openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/auth-credential-semantics.md‎
Lines changed: 18 additions & 0 deletions b/‎docs/auth-credential-semantics.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎docs/cli/agents.md‎
Lines changed: 5 additions & 0 deletions b/‎docs/cli/agents.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/concepts/multi-agent.md‎
Lines changed: 6 additions & 1 deletion b/‎docs/concepts/multi-agent.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎docs/concepts/oauth.md‎
Lines changed: 11 additions & 1 deletion b/‎docs/concepts/oauth.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎docs/help/faq-models.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/help/faq-models.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/tools/multi-agent-sandbox-tools.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/tools/multi-agent-sandbox-tools.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎extensions/codex/src/app-server/auth-bridge.test.ts‎
Lines changed: 132 additions & 1 deletion b/‎extensions/codex/src/app-server/auth-bridge.test.ts‎
Lines changed: 132 additions & 1 deletion
diff --git a/‎extensions/codex/src/app-server/auth-bridge.ts‎
Lines changed: 15 additions & 5 deletions b/‎extensions/codex/src/app-server/auth-bridge.ts‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎extensions/codex/src/app-server/auth-profile-runtime-contract.test.ts‎
Lines changed: 27 additions & 20 deletions b/‎extensions/codex/src/app-server/auth-profile-runtime-contract.test.ts‎
Lines changed: 27 additions & 20 deletions
@@ -18,6 +18,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Agents/auth: keep OAuth auth profiles inherited from the main agent read-through instead of copying refresh tokens into secondary agents, and refresh Codex app-server tokens against the owning store so multi-agent swarms avoid reused refresh-token failures. Fixes #74055. Thanks @ClarityInvest.
 - ACP/commands: accept forwarded ACP timeout config controls in the OpenClaw bridge, treat unsupported discard-close controls as recoverable cleanup, and restore native `/verbose full` plus no-arg status behavior, so Discord command menus and nested ACP turns no longer fail on supported session controls. Thanks @vincentkoc.
 - Channels/Discord: fail startup closed when Discord cannot resolve the bot's own identity and keep mention gating active when only configured mention patterns can detect mentions, so the provider no longer continues with a missing bot id. Fixes #42219; carries forward #46856 and #49218. Thanks @education-01 and @BenediktSchackenberg.
 - Channels/Discord: split long CJK replies at punctuation and code-point-safe fallback boundaries so Discord chunking stays readable without corrupting astral characters. Fixes #38597; repairs #71384. Thanks @p3nchan.
 
@@ -44,6 +44,24 @@ Token credentials (`type: "token"`) support inline `token` and/or `tokenRef`.
 2. For eligible profiles, token material may be resolved from inline value or `tokenRef`.
 3. Unresolvable refs produce `unresolved_ref` in `models status --probe` output.
 
+## Agent copy portability
+
+Agent auth inheritance is read-through. When an agent has no local profile, it
+can resolve profiles from the default/main agent store at runtime without
+copying secret material into its own `auth-profiles.json`.
+
+Explicit copy flows, such as `openclaw agents add`, use this portability policy:
+
+- `api_key` profiles are portable unless `copyToAgents: false`.
+- `token` profiles are portable unless `copyToAgents: false`.
+- `oauth` profiles are not portable by default because refresh tokens can be
+  single-use or rotation-sensitive.
+- Provider-owned OAuth flows may opt in with `copyToAgents: true` only when
+  copying refresh material across agents is known safe.
+
+Non-portable profiles remain available through read-through inheritance unless
+the target agent signs in separately and creates its own local profile.
+
 ## Explicit auth order filtering
 
 - When `auth.order.<provider>` or the auth-store order override is set for a
 
@@ -110,6 +110,11 @@ Notes:
 - Passing any explicit add flags switches the command into the non-interactive path.
 - Non-interactive mode requires both an agent name and `--workspace`.
 - `main` is reserved and cannot be used as the new agent id.
+- In interactive mode, auth seeding copies only portable static profiles
+  (`api_key` and static `token` by default). OAuth refresh-token profiles remain
+  available only by read-through inheritance from the real `main` agent store.
+  If the configured default agent is not `main`, sign in separately for OAuth
+  profiles on the new agent.
 
