codex-auth代码认证

⚠️ Deprecated: codex-auth is no longer maintained as a standalone skill.
Use codex-profiler for all ongoing /codex_auth and /codex_usage operations.

Run scripts/codex_auth.py to generate a login URL and apply callback URL tokens to auth-profiles.json.

Safe defaults

• - Treat callback URLs/tokens as sensitive and never echo full values.
• Use queued apply flow for controlled restart behavior.
• See RISK.md for allowed/denied operation boundaries.

Commands

• - /codex_auth → selector (discovered profiles)
• INLINECODE7
• INLINECODE8

Interaction adapter

• - If inline buttons are supported: show selector buttons.
• If inline buttons are not supported: send text fallback (default | <profile>).
• Callback message handling must never echo full callback URLs (treat as sensitive).
• Use callback_data namespace prefix codex_auth_* to avoid collisions.

How to run

CODEBLOCK0

Finish flow (after browser redirect URL is pasted):

CODEBLOCK1

Queue safe apply (stops/restarts gateway in background):

CODEBLOCK2

Safety posture

• - No remote shell execution (curl|bash, wget|sh) is allowed by this skill.
• No sudo/SSH/system package mutation is performed by this skill.
• OAuth callback URLs are sensitive: never echo full callback URLs or tokens in chat output.
• Writes are limited to auth profile state files with lock-based coordination.

Notes

• - Uses the same OpenAI Codex OAuth constants/method as OpenClaw onboarding (auth.openai.com + localhost callback).
• OAuth success here does not guarantee chatgpt.com/backend-api/wham/usage acceptance; usage endpoint may reject token/session format with 401 and should be handled by usage/profiler skills.
• Endpoint trust boundary: OpenAI auth hosts + localhost callback flow only; do not send callbacks/tokens to third-party hosts.
• Writes ~/.openclaw/agents/main/agent/auth-profiles.json with file locking to reduce race risk while gateway is running.
• Profile IDs map as:

• - Pending auth state is stored in /tmp/openclaw/codex-auth-pending.json.