Open
Conversation
This was referenced Apr 16, 2026
efrazer-oai
force-pushed
the
efrazer/codex/agent-identity-jwt
branch
from
cf52e2b to
bf44dee
Compare
adrian-openai
approved these changes
Apr 17, 2026
Contributor
adrian-openai
left a comment
adrian-openai
left a comment
There was a problem hiding this comment.
This seems fine, although I still don't understand why we go through the trouble of signing this payload.
| } | ||
|
|
||
| fn agent_identity_from_jwt(jwt: &str) -> std::io::Result<AgentIdentityAuthRecord> { | ||
| let claims: AgentIdentityJwtClaims = decode_jwt_payload(jwt).map_err(std::io::Error::other)?; |
Contributor
There was a problem hiding this comment.
I don't understand why we wrap these fields in a JWT.
efrazer-oai
force-pushed
the
efrazer/codex/agent-identity-jwt
branch
from
bf44dee to
27ac8b7
Compare
efrazer-oai
changed the base branch from
main
to
dev/adrian/codex/agent-identity-background-task-more-calls
adrian-openai
force-pushed
the
dev/adrian/codex/agent-identity-background-task-more-calls
branch
3 times, most recently
from
a1d28fe to
b014f14
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/agent-identity-background-task-more-calls
branch
6 times, most recently
from
8f3ed7b to
5171ebb
Compare
Base automatically changed from
dev/adrian/codex/agent-identity-background-task-more-calls
to
main
April 20, 2026 14:24
efrazer-oai
force-pushed
the
efrazer/codex/agent-identity-jwt
branch
2 times, most recently
from
bae7e87 to
6c7bf25
Compare
efrazer-oai
force-pushed
the
efrazer/codex/agent-identity-jwt
branch
from
6c7bf25 to
2e0af35
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stack
CODEX_AGENT_IDENTITYWhat changed
auth.json.agent_identitycan now be either the existing object or a JWT string.The JWT payload requires:
workspace_idagent_runtime_idagent_private_keyIt can also include:
chatgpt_user_idregistered_atbackground_task_idis not part of the JWT contract. Codex can cache that later in the stored object after task registration.Why
Launchers can pass one predictable string for an existing registered agent identity. Codex decodes the JWT payload into the same
AgentIdentityAuthRecordit already stores.Validation
cd codex-rs && just fmtcd codex-rs && cargo check -p codex-login -p codex-corecd codex-rs && cargo test -p codex-login agent_identitycd codex-rs && cargo test -p codex-core agent_identitycd codex-rs && just fix -p codex-login