OAuth renewal doesn't update auth-profiles.provisioned.json, causing recovery loops

[dfrysinger]

Summary

When OAuth tokens are renewed via openclaw onboard, the token is saved to auth-profiles.json (live copy) but NOT to auth-profiles.provisioned.json (golden copy). This causes safe-mode recovery to repeatedly fail because it reads from the golden copy.

The Architecture

~/.openclaw/agents/main/agent/auth-profiles.json            # Live copy (gateway reads/writes)
~/.openclaw/agents/main/agent/auth-profiles.provisioned.json # Golden copy (recovery reads)

From build-full-config.sh (lines 275-279):

# Golden copy — never modified by gateway, survives shutdown persistence clobber.
# Safe mode recovery reads from this to find OAuth tokens that may have been
# dropped from the live copy during gateway restart cycles.
# NOTE: This is static after provisioning. If credentials are rotated at runtime
# (e.g., OAuth token refresh), re-run build-full-config.sh to update the golden copy.

From safe-mode-recovery.sh (lines 192-200):

# Find auth-profiles.json — prefer golden provisioned copy (survives gateway
# SIGTERM persistence clobber), fall back to live copy if golden doesn't exist.
for path in \
  "$home/.openclaw/agents/main/agent/auth-profiles.provisioned.json" \
  "$home/.openclaw/agents/main/agent/auth-profiles.json" \
  ...

The Problem

1. User runs openclaw onboard --auth-choice openai-codex
2. OAuth flow completes, token saved to auth-profiles.json ✅
3. auth-profiles.provisioned.json is NOT updated ❌
4. Later, something triggers safe-mode recovery
5. Recovery reads from .provisioned.json (stale token)
6. Recovery thinks OAuth is broken → stays in safe mode
7. User re-runs OAuth → same loop repeats

Current Workaround

After OAuth renewal, manually copy live → golden:

cp ~/.openclaw/agents/main/agent/auth-profiles.json \
   ~/.openclaw/agents/main/agent/auth-profiles.provisioned.json

Proposed Fix

Option A: Update openclaw onboard to sync golden copy

When openclaw onboard successfully saves OAuth credentials, also update the provisioned copy:

// After writing auth-profiles.json
const provisionedPath = path.join(agentDir, 'auth-profiles.provisioned.json');
if (fs.existsSync(provisionedPath)) {
  fs.copyFileSync(authProfilesPath, provisionedPath);
}

Option B: Document the manual step

Add to safe-mode agent TOOLS.md and main docs:

• Explain the two-file architecture
• Document the manual copy step after OAuth renewal

Context

This was discovered during a multi-hour safe-mode debugging session where:

• Discord tokens were fixed in both habitat-parsed.env and openclaw.full.json
• OpenAI OAuth was renewed multiple times via openclaw onboard
• Recovery kept reverting to safe mode because .provisioned.json had stale token

Related issue: #37659 (other safe-mode documentation gaps)

[dfrysinger]

Related: Clear Safe Mode Flag After Fix

Even after copying auth-profiles.json → auth-profiles.provisioned.json, recovery will keep running if the safe mode flag is not cleared:

# REQUIRED after OAuth renewal
sudo rm -f /var/lib/init-status/safe-mode
echo 0 | sudo tee /var/lib/init-status/recovery-attempts

Without this, the health check loop continues and may overwrite fixes on the next recovery cycle.

The complete post-OAuth-renewal procedure should be:

1. cp ~/.openclaw/agents/main/agent/auth-profiles.json ~/.openclaw/agents/main/agent/auth-profiles.provisioned.json
2. sudo rm -f /var/lib/init-status/safe-mode
3. echo 0 | sudo tee /var/lib/init-status/recovery-attempts
4. sudo try-full-config.sh

[maximizeGPT]

I found this to be a Windows path issue with OpenClaw.

Quick fix that worked for me:

1. Open PowerShell as Administrator
2. Run: mkdir C:\Users%USERNAME%.openclaw
3. Run: icacls C:\Users%USERNAME%.openclaw /grant %USERNAME%:F
4. Reinstall OpenClaw

The installer needs write permissions to create the .openclaw folder in your home directory. Windows Defender sometimes blocks this.

[newcodebook]

This one looks very actionable: after renewal, the live auth file is newer than the golden recovery copy.

Quickest recovery path:

1. Right after the successful re-auth/onboard step, sync the live profile into the provisioned copy:
   cp ~/.openclaw/agents/main/agent/auth-profiles.json ~/.openclaw/agents/main/agent/auth-profiles.provisioned.json
2. If the host is already stuck in a safe-mode recovery loop, clear the recovery markers and rerun recovery/restart:
   sudo rm -f /var/lib/init-status/safe-mode
echo 0 | sudo tee /var/lib/init-status/recovery-attempts

Why this helps: the recovery path reads auth-profiles.provisioned.json first, so renewing only auth-profiles.json leaves recovery using the stale token and dropping back into the same loop.

If it still flips back into safe mode after that, please share which recovery script/service you run after boot (for example try-full-config.sh or a custom unit) and whether your auth files live somewhere other than ~/.openclaw/agents/main/agent/.

Related reading:

• OAuth token refresh failed (Anthropic Claude subscription)
• OpenClaw Configuration Guide: openclaw.json, Models, Gateway, Channels, and Plugins

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[steipete]

Closing this as not reproducible on current main after Codex review.

Issue #38336 does not match current OpenClaw main: the repo now documents and implements a single per-agent auth-profiles.json auth store, and the reported auth-profiles.provisioned.json / safe-mode-recovery.sh path is not present in this checkout.

What I checked:

• OAuth storage docs name only one primary store: Current docs describe auth-profiles.json as the per-agent token sink and only mention legacy credentials/oauth.json as an import source; there is no documented auth-profiles.provisioned.json golden copy. Public docs: docs/concepts/oauth.md. (docs/concepts/oauth.md:43, 76a4c167f7ef)
• Gateway config reference matches single-store model: The configuration reference says per-agent profiles are stored at <agentDir>/auth-profiles.json and does not describe any provisioned mirror file. Public docs: docs/gateway/configuration-reference.md. (docs/gateway/configuration-reference.md:706, 76a4c167f7ef)
• Onboarding writes OAuth credentials into the agent auth store: writeOAuthCredentials() builds an OAuth credential and persists it through upsertAuthProfile() for the resolved agent dir; this path writes the current auth store, not a separate provisioned mirror. (src/plugins/provider-auth-helpers.ts:269, 76a4c167f7ef)
• Auth profile writes persist through the canonical store helper: upsertAuthProfile() updates the in-memory store and calls saveAuthProfileStore(), which writes auth-profiles.json plus auth state for that agent. (src/agents/auth-profiles/profiles.ts:46, 76a4c167f7ef)
• OAuth refreshes are mirrored into the main agent store: Current refresh logic explicitly mirrors refreshed OAuth credentials into the main agent store when a non-main agent refreshes, which addresses stale-main-store drift within the present architecture. (src/agents/auth-profiles/oauth-manager.ts:297, 76a4c167f7ef)
• Repo search found no reported provisioned/recovery artifacts: A repo-wide search for auth-profiles.provisioned.json, safe-mode-recovery.sh, build-full-config.sh, try-full-config.sh, and /var/lib/init-status/safe-mode returned no matches in the checkout. (76a4c167f7ef)

Review notes: reviewed against 76a4c167f7ef.