Codex Auth Fallback
Multi-provider auth setup for OpenClaw with automatic failover between Anthropic and multiple OpenAI Codex OAuth sessions.
Overview
OpenClaw supports multiple auth profiles per provider. When one profile hits a rate limit, the platform can fail over to another. This skill covers:
- 1. Adding Codex OAuth profiles via device-flow login
- Configuring
openclaw.json for provider fallback order - Setting up
auth-profiles.json with multiple profiles - Deploying a cron job to auto-switch models on cooldown
Prerequisites
- - OpenClaw instance running
- INLINECODE2� CLI installed (
npm i -g @openai/codex) — this also ensures node is available - One or more OpenAI accounts with Codex access
Security & Safety
What this skill accesses:
| File | Access | Purpose |
|---|
| INLINECODE5 | Read + Temporary Write | Temporarily cleared to force a fresh device-flow login, then restored from backup. Original tokens are never deleted — a timestamped backup is created first. |
| INLINECODE6 |
Read + Write | Imported OAuth tokens (access + refresh) are written here. A timestamped backup is created before any modification. |
Important safety notes:
- - Tokens stay local. No tokens are sent to any external endpoint. The script reads tokens from the local Codex CLI auth file and writes them to the local OpenClaw auth-profiles file.
- Backups are always created. Both files are backed up with timestamps before any modification. If login fails or the script is interrupted, a trap handler restores the original Codex CLI auth automatically.
- Interactive confirmation. The script prompts for confirmation before clearing the Codex CLI auth file, so you can abort if needed.
- No elevated privileges. The script runs as your user and does not require sudo or any special permissions.
- Back up manually first. Despite the automatic backups, it is recommended to manually back up
~/.codex/auth.json and your OpenClaw configs before running, especially on first use. - Test with a non-production account. For initial testing, consider using a throwaway or non-production OpenAI account.
Step 1: Add Codex OAuth Profiles
Run the bundled script for each OpenAI account:
CODEBLOCK0
The script:
- 1. Backs up
~/.codex/auth.json and �INLINECODE9 - Clears Codex CLI auth to force fresh device-flow login
- Runs
codex auth login (opens browser for OAuth) - Extracts tokens and imports them into OpenClaw's �INLINECODE11
- Restores the original Codex CLI auth
Repeat for each account. Profile names should be short identifiers (e.g., the OpenAI username).
Step 2: Configure openclaw.json
Add auth profile declarations and fallback model config. See references/config-templates.md for the exact JSON blocks to add to openclaw.json.
Key sections:
- -
auth.profiles — Declare each profile with provider and mode auth.order — Set failover priority per provideragents.defaults.model — Set primary model + fallbacks
Step 3: Auth Profiles JSON Structure
OpenClaw stores live tokens in agents/main/agent/auth-profiles.json. See references/config-templates.md for the schema.
Each Codex profile contains:
- -
type: �INLINECODE20 - INLINECODE21�: �INLINECODE22
- INLINECODE23�: JWT access token (auto-populated by the add-profile script)
- INLINECODE24�: Refresh token (auto-populated)
- INLINECODE25�: Token expiry in ms (parsed from JWT)
- INLINECODE26�: OpenAI account ID (parsed from JWT)
The order object controls which profile is tried first per provider. The usageStats object tracks rate limits and cooldowns automatically.
Step 4: Model Cooldown Auto-Switch Cron (Optional)
This step is entirely optional. The auth profiles from Steps 1-3 work on their own with OpenClaw's built-in failover. This cron job adds automatic model switching, which means your active model may change without manual intervention. Only enable it if you understand and want this behavior.
Deploy a cron job that checks cooldown state every 10 minutes and switches the active model. See references/config-templates.md for the full cron job definition.
The cron job:
- 1. Runs
openclaw models status to check cooldown state - Picks the best available model (priority: opus > codex profiles in order)
- Updates the session model override if needed
- Logs state to a local memory file; only notifies on change
Before enabling:
- - Test manually first: run
openclaw models status to verify your profiles are working - Review the cron job template in
references/config-templates.md — the job only runs local commands and writes to a local state file - The job runs in an isolated session and does not affect your main chat unless a model switch occurs
Add the job to cron/jobs.json using the template in the references.
