Version: 2026.4.14
Summary
The openai-codex provider's hardcoded base URL results in requests to the wrong ChatGPT backend path. The transport appends /responses, producing https://chatgpt.com/backend-api/responses, which returns a 403 HTML page (Cloudflare-style block). The gateway mislabels this as "LLM request failed: DNS lookup for the provider endpoint failed."
Symptom in logs:
```
[agent/embedded] embedded run agent end: isError=true model=gpt-5.4 provider=openai-codex
error=LLM request failed: DNS lookup for the provider endpoint failed.
rawError= <meta name="viewport" ... @Keyframes enlarge-appear ...
```
Reproduction (with a valid Codex OAuth access token)
```bash
Wrong path — what OpenClaw hits today
curl -i -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-X POST https://chatgpt.com/backend-api/responses \
-d '{"model":"gpt-5.4","input":"hi","instructions":"x"}'
→ HTTP/2 403, text/html (ChatGPT block page — matches rawErrorPreview in gateway logs)
Correct path
curl -i -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-X POST https://chatgpt.com/backend-api/codex/responses \
-d '{"model":"gpt-5.4","input":"hi","instructions":"x"}'
→ HTTP/2 200, application/json (streaming response)
```
Location (inferred from bundled dist)
- `src/extensions/openai/openai-codex-catalog.ts` — `const OPENAI_CODEX_BASE_URL = "https://chatgpt.com/backend-api"\` → should be `"https://chatgpt.com/backend-api/codex"\`
- Same constant referenced in `src/extensions/openai/openai-codex-provider.ts`
- `isOpenAICodexBaseUrl()` helper and the provider-attribution / provider-tools recognizers should accept the new form (and ideally the old, for back-compat with existing configs)
Workaround
```
openclaw config set models.providers.openai-codex \
'{"baseUrl":"https://chatgpt.com/backend-api/codex","api":"openai-codex-responses","models":[...]}' --json
openclaw config set models.mode replace
```
After this + gateway restart, Codex subscription auth works correctly (confirmed on NVIDIA Jetson / Tegra running ClawBox OS).
Secondary (cosmetic)
`"LLM request failed: DNS lookup for the provider endpoint failed."` is a misleading label when the response body is a 403 HTML page — the actual failure is HTTP, not DNS. Surfacing the real status code (and maybe the first line of HTML title) would make diagnosis much faster.
Version: 2026.4.14
Summary
The
openai-codexprovider's hardcoded base URL results in requests to the wrong ChatGPT backend path. The transport appends/responses, producinghttps://chatgpt.com/backend-api/responses, which returns a 403 HTML page (Cloudflare-style block). The gateway mislabels this as"LLM request failed: DNS lookup for the provider endpoint failed."Symptom in logs:
```
[agent/embedded] embedded run agent end: isError=true model=gpt-5.4 provider=openai-codex
error=LLM request failed: DNS lookup for the provider endpoint failed.
rawError= <meta name="viewport" ... @Keyframes enlarge-appear ...
```
Reproduction (with a valid Codex OAuth access token)
```bash
Wrong path — what OpenClaw hits today
curl -i -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-X POST https://chatgpt.com/backend-api/responses \
-d '{"model":"gpt-5.4","input":"hi","instructions":"x"}'
→ HTTP/2 403, text/html (ChatGPT block page — matches rawErrorPreview in gateway logs)
Correct path
curl -i -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-X POST https://chatgpt.com/backend-api/codex/responses \
-d '{"model":"gpt-5.4","input":"hi","instructions":"x"}'
→ HTTP/2 200, application/json (streaming response)
```
Location (inferred from bundled dist)
Workaround
```
openclaw config set models.providers.openai-codex \
'{"baseUrl":"https://chatgpt.com/backend-api/codex","api":"openai-codex-responses","models":[...]}' --json
openclaw config set models.mode replace
```
After this + gateway restart, Codex subscription auth works correctly (confirmed on NVIDIA Jetson / Tegra running ClawBox OS).
Secondary (cosmetic)
`"LLM request failed: DNS lookup for the provider endpoint failed."` is a misleading label when the response body is a 403 HTML page — the actual failure is HTTP, not DNS. Surfacing the real status code (and maybe the first line of HTML title) would make diagnosis much faster.