OpenAI Codex (ChatGPT OAuth) provider.
This mirrors Codex CLI / ChatGPT OAuth:
Tokens are persisted at ~/.vis/openai-codex-auth.json. The access
token is a JWT; Codex requests require the embedded ChatGPT account
id, so this namespace validates/extracts it during login/refresh.
OpenAI Codex (ChatGPT OAuth) provider. This mirrors Codex CLI / ChatGPT OAuth: 1. Generate PKCE verifier + S256 challenge. 2. Open auth.openai.com with Codex's public client id. 3. Let the browser redirect to the registered localhost callback, then paste the final redirect URL/code back into Vis. 4. Exchange the code for ChatGPT access/refresh tokens. 5. Refresh the access token before expiry and expose it to Vis as the provider token. Tokens are persisted at `~/.vis/openai-codex-auth.json`. The access token is a JWT; Codex requests require the embedded ChatGPT account id, so this namespace validates/extracts it during login/refresh.
(account-id access-token)Extract the ChatGPT account id from a Codex access-token JWT.
Extract the ChatGPT account id from a Codex access-token JWT.
(create-authorization-flow)(create-authorization-flow originator)Create PKCE verifier, CSRF state, and OpenAI authorization URL.
Create PKCE verifier, CSRF state, and OpenAI authorization URL.
(detect-credentials)Detect persisted OpenAI Codex credentials. Returns a status-friendly map or nil; does not validate with the network.
Detect persisted OpenAI Codex credentials. Returns a status-friendly map or nil; does not validate with the network.
(force-refresh-token!)(force-refresh-token! rejected-token)Force an OAuth refresh-token exchange, persist the rotated credentials, and return the provider-token map.
get-openai-codex-token! only refreshes when the stored token is locally
expired, so a token that is locally-valid but invalidated server-side
(refresh-token rotation by another client/process) would otherwise never
be replaced. The runtime's 401 recovery path calls this. Routes through
the single-flight refresh-and-persist!, so a STORM of 401s collapses
into one exchange instead of racing the rotating refresh token into
HTTP 400.
rejected-token (optional) is the access token the server just 401'd:
the single-flight reuse step will NOT hand it back, forcing a real
exchange when the on-file token is still the dead one. Throws when there
is no refresh token on file.
Force an OAuth refresh-token exchange, persist the rotated credentials, and return the provider-token map. `get-openai-codex-token!` only refreshes when the stored token is locally expired, so a token that is locally-valid but invalidated server-side (refresh-token rotation by another client/process) would otherwise never be replaced. The runtime's 401 recovery path calls this. Routes through the single-flight `refresh-and-persist!`, so a STORM of 401s collapses into one exchange instead of racing the rotating refresh token into HTTP 400. `rejected-token` (optional) is the access token the server just 401'd: the single-flight reuse step will NOT hand it back, forcing a real exchange when the on-file token is still the dead one. Throws when there is no refresh token on file.
(get-openai-codex-token!)Return a fresh Codex access token in the provider-token shape used by
Vis: {:token access-token :api-url CODEX_BASE_URL :llm-headers {...}}.
Return a fresh Codex access token in the provider-token shape used by
Vis: `{:token access-token :api-url CODEX_BASE_URL :llm-headers {...}}`.(limits)Normalized limits envelope for the OpenAI Codex provider.
Static RPM/TPM metadata comes from svar's provider catalog; this fn reports authentication state and live ChatGPT/Codex quota windows when credentials are available.
Normalized limits envelope for the OpenAI Codex provider. Static RPM/TPM metadata comes from svar's provider catalog; this fn reports authentication state and live ChatGPT/Codex quota windows when credentials are available.
(login! printer-fn)(login! printer-fn
{:keys [originator open-browser-fn manual-code-fn force?]
:or {originator "vis"
open-browser-fn open-browser!
manual-code-fn prompt-for-code!}})Run the Codex OAuth flow and persist fresh credentials.
Options:
:originator value forwarded to OpenAI's OAuth request.:open-browser-fn (fn [url] boolean) override for tests or
alternate frontends.:manual-code-fn (fn [printer-fn] string|nil) collector for the
final redirect URL or bare authorization code. CLI uses read-line;
the TUI injects a dialog-backed collector. Pass nil to disable manual
entry entirely.:force? when true, starts a fresh OAuth flow even if
persisted credentials already exist.Run the Codex OAuth flow and persist fresh credentials. Options: - `:originator` value forwarded to OpenAI's OAuth request. - `:open-browser-fn` `(fn [url] boolean)` override for tests or alternate frontends. - `:manual-code-fn` `(fn [printer-fn] string|nil)` collector for the final redirect URL or bare authorization code. CLI uses `read-line`; the TUI injects a dialog-backed collector. Pass nil to disable manual entry entirely. - `:force?` when true, starts a fresh OAuth flow even if persisted credentials already exist.
(parse-authorization-input input)Parse a pasted OAuth callback URL, raw query string, code#state,
or bare code. Returns {:code string? :state string?}.
Parse a pasted OAuth callback URL, raw query string, `code#state`,
or bare code. Returns `{:code string? :state string?}`.cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |