✓ Verified 💻 Development ✓ Enhanced Data

Codex Multi Subscription Auth Fallbacks

Set up OpenClaw multi-provider auth with OpenAI Codex OAuth fallback profiles and automatic model sw

Rating
4.4 (91 reviews)
Downloads
4,305 downloads
Version
1.0.0

Overview

Set up OpenClaw multi-provider auth with OpenAI Codex OAuth fallback profiles and automatic model switching.

Complete Documentation

View Source →

Codex Auth Fallback

Multi-provider auth setup for OpenClaw with automatic failover between Anthropic and multiple OpenAI Codex OAuth sessions.

Overview

OpenClaw supports multiple auth profiles per provider. When one profile hits a rate limit, the platform can fail over to another. This skill covers:

  • Adding Codex OAuth profiles via device-flow login
  • Configuring openclaw.json for provider fallback order
  • Setting up auth-profiles.json with multiple profiles
  • Deploying a cron job to auto-switch models on cooldown

Prerequisites

  • OpenClaw instance running
  • codex CLI installed (npm i -g @openai/codex) — this also ensures node is available
  • One or more OpenAI accounts with Codex access

Security & Safety

What this skill accesses:

FileAccessPurpose
~/.codex/auth.jsonRead + Temporary WriteTemporarily cleared to force a fresh device-flow login, then restored from backup. Original tokens are never deleted — a timestamped backup is created first.
~/.openclaw/agents/main/agent/auth-profiles.jsonRead + WriteImported OAuth tokens (access + refresh) are written here. A timestamped backup is created before any modification.
Important safety notes:
  • Tokens stay local. No tokens are sent to any external endpoint. The script reads tokens from the local Codex CLI auth file and writes them to the local OpenClaw auth-profiles file.
  • Backups are always created. Both files are backed up with timestamps before any modification. If login fails or the script is interrupted, a trap handler restores the original Codex CLI auth automatically.
  • Interactive confirmation. The script prompts for confirmation before clearing the Codex CLI auth file, so you can abort if needed.
  • No elevated privileges. The script runs as your user and does not require sudo or any special permissions.
  • Back up manually first. Despite the automatic backups, it is recommended to manually back up ~/.codex/auth.json and your OpenClaw configs before running, especially on first use.
  • Test with a non-production account. For initial testing, consider using a throwaway or non-production OpenAI account.

Step 1: Add Codex OAuth Profiles

Run the bundled script for each OpenAI account:

bash
./scripts/codex-add-profile.sh <profile-name>

The script:

  • Backs up ~/.codex/auth.json and auth-profiles.json
  • Clears Codex CLI auth to force fresh device-flow login
  • Runs codex auth login (opens browser for OAuth)
  • Extracts tokens and imports them into OpenClaw's auth-profiles.json
  • Restores the original Codex CLI auth
Repeat for each account. Profile names should be short identifiers (e.g., the OpenAI username).

Step 2: Configure openclaw.json

Add auth profile declarations and fallback model config. See references/config-templates.md for the exact JSON blocks to add to openclaw.json.

Key sections:

  • auth.profiles — Declare each profile with provider and mode
  • auth.order — Set failover priority per provider
  • agents.defaults.model — Set primary model + fallbacks

Step 3: Auth Profiles JSON Structure

OpenClaw stores live tokens in agents/main/agent/auth-profiles.json. See references/config-templates.md for the schema.

Each Codex profile contains:

  • type: "oauth"
  • provider: "openai-codex"
  • access: JWT access token (auto-populated by the add-profile script)
  • refresh: Refresh token (auto-populated)
  • expires: Token expiry in ms (parsed from JWT)
  • accountId: OpenAI account ID (parsed from JWT)
The order object controls which profile is tried first per provider. The usageStats object tracks rate limits and cooldowns automatically.

Step 4: Model Cooldown Auto-Switch Cron (Optional)

This step is entirely optional. The auth profiles from Steps 1-3 work on their own with OpenClaw's built-in failover. This cron job adds automatic model switching, which means your active model may change without manual intervention. Only enable it if you understand and want this behavior.

Deploy a cron job that checks cooldown state every 10 minutes and switches the active model. See references/config-templates.md for the full cron job definition.

The cron job:

  • Runs openclaw models status to check cooldown state
  • Picks the best available model (priority: opus > codex profiles in order)
  • Updates the session model override if needed
  • Logs state to a local memory file; only notifies on change
Before enabling:
  • Test manually first: run openclaw models status to verify your profiles are working
  • Review the cron job template in references/config-templates.md — the job only runs local commands and writes to a local state file
  • The job runs in an isolated session and does not affect your main chat unless a model switch occurs
Add the job to cron/jobs.json using the template in the references.

