[Bug]: openai-codex provider fails with Cloudflare 403 on headless HTTP after upgrade to 2026.4.5

[st4rnin3]

Summary

After upgrading to OpenClaw 2026.4.5, the openai-codex provider consistently fails with Cloudflare 403 responses on the chatgpt.com/backend-api/codex/responses endpoint, despite holding a freshly acquired, valid OAuth token. This makes openai-codex/gpt-5.4 and openai-codex/gpt-5.4-mini effectively unusable as primary models.

This is a continuation / re-file of #62087 (accidentally closed).

---

Reproduction Steps

1. Upgrade to OpenClaw 2026.4.5
2. Authenticate: openclaw models auth login → OpenAI Codex → complete OAuth flow
3. Use any agent with openai-codex/gpt-5.4 or openai-codex/gpt-5.4-mini as primary model
4. Observe: every request fails with a Cloudflare 403 HTML response

Direct test (reproduces reliably):

curl -s -o /tmp/test.txt -w '%{http_code}' \
  -H 'Authorization: Bearer <valid_access_token>' \
  -H 'chatgpt-account-id: <account_id>' \
  -H 'originator: pi' \
  -H 'User-Agent: pi (linux; x86_64)' \
  -H 'OpenAI-Beta: responses=experimental' \
  -H 'accept: text/event-stream' \
  -H 'content-type: application/json' \
  -X POST --data '<valid_payload>' \
  https://chatgpt.com/backend-api/codex/responses
# Returns: 403 with Cloudflare HTML body

Note: The same token against /backend-api/models and /backend-api/usage returns 200 OK — the token is valid. The block is specific to /codex/responses.

---

Observed Behavior

Gateway logs:

warn {"event":"embedded_run_agent_end","error":"LLM request failed: DNS lookup for the provider endpoint failed.","failoverReason":"auth","model":"gpt-5.4","provider":"openai-codex","rawErrorPreview":"403 <html>\n  <head>..."}
warn {"event":"embedded_run_agent_end","error":"API rate limit reached. Please try again later.","failoverReason":"auth","model":"gpt-5.4","provider":"openai-codex","rawErrorPreview":"403 <html>..."}

Misleading error messages: OpenClaw maps the 403 to auth failure reason, then surfaces it as DNS lookup failed or rate limit reached after retry exhaustion — making diagnosis very difficult.

---

Secondary Issue: OAuth wizard writes invalid config keys

Each re-auth via openclaw models auth login writes token and refreshToken (empty strings) into openclaw.json under the auth profile. The new schema validator in 2026.4.5 rejects these as unrecognized keys, causing gateway startup failures:

Invalid config at /home/openclaw/.openclaw/openclaw.json: Unrecognized keys: "token", "refreshToken"

Workaround: openclaw doctor --fix strips the bad keys. But re-auth rewrites them, so the cycle repeats.

Additionally, each re-auth adds a second profile (openai-codex:<email@gmail.com>) alongside the existing openai-codex:default, causing the retry/fallback loop to attempt both profiles before giving up — doubling the timeout delay on every failed request.

---

Expected Behavior

• openai-codex/gpt-5.4 requests succeed when a valid OAuth token is held
• Re-auth does not write token/refreshToken keys to openclaw.json
• Re-auth does not create duplicate profiles on repeat auth flows

---

Environment

• OpenClaw version: 2026.4.5
• Provider: openai-codex
• Models affected: gpt-5.4, gpt-5.4-mini
• Endpoint: https://chatgpt.com/backend-api/codex/responses
• OAuth client: app_EMoamEEZ73f0CkXaXp7hrann
• Token status: Valid (confirmed against /models and /usage endpoints, expires 2026-04-16)
• Weekly usage: ~43% — not rate limited
• OS: Linux (Ubuntu 20.04, kernel 5.15.0)

---

Workarounds

1. Switch primary model to anthropic/claude-sonnet-4-6 or another non-Codex provider
2. Run openclaw doctor --fix after each re-auth to remove invalid config keys
3. Manually remove duplicate email-based profile from agents/<name>/agent/auth-profiles.json after each re-auth

---

References

• Closed predecessor: [Bug]: openai-codex provider blocked by Cloudflare (403 CF mitigation active) on valid OAuth token #62087
• CF block pattern confirmed: Cloudflare JS challenge page returned in response body
• Transport layer: @mariozechner/pi-ai → openai-codex-responses.js → buildBaseCodexHeaders() sends originator: pi and User-Agent: pi (linux; x86_64) with no browser cookies or CF clearance token — this headless fingerprint appears to trigger CF mitigation

[st4rnin3]

the curl example DOES give you a 200, success. but the Openclaw call still fails.
From my agent:
The reason it works in curl for you but fails in OpenClaw for Orion is exactly why Cloudflare blocks are so insidious: TLS and HTTP Client Fingerprinting.