 ### `agents bindings`
 
 
@@ -29,7 +29,12 @@ Auth profiles are **per-agent**. Each agent reads from its own:
 </Note>
 
 <Warning>
-Main agent credentials are **not** shared automatically. Never reuse `agentDir` across agents (it causes auth/session collisions). If you want to share creds, copy `auth-profiles.json` into the other agent's `agentDir`.
+Never reuse `agentDir` across agents (it causes auth/session collisions). Agents
+can read through to the default/main agent's auth profiles when they do not have
+a local profile, but OpenClaw does not clone OAuth refresh tokens into the
+secondary agent store. If you want an independent OAuth account, sign in from
+that agent; if you copy credentials manually, copy only portable static
+`api_key` or `token` profiles.
 </Warning>
 
 Skills are loaded from each agent workspace plus shared roots such as `~/.openclaw/skills`, then filtered by the effective agent skill allowlist when configured. Use `agents.defaults.skills` for a shared baseline and `agents.list[].skills` for per-agent replacement. See [Skills: per-agent vs shared](/tools/skills#per-agent-vs-shared-skills) and [Skills: agent skill allowlists](/tools/skills#agent-skill-allowlists).
 
@@ -54,7 +54,7 @@ To reduce that, OpenClaw treats `auth-profiles.json` as a **token sink**:
 
 ## Storage (where tokens live)
 
-Secrets are stored **per-agent**:
+Secrets are stored in agent auth stores:
 
 - Auth profiles (OAuth + API keys + optional value-level refs): `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
 - Legacy compatibility file: `~/.openclaw/agents/<agentId>/agent/auth.json`
@@ -68,6 +68,13 @@ All of the above also respect `$OPENCLAW_STATE_DIR` (state dir override). Full r
 
 For static secret refs and runtime snapshot activation behavior, see [Secrets Management](/gateway/secrets).
 
+When a secondary agent has no local auth profile, OpenClaw uses read-through
+inheritance from the default/main agent store. It does not clone the main
+agent's `auth-profiles.json` on read. OAuth refresh tokens are especially
+sensitive: normal copy flows skip them by default because some providers rotate
+or invalidate refresh tokens after use. Configure a separate OAuth login for an
+agent when it needs an independent account.
+
 ## Anthropic legacy token compatibility
 
 <Warning>
@@ -132,6 +139,9 @@ At runtime:
 
 - if `expires` is in the future → use the stored access token
 - if expired → refresh (under a file lock) and overwrite the stored credentials
+- if a secondary agent reads an inherited main-agent OAuth profile, refresh
+  writes back to the main agent store instead of copying the refresh token into
+  the secondary agent store
 - exception: some external CLI credentials stay externally managed; OpenClaw
   re-reads those CLI auth stores instead of spending copied refresh tokens.
   Codex CLI bootstrap is intentionally narrower: it seeds an empty
 
@@ -343,7 +343,8 @@ troubleshooting, see the main [FAQ](/help/faq).
     Fix options:
 
     - Run `openclaw agents add <id>` and configure auth during the wizard.
-    - Or copy `auth-profiles.json` from the main agent's `agentDir` into the new agent's `agentDir`.
+    - Or copy only portable static `api_key` / `token` profiles from the main agent's auth store into the new agent's auth store.
+    - For OAuth profiles, sign in from the new agent when it needs its own account; otherwise OpenClaw can read through to the default/main agent without cloning refresh tokens.
 
     Do **not** reuse `agentDir` across agents; it causes auth/session collisions.
 
