[Bug]: v2026.5.19 Codex unusable on headless VPS: openai-codex auth binding failure and codex provider Cloudflare 403

[Han-HanqingDong]

Summary

After upgrading a headless Ubuntu VPS from OpenClaw 2026.5.12 to 2026.5.19, Codex became unusable in two different ways depending on the model route:

1. Existing openai-codex/gpt-5.5 route fails before inference with an auth binding error:

No API key found for provider "openai-codex".

2. Switching to the new codex/gpt-5.5 catalog route gets past auth resolution, but the actual request fails with a Cloudflare HTML 403 challenge from chatgpt.com/backend-api/responses:

provider=codex api=openai-codex-responses model=gpt-5.5 status=403
Authentication failed with an HTML 403 response from the provider.

This was tested on a clean, reversible upgrade with backups. Rolling back to 2026.5.12 immediately restored openai-codex/gpt-5.5 with the same OAuth profile, so this does not appear to be an expired OAuth token or account access issue.

Environment

• Host type: headless VPS
• OS: Ubuntu 24.04.4 LTS
• Deployment: user systemd service openclaw-gateway.service
• Node entrypoint: /usr/bin/node .../openclaw/dist/index.js gateway --port 18789
• Working version before upgrade: OpenClaw 2026.5.12 (f066dd2)
• Upgraded version tested: OpenClaw 2026.5.19 (a185ca2)
• Global package after upgrade: openclaw@2026.5.19
• Managed packages after upgrade:
  • openclaw@2026.5.19
  • @openclaw/codex@2026.5.19
  • @openai/codex@0.131.0
• OAuth status according to openclaw models status --json: openai-codex status ok
• No fallback model configured during verification

Baseline Before Upgrade

On 2026.5.12, the gateway was healthy and openai-codex/gpt-5.5 worked:

openclaw --version
OpenClaw 2026.5.12 (f066dd2)

systemctl --user is-active openclaw-gateway.service
active

Effective model state:

{
  "defaultModel": "openai-codex/gpt-5.5",
  "resolvedDefault": "openai-codex/gpt-5.5",
  "fallbacks": [],
  "allowed": ["openai-codex/gpt-5.5"],
  "missing": [],
  "oauth": [{ "provider": "openai-codex", "status": "ok" }]
}

Live agent check succeeded:

openclaw agent --agent main --session-id vultr-rollback512-after519-1779352869 \
  --message 'Reply exactly: OK' --thinking off --timeout 240 --json

Relevant result:

{
  "status": "ok",
  "result": {
    "payloads": [{ "text": "OK" }],
    "meta": {
      "executionTrace": {
        "winnerProvider": "openai-codex",
        "winnerModel": "gpt-5.5",
        "fallbackUsed": false,
        "runner": "embedded"
      }
    }
  }
}

Upgrade Procedure

The upgrade was performed with backups of openclaw.json, agent state, the user systemd unit, and package manifests.

Commands used in essence:

npm install -g openclaw@latest --no-audit --no-fund
npm install --prefix "$HOME/.openclaw/npm" openclaw@latest @openclaw/codex@latest --no-audit --no-fund --omit=dev
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service

After upgrade:

openclaw --version
OpenClaw 2026.5.19 (a185ca2)

systemctl --user is-active openclaw-gateway.service
active

Failure Mode 1: Existing openai-codex/gpt-5.5 Route

After upgrade, keeping the existing default model openai-codex/gpt-5.5, models status still reported OAuth as present and OK:

{
  "defaultModel": "openai-codex/gpt-5.5",
  "resolvedDefault": "openai-codex/gpt-5.5",
  "fallbacks": [],
  "allowed": ["openai-codex/gpt-5.5"],
  "missing": [],
  "oauth": [{ "provider": "openai-codex", "status": "ok" }]
}

But a live agent call failed with:

Error: No API key found for provider "openai-codex". Auth store: /home/<user>/.openclaw/agents/main/agent/auth-profiles.json (agentDir: /home/<user>/.openclaw/agents/main/agent). Configure auth for this agent (openclaw agents add <id>) or copy only portable static auth profiles from the main agentDir.