Cloudflare doesn't just look at the headers we send (like User-Agent: pi); it looks at how the underlying HTTP request is constructed at the network level.

curl uses OpenSSL and has a very specific TLS fingerprint (JA3/JA4 hash) and header ordering. Cloudflare often lets curl traffic through unless it's explicitly blacklisted, because so many legitimate scripts use it.
OpenClaw runs on Node.js and uses Node's native fetch (via Undici). Node.js has a very distinct, globally recognized TLS fingerprint. Cloudflare's bot-protection WAF instantly sees "This request claims its User-Agent is pi (linux), but its TLS fingerprint screams Node.js fetch."

When it detects that mismatch, Cloudflare drops the hammer and throws the 403 HTML challenge, which Node.js blindly parses as a failure.

So your token is perfectly valid (which is why curl gets a 200), but ChatGPT's Cloudflare shield is specifically blocking OpenClaw's underlying Node.js network fingerprint. This is exactly what the bug I filed (#62142) highlights — the community will need to either update the @mariozechner/pi-ai network transport to mask its fingerprint or find a different endpoint.

For now, openai-codex is dead in the water for OpenClaw agents until the devs patch the transport layer. You'll need to keep Orion on an Anthropic or Gemini model for now.

[st4rnin3]

Root cause found and fixed.

This was not an OAuth token problem and not ultimately a Cloudflare-only issue.

Actual root cause

openclaw.json had a bad provider transport mapping for openai-codex under models.providers.openai-codex:

"api": "anthropic-messages"

That caused OpenClaw to generate malformed requests for Codex models like openai-codex/gpt-5.4.

The correct mapping is:

"api": "openai-codex-responses"

The same incorrect API mapping was also present at the model level for the custom gpt-5.4-mini entry.

Why it was confusing

• The access token was valid
• Direct curl tests to https://chatgpt.com/backend-api/codex/responses returned 200
• Gateway logs surfaced misleading downstream errors such as:
  • DNS lookup for the provider endpoint failed
  • API rate limit reached
  • raw 403 <html>...

Those were symptoms of the wrong transport / malformed request path, not the real cause.

Fix applied

Updated openclaw.json:

• models.providers.openai-codex.api
  • from anthropic-messages
  • to openai-codex-responses
• models.providers.openai-codex.models[*].api
  • from anthropic-messages
  • to openai-codex-responses

Then restarted the gateway.

Result

openai-codex/gpt-5.4 began working again after the config fix + restart.

Closing as resolved because we now have a verified local root cause and workaround/fix.

[imranshaiedi-byte]

I can reproduce this on macOS as of April 8, 2026.

Environment:

• OpenClaw: 2026.4.8 (9ece252)
• OS: macOS 26.5 / Darwin 25.5.0 arm64
• Provider: openai-codex
• Model tested: openai-codex/gpt-5.4
• OAuth: refreshed successfully on April 8, 2026
• Gateway: healthy
• Browser control enabled, Chrome configured, headless: false

What I see:

• openclaw models status shows openai-codex/gpt-5.4 configured
• live inference against openai-codex/gpt-5.4 fails consistently
• OpenClaw surfaces this as DNS/auth-ish noise, but the preserved raw error is an HTTP 403 HTML response from chatgpt.com/backend-api

Repro:

openclaw infer model run --prompt 'Reply with exactly: codex-ok' --model openai-codex/gpt-5.4 --json

Observed output excerpt:

error=LLM request failed: DNS lookup for the provider endpoint failed.
rawError=403 <html> ...

Additional notes:

• This is not a general gateway failure. openclaw gateway health is OK.
• Requests appear to be reaching the backend and getting rejected, rather than failing DNS/TLS/connectivity locally.
• Refreshing OAuth did not resolve it.
• Reordering available openai-codex auth profiles did not resolve it.
• The same pattern was previously observed with the mini variant before my config settled on gpt-5.4 only.

If useful, I can provide a longer sanitized log excerpt, but the key point is that runtime calls to chatgpt.com/backend-api are returning a Cloudflare-style 403 HTML response even though OAuth appears valid.

[imranshaiedi-byte]

Follow-up: the transport mapping fix resolved it on my macOS setup too.

What fixed it locally:

• set models.providers.openai-codex.api to openai-codex-responses
• set models.providers.openai-codex.models[*].api to openai-codex-responses
• restart gateway

After that, this succeeds:

openclaw infer model run --prompt 'Reply with exactly: codex-ok' --model openai-codex/gpt-5.4 --json

Result:

{"ok":true,"provider":"openai-codex","model":"gpt-5.4","outputs":[{"text":"codex-ok"}]}

Product-level conclusion: this should be fixed in the provider/migration layer, not left as a manual config workaround.

Suggested upstream changes:

• default openai-codex to openai-codex-responses
• ensure model entries inherit that transport correctly
• migrate older configs automatically
• add validation so openai-codex cannot silently bind to an incompatible transport
• stop surfacing this failure as misleading DNS/rate-limit/auth noise