 
@@ -21,7 +21,7 @@ Each agent in a multi-agent setup can override the global sandbox and tool polic
 </CardGroup>
 
 <Warning>
-Auth is per-agent: each agent reads from its own `agentDir` auth store at `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`. Credentials are **not** shared between agents. Never reuse `agentDir` across agents. If you want to share creds, copy `auth-profiles.json` into the other agent's `agentDir`.
+Auth is scoped by agent: each agent has its own `agentDir` auth store at `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`. Never reuse `agentDir` across agents. Agents can read through to the default/main agent's auth profiles when they do not have a local profile, but OAuth refresh tokens are not cloned into secondary agent stores. If you copy credentials manually, copy only portable static `api_key` or `token` profiles.
 </Warning>
 
 ---
 
@@ -1,6 +1,10 @@
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
+import {
+  clearRuntimeAuthProfileStoreSnapshots,
+  loadAuthProfileStoreForSecretsRuntime,
+} from "openclaw/plugin-sdk/agent-runtime";
 import { upsertAuthProfile } from "openclaw/plugin-sdk/provider-auth";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import {
@@ -72,7 +76,7 @@ vi.mock("openclaw/plugin-sdk/agent-runtime", async (importOriginal) => {
         if (refreshed?.access) {
           oauthCredential = refreshed as typeof oauthCredential;
           params.store.profiles[params.profileId] = oauthCredential;
-          if (params.agentDir) {
+          if (params.agentDir || process.env.OPENCLAW_STATE_DIR) {
             actual.saveAuthProfileStore(params.store, params.agentDir);
           }
         }
@@ -92,6 +96,7 @@ vi.mock("openclaw/plugin-sdk/agent-runtime", async (importOriginal) => {
 
 afterEach(() => {
   vi.unstubAllEnvs();
+  clearRuntimeAuthProfileStoreSnapshots();
   oauthMocks.refreshOpenAICodexToken.mockReset();
   providerRuntimeMocks.formatProviderAuthProfileApiKeyWithPlugin.mockReset();
   providerRuntimeMocks.refreshProviderOAuthCredentialWithPlugin.mockClear();
@@ -635,6 +640,132 @@ describe("bridgeCodexAppServerStartOptions", () => {
     }
   });
 
