OpenClaw Codex OAuth: Sign In With ChatGPT Instead of an API Key

OpenClaw can authenticate with OpenAI Codex using OAuth — a “Sign in with ChatGPT” device-code flow — instead of pasting an API key. That lets your agent draw on your existing ChatGPT plan rather than billing tokens to a separate API account. Here's how it works.

OAuth vs API Key for Codex

There are two ways to give OpenClaw access to OpenAI Codex models:

  • API key (BYOK) — you paste an sk-... key from the OpenAI platform and pay per token through the standard API. Covered in OpenClaw Codex.
  • OAuth (Sign in with ChatGPT) — you authenticate with your ChatGPT account through a device-code flow. No key to copy, and usage draws on your ChatGPT plan's included Codex access instead of a separate per-token API bill.

OAuth is the better fit if you already pay for ChatGPT (Plus, Pro, Team, or Business) and want your agent to use that subscription. If you specifically want to use a Codex Pro subscription, see OpenClaw + Codex Pro.

How the Device-Code OAuth Flow Works

Codex uses an OAuth device-code flow, the same pattern many CLIs use to log in without a browser redirect on the server:

  1. OpenClaw starts the login and shows a short code plus a verification URL.
  2. You open the URL in any browser, sign in to ChatGPT, and enter the code.
  3. Once you approve, OpenAI issues OAuth tokens back to OpenClaw, which stores them as an auth profile. The agent can now call Codex models without an API key.

The tokens are refreshed automatically, so you normally only do this once per account.

Codex OAuth on OpenClaw Launch (Easiest)

On OpenClaw Launch, the whole flow is handled from the dashboard — no terminal required:

  1. Open the API Keys page in your dashboard.
  2. Choose Sign in with ChatGPT for Codex and complete the device-code login in the popup.
  3. Pick a model under the openai-codex/* family in the model dropdown.
  4. Deploy or restart your instance — your agent now uses Codex over OAuth.

Note: the API Keys dashboard is the source of truth on OpenClaw Launch. The orchestrator syncs what's saved there into your instance, so manage Codex auth from /api-keys rather than editing the container config by hand — manual edits get re-synced away.

Self-Hosted: Where Codex OAuth Credentials Live

On a self-hosted OpenClaw install, the “Sign in with ChatGPT” login is run through the gateway, and the resulting OAuth profile is written under your agent's auth directory (an auth-profiles.json under agents/<agent>/agent/), not as a plaintext key in openclaw.json. Once the profile exists, point your default agent at a Codex model:

{
  "agents": {
    "defaults": {
      "model": {
        "primary": "openai-codex/gpt-5.5"
      }
    }
  }
}

Because the credential is an OAuth profile rather than an API key, you authenticate through the sign-in flow rather than setting a key in the config file. Confirm upstream behavior on the OpenClaw GitHub repository if you need exact command names for your version.
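
Since the OAuth profile is a bearer credential on disk, a self-hosted install benefits from a quick audit of where secrets sit. The script below is an added example, not part of OpenClaw: it flags auth-profiles.json files readable by group or other, and reports any sk-style key pasted into openclaw.json. The state directory argument, the key regex, and the `providers`/`apiKey` field in the constructed sample are assumptions.

```python
import json, re, stat, sys, tempfile
from pathlib import Path

# Assumed key shape: the guide only says API keys look like "sk-...".
KEY_RE = re.compile(r"sk-[A-Za-z0-9_-]{20,}")

def find_keys(node, path="$"):
    """Yield JSON paths of string values that look like API keys (never the value)."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from find_keys(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_keys(v, f"{path}[{i}]")
    elif isinstance(node, str) and KEY_RE.search(node):
        yield path

def audit(home):
    """Return sorted (relative_path, finding) pairs for an OpenClaw state directory."""
    home, out = Path(home), []
    # Layout taken from the guide: agents/<agent>/agent/auth-profiles.json
    for prof in home.glob("agents/*/agent/auth-profiles.json"):
        mode = stat.S_IMODE(prof.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit set
            out.append((str(prof.relative_to(home)),
                        f"mode {mode:03o} lets group/other reach OAuth tokens; chmod 600"))
    cfg = home / "openclaw.json"
    if cfg.is_file():
        text = cfg.read_text()
        try:
            hits = list(find_keys(json.loads(text)))
        except json.JSONDecodeError:  # comments or trailing commas: fall back to raw scan
            hits = ["<unparsed file>"] if KEY_RE.search(text) else []
        out += [("openclaw.json", f"plaintext API key at {h}") for h in hits]
    return sorted(out)

def build_sample(root):
    """Constructed sample tree: one loose profile, one tight one, one pasted key."""
    for agent, mode in (("main", 0o644), ("ops", 0o600)):
        d = Path(root, "agents", agent, "agent"); d.mkdir(parents=True)
        p = d / "auth-profiles.json"; p.write_text("{}"); p.chmod(mode)
    cfg = {"agents": {"defaults": {"model": {"primary": "openai-codex/gpt-5.5"}}},
           "providers": [{"apiKey": "sk-" + "A" * 24}]}  # hypothetical field, constructed key
    Path(root, "openclaw.json").write_text(json.dumps(cfg))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)  # pass a real state directory as argv[1] to audit it instead
        for rel, finding in audit(sys.argv[1] if len(sys.argv) > 1 else tmp):
            print(f"{rel}: {finding}")
```

Findings name the file and JSON path only, so the output is safe to paste into a ticket without leaking the secret itself.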

Troubleshooting Codex OAuth

“Re-authentication required” or the agent stops responding on Codex

OAuth tokens can expire or be revoked (for example, after a password change or a long idle period). Re-run the Sign in with ChatGPT flow — on OpenClaw Launch, just re-do it from the API Keys page.

Rate limits or weekly caps

OAuth usage draws on your ChatGPT plan's limits, which include a weekly cap on Codex usage. If you hit it, wait for the window to reset, switch to a model on another provider, or add an API key as a fallback. Running OpenClaw with multiple paired accounts or a BYOK fallback avoids hard stops mid-session.

Wrong account signed in

Sign out and re-run the flow with the account whose plan you want to use. Make sure the browser you complete the device code in is logged into the correct ChatGPT account.

OAuth vs API Key: Which Should You Use?

Use OAuth if… | Use an API key if…
You already pay for ChatGPT and want to use that plan | You want metered, per-token billing on a separate account
You don't want to manage or rotate keys | You need high, predictable throughput without weekly caps
You want the simplest login on OpenClaw Launch | You're scripting or want a key you can revoke independently
