[codex] Add OpenRouter OAuth login

[kenrogers]

Summary

• Add provider-owned OpenRouter PKCE OAuth login that exchanges the browser authorization code for an OpenRouter API key.
• Store the issued key as the existing openrouter:default API-key auth profile, with OAuth provenance metadata.
• Register openrouter-oauth in runtime auth methods, manifest auth choices, and the provider contract API.
• Validate per-login OAuth state for both loopback callbacks and pasted redirect URLs.
• Update OpenRouter provider docs and the model-provider overview to show OAuth alongside API-key setup.

Verification

• node scripts/run-vitest.mjs extensions/openrouter/oauth.test.ts extensions/openrouter/index.test.ts extensions/openrouter/onboard.test.ts extensions/openrouter/provider-runtime.contract.test.ts
• node scripts/run-vitest.mjs src/plugins/contracts/providers.contract.test.ts src/plugins/contracts/registry.contract.test.ts
• node scripts/run-vitest.mjs src/commands/auth-choice.test.ts src/commands/models/auth.test.ts
• pnpm docs:list
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local
• Live OpenRouter OAuth proof below, including a successful one-shot model request with OPENROUTER_API_KEY unset.

Real behavior proof

Behavior addressed: Adds an OpenRouter OAuth login path that builds the documented PKCE authorization URL, validates per-login callback state, exchanges the returned code at OpenRouter's auth/keys endpoint, and stores the issued key in the default OpenRouter auth profile.

Real environment tested: Local OpenClaw checkout on macOS, Node v24.14.1, Brave browser signed into OpenRouter, isolated proof home at /private/tmp/openclaw-openrouter-oauth-proof, and OPENROUTER_API_KEY explicitly unset for post-login profile/model checks.

Exact steps or command run after this patch:

env OPENCLAW_HOME=/private/tmp/openclaw-openrouter-oauth-proof \
  OPENCLAW_CONFIG_PATH=/private/tmp/openclaw-openrouter-oauth-proof/openclaw.json \
  pnpm openclaw models auth login --provider openrouter --method oauth

# Browser opened OpenRouter's Authorization Request page.
# User clicked Authorize on the OpenRouter consent screen.

env -u OPENROUTER_API_KEY \
  OPENCLAW_HOME=/private/tmp/openclaw-openrouter-oauth-proof \
  OPENCLAW_CONFIG_PATH=/private/tmp/openclaw-openrouter-oauth-proof/openclaw.json \
  pnpm openclaw models status

env -u OPENROUTER_API_KEY \
  OPENCLAW_HOME=/private/tmp/openclaw-openrouter-oauth-proof \
  OPENCLAW_CONFIG_PATH=/private/tmp/openclaw-openrouter-oauth-proof/openclaw.json \
  pnpm openclaw infer model run --local \
    --model openrouter/liquid/lfm-2.5-1.2b-instruct:free \
    --prompt 'Reply exactly: oauth-ok' \
    --json

Evidence after fix: Redacted live terminal output from the browser OAuth flow, profile check, and model request:

OpenRouter OAuth
Browser will open for OpenRouter authentication.
Redirect URI: http://localhost:3000/openrouter-oauth/callback
Open: https://openrouter.ai/auth?...callback_url=...localhost%3A3000%2Fopenrouter-oauth%2Fcallback%3Fstate%3D[redacted]&code_challenge=[redacted]&code_challenge_method=S256
Waiting for OpenRouter OAuth callback on http://localhost:3000/openrouter-oauth/callback
Exchanging OpenRouter OAuth code.
OpenRouter OAuth complete
Updated config: $OPENCLAW_HOME/openclaw.json
Auth profile: openrouter:default (openrouter/api_key)
Default model available: openrouter/auto (use --set-default to apply)

Provider notes:
OpenRouter OAuth issued an OpenRouter API key and stored it in the default OpenRouter auth profile.
Re-run OpenRouter OAuth to rotate that key or use the API-key setup path for a key you manage manually.

