External Publication
Visit Post

Codex CLI login fails on Windows: auth.openai.com reachable via curl but OAuth/device-auth fail

OpenAI Developer Community May 25, 2026
Source

I’m unable to sign in to Codex CLI on Windows. Both normal ChatGPT OAuth login and device auth fail.

Environment:

  • OS: Windows 11, 10.0.26200
  • Node.js: v24.13.0
  • npm: 11.6.2
  • Codex CLI versions tested: 0.133.0 and 0.132.0
  • Browser tested: Chrome and Edge
  • Device code authorization is enabled in ChatGPT security settings

Errors:

  1. Normal login: Token exchange failed: error sending request for url (https://auth.openai.com/oauth/token)

  2. Device auth: Error logging in with device code: error sending request for url (https://auth.openai.com/api/accounts/deviceauth/usercode)

  3. Browser page sometimes shows: Unexpected token '<', '<!DOCTYPE'... is not valid JSON

Network checks already completed:

  • WinHTTP proxy reset. netsh winhttp show proxy returns direct access / no proxy.
  • Windows system proxy disabled. ProxyEnable = 0, ProxyServer is empty.
  • WLAN DNS restored to DHCP and DNS cache flushed.
  • HTTP_PROXY, HTTPS_PROXY, and ALL_PROXY environment variables removed.
  • Only NO_PROXY=localhost,127.0.0.1,::1 remains.
  • Removed C:\Users\lenovo\.codex\auth.json.
  • Tried codex logout, codex login, and codex login --device-auth.
  • Tried Codex CLI 0.133.0 and 0.132.0.
  • Tried Chrome and Edge.
  • Device code authorization is enabled in ChatGPT security settings.

PowerShell can reach the auth endpoint: curl.exe -I https://auth.openai.com/api/accounts/deviceauth/usercode

It returns: HTTP/1.1 405 Method Not Allowed

So the endpoint is reachable from PowerShell, but Codex CLI still fails to request the device auth endpoint or exchange the OAuth token.

Question: Is this a known Codex CLI authentication issue on Windows, possibly related to auth.openai.com / Cloudflare returning an HTML challenge page instead of JSON? Is there any recommended workaround besides API key login, such as a specific CLI version, debug flag, auth flow, or network configuration?

I can provide sanitized logs if needed, but I will not share auth.json, cookies, API keys, account tokens, or proxy subscription links.

Discussion in the ATmosphere

Loading comments...