OpenAI Codex OAuth token not passed to pi-ai streamSimpleOpenAICodexResponses (regression in 2026.3.26)

[odrobnik]

Bug Report

Version: OpenClaw 2026.3.26 (f9b8499)

Description

After upgrading to 2026.3.26, the openai-codex provider always fails with:

No API key for provider: openai-codex

This affects all openai-codex/* models (tested with gpt-5.4 and gpt-5.3-codex). The gateway falls back to the configured fallback model (e.g. anthropic/claude-opus-4-6).

Root Cause

The OAuth token is resolved correctly from auth-profiles.json and stored via authStorage.setRuntimeApiKey(model.provider, apiKeyInfo.apiKey). However, pi-ai's streamSimpleOpenAICodexResponses does not read from AuthStorage — it checks options?.apiKey || getEnvApiKey(model.provider):

// In @mariozechner/pi-ai/dist/providers/openai-codex-responses.js
const streamSimpleOpenAICodexResponses = (model, context, options) => {
    const apiKey = options?.apiKey || getEnvApiKey(model.provider);
    if (!apiKey) {
        throw new Error(`No API key for provider: ${model.provider}`);
    }
    // ...
};

getEnvApiKey() has no mapping for openai-codex (there is no OPENAI_CODEX_API_KEY env var entry), and options.apiKey is not being populated by OpenClaw's caller.

Meanwhile, the non-Simple streamOpenAICodexResponses function does its own getEnvApiKey(model.provider) check separately, which also fails.

Call Chain

1. getApiKeyForModel() → resolveApiKeyForProvider() → resolves OAuth access token from auth-profiles.json ✅
2. authStorage.setRuntimeApiKey(model.provider, apiKeyInfo.apiKey) — stores in AuthStorage object ✅
3. Pi-ai's streamSimpleOpenAICodexResponses checks options?.apiKey — empty ❌
4. Falls through to getEnvApiKey("openai-codex") — no mapping ❌
5. Throws No API key for provider: openai-codex

Key Files

• pi-model-discovery-DaNAekda.js: discoverAuthStorage() creates AuthStorage from auth.json (legacy path)
• model-auth-CxlTW8uU.js: resolveApiKeyForProvider() reads from auth-profiles.json correctly
• pi-embedded-_crSbDV9.js: Line ~68870 calls authStorage.setRuntimeApiKey() but the token never reaches the Simple stream function's options.apiKey

Expected Behavior

The resolved OAuth access token should be passed as options.apiKey when calling streamSimpleOpenAICodexResponses, or pi-ai's getEnvApiKey should include a mapping for openai-codex.

Workaround

None clean. Setting OPENAI_CODEX_API_KEY env var works temporarily but OAuth tokens expire.

Environment

• OpenClaw 2026.3.26 (f9b8499)
• macOS (arm64)
• Auth profile: openai-codex:sylvia@email.me (type: oauth, valid access token)
• Models tested: openai-codex/gpt-5.4, openai-codex/gpt-5.3-codex

[odrobnik]

Additional Analysis from Source Code

Traced the full auth resolution chain in the source code:

The Auth Chain (run/attempt flow)

1. auth-controller.ts → applyApiKeyInfo() resolves the OAuth token via getApiKeyForModel() from auth-profiles.json and calls params.authStorage.setRuntimeApiKey(provider, apiKey) ✅
2. pi-coding-agent/auth-storage.ts → AuthStorage.runtimeOverrides stores the key in a Map ✅
3. pi-coding-agent/sdk.ts → createAgentSession() wires getApiKey callback on the Agent that calls modelRegistry.getApiKeyForProvider() → authStorage.getApiKey() ✅
4. pi-agent-core/agent-loop.js calls config.getApiKey(provider) before each stream call, passes result as options.apiKey to streamSimple() ✅
5. pi-ai/stream.js → streamSimple() dispatches to streamSimpleOpenAICodexResponses which checks options?.apiKey ✅

Where It Should Work But Doesn't

The AuthStorage.getApiKey() method checks runtimeOverrides first:

async getApiKey(providerId) {
    const runtimeKey = this.runtimeOverrides.get(providerId);
    if (runtimeKey) return runtimeKey;  // Should return the OAuth token here
    ...
}

And the agent-loop resolves it:

const resolvedApiKey = (config.getApiKey ? await config.getApiKey(config.model.provider) : undefined) || config.apiKey;

pi-model-discovery.ts Also Sets Runtime Overrides

During createAuthStorage(), credentials from auth-profiles.json are pre-loaded into runtimeOverrides:

for (const [provider, credential] of Object.entries(creds)) {
    if (credential.type === "api_key") {
        withRuntimeOverride.setRuntimeApiKey(provider, credential.key);
    }
    withRuntimeOverride.setRuntimeApiKey(provider, credential.access);
}

Possible Root Cause

The credential map IS populated correctly (verified: openai-codex has access_len=1963, expires=2026-04-06). The runtime override IS being set. But the error still occurs.

