[Bug]: Expired external Codex credentials overwrite fresh re-auth and cause repeated OAuth failures #53466

@Muoson

Bug type

Behavior bug (incorrect output/state without crash)

Summary

I hit a failure mode where expired external Codex credentials appear to overwrite newly completed OpenClaw auth flows.

In my case, this was not limited to onboarding/configure. Even after running:

openclaw models auth login

The old credential would come back again, and later runtime usage failed with:

OAuth token refresh failed for openai-codex: Failed to refresh OAuth token for openai-codex. Please try again or re-authenticate.

So the issue is not just that stale external credentials can be imported once — it is that they seem able to replace fresh re-auth state afterward, making Codex auth effectively impossible to recover from on the user side.

Steps to reproduce

  1. Ensure an expired Codex external credential file exists at ~/.codex/auth.json.
  2. Start OpenClaw 2026.3.23-2 with Codex configured as the primary model.
  3. Run either onboarding/configure or openclaw models auth login.
  4. Observe the log line during onboarding (it won't be shown for auth login):
    [agents/auth-profiles] synced openai-codex credentials from external cli
  5. Trigger actual Codex model usage.
  6. Observe the runtime failure:
    OAuth token refresh failed for openai-codex: Failed to refresh OAuth token for openai-codex. Please try again or re-authenticate.
  7. Remove ~/.codex/, retry the same flow, and observe that the failure no longer occurs.

Expected behavior

Expected result: after completing a fresh OpenClaw Codex auth flow, OpenClaw should keep the newly issued credential and Codex should remain usable at runtime. In this same environment, that was the observed behavior after removing ~/.codex/: openai-codex:default showed ok expires in 10d, the primary model was restored to openai-codex/gpt-5.4, and the repeated OAuth refresh failure stopped.

Actual behavior

Observed result: after re-running onboarding/configure or openclaw models auth login, Codex later failed at runtime with the user-visible error:

⚠️ Agent failed before reply: OAuth token refresh failed for openai-codex: Failed to refresh OAuth token for openai-codex. Please try again or re-authenticate.
Logs: openclaw logs --follow

Supporting evidence observed in logs/status:

  • Gateway logs showed:
    [agents/auth-profiles] synced openai-codex credentials from external cli
    
  • openclaw models status previously showed repeated refresh failures such as:
    [openai-codex] Token refresh failed: 401
    "code": "refresh_token_reused"
    
  • The stale external credential source was found at:
    ~/.codex/auth.json
    

OpenClaw version

2026.3.23-2

Operating system

macOS 26.3.1 (a)

Install method

pnpm

Model

gpt-5.4

Provider / routing chain

openclaw -> openai-codex

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response
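
The failure described in this issue, reduced to a sketch (an added example, not code from OpenClaw or from the issue author): a sync step that lets an external CLI credential replace the stored one unconditionally, next to a guard that rejects an expired or older external credential. The credential fields and function names are assumptions; the page does not show OpenClaw's sync code or the layout of ~/.codex/auth.json.

```javascript
// Hypothetical credential shape (an assumption, not a real schema):
//   { refresh: string, expiresAt: epoch ms, obtainedAt: epoch ms }

// Behaviour consistent with the report: whenever an external credential
// exists it wins, even over a login completed moments ago.
function naiveSync(stored, external) {
  return external ?? stored;
}

// Guarded sync: adopt the external credential only if it is still valid
// and strictly newer than what the profile store already holds.
// Rejecting every expired external credential is a conservative choice:
// with rotating refresh tokens, an old one may already have been consumed
// (the "refresh_token_reused" 401 quoted in the issue).
function guardedSync(stored, external, now = Date.now()) {
  if (!external) return { credential: stored, reason: "no-external" };
  if (external.expiresAt <= now) {
    return { credential: stored, reason: "external-expired" };
  }
  if (!stored) return { credential: external, reason: "no-stored" };
  if (external.obtainedAt <= stored.obtainedAt) {
    return { credential: stored, reason: "external-older" };
  }
  return { credential: external, reason: "external-newer" };
}

// Constructed sample data (not taken from any real auth file).
const NOW = 1_000_000;
const staleExternal = { refresh: "rt-old", expiresAt: NOW - 1, obtainedAt: NOW - 900_000 };
const olderExternal = { refresh: "rt-mid", expiresAt: NOW + 5, obtainedAt: NOW - 500 };
const newerExternal = { refresh: "rt-ext", expiresAt: NOW + 5_000, obtainedAt: NOW - 1 };
const freshLogin = { refresh: "rt-new", expiresAt: NOW + 864_000, obtainedAt: NOW - 10 };

// Compare both strategies for one external credential against the fresh login.
function compare(external) {
  const guarded = guardedSync(freshLogin, external, NOW);
  return {
    naive: naiveSync(freshLogin, external).refresh,
    guarded: guarded.credential.refresh,
    reason: guarded.reason,
  };
}

console.log(compare(staleExternal), compare(olderExternal), compare(newerExternal));
```

The `reason` value is worth logging next to any "synced ... from external cli" message, so that a rejected import is visible during triage.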

Labels: bug (Something isn't working), bug:behavior (Incorrect behavior without a crash)