+  it("refreshes inherited main Codex OAuth without cloning it into the child store", async () => {
+    const root = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-codex-app-server-"));
+    const stateDir = path.join(root, "state");
+    const childAgentDir = path.join(stateDir, "agents", "worker", "agent");
+    const childAuthPath = path.join(childAgentDir, "auth-profiles.json");
+    vi.stubEnv("OPENCLAW_STATE_DIR", stateDir);
+    vi.stubEnv("OPENCLAW_AGENT_DIR", "");
+    oauthMocks.refreshOpenAICodexToken.mockResolvedValueOnce({
+      access: "main-refreshed-access-token",
+      refresh: "main-refreshed-refresh-token",
+      expires: Date.now() + 60_000,
+      accountId: "account-main-refreshed",
+    });
+    try {
+      upsertAuthProfile({
+        profileId: "openai-codex:work",
+        credential: {
+          type: "oauth",
+          provider: "openai-codex",
+          access: "main-current-access-token",
+          refresh: "main-refresh-token",
+          expires: Date.now() + 60_000,
+          accountId: "account-main",
+          email: "main-codex@example.test",
+        },
+      });
+
+      await expect(
+        refreshCodexAppServerAuthTokens({
+          agentDir: childAgentDir,
+          authProfileId: "openai-codex:work",
+        }),
+      ).resolves.toEqual({
+        accessToken: "main-refreshed-access-token",
+        chatgptAccountId: "account-main-refreshed",
+        chatgptPlanType: null,
+      });
+
+      expect(oauthMocks.refreshOpenAICodexToken).toHaveBeenCalledWith("main-refresh-token");
+      await expect(fs.access(childAuthPath)).rejects.toMatchObject({ code: "ENOENT" });
+      expect(loadAuthProfileStoreForSecretsRuntime().profiles["openai-codex:work"]).toMatchObject({
+        type: "oauth",
+        provider: "openai-codex",
+        access: "main-refreshed-access-token",
+        refresh: "main-refreshed-refresh-token",
+      });
+    } finally {
+      await fs.rm(root, { recursive: true, force: true });
+    }
+  });
+
+  it("force-refreshes the owner credential instead of a stale child OAuth clone", async () => {
+    const root = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-codex-app-server-"));
+    const stateDir = path.join(root, "state");
+    const childAgentDir = path.join(stateDir, "agents", "worker", "agent");
+    const childAuthPath = path.join(childAgentDir, "auth-profiles.json");
+    vi.stubEnv("OPENCLAW_STATE_DIR", stateDir);
+    vi.stubEnv("OPENCLAW_AGENT_DIR", "");
+    oauthMocks.refreshOpenAICodexToken.mockResolvedValueOnce({
+      access: "main-refreshed-access-token",
+      refresh: "main-refreshed-refresh-token",
+      expires: Date.now() + 60_000,
+      accountId: "account-main-refreshed",
+    });
+    try {
+      upsertAuthProfile({
+        profileId: "openai-codex:work",
+        credential: {
+          type: "oauth",
+          provider: "openai-codex",
+          access: "main-current-access-token",
+          refresh: "main-owner-refresh-token",
+          expires: Date.now() + 60_000,
+          accountId: "account-main",
+          email: "main-codex@example.test",
+        },
+      });
+      await fs.mkdir(childAgentDir, { recursive: true });
+      await fs.writeFile(
+        childAuthPath,
+        JSON.stringify({
+          version: 1,
+          profiles: {
+            "openai-codex:work": {
+              type: "oauth",
+              provider: "openai-codex",
+              access: "child-stale-access-token",
+              refresh: "child-stale-refresh-token",
+              expires: Date.now() - 60_000,
+              accountId: "account-main",
+              email: "main-codex@example.test",
+            },
+          },
+        }),
+      );
+
+      await expect(
+        refreshCodexAppServerAuthTokens({
+          agentDir: childAgentDir,
+          authProfileId: "openai-codex:work",
+        }),
+      ).resolves.toEqual({
+        accessToken: "main-refreshed-access-token",
+        chatgptAccountId: "account-main-refreshed",
+        chatgptPlanType: null,
+      });
+
+      expect(oauthMocks.refreshOpenAICodexToken).toHaveBeenCalledWith("main-owner-refresh-token");
+      expect(loadAuthProfileStoreForSecretsRuntime().profiles["openai-codex:work"]).toMatchObject({
+        type: "oauth",
+        provider: "openai-codex",
+        access: "main-refreshed-access-token",
+        refresh: "main-refreshed-refresh-token",
+      });
+      const child = JSON.parse(await fs.readFile(childAuthPath, "utf8")) as {
+        profiles: Record<string, { access?: string; refresh?: string }>;
+      };
+      expect(child.profiles["openai-codex:work"]).toMatchObject({
+        access: "child-stale-access-token",
+        refresh: "child-stale-refresh-token",
+      });
+    } finally {
+      await fs.rm(root, { recursive: true, force: true });
+    }
+  });
+
   it("accepts a refreshed Codex OAuth credential when the stored provider is a legacy alias", async () => {
     const agentDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-codex-app-server-"));
     oauthMocks.refreshOpenAICodexToken.mockResolvedValueOnce({
 
@@ -3,6 +3,7 @@ import {
   loadAuthProfileStoreForSecretsRuntime,
   resolveProviderIdForAuth,
   resolveApiKeyForProfile,
+  resolvePersistedAuthProfileOwnerAgentDir,
   saveAuthProfileStore,
   type AuthProfileCredential,
   type OAuthCredential,
@@ -178,17 +179,26 @@ async function resolveOAuthCredentialForCodexAppServer(
   credential: OAuthCredential,
   params: { agentDir: string; forceRefresh: boolean },
 ): Promise<OAuthCredential> {
-  const store = ensureAuthProfileStore(params.agentDir, { allowKeychainPrompt: false });
+  const ownerAgentDir = resolvePersistedAuthProfileOwnerAgentDir({
+    agentDir: params.agentDir,
+    profileId,
+  });
+  const store = ensureAuthProfileStore(ownerAgentDir, { allowKeychainPrompt: false });
+  const ownerCredential = store.profiles[profileId];
+  const credentialForOwner =
+    ownerCredential?.type === "oauth" && isCodexAppServerAuthProvider(ownerCredential.provider)
+      ? ownerCredential
+      : credential;
   if (params.forceRefresh) {
-    store.profiles[profileId] = { ...credential, expires: 0 };
-    saveAuthProfileStore(store, params.agentDir);
+    store.profiles[profileId] = { ...credentialForOwner, expires: 0 };
+    saveAuthProfileStore(store, ownerAgentDir);
   }
   const resolved = await resolveApiKeyForProfile({
     store,
     profileId,
-    agentDir: params.agentDir,
+    agentDir: ownerAgentDir,
   });
-  const refreshed = loadAuthProfileStoreForSecretsRuntime(params.agentDir).profiles[profileId];
+  const refreshed = loadAuthProfileStoreForSecretsRuntime(ownerAgentDir).profiles[profileId];
   const storedCredential = store.profiles[profileId];
   const candidate =
     refreshed?.type === "oauth" && isCodexAppServerAuthProvider(refreshed.provider)
 
