Codex CLI login fails on Windows: auth.openai.com reachable via curl but OAuth/device-auth fail

I’m unable to sign in to Codex CLI on Windows. Both normal ChatGPT OAuth login and device auth fail.

Environment:

  • OS: Windows 11, 10.0.26200
  • Node.js: v24.13.0
  • npm: 11.6.2
  • Codex CLI versions tested: 0.133.0 and 0.132.0
  • Browser tested: Chrome and Edge
  • Device code authorization is enabled in ChatGPT security settings

Errors:

  1. Normal login:
    Token exchange failed: error sending request for url (https://auth.openai.com/oauth/token)

  2. Device auth:
    Error logging in with device code: error sending request for url (https://auth.openai.com/api/accounts/deviceauth/usercode)

  3. Browser page sometimes shows:
    Unexpected token '<', '<!DOCTYPE'... is not valid JSON

Network checks already completed:

  • WinHTTP proxy reset. netsh winhttp show proxy returns direct access / no proxy.
  • Windows system proxy disabled. ProxyEnable = 0, ProxyServer is empty.
  • WLAN DNS restored to DHCP and DNS cache flushed.
  • HTTP_PROXY, HTTPS_PROXY, and ALL_PROXY environment variables removed.
  • Only NO_PROXY=localhost,127.0.0.1,::1 remains.
  • Removed C:\Users\lenovo\.codex\auth.json.
  • Tried codex logout, codex login, and codex login --device-auth.
  • Tried Codex CLI 0.133.0 and 0.132.0.
  • Tried Chrome and Edge.
  • Device code authorization is enabled in ChatGPT security settings.

PowerShell can reach the auth endpoint:
    curl.exe -I https://auth.openai.com/api/accounts/deviceauth/usercode

It returns:
    HTTP/1.1 405 Method Not Allowed

So the endpoint is reachable from PowerShell, but Codex CLI still fails to request the device auth endpoint or exchange the OAuth token.

Question:
Is this a known Codex CLI authentication issue on Windows, possibly related to auth.openai.com / Cloudflare returning an HTML challenge page instead of JSON? Is there any recommended workaround besides API key login, such as a specific CLI version, debug flag, auth flow, or network configuration?

I can provide sanitized logs if needed, but I will not share auth.json, cookies, API keys, account tokens, or proxy subscription links.

Might be worth checking whether Windows, WSL, VPN, or a proxy is interfering with the local OAuth callback rather than the OpenAI auth domain itself.

I’d try disabling VPN/proxy temporarily, making sure localhost, 127.0.0.1, and ::1 bypass any proxy, then clearing the local Codex auth file and running login again.

Thanks for the detailed writeup, and good call from @Vultieris too.

This does look more like the CLI is getting blocked or redirected during the auth request, especially with the Unexpected token '<' hint. That usually means something expected JSON but got an HTML page back instead.

Since PowerShell can reach the endpoint, I’d next try:

  • Run codex login --device-auth from a clean PowerShell session
  • Temporarily disable VPN, antivirus web filtering, DNS filtering, and corporate/security proxy tools
  • Try the same login from WSL or another Windows user profile
  • Test on a different network, like mobile hotspot

API key login is probably the best workaround for now. Sanitized CLI debug logs would be useful, but definitely do not share auth.json, cookies, tokens, or keys.

-Mark G.
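
Added example, not part of the thread and not Codex CLI code: a small Node.js triage function for the "expected JSON, got HTML" symptom discussed above. It classifies a response body before parsing it and reports only the status, page title and key names, so the output can be posted as a sanitized log. The sample responses and JSON field names are constructed placeholders.

```javascript
// Added example: triage an auth response body before JSON-parsing it.
// All sample responses are constructed; the JSON field names are placeholders.
const SAMPLES = {
  ok: { status: 200, contentType: "application/json",
        body: '{"user_code":"XXXX-XXXX","interval":5}' },
  intercepted: { status: 403, contentType: "text/html; charset=UTF-8",
        body: "<!DOCTYPE html><html><head><title>Request blocked (constructed)" +
              "</title></head><body>...</body></html>" },
  truncated: { status: 200, contentType: "application/json", body: '{"user_code":' },
};

// What a client does when it assumes JSON: returns the parser's error message, or null.
function naiveParseError(body) {
  try { JSON.parse(body); return null; } catch (err) { return err.message; }
}

function classifyAuthResponse({ status, contentType = "", body = "" }) {
  const text = body.trimStart();
  const looksHtml = /^<(!doctype|html)\b/i.test(text) || /text\/html/i.test(contentType);
  if (looksHtml) {
    // The <title> usually names whatever produced the page (filter, portal, challenge).
    const m = /<title[^>]*>([^<]*)<\/title>/i.exec(text);
    return { kind: "html", status, title: m ? m[1].trim() : null };
  }
  try {
    const parsed = JSON.parse(text);
    // Report key names only, so token values never land in a shared log.
    const keys = parsed && typeof parsed === "object" ? Object.keys(parsed).sort() : [];
    return { kind: "json", status, keys };
  } catch (err) {
    return { kind: "unparseable", status, error: err.message };
  }
}

for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classifyAuthResponse(res)));
}
```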