches the failure, so requests succeed via alternative providers.

Environment

  • OpenClaw v2026.3.13
  • Windows 10
  • Provider: openai-codex (OAuth, ~/.codex/auth.json)
  • Auth profile: openai-codex:default with mode: "oauth"
  • Fresh gateway start (not SIGUSR1 reload)

Related

  • #62198 — OAuth refresh token race condition (concurrent cron jobs)

extent analysis

TL;DR

The gateway can be fixed by modifying it to check the access token's expiration before attempting to refresh it, ensuring that a valid access token is used when available.

Guidance

  • Verify that the access token in ~/.codex/auth.json is correctly parsed and its expiration time is checked before attempting to refresh it.
  • Modify the gateway to use the access token directly if it's valid, instead of immediately attempting to refresh it.
  • Consider implementing a mechanism to handle the case where the refresh token is consumed by a concurrent request, such as using a lock or a more robust token management system.
  • Review the related issue #62198 to address the underlying OAuth refresh token race condition.

Example

No code snippet is provided due to the lack of specific implementation details in the issue.

Notes

The provided workaround is not clean, as it relies on the fallback chain catching the failure and succeeding via alternative providers. A more robust solution would involve modifying the gateway to correctly handle the access token and refresh token.

Recommendation

Apply a workaround by modifying the gateway to check the access token's expiration and use it directly if valid, as this addresses the immediate issue and allows for a more robust solution to be implemented later.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#configuration error#environment variable#network issue#logging issue

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING