in upstream Codex, it is now a new way to authenticate Codex against ChatGPT/Codex backend without a full auth.json refresh-token bundle. it is an opaque token starting with at-, not
a JWT. Codex now accepts it via codex login --with-access-token or CODEX_ACCESS_TOKEN, calls AuthAPI whoami to hydrate account metadata, then uses the PAT directly as the bearer
token.
impact for us:
-
this is upstream identity auth, not pool api-key auth
users still call codex-pooler with our pool keys; PATs would matter for the upstream accounts we import/use behind the pool
-
current admin import is auth.json-oriented
if someone gives us an at-... PAT, we probably cannot onboard it cleanly today through /admin/upstreams
-
manual storage might partly work, but it is risky
because dispatch likely only needs a bearer token, but refresh, quota, display, account matching, workspace slotting, and reauth status all depend on trusted metadata we normally
derive from auth.json/refresh flow
-
PATs are probably not refreshable
so our token-refresh job/UI semantics need to know “this credential must be revalidated/replaced”, not “try refresh_token grant”
-
workspace/account identity is the subtle bit
upstream explicitly hydrates metadata through whoami; we should do the same before creating or matching an UpstreamIdentity, otherwise we can attach the PAT to the wrong identity
slot or lack chatgpt_account_id/plan evidence
in upstream Codex, it is now a new way to authenticate Codex against ChatGPT/Codex backend without a full auth.json refresh-token bundle. it is an opaque token starting with at-, not
a JWT. Codex now accepts it via codex login --with-access-token or CODEX_ACCESS_TOKEN, calls AuthAPI whoami to hydrate account metadata, then uses the PAT directly as the bearer
token.
impact for us:
this is upstream identity auth, not pool api-key auth
users still call codex-pooler with our pool keys; PATs would matter for the upstream accounts we import/use behind the pool
current admin import is auth.json-oriented
if someone gives us an at-... PAT, we probably cannot onboard it cleanly today through /admin/upstreams
manual storage might partly work, but it is risky
because dispatch likely only needs a bearer token, but refresh, quota, display, account matching, workspace slotting, and reauth status all depend on trusted metadata we normally
derive from auth.json/refresh flow
PATs are probably not refreshable
so our token-refresh job/UI semantics need to know “this credential must be revalidated/replaced”, not “try refresh_token grant”
workspace/account identity is the subtle bit
upstream explicitly hydrates metadata through whoami; we should do the same before creating or matching an UpstreamIdentity, otherwise we can attach the PAT to the wrong identity
slot or lack chatgpt_account_id/plan evidence