@@ -80,30 +80,35 @@ function turnStartResult(turnId = "turn-auth-contract") {
 
 function createCodexAuthProfileHarness(params: { startMethod: "thread/start" | "thread/resume" }) {
   const seenAuthProfileIds: Array<string | undefined> = [];
+  const seenAgentDirs: Array<string | undefined> = [];
   const requests: Array<{ method: string; params: unknown }> = [];
   let notify: (notification: unknown) => Promise<void> = async () => undefined;
-  __testing.setCodexAppServerClientFactoryForTests(async (_startOptions, authProfileId) => {
-    seenAuthProfileIds.push(authProfileId);
-    return {
-      request: vi.fn(async (method: string, requestParams?: unknown) => {
-        requests.push({ method, params: requestParams });
-        if (method === params.startMethod) {
-          return threadStartResult();
-        }
-        if (method === "turn/start") {
-          return turnStartResult();
-        }
-        throw new Error(`unexpected method: ${method}`);
-      }),
-      addNotificationHandler: (handler: (notification: unknown) => Promise<void>) => {
-        notify = handler;
-        return () => undefined;
-      },
-      addRequestHandler: () => () => undefined,
-    } as never;
-  });
+  __testing.setCodexAppServerClientFactoryForTests(
+    async (_startOptions, authProfileId, agentDir) => {
+      seenAuthProfileIds.push(authProfileId);
+      seenAgentDirs.push(agentDir);
+      return {
+        request: vi.fn(async (method: string, requestParams?: unknown) => {
+          requests.push({ method, params: requestParams });
+          if (method === params.startMethod) {
+            return threadStartResult();
+          }
+          if (method === "turn/start") {
+            return turnStartResult();
+          }
+          throw new Error(`unexpected method: ${method}`);
+        }),
+        addNotificationHandler: (handler: (notification: unknown) => Promise<void>) => {
+          notify = handler;
+          return () => undefined;
+        },
+        addRequestHandler: () => () => undefined,
+      } as never;
+    },
+  );
   return {
     seenAuthProfileIds,
+    seenAgentDirs,
     async waitForMethod(method: string) {
       await vi.waitFor(() => expect(requests.some((entry) => entry.method === method)).toBe(true), {
         interval: 1,
@@ -140,6 +145,7 @@ describe("Auth profile runtime contract - Codex app-server adapter", () => {
     const sessionFile = path.join(tmpDir, "session.jsonl");
     const params = createParams(sessionFile, tmpDir);
     params.authProfileId = AUTH_PROFILE_RUNTIME_CONTRACT.openAiCodexProfileId;
+    params.agentDir = tmpDir;
 
     const run = runCodexAppServerAttempt(params);
     await vi.waitFor(
@@ -149,6 +155,7 @@ describe("Auth profile runtime contract - Codex app-server adapter", () => {
         ]),
       { interval: 1 },
     );
+    expect(harness.seenAgentDirs).toEqual([tmpDir]);
     await harness.waitForMethod("turn/start");
     await harness.completeTurn();
     await run;