403 Failed to refresh auth token: new Cloudflare protections #96

Closed
shifoc opened this issue Dec 11, 2022 · 97 comments

Comments

@shifoc

shifoc commented Dec 11, 2022

Hello, I am now getting a 403 Forbidden error

@DobroslavR

Me too! I just installed it and it does not work :D

@ovasylenko

After last chatGPT infra update it happens

@abacaj

This comment was marked as spam.

@flolep2607

It's caused by the addition of cloudflare protection

@PLhery

PLhery commented Dec 11, 2022

Unfortunately cf_clearance, cloudflare's cookie to certify it thinks you're a human (by sometimes showing a captcha), is valid only 30min as far as I know (from the same User-Agent, and the same IP I believe).

@abacaj

abacaj commented Dec 11, 2022

> Unfortunately cf_clearance, cloudflare's cookie to certify it thinks you're a human (by sometimes showing a captcha), is valid only 30min as far as I know (from the same User-Agent, and the same IP I believe).

Interesting, will let you know how long it survives for I have a service running already for 20min~

@onion0835

I think chatgpt had changed its code! It was normal yesterday, but it was wrong today

@khoatran1602

Access to fetch at 'https://chat.openai.com/api/auth/session' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Does anyone get this issue?

@transitive-bullshit
Owner

Yes, OpenAI added some additional Cloudflare protections that are preventing access token refresh.

CleanShot.2022-12-11.at.15.26.12.mp4

NOTE: this is affecting all ChatGPT API wrappers, including the python ones. I'm actively working on a workaround, so please stay tuned. See also the conversation happening over here rawandahmad698/PyChatGPT#71

@abacaj I don't see that as a solution because those CF tokens are too short-lived to be all that useful.

@transitive-bullshit
Owner

I've added a note to the top of the readme to reflect the current status. Will be updating this thread w/ progress.

@DexterStorey

welcome to the bleeding edge.
@transitive-bullshit thanks for the update, looking into it as well - let us know if you need help testing or implementing a fix

@abacaj

abacaj commented Dec 11, 2022

> Yes, OpenAI added some additional Cloudflare protections that are preventing access token refresh.
>
> CleanShot.2022-12-11.at.15.26.12.mp4
>
> NOTE: this is affecting all ChatGPT API wrappers, including the python ones. I'm actively working on a workaround, so please stay tuned. See also the conversation happening over here rawandahmad698/PyChatGPT#71
>
> @abacaj I don't see that as a solution because those CF tokens are too short-lived to be all that useful.

Not sure why that was considered spam, was pointing out the cookie was added and it can be worked around if you have the cookie / can refresh it

@transitive-bullshit
Owner

@abacaj just DM'ed you on twitter; sorry about that.

@lethefrost

> > Unfortunately cf_clearance, cloudflare's cookie to certify it thinks you're a human (by sometimes showing a captcha), is valid only 30min as far as I know (from the same User-Agent, and the same IP I believe).
>
> Interesting, will let you know how long it survives for I have a service running already for 20min~

any update?

@abacaj

abacaj commented Dec 11, 2022

For reference, so far the cf cookie is still valid after 1 hour

@PLhery

PLhery commented Dec 11, 2022

Awesome news, so it may be the solution indeed! Keep us informed

(the default is 30min but it can be changed according to CF https://developers.cloudflare.com/fundamentals/security/challenge-passage/#:~:text=By%20default%2C%20the%20cf_clearance%20cookie,between%2015%20and%2045%20minutes )

@transitive-bullshit
Owner

https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.1.0 adds support for passing the CF clearanceToken. Hat tip to @abacaj

I'm working on a more automated solution to refresh access tokens and clearance tokens. Stay tuned..

@yizhangliu

> https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.1.0 adds support for passing the CF clearanceToken. Hat tip to @abacaj
>
> I'm working on a more automated solution to refresh access tokens and clearance tokens. Stay tuned..

Come on. We all love you.

@alex12058

alex12058 commented Dec 11, 2022

I'm still getting 403 forbidden errors even with the fix. This may just be because ChatGPT is currently at capacity. If I visit https://chat.openai.com/auth/login I see this message at the top of the page:

We're experiencing exceptionally high demand. Please hang tight as we work on scaling our systems.

and the networks tab shows the session request returned error 403.

@transitive-bullshit
Owner

@alex12058 agreed; I'm seeing the same. Still debugging and not sure whether it's because OpenAI is explicitly tamping down on new sessions to try and curtail usage or whether it's a problem with bot detection.

If anyone finds out more info, feel free to post here as well.

@fffiloni

according to this message, there is a _cf_bm cookie that is specifically to prevent bots.

@Ademking

> I'm still getting 403 forbidden errors even with the fix. This may just be because ChatGPT is currently at capacity. If I visit https://chat.openai.com/auth/login I see this message at the top of the page:
>
> We're experiencing exceptionally high demand. Please hang tight as we work on scaling our systems.
>
> and the networks tab shows the session request returned error 403.

image

I think you need to pass "clearanceToken" to ChatGPTAPI

const api = new ChatGPTAPI({
  sessionToken: "TOKEN",
  clearanceToken: "TOKEN"
})

@alex12058

@Ademking Thanks. I am passing the clearanceToken to ChatGPTAPI but I am still getting 403 errors.

@abacaj

abacaj commented Dec 12, 2022

Likely the token is tied to your IP address, still digging

@BooBooKittyFck

Tried a workaround by using cloudscraper instead of requests - it wants me to use a captcha service since it's a hcaptcha.
If someone has any captcha service account supported by cloudscraper you could try that way.

@transitive-bullshit
Owner

For anyone just joining this thread, a bunch of us + the python hackers have been discussing options in here: https://discord.gg/DrSWaCzN

@ronny1020

Thanks for the hard work on the puppeteer demo. However, could I ask what would be the best strategy to update the open AI info from the puppeteer for now? Should I update it every 2 hours or do I have to update it every time request?

@dmonizer

Tried the puppeteer option - works great on desktop, BUT - seems not to run in headless mode, thus it's still impossible to run it on the server where the script runs :(

@ronny1020

ronny1020 commented Dec 12, 2022

> Tried the puppeteer option - works great on desktop, BUT - seems not to run in headless mode, thus it's still impossible to run it on the server where the script runs :(

I have a project running puppeteer on the server. I think the easiest way is to run the project in a docker container. There is an official puppeteer image. Here is the link. https://pptr.dev/guides/docker/

However, the version of node.js in this image is 16.18.1 which doesn't support the fetch that is required by this chatgpt-api package. I don't have a good solution for now.

@transitive-bullshit
Owner

> Thanks for the hard work on the puppeteer demo. However, could I ask what would be the best strategy to update the open AI info from the puppeteer for now? Should I update it every 2 hours or do I have to update it every time request?

The clearance token expires every 2 hours, but some of the other tokens expire sooner, so I recommend every ~45 minutes to an hour. I don't think you need to refresh the full login every time; you can just refresh the CF token.

@transitive-bullshit
Owner

Note: it will be difficult getting it to work on a server since it needs to match the IP address and user agent you used to generate the CF token.

It's also possible that Cloudflare will occasionally ask you to solve a CAPTCHA, which can only really be done locally in headful mode at the moment.

I'm working on an automated solution to bypass the hCaptchas.

@transitive-bullshit
Owner

The latest release includes a puppeteer-based solution to automate login built into the package. Still TODO is automating potential CAPTCHAS.

https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.3.0

@No3ming

No3ming commented Dec 12, 2022

> The latest release includes a puppeteer-based solution to automate login built into the package. Still TODO is automating potential CAPTCHAS.
>
> https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.3.0

Also: ChatGPT failed to refresh auth token. Error: 403 Forbidden

@No3ming

No3ming commented Dec 12, 2022

> The latest release includes a puppeteer-based solution to automate login built into the package. Still TODO is automating potential CAPTCHAS.
>
> https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.3.0

console.log(authInfo)
I get sessionToken: undefined
image

@danielbayley

> I'm working on an automated solution to bypass the hCaptchas.

Nice one @transitive-bullshit. I’m trying to use this in my Alfred workflow, but unfortunately the headful mode breaks the workflow at the moment… Will it be headless once you crack this?

@transitive-bullshit
Owner

@danielbayley yes; the main challenge with headless is auto-solving potential captchas (no guarantee they will appear and no guarantee they won't).

@transitive-bullshit
Owner

> > The latest release includes a puppeteer-based solution to automate login built into the package. Still TODO is automating potential CAPTCHAS.
> > v2.3.0 (release)
>
> console.log(authInfo) I get sessionToken: undefined image

Are you passing email and password?

This will happen if you try to get the auth credentials but don't pass email/password to login.

@No3ming

No3ming commented Dec 13, 2022

> > > The latest release includes a puppeteer-based solution to automate login built into the package. Still TODO is automating potential CAPTCHAS.
> > > v2.3.0 (release)
> >
> > console.log(authInfo) I get sessionToken: undefined image
>
> Are you passing email and password?
>
> This will happen if you try to get the auth credentials but don't pass email/password to login.

Yes! I use email and password to login.

@vvanglro

Hi guys! You can use my project to get cookies. cf-clearance

@danielbayley

> @danielbayley yes; the main challenge with headless is auto-solving potential captchas (no guarantee they will appear and no guarantee they won't).

Does #110 not address this?

@slovx2

slovx2 commented Dec 13, 2022

> Hi guys! You can use my project to get cookies. cf-clearance

Not work using in this lib, still 403

@ikechan8370
Contributor

I'm sure I'm using the same UA and IP address, but I still get a 403 error. Has anyone been able to use it normally?

@JanYork

JanYork commented Dec 14, 2022

> https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.1.0 adds support for passing the CF clearanceToken. Hat tip to @abacaj
>
> I'm working on a more automated solution to refresh access tokens and clearance tokens. Stay tuned..

Is there a perfect bypass solution now? It seems that carrying cookies still has a high chance of being intercepted and returning 403

@transitive-bullshit
Owner

transitive-bullshit commented Dec 14, 2022

> > v2.1.0 (release) adds support for passing the CF clearanceToken. Hat tip to @abacaj
> > I'm working on a more automated solution to refresh access tokens and clearance tokens. Stay tuned..
>
> Is there a perfect bypass solution now? It seems that carrying cookies still has a high chance of being intercepted and returning 403

If you follow all of the instructions carefully, and your account / IP hasn't been permanently flagged by Cloudflare / OpenAI, then you shouldn't ever get a 403 at this point.

My Twitter bot has been running for the past 2 days without a single 403, and others have been able to get it working on Discord. Although it can take a bit of effort to get working, once you have it working, you're set.

The biggest problem at this point is automating the CAPTCHAs.

For anyone trying to get this to work and struggling with 403s:

  • Make sure you're using Node.js >= 18
  • Make sure you're using the latest version of this package
  • Make sure your IP address and user agent match exactly the browser that's being used to generate the CF token and session tokens
    • This means that for most cases, you can't use a proxy or VPN to connect to the API
  • Make sure you're using your local install of Chrome and not the default puppeteer executable (which Cloudflare detects)
  • Make sure you're not using the account in a browser window at the same time (since it can invalidate your bot's credentials)
  • The clearance token expires every 2 hours; make sure you're refreshing it at least every hour or so
  • Double check the Restrictions section of the readme
  • Some users have reported that openai is blocking chrome more than other browsers like firefox / brave, so that may be worth trying

If you're 100% sure you're doing all of these things and are still experiencing 403 errors, then your account or IP address may have been flagged / banned by either Cloudflare or OpenAI. Note that this can happen if you call the API far too aggressively, so be sure to put proper delays in place in your code.

If you can access the webapp normally with the same account, and you've double-checked everything above, then please create a new issue with as much detail about your environment and how you're using the API as possible. Priority will be given to reviewing issues that include a minimal reproduction repo.
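
Added illustration (not part of the thread, and not Cloudflare's or this project's code): a generic model of a challenge-clearance cookie whose signature covers the expiry, client IP and User-Agent, which is one way the behaviour reported above (403 when the IP or user agent differs, or once the token has expired) can arise. The signing key, cookie format, function names and sample values are all hypothetical.

```javascript
// Generic model of a clearance cookie bound to expiry + IP + User-Agent.
// Hypothetical format and names; NOT Cloudflare's actual implementation.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);   // server-side signing key (never sent to clients)
const TTL_MS = 2 * 60 * 60 * 1000;       // 2 h lifetime, the figure reported in the thread

function mac(expiresAt, ip, userAgent) {
  // Length-prefix every field so field boundaries cannot be shifted.
  const h = crypto.createHmac('sha256', SECRET);
  for (const field of [String(expiresAt), ip, userAgent]) {
    const buf = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length);
    h.update(len).update(buf);
  }
  return h.digest();
}

// Issued once the client has passed the challenge.
function issueClearance(ip, userAgent, now = Date.now()) {
  const expiresAt = now + TTL_MS;
  return `${expiresAt}.${mac(expiresAt, ip, userAgent).toString('base64url')}`;
}

// Returns the HTTP status the edge would answer with for this request.
function checkClearance(cookie, ip, userAgent, now = Date.now()) {
  const [exp, tag] = String(cookie).split('.');
  const expiresAt = Number(exp);
  if (!Number.isSafeInteger(expiresAt) || !tag) return 403;  // malformed cookie
  if (now >= expiresAt) return 403;                          // expired
  const expected = mac(expiresAt, ip, userAgent);
  const given = Buffer.from(tag, 'base64url');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return 403;
  return crypto.timingSafeEqual(given, expected) ? 200 : 403;
}

// Constructed sample values (documentation IP ranges, made-up User-Agents).
const t0 = 1670760000000;
const ua = 'Mozilla/5.0 (X11; Linux x86_64) Chrome/108.0.0.0';
const cookie = issueClearance('203.0.113.7', ua, t0);
const results = {
  sameClient: checkClearance(cookie, '203.0.113.7', ua, t0 + 60_000),
  otherIp: checkClearance(cookie, '198.51.100.9', ua, t0 + 60_000),
  otherUa: checkClearance(cookie, '203.0.113.7', 'node-fetch/1.0', t0 + 60_000),
  expired: checkClearance(cookie, '203.0.113.7', ua, t0 + TTL_MS),
};
console.log(results);
```

Because the expiry is inside the signed data, editing the timestamp in the cookie invalidates the tag rather than extending the lifetime.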

@transitive-bullshit
Owner

@optionsx to refresh your cf_clearance token, you must call getOpenAIAuth again and then create a new ChatGPTAPI instance with the updated credentials.

If you don't pass email and password to getOpenAIAuth, it will only refresh the clearance token. Otherwise, you can refresh both the clearance and session tokens by passing email and password.

@tnspartan1

tnspartan1 commented Mar 15, 2023

@transitive-bullshit I ran into this issue while trying out the bot on Twitch
c:\Users\xxxxx\Documents\chatgpt\chatgpt-twitch-bot-main\node_modules\chatgpt\build\index.js:74
const error = new ChatGPTError(msg);
^

ChatGPTError: ChatGPTAPI error 403
at fetchSSE (c:\Users\xxxxx\Documents\chatgpt\chatgpt-twitch-bot-main\node_modules\chatgpt\build\index.js:74:19)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
statusCode: 403,
statusText: 'Forbidden',

I read your guideline and tried different things, but not able to get it to work.
