~/blog/openclaw-chatgpt-oauth-gpt54-no-api-key

OpenClaw · part 11

[AI Agent] openclaw + ChatGPT OAuth: Run GPT-5.4 Agents Without API Credits

2026-03-24updated 2026-06-215 min read#openclaw#gpt-5.4#chatgpt#oauth中文版
cat --toc

TL;DR

openclaw models auth login --provider openai-codex adds GPT-5.4 (1,050,000-token context) to your openclaw agent using a ChatGPT Plus account. No OpenAI API key required. Three gotchas: it needs an interactive terminal, the gateway must restart after auth, and the default model has to be set separately.

The short version: your ChatGPT Plus model, in your own agent

A lot of people pay $20/month for ChatGPT Plus — to chat, write, ask questions. What most people don't realize is that the AI model behind it (GPT-5.4) can be "borrowed" by other tools, not just the ChatGPT website.

openclaw is an open-source AI agent framework that runs on your own machine. In March 2026 it added ChatGPT Plus OAuth: log in with your ChatGPT account and your agent can call GPT-5.4 directly — no separate OpenAI API billing.

So if you already pay for ChatGPT Plus, your local agent can use that same model — a 1-million-token context window — without a separate API bill. (You're still bound by your ChatGPT plan's usage limits, but there's no metered API charge.) It's like finding out the pool was included in your gym membership all along.

How the openclaw + ChatGPT OAuth flow works: your already-paid ChatGPT Plus → openclaw OAuth login (openai-codex) → token saved in ~/.openclaw → your agent runs GPT-5.4 with no separate API bill (your ChatGPT plan limits still apply).

Setup takes about five minutes, but there are three gotchas the release notes don't mention. This article walks you through the whole process.

The openclaw 2026.3.13 OAuth fix

The openai-codex provider shipped in earlier builds, but auth was broken — successful logins were re-validated against the public OpenAI Responses API, which rejected the Codex OAuth tokens. The fix landed in 2026.3.13:

OpenAI Codex OAuth/login parity: keep openclaw models auth login --provider openai-codex on the built-in path even without provider plugins, preserve Pi-generated authorize URLs without local scope rewriting, and stop validating successful Codex sign-ins against the public OpenAI Responses API after callback.

In practice: the login flow now completes cleanly, and auth.profiles gets written to ~/.openclaw/openclaw.json.

Three setup gotchas the release notes skip: (1) the OAuth login needs an interactive TTY — ssh -t won't forward the localhost callback; (2) restart the gateway, because provider registration isn't hot-reloaded; (3) set the default model separately (agents.defaults.model.primary), then restart.

Running the Auth Flow

It's a single command:

openclaw models auth login --provider openai-codex

It opens a browser at https://auth.openai.com/oauth/authorize. You log in with your ChatGPT account, and the callback writes the token.

Gotcha 1: this requires an interactive TTY. Running it over SSH fails immediately:

Error: models auth login requires an interactive TTY.

Run it directly on the machine where openclaw is installed — either sit at it, or use screen sharing / remote desktop. ssh -t does not help here because the OAuth callback runs on localhost.

After a successful login, the terminal shows:

◇  OpenAI OAuth complete
Config overwrite: /Users/coolthor/.openclaw/openclaw.json (sha256 b6289... -> d6fae...)
Updated ~/.openclaw/openclaw.json
Auth profile: openai-codex:default (openai-codex/oauth)
Default model available: openai-codex/gpt-5.4 (use --set-default to apply)

The config is saved and the gateway detects the change via file watcher (config change detected; evaluating reload). But GPT-5.4 won't appear in openclaw models list yet.

Setting the Default Model

Gotcha 2: the model isn't automatically set as default. The auth output says "use --set-default to apply" but that flag only works during an interactive auth login session, not after the fact.

Set it via config:

openclaw config set agents.defaults.model.primary openai-codex/gpt-5.4

Output confirms the write and tells you what's still needed:

Updated agents.defaults.model.primary. Restart the gateway to apply.

Restarting the Gateway

Gotcha 3: you have to restart the gateway. The dynamic config reload handles most changes, but model provider registration isn't one of them.

# macOS launchd
launchctl stop ai.openclaw.gateway
launchctl start ai.openclaw.gateway

After restart, openclaw models list shows the new entry and your agent will use GPT-5.4 by default.

What GPT-5.4 actually buys you

The model ships with a 1,050,000-token context window and 128,000 max output tokens. For an agent running long research sessions or chewing through large documents over Telegram, this lifts the context ceiling that local 120B models hit around 128K.

Currency note: openclaw 2026.3.13 maps the openai-codex provider to GPT-5.4. ChatGPT itself has since moved to GPT-5.5 as the default, and newer openclaw builds may expose it — the OAuth flow above is identical whichever model the provider points at.

The tradeoff: GPT-5.4 runs on OpenAI's servers, not locally. Anything the agent sends goes through ChatGPT's backend. For a personal agent handling trading notes or private data, that's worth thinking about before switching primary models.

Takeaways

The biggest time sink: the TTY requirement. The error message is clear, but "interactive TTY" doesn't immediately suggest "use screen sharing," and ssh -t feels like it should work but doesn't.

For next time: when an openclaw config change doesn't show up in models list, it's almost always a missing gateway restart. The file-watcher reload is real but partial — it handles credentials and routing, not provider registration.

The general rule: auth flows that open a local callback (localhost:1455/auth/callback) can't be proxied through SSH. The browser, the CLI process, and the callback listener all have to run on the same machine.

Checklist

  1. Update openclaw to 2026.3.13 or later
  2. On the gateway machine directly (not via SSH): run openclaw models auth login --provider openai-codex
  3. Complete the ChatGPT login in the browser that opens
  4. Run openclaw config set agents.defaults.model.primary openai-codex/gpt-5.4
  5. Restart the gateway: launchctl stop ai.openclaw.gateway && launchctl start ai.openclaw.gateway
  6. Verify with openclaw models list

Also in this series: Part 10 — Telegram sendMessageDraft Streaming

FAQ

How do I use GPT-5.4 in openclaw without an OpenAI API key?
Run `openclaw models auth login --provider openai-codex` and log in with your ChatGPT Plus account. openclaw stores the OAuth token in `~/.openclaw/openclaw.json` and uses it to call GPT-5.4 via the Codex endpoint. No separate OpenAI API billing required.
Does the openclaw + ChatGPT OAuth integration work with ChatGPT Plus or do I need ChatGPT Pro?
ChatGPT Plus is sufficient. The OAuth flow uses the same credentials as the ChatGPT website, and gives your openclaw agent the same GPT-5.4 access — including the 1,050,000-token context window.
Why does `openclaw models auth login` fail with 'requires an interactive TTY' over SSH?
The OAuth callback opens a browser on localhost, and `ssh -t` does not forward that. Run the login command directly on the machine where openclaw is installed — sit at it, or use screen sharing / VNC. Once logged in, the token persists and subsequent runs don't need a TTY.
After OAuth login, why does openclaw still use the old model instead of GPT-5.4?
Auth and default model selection are separate. After login you must restart the gateway AND set the default model explicitly: edit `~/.openclaw/openclaw.json` to point the active profile at `openai-codex/gpt-5.4`, or run `openclaw config set agents.defaults.model.primary openai-codex/gpt-5.4`. The release notes don't spell this out.
ShareRedditLinkedInXFacebook
← back to blog