openai · efrazer-oai · Apr 21, 2026 · Apr 21, 2026 · pakrym-oai · Apr 21, 2026
diff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock
diff --git a/codex-rs/Cargo.toml b/codex-rs/Cargo.toml
@@ -2,6 +2,7 @@
 members = [
     "analytics",
     "agent-identity",
+    "auth-provider",
     "backend-client",
     "ansi-escape",
     "async-utils",
@@ -112,6 +113,7 @@ license = "Apache-2.0"
 app_test_support = { path = "app-server/tests/common" }
 codex-analytics = { path = "analytics" }
 codex-agent-identity = { path = "agent-identity" }
+codex-auth-provider = { path = "auth-provider" }
 codex-ansi-escape = { path = "ansi-escape" }
 codex-api = { path = "codex-api" }
 codex-app-server = { path = "app-server" }

diff --git a/codex-rs/analytics/Cargo.toml b/codex-rs/analytics/Cargo.toml
@@ -16,6 +16,7 @@ workspace = true
 codex-app-server-protocol = { workspace = true }
 codex-git-utils = { workspace = true }
 codex-login = { workspace = true }
+codex-model-provider = { workspace = true }
 codex-plugin = { workspace = true }
 codex-protocol = { workspace = true }
 os_info = { workspace = true }

diff --git a/codex-rs/analytics/src/client.rs b/codex-rs/analytics/src/client.rs
@@ -307,16 +307,9 @@ async fn send_track_events(
     let Some(auth) = auth_manager.auth().await else {
         return;
     };
-    if !auth.is_chatgpt_auth() {
+    if !auth.uses_codex_backend() {
         return;
     }
-    let access_token = match auth.get_token() {
-        Ok(token) => token,
-        Err(_) => return,
-    };
-    let Some(account_id) = auth.get_account_id() else {
-        return;
-    };
 
     let base_url = base_url.trim_end_matches('/');
     let url = format!("{base_url}/codex/analytics-events/events");
@@ -325,8 +318,7 @@ async fn send_track_events(
     let response = create_client()
         .post(&url)
         .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .bearer_auth(&access_token)
-        .header("chatgpt-account-id", &account_id)
+        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
         .header("Content-Type", "application/json")
         .json(&payload)
         .send()

diff --git a/codex-rs/app-server/Cargo.toml b/codex-rs/app-server/Cargo.toml
@@ -48,6 +48,7 @@ codex-file-search = { workspace = true }
 codex-chatgpt = { workspace = true }
 codex-login = { workspace = true }
 codex-mcp = { workspace = true }
+codex-model-provider = { workspace = true }
 codex-models-manager = { workspace = true }
 codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }

diff --git a/codex-rs/app-server/src/codex_message_processor.rs b/codex-rs/app-server/src/codex_message_processor.rs
@@ -1911,7 +1911,7 @@ impl CodexMessageProcessor {
             });
         };
 
-        if !auth.is_chatgpt_auth() {
+        if !auth.uses_codex_backend() {
             return Err(JSONRPCErrorError {
                 code: INVALID_REQUEST_ERROR_CODE,
                 message: "chatgpt authentication required to notify workspace owner".to_string(),
@@ -1966,7 +1966,7 @@ impl CodexMessageProcessor {
             });
         };
 
-        if !auth.is_chatgpt_auth() {
+        if !auth.uses_codex_backend() {
             return Err(JSONRPCErrorError {
                 code: INVALID_REQUEST_ERROR_CODE,
                 message: "chatgpt authentication required to read rate limits".to_string(),
@@ -6210,7 +6210,7 @@ impl CodexMessageProcessor {
         let auth = self.auth_manager.auth().await;
         if !config
             .features
-            .apps_enabled_for_auth(auth.as_ref().is_some_and(CodexAuth::is_chatgpt_auth))
+            .apps_enabled_for_auth(auth.as_ref().is_some_and(CodexAuth::uses_codex_backend))
         {
             self.outgoing
                 .send_response(
@@ -6971,7 +6971,7 @@ impl CodexMessageProcessor {
                 let auth = self.auth_manager.auth().await;
                 let apps_needing_auth = if plugin_apps.is_empty()
                     || !config.features.apps_enabled_for_auth(
-                        auth.as_ref().is_some_and(CodexAuth::is_chatgpt_auth),
+                        auth.as_ref().is_some_and(CodexAuth::uses_codex_backend),
                     ) {
                     Vec::new()
                 } else {

diff --git a/codex-rs/app-server/src/message_processor.rs b/codex-rs/app-server/src/message_processor.rs
@@ -1073,7 +1073,7 @@ impl MessageProcessor {
         let auth = self.auth_manager.auth().await;
         if !config.features.apps_enabled_for_auth(
             auth.as_ref()
-                .is_some_and(codex_login::CodexAuth::is_chatgpt_auth),
+                .is_some_and(codex_login::CodexAuth::uses_codex_backend),
         ) {
             return;
         }

diff --git a/codex-rs/app-server/src/transport/remote_control/enroll.rs b/codex-rs/app-server/src/transport/remote_control/enroll.rs
@@ -29,7 +29,7 @@ pub(super) struct RemoteControlEnrollment {
 
