mirrors/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-04 21:32:21 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat: load AgentIdentity from JWT login/env (#18904)

Browse Source 
## Summary

This PR lets programmatic AgentIdentity users provide one token through
either stdin login or environment auth.

`codex login --with-agent-identity` reads an Agent Identity JWT from
stdin, validates that it has the required claims, and stores that token
as the `agent_identity` value in `auth.json`. The file format is
token-only; the decoded account and key fields are runtime state, not
hand-authored auth.json fields.

The Agent Identity JWT claim shape and decoder live in
`codex-agent-identity`; `codex-login` only owns env/storage precedence
and conversion into `CodexAuth::AgentIdentity`.

When env auth is enabled, `CODEX_AGENT_IDENTITY` can provide the same
JWT without writing auth state to disk. `CODEX_API_KEY` still wins if
both env vars are set.

Reference old stack: https://github.com/openai/codex/pull/17387/changes
Reference JWT/env stack: https://github.com/openai/codex/pull/18176

## Stack

1. https://github.com/openai/codex/pull/18757: full revert
2. https://github.com/openai/codex/pull/18871: isolated Agent Identity
crate
3. https://github.com/openai/codex/pull/18785: explicit AgentIdentity
auth mode and startup task allocation
4. https://github.com/openai/codex/pull/18811: migrate Codex backend
auth callsites through AuthProvider
5. This PR: accept AgentIdentity JWTs through login/env

## Testing

Tests: targeted login and Agent Identity crate tests, CLI checks, scoped
formatter/linter cleanup, and CI.

---------

Co-authored-by: Shijie Rao <shijie.rao@openai.com>
This commit is contained in:
efrazer-oai
2026-04-26 12:49:54 -07:00
committed by GitHub
parent ac2bffa443
commit fed0a8f4fa
14 changed files with 587 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
codex-rs/cloud-requirements/src/lib.rs
View File

@@ -329,6 +329,11 @@ impl CloudRequirementsService {
let Some(auth) = self.auth_manager.auth().await else {
return Ok(None);
};
if matches!(auth, CodexAuth::AgentIdentity(_)) {
// AgentIdentity does not carry a human bearer token, and identity-edge
// only allowlists task-scoped AgentAssertion calls for the Codex runtime.
return Ok(None);
}
let Some(plan_type) = auth.account_plan_type() else {
return Ok(None);
};