This looks similar in spirit to the auth-profile / embedded-path work referenced by PR #84752, but in this environment it is observable on 2026.5.19 after upgrading from a working 2026.5.12 state.

Failure Mode 2: New codex/gpt-5.5 Route

openclaw models list on 5.19 showed both the old and new routes:

openai-codex/gpt-5.5    text        195k   no  yes   default,configured
codex/gpt-5.5           text+image  266k   no  yes

I then changed the default model and allowlist to the new route:

{
  "agents": {
    "defaults": {
      "model": {
        "primary": "codex/gpt-5.5",
        "fallbacks": []
      },
      "models": {
        "codex/gpt-5.5": {}
      }
    }
  }
}

After restarting the gateway, models status showed:

{
  "defaultModel": "codex/gpt-5.5",
  "resolvedDefault": "codex/gpt-5.5",
  "fallbacks": [],
  "allowed": ["codex/gpt-5.5"],
  "missing": ["codex"],
  "oauth": [{ "provider": "openai-codex", "status": "ok" }]
}

A live agent call then reached the transport layer but failed with a Cloudflare HTML challenge:

[openai-transport] [responses] error provider=codex api=openai-codex-responses model=gpt-5.5 name=Error status=403
message=403 <html> ...

The preserved HTML contained a Cloudflare challenge page for chatgpt.com and /backend-api/responses.

The gateway eventually surfaced:

Authentication failed with an HTML 403 response from the provider. Re-authenticate and verify your provider account access.

However, re-auth does not look like the root cause here because the same OAuth profile works again after rollback to 5.12.

Attempted Fix from #62142

Issue #62142 was closed after the reporter found that openai-codex had been mapped to the wrong transport (anthropic-messages) and fixed it by setting both provider-level and model-level API values to openai-codex-responses.

I tried the same workaround explicitly on 5.19:

{
  "models": {
    "mode": "merge",
    "providers": {
      "openai-codex": {
        "api": "openai-codex-responses",
        "models": [
          {
            "id": "gpt-5.5",
            "name": "gpt-5.5",
            "contextWindow": 272000,
            "maxTokens": 128000,
            "input": ["text", "image"],
            "api": "openai-codex-responses"
          },
          {
            "id": "gpt-5.4",
            "name": "gpt-5.4",
            "contextWindow": 272000,
            "maxTokens": 128000,
            "input": ["text", "image"],
            "api": "openai-codex-responses"
          }
        ]
      }
    }
  }
}

Then I switched the default back to openai-codex/gpt-5.5 and restarted the gateway.

Result: this did not fix 5.19 in this environment. The request again failed before inference with:

No API key found for provider "openai-codex".

So #62142's transport mapping fix is not sufficient for this 5.19 headless VPS case.

Rollback Result

I rolled back to the known-good 5.12 state:

npm install -g openclaw@2026.5.12 --no-audit --no-fund
npm install --prefix "$HOME/.openclaw/npm" openclaw@2026.5.12 @openclaw/codex@2026.5.12 --no-audit --no-fund --omit=dev
systemctl --user restart openclaw-gateway.service

Final state:

OpenClaw 2026.5.12 (f066dd2)
openclaw@2026.5.12
@openclaw/codex@2026.5.12
@openai/codex@0.131.0
systemd service: active

The same live agent test succeeded again:

{
  "status": "ok",
  "payloads": [{ "text": "OK" }],
  "executionTrace": {
    "winnerProvider": "openai-codex",
    "winnerModel": "gpt-5.5",
    "fallbackUsed": false,
    "runner": "embedded"
  }
}

Expected Behavior

After upgrading from a working 2026.5.12 Codex setup to 2026.5.19, one of the supported Codex routes should continue to work without requiring fallback to a different provider:

• either existing openai-codex/gpt-5.5 should continue resolving the existing OAuth profile, or
• the new codex/gpt-5.5 route should bind to the existing OAuth profile and avoid Cloudflare 403 on headless VPS requests.