Auth overview
Auth store    : $OPENCLAW_HOME/.openclaw/agents/main/agent/openclaw-agent.sqlite
Shell env     : off
- openrouter effective=profiles:$OPENCLAW_HOME/.openclaw/agents/main/agent/openclaw-agent.sqlite | profiles=1 (oauth=0, token=0, api_key=1) | openrouter:default=sk-or-v1...[redacted]

{
  "ok": true,
  "capability": "model.run",
  "transport": "local",
  "provider": "openrouter",
  "model": "liquid/lfm-2.5-1.2b-instruct:free",
  "attempts": [],
  "outputs": [
    {
      "text": "OAuth-ok",
      "mediaUrl": null
    }
  ]
}

Observed result after fix: OpenClaw opened the OpenRouter browser authorization page, received the loopback callback on localhost:3000, exchanged the OAuth code, stored the issued key as openrouter:default (openrouter/api_key), recognized that stored profile with OPENROUTER_API_KEY unset, and used it for a successful local OpenRouter model request.

What was not tested: I did not test a remote/headless pasted-redirect OAuth flow; the live proof covers the normal local browser/callback path.

Default profile behavior

Selecting OpenRouter OAuth intentionally writes the issued OpenRouter API key to openrouter:default. OpenRouter OAuth returns a user-controlled API key rather than a refreshable OAuth credential, so reusing the existing default API-key profile keeps the runtime path unchanged and gives users one canonical default OpenRouter credential. Users who want a separate manual key can use the API-key setup path or a different profile ID.

Notes

• I checked OpenRouter's current OAuth PKCE docs and auth-keys endpoint docs before implementation.
• The full live account browser OAuth completion has now been verified with redacted proof above.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 7, 2026, 1:18 AM ET / 05:18 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

PR surface: Source +455, Tests +323, Docs +41. Total +819 across 8 files.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] No close action taken because the review did not complete.

Maintainer options:

1. Decide the mitigation before merge
   Retry the Codex review after fixing the execution failure.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P1] Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fa614d0907e8.

Label changes

Label changes:

• add rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.
• remove P2: Current review triage priority is none.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🌊 off-meta tidepool, so this older rating label is no longer current.
• remove merge-risk: 🚨 compatibility: Current PR review selected no merge-risk labels.
• remove merge-risk: 🚨 auth-provider: Current PR review selected no merge-risk labels.
• remove status: ⏳ waiting on author: Current PR status no longer selects a status label.

Label justifications:

• rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

PR surface:

Source +455, Tests +323, Docs +41. Total +819 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	458	3	+455
Tests	2	323	0	+323
Docs	2	61	20	+41
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	842	23	+819

What I checked:

• failure reason: timeout.
• codex failure detail: Codex review failed for this PR: spawnSync codex ETIMEDOUT.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[kenrogers]

Added full redacted live OAuth proof to the PR body: browser authorization, loopback callback/key exchange, profile check with OPENROUTER_API_KEY unset, and a successful free-model request through the stored OpenRouter profile.

The openrouter:default write is intentional: OpenRouter OAuth returns an API key, so the provider stores it in the existing default OpenRouter API-key profile rather than introducing a second runtime credential path.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27077529993
• Updated: 2026-06-07T00:11:21.718Z

[Patrick-Erichsen]

Closing as superseded by #91830, which landed the OpenRouter OAuth implementation via an attributed cherry-pick and added the missing top-level onboarding picker follow-up.

Landed commits on main:

• b9280d5863cc9f345fb5aa59c681ceeb98b24c46 feat: add OpenRouter OAuth login (author: @kenrogers / kenny krogers@hey.com)
• e9671ed60327a97e538b4574b26fd42b79e117ad feat: feature openrouter in onboarding provider picker

Proof carried forward on #91830: focused OpenRouter/provider picker tests, CLI picker output with OpenRouter listed, autoreview clean, ClawSweeper re-review loop with no automated repair indicated, and green PR checks.