Locked out of Codex because of an old phone number?
so fellas, I found a way how to bypass the bug. All props go to DeepSeek 3 flash and my knowledge of browser automation and session management from my experiments with electron.
Bypass Codex Phone Verification (WhatsApp/SMS Lockout)
The Problem
Codex Desktop/CLI forces phone/WhatsApp verification when you try to log in, even if you have 2FA disabled in your OpenAI account settings. This happens because Codex uses a different OAuth client (app_asdgadfhgafgad) than the web browser (app_123appidclientbs), and that client has phone verification as a mandatory step.
If you’ve lost access to your phone number or can’t receive SMS/WhatsApp, you’re locked out of Codex despite having a valid ChatGPT Pro/Plus account.
The Fix
The trick is: your ChatGPT session contains a valid JWT access token that can be used as an API key. The web browser’s OAuth flow (which allows email-OTP instead of phone) produces a token that Codex accepts via codex login --with-api-key.
Requirements
- Windows PC
- A browser where you’re currently logged into chatgpt.com
- A cookie export extension (like “Get cookies.txt” or “EditThisCookie” for Chrome)
Step-by-Step
1. Export cookies from chatgpt.com
- Go to https://chatgpt.com in your browser (make sure you’re logged in)
- Use a cookie export extension to export cookies for
chatgpt.com - Export in JSON format (most extensions support this)
2. Extract the access token
Open PowerShell and run:
# Load cookies and extract the access token
$cookies = Get-Content “C:\path\to\chatgpt.com_cookies.json” | ConvertFrom-Json
# Build cookie header
$cookieString = (cookies | ForEach-Object { "(\\_.name)=($_.value)" }) -join '; ’
# Call the session endpoint
$session = Invoke-RestMethod -Uri “https://chatgpt.com/api/auth/session” `
-Headers @{ “Cookie” = $cookieString; “Accept” = “application/json” } `
-UserAgent “Mozilla/5.0”
# Save the access token
$session.accessToken | Out-File -FilePath “$env:TEMP\codex_token.txt” -Encoding ascii
Write-Host “Access token extracted! Length: $($session.accessToken.Length)”
3. Pipe the token into Codex
# Replace with your actual Codex path if not in PATH
Get-Content “$env:TEMP\codex_token.txt” | & “$env:LOCALAPPDATA\OpenAI\Codex\bin\\*\codex.exe” login --with-api-key
You should see:
Reading API key from stdin…
Successfully logged in
4. Verify
codex login status
Expected output:
Logged in using an API key - apikey***
That’s it. Codex is now authenticated with your ChatGPT Pro/Plus subscription.
Notes
- The access token is valid until October 2026 (about 3 months from the date of extraction)
- If it expires, just repeat steps 1-3 with fresh cookies
- This uses your ChatGPT Pro/Plus subscription — no separate API billing needed
- The token’s audience is
https://api.openai.com/v1\with scopes formodel.request,model.read, etc. - Your account’s
planType(pro/plus) is preserved
Why This Works
The web browser’s OAuth flow (login via email-OTP) produces a JWT access token signed by OpenAI’s auth server. This token includes your subscription info and is valid for the OpenAI API. Codex’s –with-api-key flag accepts any valid credential that authenticates against api.openai.com/v1 — including this session-derived JWT. The desktop app’s own OAuth flow forces phone verification, but the CLI’s –with-api-key path has no such restriction.
Discussion in the ATmosphere