OAuth

OmeniaClaw supports "subscription auth" via OAuth for providers that offer it (notably OpenAI Codex (ChatGPT OAuth)). For Anthropic, the practical split is now:

• Anthropic API key: normal Anthropic API billing
• Anthropic Claude CLI / subscription auth inside OmeniaClaw: Anthropic staff told us this usage is allowed again

OpenAI Codex OAuth is explicitly supported for use in external tools like OmeniaClaw.

OmeniaClaw stores both OpenAI API-key auth and ChatGPT/Codex OAuth under the canonical provider id openai. Older openai-codex:* profile ids and auth.order.openai-codex entries are legacy state repaired by OmeniaClaw doctor --fix; use openai:* profile ids and auth.order.openai for new config.

For Anthropic in production, API key auth is the safer recommended path.

This page explains:

• how the OAuth token exchange works (PKCE)
• where tokens are stored (and why)
• how to handle multiple accounts (profiles + per-session overrides)

OmeniaClaw also supports provider plugins that ship their own OAuth or API-key flows. Run them via:

OmeniaClaw models auth login --provider <id>

The token sink (why it exists)

OAuth providers commonly mint a new refresh token during login/refresh flows. Some providers (or OAuth clients) can invalidate older refresh tokens when a new one is issued for the same user/app.

Practical symptom:

• you log in via OmeniaClaw and via Claude Code / Codex CLI → one of them randomly gets "logged out" later

To reduce that, OmeniaClaw treats auth-profiles.json as a token sink:

• the runtime reads credentials from one place
• we can keep multiple profiles and route them deterministically
• external CLI reuse is provider-specific: Codex CLI can bootstrap an empty openai:default profile, but once OmeniaClaw has a local OAuth profile, the local refresh token is canonical. If that local refresh token is rejected, OmeniaClaw can use a usable same-account Codex CLI token as a runtime-only fallback; other integrations can remain externally managed and re-read their CLI auth store
• status and startup paths that already know the configured provider set scope external CLI discovery to that set, so an unrelated CLI login store is not probed for a single-provider setup

Storage (where tokens live)

Secrets are stored in agent auth stores:

• Auth profiles (OAuth + API keys + optional value-level refs): ~/.OmeniaClaw/agents/<agentId>/agent/auth-profiles.json
• Legacy compatibility file: ~/.OmeniaClaw/agents/<agentId>/agent/auth.json (static api_key entries are scrubbed when discovered)

Legacy import-only file (still supported, but not the main store):

• ~/.OmeniaClaw/credentials/oauth.json (imported into auth-profiles.json on first use)

All of the above also respect $OmeniaClaw_STATE_DIR (state dir override). Full reference: /gateway/configuration

For static secret refs and runtime snapshot activation behavior, see Secrets Management.

When a secondary agent has no local auth profile, OmeniaClaw uses read-through inheritance from the default/main agent store. It does not clone the main agent's auth-profiles.json on read. OAuth refresh tokens are especially sensitive: normal copy flows skip them by default because some providers rotate or invalidate refresh tokens after use. Configure a separate OAuth login for an agent when it needs an independent account.

Anthropic legacy token compatibility

OmeniaClaw also exposes Anthropic setup-token as a supported token-auth path, but it now prefers Claude CLI reuse and claude -p when available.

Anthropic Claude CLI migration

OmeniaClaw supports Anthropic Claude CLI reuse again. If you already have a local Claude login on the host, onboarding/configure can reuse it directly.

OAuth exchange (how login works)

OmeniaClaw's interactive login flows are implemented in OmeniaClaw/plugin-sdk/llm and wired into the wizards/commands.

Anthropic setup-token

Flow shape:

1. start Anthropic setup-token or paste-token from OmeniaClaw
2. OmeniaClaw stores the resulting Anthropic credential in an auth profile
3. model selection stays on anthropic/...
4. existing Anthropic auth profiles remain available for rollback/order control

OpenAI Codex (ChatGPT OAuth)

OpenAI Codex OAuth is explicitly supported for use outside the Codex CLI, including OmeniaClaw workflows.

The login command still uses the canonical OpenAI provider id:

OmeniaClaw models auth login --provider openai

Use --profile-id openai:<name> for multiple ChatGPT/Codex OAuth accounts in one agent. Do not use openai-codex:<name> for new profiles. Doctor migrates that older prefix to a collision-free openai:* profile id; run OmeniaClaw models auth list --provider openai after repair before copying profile ids into auth.order or /model ...@<profileId>.

Flow shape (PKCE):

1. generate PKCE verifier/challenge + random state
2. open https://auth.openai.com/oauth/authorize?...
3. try to capture callback on http://127.0.0.1:1455/auth/callback
4. if callback can't bind (or you're remote/headless), paste the redirect URL/code
5. exchange at https://auth.openai.com/oauth/token
6. extract accountId from the access token and store { access, refresh, expires, accountId }

Wizard path is OmeniaClaw onboard → auth choice openai.

Refresh + expiry

Profiles store an expires timestamp.

At runtime:

• if expires is in the future → use the stored access token
• if expired → refresh (under a file lock) and overwrite the stored credentials
• if a secondary agent reads an inherited main-agent OAuth profile, refresh writes back to the main agent store instead of copying the refresh token into the secondary agent store
• exception: some external CLI credentials stay externally managed; OmeniaClaw re-reads those CLI auth stores instead of spending copied refresh tokens. Codex CLI bootstrap is intentionally narrower: it seeds an empty openai:default profile, then OmeniaClaw-owned refreshes keep the local profile canonical. If the local Codex refresh fails and Codex CLI has a usable token for the same account, OmeniaClaw may use that token for the current runtime request without writing it back to auth-profiles.json.

The refresh flow is automatic; you generally don't need to manage tokens manually.

Multiple accounts (profiles) + routing

Two patterns:

1) Preferred: separate agents

If you want "personal" and "work" to never interact, use isolated agents (separate sessions + credentials + workspace):

OmeniaClaw agents add workOmeniaClaw agents add personal

Then configure auth per-agent (wizard) and route chats to the right agent.

2) Advanced: multiple profiles in one agent

auth-profiles.json supports multiple profile IDs for the same provider.

Pick which profile is used:

• globally via config ordering (auth.order)
• per-session via /model ...@<profileId>

Example (session override):

• /model Opus@anthropic:work

How to see what profile IDs exist:

• OmeniaClaw channels list --json (shows auth[])

Related docs:

• Model failover (rotation + cooldown rules)
• Slash commands (command surface)

Related

• Authentication - model provider auth overview
• Secrets - credential storage and SecretRef
• Configuration Reference - auth config keys