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub(super) struct RemoteControlConnectionAuth {
-    pub(super) bearer_token: String,
+    pub(super) auth_headers: HeaderMap,
     pub(super) account_id: String,
 }
 
@@ -202,7 +202,7 @@ pub(super) async fn enroll_remote_control_server(
     let http_request = client
         .post(enroll_url)
         .timeout(REMOTE_CONTROL_ENROLL_TIMEOUT)
-        .bearer_auth(&auth.bearer_token)
+        .headers(auth.auth_headers.clone())
         .header(REMOTE_CONTROL_ACCOUNT_ID_HEADER, &auth.account_id)
         .json(&request);
 
@@ -445,7 +445,7 @@ mod tests {
         let err = enroll_remote_control_server(
             &remote_control_target,
             &RemoteControlConnectionAuth {
-                bearer_token: "Access Token".to_string(),
+                auth_headers: HeaderMap::new(),
                 account_id: "account_id".to_string(),
             },
         )

diff --git a/codex-rs/app-server/src/transport/remote_control/websocket.rs b/codex-rs/app-server/src/transport/remote_control/websocket.rs
@@ -680,11 +680,7 @@ fn build_remote_control_websocket_request(
         "x-codex-protocol-version",
         REMOTE_CONTROL_PROTOCOL_VERSION,
     )?;
-    set_remote_control_header(
-        headers,
-        "authorization",
-        &format!("Bearer {}", auth.bearer_token),
-    )?;
+    headers.extend(auth.auth_headers.clone());
     set_remote_control_header(headers, REMOTE_CONTROL_ACCOUNT_ID_HEADER, &auth.account_id)?;
     if let Some(subscribe_cursor) = subscribe_cursor {
         set_remote_control_header(
@@ -712,7 +708,7 @@ pub(crate) async fn load_remote_control_auth(
             reloaded = true;
             continue;
         };
-        if !auth.is_chatgpt_auth() {
+        if !auth.uses_codex_backend() {
             break auth;
         }
         if auth.get_account_id().is_none() && !reloaded {
@@ -723,15 +719,15 @@ pub(crate) async fn load_remote_control_auth(
         break auth;
     };
 
-    if !auth.is_chatgpt_auth() {
+    if !auth.uses_codex_backend() {
         return Err(io::Error::new(
             ErrorKind::PermissionDenied,
             "remote control requires ChatGPT authentication; API key auth is not supported",
         ));
     }
 
     Ok(RemoteControlConnectionAuth {
-        bearer_token: auth.get_token().map_err(io::Error::other)?,
+        auth_headers: codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers(),
         account_id: auth.get_account_id().ok_or_else(|| {
             io::Error::new(
                 ErrorKind::WouldBlock,

diff --git a/codex-rs/auth-provider/BUILD.bazel b/codex-rs/auth-provider/BUILD.bazel
@@ -0,0 +1,6 @@
+load("//:defs.bzl", "codex_rust_crate")
+
+codex_rust_crate(
+    name = "auth-provider",
+    crate_name = "codex_auth_provider",
+)
diff --git a/codex-rs/auth-provider/Cargo.toml b/codex-rs/auth-provider/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "codex-auth-provider"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[lib]
+doctest = false
+name = "codex_auth_provider"
+path = "src/lib.rs"
+
+[dependencies]
+http = { workspace = true }
+
+[lints]
+workspace = true
diff --git a/codex-rs/auth-provider/src/lib.rs b/codex-rs/auth-provider/src/lib.rs
@@ -0,0 +1,21 @@
+use std::sync::Arc;
+
+use http::HeaderMap;
+
+/// Applies resolved authentication state to outbound HTTP request headers.
+///
+/// Implementations must be cheap and non-blocking. Token refresh, task
+/// registration, and other I/O must happen before request construction reaches
+/// this trait.
+pub trait AuthProvider: Send + Sync {
+    fn add_auth_headers(&self, headers: &mut HeaderMap);
+
+    fn to_auth_headers(&self) -> HeaderMap {
+        let mut headers = HeaderMap::new();
+        self.add_auth_headers(&mut headers);
+        headers
+    }
+}
+
+/// Shared auth handle passed through API clients.
+pub type SharedAuthProvider = Arc<dyn AuthProvider>;
diff --git a/codex-rs/backend-client/Cargo.toml b/codex-rs/backend-client/Cargo.toml
@@ -17,8 +17,10 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 codex-backend-openapi-models = { path = "../codex-backend-openapi-models" }
+codex-auth-provider = { workspace = true }
 codex-client = { workspace = true }
 codex-login = { workspace = true }
+codex-model-provider = { workspace = true }
 codex-protocol = { workspace = true }
 
 [dev-dependencies]