[Bug]: openai-codex OAuth fails with 403 unsupported_country_region_territory while codex-cli works

[wulala-xjj]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

OpenClaw latest version cannot complete openai-codex OAuth in my environment, while official codex-cli works on the same machine/network/account.

Environment:

• macOS
• Latest OpenClaw
• Node v24.14.0

What I tested:

1. Browser OAuth page opens normally.
2. Local callback on localhost:1455 works.
3. curl -I https://auth.openai.com/oauth/token reaches the endpoint and returns HTTP 405 when proxy is enabled.
4. Official codex login succeeds on the same machine, same browser, same account, same network/proxy.
5. openclaw models auth login --provider openai-codex consistently fails at code->token exchange with:
   403 unsupported_country_region_territory
6. I also tested with:
   • http_proxy / https_proxy
   • ALL_PROXY
   • forcing Node proxy through global-agent preload
     Result is unchanged.

Conclusion:
This appears to be specific to OpenClaw's openai-codex OAuth/token exchange path rather than a general account/network/browser issue.

Steps to reproduce

1. Run: openclaw models auth login --provider openai-codex
2. Browser opens and login completes successfully
3. Paste redirect URL back into CLI (or auto callback)
4. OpenClaw fails during code->token exchange

Expected behavior

OAuth should complete successfully and return a valid token, similar to official codex-cli login.

Actual behavior

OpenClaw consistently fails with:

403 {"error":{"code":"unsupported_country_region_territory","message":"Country, region, or territory not supported"}}

while official codex login works on the same machine, same account, same network.

OpenClaw version

2026.3.13

Operating system

macOS14.2.1

Install method

npm全局

Model

glm-5

Provider / routing chain

OpenClaw CLI -> openai-codex provider -> local proxy (http://127.0.0.1:2022 / socks5://127.0.0.1:1080) -> browser OAuth flow -> localhost:1455 callback -> auth.openai.com/oauth/token

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

Notes:

• curl to https://auth.openai.com/oauth/token works (returns 405)
• proxies configured (http_proxy, https_proxy, ALL_PROXY)
• also tested with global-agent (forced Node proxy), same result
• official codex-cli login succeeds

Additional information

No response

[Artyomkun]

@evan @стипете

This looks like an OAuth token exchange bug — the browser part works, but the code → token request fails with 403 unsupported_country_region_territory.

The same machine, account, and proxy work with official codex-cli, so the issue is in OpenClaw's token exchange implementation. It's likely ignoring http_proxy/https_proxy when calling auth.openai.com/oauth/token, or sending incorrect User-Agent/Origin headers.

Check:

• Does the token exchange respect proxy settings?
• Does it mimic the same headers as codex-cli?

A fix here would make OpenAI Codex work in regions where direct API access is blocked.

[wulala-xjj]

Thanks! I did some additional checks:

• curl to https://auth.openai.com/oauth/token works through the proxy (returns HTTP 405)
• official codex-cli login succeeds on the same machine, same account, same proxy
• OpenClaw fails consistently at code -> token with 403

I also tried:

• setting http_proxy / https_proxy / ALL_PROXY
• forcing Node to use proxy via global-agent preload

The result is still the same.

So it seems likely that the token exchange request in OpenClaw behaves differently from codex-cli (possibly in headers or how the request is routed).

Happy to provide more logs if needed.

[wulala-xjj]

Just to clarify: I don't actually have request-level logs for the token exchange.

I tried DEBUG=openclaw:*, but it doesn't expose the actual OAuth request details (headers / proxy usage).

What I can confirm is based on behavior:

• curl to the token endpoint works via proxy
• codex-cli succeeds in the same environment
• OpenClaw consistently fails at code -> token

Happy to try any additional debug flags if available.

[vincentkoc]

I split this out from the broader Codex OAuth cleanup.

The proxy plumbing already exists on current main, but the unsupported_country_region_territory failure still surfaced as a generic OAuth error. I opened #71501 to make that path explicit and give operators a proxy/region hint during openclaw models auth login --provider openai-codex.

Keeping this open until that PR lands. If the token exchange still fails after that with the same region code, the next check is request-level parity with Codex CLI.