Actual Behavior

On 5.19:

• openai-codex/gpt-5.5 fails with No API key found for provider "openai-codex" despite models status showing OAuth ok.
• codex/gpt-5.5 fails with Cloudflare HTML 403 from chatgpt.com/backend-api/responses.
• Explicitly applying the [Bug]: openai-codex provider fails with Cloudflare 403 on headless HTTP after upgrade to 2026.4.5 #62142 openai-codex-responses mapping does not repair the old route.
• Rollback to 5.12 immediately restores successful Codex execution with the same OAuth profile.

Notes

• The host is a headless VPS, which may be relevant to the Cloudflare response.
• The brave plugin warning was present before and does not appear related.
• No secrets are included here; paths and account details have been sanitized.
• I intentionally kept fallbacks: [] during verification so that success could not be masked by another provider.

Related

• [Bug]: openai-codex provider fails with Cloudflare 403 on headless HTTP after upgrade to 2026.4.5 #62142: prior openai-codex Cloudflare/transport mapping report; its workaround was tested here but did not resolve the 5.19 behavior.
• fix: self-heal lane wedges + restore openai-codex OAuth on embedded path #84752: appears related to restoring openai-codex OAuth on the embedded path, based on title/search result, but this issue documents a reproducible upgrade/regression case and the separate codex/gpt-5.5 Cloudflare 403 result.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main resolves the central upgrade regression: the embedded/read-only Codex auth loaders now rehydrate legacy openai-codex OAuth sidecars, so the supported legacy route no longer drops the existing OAuth material before inference. The remaining direct-provider Cloudflare/TLS behavior is already tracked separately and does not need this broader upgrade-regression report kept open.

I found the merged PR that appears to have closed this: #85074: fix(auth): load legacy Codex OAuth sidecars in embedded secrets-runtime loaders.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the current-main auth-loader fix, ship it in the next release, and leave the independent Cloudflare/TLS and macOS Keychain-only buckets to their narrower canonical issues.

Do we have a high-confidence way to reproduce the issue?

Yes for the original auth-binding failure: source and regression tests show sidecar-backed openai-codex OAuth profiles previously loaded without token material on embedded read-only paths. I did not run a live VPS/OAuth turn in this read-only review.

Is this the best way to solve the issue?

Yes. Fixing the shared auth-store loader boundary is the maintainable resolution for the No API key found regression, while the Cloudflare behavior is a separate direct-transport decision already tracked elsewhere.

Security review:

Security review: This is issue triage with no proposed patch under review.

What I checked:

• Current loader behavior: Current main sets resolveLegacyOAuthSidecars: true for loadAuthProfileStoreForSecretsRuntime, loadAuthProfileStoreWithoutExternalProfiles, and ensureAuthProfileStoreWithoutExternalProfiles, covering the read-only/secrets-runtime paths implicated by the report. (src/agents/auth-profiles/store.ts:589, fad1c8a0711e)
• Embedded discovery path: resolvePiCredentialsForDiscovery uses the affected store loaders before converting auth profiles into PI credentials, so the current loader default carries the sidecar material into the provider credential map. (src/agents/pi-auth-discovery.ts:34, fad1c8a0711e)
• Regression coverage: The new regression test builds a legacy openai-codex:default OAuth sidecar fixture and asserts all three secrets-runtime loaders hydrate access, refresh, and id token material by default. (src/agents/auth-profiles/store.sidecar-runtime-defaults.test.ts:107, fad1c8a0711e)
• Fix provenance: git blame ties the key default changes on the current implementation lines to merge commit 4399eee6e0e41bd7db22b31b9482dc71fc6fab46. (src/agents/auth-profiles/store.ts:593, 4399eee6e0e4)
• Merged fix PR: Live GitHub data shows the focused auth-loader PR was merged at 2026-05-21T20:07:50Z and changed src/agents/auth-profiles/store.ts, the regression test, docs, and changelog. (4399eee6e0e4)
• Current-main-only release check: git tag --contains returned no release tag for the fix, git merge-base --is-ancestor returned 1 for v2026.5.20 and 0 for HEAD, so the fix is present on current main but not in the latest release tag. (4399eee6e0e4)

