Route Fed API-key logins with existing base-url config by jackz-oai · Pull Request #17171 · openai/codex

jackz-oai · 2026-04-08T23:51:13Z

Summary:

Probe public OpenAI /v1/me during API-key login.
If /v1/me reports the current org is FedRAMP, show a login prompt and write the existing openai_base_url config override to Gov API.
Leave commercial API-key logins alone; this does not store base URLs in auth.json or change provider request construction.

Depends on:

openai/openai#804108 for /v1/me current_organization_is_fedramp

github-actions · 2026-04-08T23:51:26Z

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

Probe OpenAI /v1/me during API-key login, persist a Gov API base URL for FedRAMP current orgs, and apply the saved base when constructing OpenAI API providers. Testing: just fmt; cargo test -p codex-login; cargo test -p codex-core openai_api_key_routing. cargo check -p codex-cli blocked by local disk full. Co-authored-by: Codex <noreply@openai.com>

jackz-oai · 2026-04-09T00:00:00Z

I have read the CLA Document and I hereby sign the CLA

jackz-oai · 2026-04-09T00:00:15Z

recheck

Validate API-key login with /v1/me, use the current org FedRAMP flag to persist the existing openai_base_url override, and keep runtime provider construction on the existing config path. Co-authored-by: Codex <noreply@openai.com>

Co-authored-by: Codex <noreply@openai.com>

jackz-oai · 2026-04-09T19:50:06Z

1 open question is im not sure what the best logout behavior should be? should we reset openai_base_url on logout ?

viyatb-oai · 2026-04-09T23:59:09Z

Security review note: I think the FedRAMP routing config write needs to happen before the API key is persisted, or the auth write needs to be rolled back if the config write fails.

In the current run_login_with_api_key flow, we detect current_organization_is_fedramp, then call login_with_api_key(...), and only after that call write_gov_openai_base_url(&config). If write_gov_openai_base_url fails, the command exits with an error but the API key has already been stored while openai_base_url may still be unset or left at the commercial/default value. A later Codex run could then pick up the saved API-key auth and route requests to the wrong API edge.

Could we either write the required openai_base_url before persisting the key, or delete/rollback the just-written auth state on the config-write failure path?

Co-authored-by: Codex <noreply@openai.com>

jackz-oai · 2026-04-10T00:19:23Z

Addressed in 029bd9ba1 by removing the separate openai_base_url config mutation entirely.

The /v1/me result is now stored next to the API key in auth.json as OPENAI_API_KEY_IS_FEDRAMP, and runtime routing derives the gov base URL from that same auth record. That means there is no longer a split state where the key is persisted but the routing config write failed. A normal/non-Fed API-key login also clears any stale FedRAMP flag with the auth write.

jackz-oai force-pushed the jackz/fed-codex-api-mode branch from cc2d9b4 to 8069205 Compare April 8, 2026 23:56

github-actions Bot added a commit that referenced this pull request Apr 9, 2026

@jackz-oai has signed the CLA in #17171

085d9d6

[codex] Use existing base-url config for Fed API login

0a1d8c4

Validate API-key login with /v1/me, use the current org FedRAMP flag to persist the existing openai_base_url override, and keep runtime provider construction on the existing config path. Co-authored-by: Codex <noreply@openai.com>

jackz-oai changed the title ~~Route Fed API-key logins to Gov API~~ Route Fed API-key logins with existing base-url config Apr 9, 2026

jackz-oai and others added 2 commits April 9, 2026 11:47

codex: simplify fed api base-url login switch

14d5a71

Co-authored-by: Codex <noreply@openai.com>

codex: satisfy argument-comment lint for api login test

c674092

Co-authored-by: Codex <noreply@openai.com>

codex: store fedramp api routing with api key

029bd9b

Co-authored-by: Codex <noreply@openai.com>

etraut-openai added the oai PRs contributed by OpenAI employees label Apr 11, 2026

jackz-oai closed this Apr 23, 2026

jackz-oai deleted the jackz/fed-codex-api-mode branch April 23, 2026 03:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Route Fed API-key logins with existing base-url config#17171

Route Fed API-key logins with existing base-url config#17171
jackz-oai wants to merge 5 commits intomainfrom
jackz/fed-codex-api-mode

jackz-oai commented Apr 8, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 8, 2026 •

edited

Loading

Uh oh!

jackz-oai commented Apr 9, 2026

Uh oh!

jackz-oai commented Apr 9, 2026

Uh oh!

jackz-oai commented Apr 9, 2026

Uh oh!

viyatb-oai commented Apr 9, 2026

Uh oh!

jackz-oai commented Apr 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jackz-oai commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jackz-oai commented Apr 9, 2026

Uh oh!

jackz-oai commented Apr 9, 2026

Uh oh!

jackz-oai commented Apr 9, 2026

Uh oh!

viyatb-oai commented Apr 9, 2026

Uh oh!

jackz-oai commented Apr 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jackz-oai commented Apr 8, 2026 •

edited

Loading

github-actions Bot commented Apr 8, 2026 •

edited

Loading