fix(openai-codex-auth): use ChatGPT Codex backend instead of OpenAI API

The OAuth token works with chatgpt.com/backend-api, not api.openai.com.
- Change base URL to https://chatgpt.com/backend-api
- Use /codex/responses endpoint
- Add required headers: OpenAI-Beta, originator, chatgpt-account-id
- Extract account ID from JWT token claims

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: brettheap

packages/openai-codex-auth/src/constants.ts

@@ -19,8 +19,14 @@ export const LOCAL_SERVER = {
 } as const
 
 export const CODEX_API = {
-  baseUrl: "https://api.openai.com/v1",
-  responsesEndpoint: "/responses",
+  baseUrl: "https://chatgpt.com/backend-api",
+  responsesEndpoint: "/codex/responses",
+} as const
+
+export const CODEX_HEADERS = {
+  openAiBeta: "responses=experimental",
+  originator: "codex_cli_rs",
+  jwtClaimPath: "https://api.openai.com/auth",
 } as const
 
 export const PLUGIN_NAME = "openai-codex-auth"

packages/openai-codex-auth/src/index.ts

@@ -7,8 +7,8 @@
 
 import type { Plugin, AuthHook, AuthOuathResult } from "@opencode-ai/plugin"
 import { initiateOAuthFlow, refreshAccessToken } from "./auth/auth"
-import { PROVIDER_ID, AUTH_LABEL } from "./constants"
-import { isTokenExpired } from "./request/fetch-helpers"
+import { PROVIDER_ID, AUTH_LABEL, CODEX_API, CODEX_HEADERS } from "./constants"
+import { isTokenExpired, extractAccountId } from "./request/fetch-helpers"
 
 /**
  * OpenAI Codex Authentication Plugin
@@ -22,7 +22,7 @@ export const OpenAICodexAuthPlugin: Plugin = async (_ctx) => {
 
     /**
      * Loader function called when the provider needs authentication
-     * Handles token refresh and returns SDK options
+     * Handles token refresh and returns SDK options for Codex backend
      */
     loader: async (getAuth, _provider) => {
       const auth = await getAuth()
@@ -31,35 +31,47 @@ export const OpenAICodexAuthPlugin: Plugin = async (_ctx) => {
         return {}
       }
 
+      /**
+       * Build SDK options with Codex backend configuration
+       */
+      const buildOptions = (accessToken: string, refreshedAuth?: object) => {
+        const accountId = extractAccountId(accessToken)
+        const headers: Record<string, string> = {
+          "OpenAI-Beta": CODEX_HEADERS.openAiBeta,
+          originator: CODEX_HEADERS.originator,
+        }
+        if (accountId) {
+          headers["chatgpt-account-id"] = accountId
+        }
+
+        return {
+          apiKey: accessToken,
+          baseURL: CODEX_API.baseUrl,
+          headers,
+          ...(refreshedAuth ? { _refreshedAuth: refreshedAuth } : {}),
+        }
+      }
+
       // Check if token needs refresh
       if (isTokenExpired(auth.expires)) {
         try {
           const tokens = await refreshAccessToken(auth.refresh)
           const newExpires = Date.now() + tokens.expires_in * 1000
 
-          // Return refreshed credentials
-          // Note: The opencode system will handle persisting these
-          return {
-            apiKey: tokens.access_token,
-            _refreshedAuth: {
-              type: "oauth" as const,
-              access: tokens.access_token,
-              refresh: tokens.refresh_token,
-              expires: newExpires,
-            },
-          }
+          return buildOptions(tokens.access_token, {
+            type: "oauth" as const,
+            access: tokens.access_token,
+            refresh: tokens.refresh_token,
+            expires: newExpires,
+          })
         } catch (error) {
           console.error("[openai-codex-auth] Failed to refresh token:", error)
           // Return existing token and let the API call fail if it's truly expired
-          return {
-            apiKey: auth.access,
-          }
+          return buildOptions(auth.access)
         }
       }
 
-      return {
-        apiKey: auth.access,
-      }
+      return buildOptions(auth.access)
     },
 
     methods: [

packages/openai-codex-auth/src/request/fetch-helpers.ts

@@ -3,7 +3,7 @@
  */
 
 import { refreshAccessToken } from "../auth/auth"
-import { CODEX_API } from "../constants"
+import { CODEX_API, CODEX_HEADERS } from "../constants"
 
 export interface TokenManager {
   accessToken: string
@@ -51,13 +51,47 @@ export async function getValidAccessToken(manager: TokenManager): Promise<string
 }
 
 /**
- * Create authorization headers for API requests
+ * Decode a JWT token and extract claims (without verification)
+ */
+export function decodeJWT(token: string): Record<string, unknown> {
+  try {
+    const parts = token.split(".")
+    if (parts.length !== 3) return {}
+    const payload = parts[1]
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"))
+    return JSON.parse(decoded)
+  } catch {
+    return {}
+  }
+}
+
+/**
+ * Extract ChatGPT account ID from JWT token
+ */
+export function extractAccountId(accessToken: string): string | undefined {
+  const claims = decodeJWT(accessToken)
+  const authClaims = claims[CODEX_HEADERS.jwtClaimPath] as Record<string, unknown> | undefined
+  return authClaims?.["organization_id"] as string | undefined
+}
+
+/**
+ * Create authorization headers for Codex API requests
  */
 export function createAuthHeaders(accessToken: string): Record<string, string> {
-  return {
+  const headers: Record<string, string> = {
     Authorization: `Bearer ${accessToken}`,
     "Content-Type": "application/json",
+    "OpenAI-Beta": CODEX_HEADERS.openAiBeta,
+    originator: CODEX_HEADERS.originator,
   }
+
+  // Extract and add account ID from JWT if available
+  const accountId = extractAccountId(accessToken)
+  if (accountId) {
+    headers["chatgpt-account-id"] = accountId
+  }
+
+  return headers
 }
 
 /**