Likely related people:

• RomneyDa: Authored and merged the focused current-main fix for the secrets-runtime sidecar loader defaults, and recently touched adjacent OAuth missing-refresh behavior. (role: recent auth-profile repair contributor; confidence: high; commits: 4399eee6e0e4, 205c595b134c; files: src/agents/auth-profiles/store.ts, src/agents/auth-profiles/store.sidecar-runtime-defaults.test.ts, docs/gateway/doctor.md)
• Totalsolutionsync: The merged focused PR credits this contributor's earlier branch, whose commits first flipped the affected loader defaults and supplied real self-hosted gateway proof for the No API key found for provider "openai-codex" regression. (role: original fix author and live-proof provider; confidence: high; commits: 85f36e8d2b4e, 4624e34c0671; files: src/agents/auth-profiles/store.ts)
• joshavant: Merged the earlier legacy Codex OAuth sidecar compatibility work that the current loader fix now reaches from embedded runtime paths. (role: legacy sidecar compatibility introducer; confidence: high; commits: 06f4c97130c6; files: src/agents/auth-profiles/legacy-oauth-sidecar.ts, src/agents/auth-profiles/persisted.ts, src/agents/auth-profiles/store.ts)
• ragesaq: Authored the current routing work that makes canonical openai/gpt-* agent turns select the Codex app-server runtime by default, relevant to the Cloudflare-sensitive route discussion. (role: adjacent Codex runtime routing contributor; confidence: medium; commits: 58f1db1bc8eb; files: src/agents/harness/policy.ts, src/agents/openai-codex-routing.ts, docs/providers/openai.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against fad1c8a0711e; fix evidence: merged PR #85074, commit 4399eee6e0e4, main fix timestamp 2026-05-21T13:07:49-07:00.

[xieetudousi]

Hi @Han-HanqingDong, excellent bug report — thorough reproduction and clean rollback verification. I've been tracking this one too since 2026.5.19.

Analysis on the two failure modes:

Failure 1 (openai-codex/gpt-5.5 → "No API key found"):
This is the same auth-profile resolution change that hit #84875 with Ollama. In 5.19, the agent-level auth store (the per-agent auth-profiles.json) was made the primary auth source, but the embedded agent path wasn't copying or resolving provider-level OAuth profiles properly. PR #84752 touched this area but apparently didn't cover the Codex OAuth case.

your models status shows OAuth ok at the global level, but the per-agent store is empty. The fix from #84752 may have addressed the doctor migration path but not the runtime lookup for openai-codex specifically.

Failure 2 (codex/gpt-5.5 → Cloudflare 403):
This is almost certainly the headless VPS issue — Cloudflare challenges headless servers/browsers differently than desktop browsers with full cookie jars/localStorage. When the new codex/gpt-5.5 route makes direct HTTP calls to chatgpt.com/backend-api/responses, Cloudflare sees a bare Node.js request with no browser fingerprint, no cookies, no localStorage, and issues the challenge.

The old openai-codex route must have been running through a different transport layer (perhaps using a persistent session with proper cookies) that avoided the CF challenge.

What might help short-term:

1. Try rolling back just the @openai/codex package to the 5.12 version while keeping OpenClaw core on 5.19 — if the transport layer changed in the codex package
2. Adding a User-Agent and cookie persistence layer to the codex transport config might help with the CF challenge
3. Consider using a proxy with a browser fingerprint when running on headless VPS

Long-term fix needed at OpenClaw level:

• The openai-codex provider's OAuth profiles need to be copyable to per-agent auth stores on gateway upgrade/restart
• The new codex/ route's transport needs to handle Cloudflare challenges in headless environments (cookie jar, proper TLS fingerprint)

If you want help testing a patched config or getting a workable deployment on 5.19 with Codex, I offer deployment configuration support — feel free to reach out.