File Layout

text
codex-auth-fallback/
├── SKILL.md                    # This file
├── scripts/
│   └── codex-add-profile.sh    # Device-flow profile importer
└── references/
    └── config-templates.md     # openclaw.json, auth-profiles, cron templates

Installation

Terminal bash 

openclaw install codex-multi-subscription-auth-fallbacks
Copied!

💻Code Examples

./scripts/codex-add-profile.sh <profile-name>

scriptscodex-add-profilesh-profile-name.txt
The script:
1. Backs up `~/.codex/auth.json` and `auth-profiles.json`
2. Clears Codex CLI auth to force fresh device-flow login
3. Runs `codex auth login` (opens browser for OAuth)
4. Extracts tokens and imports them into OpenClaw's `auth-profiles.json`
5. Restores the original Codex CLI auth

Repeat for each account. Profile names should be short identifiers (e.g., the OpenAI username).

## Step 2: Configure openclaw.json

Add auth profile declarations and fallback model config. See `references/config-templates.md` for the exact JSON blocks to add to `openclaw.json`.

Key sections:
- **`auth.profiles`** — Declare each profile with provider and mode
- **`auth.order`** — Set failover priority per provider
- **`agents.defaults.model`** — Set primary model + fallbacks

## Step 3: Auth Profiles JSON Structure

OpenClaw stores live tokens in `agents/main/agent/auth-profiles.json`. See `references/config-templates.md` for the schema.

Each Codex profile contains:
- `type`: `"oauth"`
- `provider`: `"openai-codex"`
- `access`: JWT access token (auto-populated by the add-profile script)
- `refresh`: Refresh token (auto-populated)
- `expires`: Token expiry in ms (parsed from JWT)
- `accountId`: OpenAI account ID (parsed from JWT)

The `order` object controls which profile is tried first per provider. The `usageStats` object tracks rate limits and cooldowns automatically.

## Step 4: Model Cooldown Auto-Switch Cron (Optional)

> **This step is entirely optional.** The auth profiles from Steps 1-3 work on their own with OpenClaw's built-in failover. This cron job adds automatic model switching, which means your active model may change without manual intervention. Only enable it if you understand and want this behavior.

Deploy a cron job that checks cooldown state every 10 minutes and switches the active model. See `references/config-templates.md` for the full cron job definition.

The cron job:
1. Runs `openclaw models status` to check cooldown state
2. Picks the best available model (priority: opus > codex profiles in order)
3. Updates the session model override if needed
4. Logs state to a local memory file; only notifies on change

**Before enabling:**
- Test manually first: run `openclaw models status` to verify your profiles are working
- Review the cron job template in `references/config-templates.md` — the job only runs local commands and writes to a local state file
- The job runs in an isolated session and does not affect your main chat unless a model switch occurs

Add the job to `cron/jobs.json` using the template in the references.

## File Layout
example.txt
codex-auth-fallback/
├── SKILL.md                    # This file
├── scripts/
│   └── codex-add-profile.sh    # Device-flow profile importer
└── references/
    └── config-templates.md     # openclaw.json, auth-profiles, cron templates

Tags

#coding_agents-and-ides #code #script

Quick Info

Category Development
Model GPT-4
Complexity One-Click
Author markeljan
Last Updated 3/10/2026
🚀
Optimized for
GPT-4

Ready to Install?

Get started with this skill in seconds

openclaw install codex-multi-subscription-auth-fallbacks

Resources

📂
OpenClaw Skills
View on OpenClaw GitHub

Related Skills

✓ Verified 💻 Development

4claw

4claw — a moderated imageboard for AI agents.

🧠 Claude-Ready #ai_and-llms
)}
4.4 (118)
4,990
v1.0.0
✓ Verified 💻 Development

Aap Passport

Agent Attestation Protocol - The Reverse Turing Test.

🧠 Claude-Ready #ai_and-llms
)}
4.3 (89)
4,621
v1.0.0
✓ Verified 💻 Development

Acestep Lyrics Transcription

Transcribe audio to timestamped lyrics using OpenAI Whisper or ElevenLabs Scribe API.

GPT-Optimized #ai_and-llms #api #script
)}
3.8 (274)
17,648
v1.0.0
✓ Verified 💻 Development

Adaptive Suite

A continuously adaptive skill suite that empowers Clawdbot.

🧠 Claude-Ready #ai_and-llms #bot
)}
4.7 (88)
1,625
v1.0.0