[Bug]: openai-codex provider blocked by Cloudflare (403 CF mitigation active) on valid OAuth token

[st4rnin3]

Summary

The openai-codex provider is currently failing with a 403 Forbidden due to Cloudflare mitigation on the ChatGPT backend endpoint, despite holding a freshly acquired and valid OAuth token.

This breaks the default free model paths (openai-codex/gpt-5.4, openai-codex/gpt-5.4-mini).

Reproduction

1. Authenticate via openclaw models auth login \u2192 OpenAI Codex
2. Successfully exchange the authorization code for a token
3. Attempt to use the model (e.g. via cron job or standard conversation)
4. Fails with timeout / 403.

Direct POST to https://chatgpt.com/backend-api/conversation using the saved Bearer token yields:

Response (403): <html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style global>body{font-family:Arial,Helvetica,sans-serif}.container{align-items:center;display:flex;flex
...

Headers confirm: CF mitigation active on this endpoint. The token is valid, but ChatGPT endpoint requires JS/browser validation.

Impact

• All jobs and agent turns bound to the openai-codex provider hang until they timeout, then fallback.
• In environments without paid fallbacks, the system becomes non-functional.
• Tokens are generating correctly via the app_EMoamEEZ73f0CkXaXp7hrann client, but the API endpoint itself is aggressively blocking headless HTTP clients.

Environment

• OpenClaw 2026.4.5
• Provider: openai-codex
• Models: gpt-5.4, gpt-5.4-mini

[shreefentsar]

still happening with me
Error: Token exchange failed
[openai-codex] code->token failed: 403 <title>Just a moment...</title>
looks like cloudflare WAF

[st4rnin3]

Root cause found and fixed.

This was not an OAuth token problem and not ultimately a Cloudflare-only issue.

Actual root cause

openclaw.json had a bad provider transport mapping for openai-codex under models.providers.openai-codex:

"api": "anthropic-messages"

That caused OpenClaw to generate malformed requests for Codex models like openai-codex/gpt-5.4.

The correct mapping is:

"api": "openai-codex-responses"

The same incorrect API mapping was also present at the model level for the custom gpt-5.4-mini entry.

Why it was confusing

• The access token was valid
• Direct curl tests to https://chatgpt.com/backend-api/codex/responses returned 200
• Gateway logs surfaced misleading downstream errors such as:
  • DNS lookup for the provider endpoint failed
  • API rate limit reached
  • raw 403 <html>...

Those were symptoms of the wrong transport / malformed request path, not the real cause.

Fix applied

Updated openclaw.json:

• models.providers.openai-codex.api
  • from anthropic-messages
  • to openai-codex-responses
• models.providers.openai-codex.models[*].api
  • from anthropic-messages
  • to openai-codex-responses

Then restarted the gateway.

Result

openai-codex/gpt-5.4 began working again after the config fix + restart.

Closing as resolved because we now have a verified local root cause and workaround/fix.