Suspicion: Either the AuthStorage instance in createAgentSession is different from the one that received setRuntimeApiKey, or there's an exception path in the getApiKey() method (e.g., the OAuth refresh path throws and isn't caught, causing resolvedApiKey to be undefined).

Key files in source

• src/agents/pi-model-discovery.ts — creates AuthStorage with runtime overrides from auth-profiles
• src/agents/pi-embedded-runner/run/auth-controller.ts — applyApiKeyInfo() calls setRuntimeApiKey
• src/agents/pi-auth-credentials.ts — resolvePiCredentialMapFromStore() converts profiles to pi-ai format
• Installed pi-ai version: 0.53.0 (repo HEAD: 0.63.0 — significant version gap)

[odrobnik]

Root Cause Confirmed

PR #55898 fixes this exact issue:

pi-coding-agent 0.63.0 replaced ModelRegistry.getApiKey() with getApiKeyAndHeaders(), breaking the auth resolution chain for OAuth providers like openai-codex.

The agent-loop's getApiKey callback was wired to the old modelRegistry.getApiKeyForProvider() → authStorage.getApiKey() path, but since 0.63.0 that path no longer returns the key correctly.

The fix in #55898 adds wrapStreamFnWithModelRegistryAuth() that resolves auth once per attempt and injects apiKey + headers directly into every streamFn invocation.

This is a duplicate of #55672 / #55760. Closing in favor of those.

[odrobnik]

Duplicate of #55672 / #55760 — fix in PR #55898.

[odrobnik]

Cross-Reference: Same Root Cause as #55816

Issue #55816 provides the clearest explanation of the root cause:

In attempt.ts, the else fallback replaces the SDK's wrapped streamFn with raw streamSimple:

} else {
  activeSession.agent.streamFn = streamSimple;
}

The SDK's createAgentSession() wraps streamSimple with a function that resolves API keys via modelRegistry.getApiKeyAndHeaders() (new in pi-coding-agent 0.63.0). When OpenClaw replaces this wrapper, the API key resolution is lost.

In pi-* ≤0.61.1, API keys were resolved through the Agent.getApiKey callback in the agent loop. In 0.63.0, the SDK moved to resolving keys inside the wrapped streamFn — but OpenClaw's attempt.ts overwrites that wrapper, silently dropping auth for all providers that don't have env var fallbacks.

Related Issues

• Custom providers fail with 'No API key for provider' after pi-* 0.63.0 upgrade #55816 — Custom providers fail with same error (best root cause analysis)
• [BUG,RELEASE BLOCKER]: No API key for provider even when openclaw models status --probe works #55672 / [Bug]: Embedded agent auth broken after pi-coding-agent 0.63.0 bump — streamFn overrides bypass new auth-injection wrapper #55760 — Same regression
• PR fix(agents): restore embedded auth injection after pi-coding-agent 0.63.0 bump #55898 — Fix: wrapStreamFnWithModelRegistryAuth() injects auth into every streamFn invocation

[odrobnik]

Final finding: fixed in 2026.3.27

I re-tested this after OpenClaw updated locally from 2026.3.26 to 2026.3.27 and confirmed the original regression no longer reproduces.

What changed

On the failing 2026.3.26 build, the embedded runner replaced the SDK-provided wrapped stream function with raw streamSimple:

activeSession.agent.streamFn = streamSimple

That discarded the auth wrapper introduced by the pi-* 0.63.0 changes, so providers that depended on injected runtime auth (including openai-codex OAuth) reached pi-ai without options.apiKey, leading to:

No API key for provider: openai-codex

On the newer 2026.3.27 build, the corresponding code now preserves the session's default wrapped stream function instead of replacing it with raw streamSimple:

const defaultSessionStreamFn = activeSession.agent.streamFn;
...
else activeSession.agent.streamFn = defaultSessionStreamFn;

Why this matters

defaultSessionStreamFn is the SDK-created wrapped stream function that carries the auth injection behavior needed after the pi-coding-agent 0.63.0 changes. Preserving it keeps OAuth/API-key resolution intact.

Evidence from local repro

• Failing build: 2026.3.26 (env-BQimSfev.js), produced repeated No API key for provider: openai-codex errors.
• Working build: 2026.3.27, chunked output (auth-profiles-Dxwrv8un.js / subsystem-CJEvHE2o.js), no further No API key errors after switching back to openai-codex/gpt-5.4.
• A fresh ping on openai-codex/gpt-5.4 succeeded after the upgrade.

Conclusion

So this issue was valid for 2026.3.26, but it appears already fixed in 2026.3.27 (or by the equivalent code change from the auth-wrapper fix work such as #55898).

Keeping this issue closed. Users still seeing this should verify they are not on 2026.3.26 or an equivalent affected build.