File Layout
CODEBLOCK1
Codex 认证回退
为 OpenClaw 配置多提供商认证,支持在 Anthropic 和多个 OpenAI Codex OAuth 会话之间自动故障转移。
概述
OpenClaw 支持每个提供商配置多个认证配置文件。当某个配置文件达到速率限制时,平台可以回退到另一个配置文件。本技能涵盖以下内容:
- 1. 通过设备流登录添加 Codex OAuth 配置文件
- 配置 openclaw.json 以设置提供商回退顺序
- 设置 auth-profiles.json 包含多个配置文件
- 部署定时任务 在冷却期间自动切换模型
前置条件
- - 运行中的 OpenClaw 实例
- 已安装 codex CLI(npm i -g @openai/codex)—— 这也确保 node 可用
- 一个或多个具有 Codex 访问权限的 OpenAI 账户
安全与保障
本技能访问的文件:
| 文件 | 访问权限 | 用途 |
|---|
| ~/.codex/auth.json | 读取 + 临时写入 | 临时清除以强制进行新的设备流登录,然后从备份恢复。原始令牌永远不会被删除——首先会创建带时间戳的备份。 |
| ~/.openclaw/agents/main/agent/auth-profiles.json |
读取 + 写入 | 导入的 OAuth 令牌(访问 + 刷新)会写入此处。在任何修改之前都会创建带时间戳的备份。 |
重要安全说明:
- - 令牌保留在本地。 不会向任何外部端点发送令牌。脚本从本地 Codex CLI 认证文件读取令牌,并将其写入本地 OpenClaw 认证配置文件。
- 始终创建备份。 在进行任何修改之前,两个文件都会使用时间戳进行备份。如果登录失败或脚本被中断,陷阱处理程序会自动恢复原始的 Codex CLI 认证。
- 交互式确认。 脚本在清除 Codex CLI 认证文件之前会提示确认,因此您可以在需要时中止。
- 无需提升权限。 脚本以您的用户身份运行,不需要 sudo 或任何特殊权限。
- 先手动备份。 尽管有自动备份,建议在运行前手动备份 ~/.codex/auth.json 和您的 OpenClaw 配置,尤其是在首次使用时。
- 使用非生产账户进行测试。 对于初始测试,建议使用一次性或非生产环境的 OpenAI 账户。
步骤 1:添加 Codex OAuth 配置文件
为每个 OpenAI 账户运行捆绑脚本:
bash
./scripts/codex-add-profile.sh <配置文件名称>
该脚本:
- 1. 备份 ~/.codex/auth.json 和 auth-profiles.json
- 清除 Codex CLI 认证以强制进行新的设备流登录
- 运行 codex auth login(在浏览器中打开 OAuth)
- 提取令牌并将其导入 OpenClaw 的 auth-profiles.json
- 恢复原始的 Codex CLI 认证
为每个账户重复此操作。配置文件名称应为简短标识符(例如 OpenAI 用户名)。
步骤 2:配置 openclaw.json
添加认证配置文件声明和回退模型配置。请参阅 references/config-templates.md 了解需要添加到 openclaw.json 的确切 JSON 块。
关键部分:
- - auth.profiles — 声明每个配置文件的提供商和模式
- auth.order — 设置每个提供商的故障转移优先级
- agents.defaults.model — 设置主模型 + 回退模型
步骤 3:认证配置文件 JSON 结构
OpenClaw 将实时令牌存储在 agents/main/agent/auth-profiles.json 中。请参阅 references/config-templates.md 了解架构。
每个 Codex 配置文件包含:
- - type:oauth
- provider:openai-codex
- access:JWT 访问令牌(由添加配置文件脚本自动填充)
- refresh:刷新令牌(自动填充)
- expires:令牌过期时间(毫秒,从 JWT 解析)
- accountId:OpenAI 账户 ID(从 JWT 解析)
order 对象控制每个提供商首先尝试哪个配置文件。usageStats 对象自动跟踪速率限制和冷却时间。
步骤 4:模型冷却自动切换定时任务(可选)
此步骤完全可选。 步骤 1-3 中的认证配置文件本身可以与 OpenClaw 内置的故障转移功能配合使用。此定时任务添加了自动模型切换功能,这意味着您的活动模型可能会在没有手动干预的情况下发生变化。只有在您理解并希望使用此行为时才启用它。
部署一个每 10 分钟检查冷却状态并切换活动模型的定时任务。请参阅 references/config-templates.md 了解完整的定时任务定义。
该定时任务:
- 1. 运行 openclaw models status 检查冷却状态
- 选择最佳可用模型(优先级:opus > 按顺序的 codex 配置文件)
- 如果需要,更新会话模型覆盖
- 将状态记录到本地内存文件;仅在发生变化时通知
在启用之前:
- - 首先手动测试:运行 openclaw models status 验证您的配置文件是否正常工作
- 查看 references/config-templates.md 中的定时任务模板——该任务仅运行本地命令并写入本地状态文件
- 该任务在隔离的会话中运行,除非发生模型切换,否则不会影响您的主聊天
使用参考资料中的模板将任务添加到 cron/jobs.json。
文件结构
codex-auth-fallback/
├── SKILL.md # 本文件
├── scripts/
│ └── codex-add-profile.sh # 设备流配置文件导入器
└── references/
└── config-templates.md # openclaw.json、auth-profiles、定时任务模板
