[Bug]: openai-codex OAuth runtime fails on 2026.4.9 with 403 HTML; 2026.3.28 works

[FWo100]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

On the same Ubuntu VPS and openai-codex OAuth setup, OpenClaw 2026.4.9 fails to return runtime chat replies in Control UI, WhatsApp, and WeCom, while 2026.3.28 works.

Steps to reproduce

1. Start the same self-hosted Ubuntu VPS setup on OpenClaw 2026.4.9 with openai-codex OAuth.
2. Open a fresh Control UI chat, or send /new and then a simple text message in WhatsApp or WeCom.
3. Observe that Control UI gets stuck on "writing" or the channel returns an error instead of a normal reply.
4. Check gateway logs and observe repeated 403 <html>... for provider":"openai-codex" and model":"gpt-5.4".
5. Downgrade the same setup to 2026.3.28 and repeat the same tests.
6. Observe that replies work again on 2026.3.28.

Expected behavior

On the same VPS and same openai-codex OAuth setup, Control UI, WhatsApp, and WeCom should return normal replies, as observed on OpenClaw 2026.3.28.

Actual behavior

On 2026.4.9, Control UI main gets stuck on "writing" and WhatsApp/WeCom return misleading user-facing errors such as LLM request failed: DNS lookup for the provider endpoint failed. or ⚠️ API rate limit reached. Please try again later.; the gateway logs repeatedly show upstream 403 <html>... with failoverReason":"auth", provider":"openai-codex", and model":"gpt-5.4".

OpenClaw version

2026.4.9 (0512059)

Operating system

Ubuntu 22.04.5 LTS

Install method

npm global

Model

openai-codex/gpt-5.4

Provider / routing chain

openclaw -> openai-codex OAuth -> https://chatgpt.com/backend-api

Additional provider/model setup details

• Node version: v24.13.1
• Main LLM path is openai-codex OAuth only
• No non-Codex fallback is configured
• openclaw models status --agent main --probe succeeds for the intended profile while runtime chats still fail
• Per-agent probes for live handler agents also showed the intended Codex profile probing OK
• One malformed main/agent/models.json entry (https:/chatgpt.com/backend-api) was found and fixed to https://chatgpt.com/backend-api, but the broader 2026.4.9 runtime failure persisted
• SSE transport was forced in config and did not resolve the issue

Logs, screenshots, and evidence

Observed log patterns on 2026.4.9 include:

- `embedded_run_agent_end`
  - `error":"403 <html>..."`
  - `failoverReason":"auth"`
  - `provider":"openai-codex"`
  - `model":"gpt-5.4"`

- Followed by surfaced user-facing messages such as:
  - `LLM request failed: DNS lookup for the provider endpoint failed.`
  - `⚠️ API rate limit reached. Please try again later.`

Other observed evidence:
- VPS resolver checks for `api.openai.com` succeeded
- `openclaw models status --agent main --probe` succeeded on the intended Codex OAuth profile
- Downgrading from 2026.4.9 to 2026.3.28 restored normal behavior on the same VPS and same setup

Impact and severity

Affected users/systems/channels:

• Control UI main
• WhatsApp channel
• WeCom channel
• Same self-hosted Ubuntu VPS setup

Severity:
High; blocks normal agent replies across the main UI and both tested channels

Frequency:
Repeated across observed attempts on 2026.4.9

Consequence:
Control UI becomes unusable for normal chat replies and channel users receive misleading error messages instead of agent responses

Additional information

• Last known good version: 2026.3.28
• First known bad version observed: 2026.4.9
• Downgrading back to 2026.3.28 restored normal behavior
• This issue reproduced across Control UI, WhatsApp, and WeCom on the same VPS
• The repeated raw runtime symptom observed in logs was upstream 403 <html>..., while the surfaced user-facing error text varied

[mjamiv]

Confirming on v2026.4.9 (Ubuntu VPS, npm global). We have the direct error from the refresh endpoint, which points at a concrete root cause:

[openai-codex] Token refresh failed: 401 {
  "error": {
    "message": "Your refresh token has already been used to generate a new access token. Please try signing in again.",
    "type": "invalid_request_error",
    "param": null,
    "code": "refresh_token_reused"
  }
}

refresh_token_reused means the server already handed out a new refresh token in a prior rotation, but OpenClaw is replaying the old one. OAuth refresh tokens from this endpoint are single-use: a successful refresh returns a new access token AND a new refresh token, and the new refresh token must be persisted back to disk (typically auth-profiles.json) to be used on the next refresh.

This strongly suggests the 2026.4.9 regression is in the OAuth rotation/persistence path — either the new refresh token returned by the refresh call isn't being captured, isn't being written back to the profile store, or is being written but not read on the next attempt. Either way it's not a transient network issue, and re-authenticate is the only workaround once the stored refresh token has been invalidated.

Platform: Linux 6.8.0-107 x64, systemd gateway, direct internet. Matches the reporter's Ubuntu VPS setup. Happy to capture more logs around any suspected persistence path if that would help narrow it down.

[mjamiv]

Confirmed on host (v2026.4.9, `0512059`) — Ubuntu 24.04.3 LTS, Linux 6.8.0-107-generic, bare-metal Node (not Bedrock, not LiteLLM).

Symptom: `openai-codex` OAuth refresh flow is returning 401 during the refresh call itself — not the downstream API request. 4 events in journalctl on 2026-04-10.

Log lines (one event):

```
11:30:24.666 [openai-codex] Token refresh failed: 401 {
11:30:24.787 [diagnostic] lane task error: lane=nested error="FailoverError: OAuth token refresh failed for openai-codex: Failed to refresh OpenAI Codex token. Please try again or re-authenticate."
11:30:24.790 [model-fallback] decision=candidate_failed requested=anthropic/claude-sonnet-4-6 candidate=openai-codex/gpt-5.3-codex reason=auth next=openai/gpt-5.2-codex
11:30:25.108 FailoverError: No available auth profile for openai (all in cooldown or unavailable).
11:30:25.290 decision=candidate_failed requested=anthropic/claude-sonnet-4-6 candidate=openai/gpt-5-mini reason=model_not_found next=nvidia-nim/moonshotai/kimi-k2.5
```

Cascade: refresh 401 → `openai-codex/gpt-5.3-codex` `reason=auth` → `openai/gpt-5.2-codex` & `openai/gpt-5-mini` both return `model_not_found` ("No available auth profile for openai") because the same profile pool is now in cooldown → chain burns through to Kimi.

Possibly related to #64133 (`api.responses.write` scope enforcement) — same root cause family but different failure surface (refresh flow vs API call). Would be worth verifying whether the refresh endpoint `api.openai.com/v1/...` now also rejects ChatGPT OAuth tokens that lack `api.responses.write`.

[FWo100]

4.10 fixed the issue.