{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiguwbogn5xavchjaujvjtjpd5xzhxx3rahr3lyb4ciwqbpwrdzffm",
"uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mpsbibrxaso2"
},
"path": "/t/locked-out-of-codex-because-of-an-old-phone-number/1382387?page=6#post_120",
"publishedAt": "2026-07-04T03:52:06.000Z",
"site": "https://community.openai.com",
"tags": [
"chatgpt.com",
"https://chatgpt.com",
"https://chatgpt.com/api/auth/session",
"https://api.openai.com/v1\\`"
],
"textContent": "so fellas, I found a way how to bypass the bug. All props go to DeepSeek 3 flash and my knowledge of browser automation and session management from my experiments with electron.\n\n# Bypass Codex Phone Verification (WhatsApp/SMS Lockout)\n\n## The Problem\n\nCodex Desktop/CLI forces **phone/WhatsApp verification** when you try to log in, even if you have 2FA disabled in your OpenAI account settings. This happens because Codex uses a different OAuth client (`app_asdgadfhgafgad`) than the web browser (`app_123appidclientbs`), and that client has phone verification as a mandatory step.\n\nIf you’ve lost access to your phone number or can’t receive SMS/WhatsApp, you’re locked out of Codex despite having a valid ChatGPT Pro/Plus account.\n\n## The Fix\n\nThe trick is: your ChatGPT session contains a valid JWT access token that can be used as an API key. The web browser’s OAuth flow (which allows email-OTP instead of phone) produces a token that Codex accepts via `codex login --with-api-key`.\n\n### Requirements\n\n * Windows PC\n * A browser where you’re **currently logged into** chatgpt.com\n * A cookie export extension (like “Get cookies.txt” or “EditThisCookie” for Chrome)\n\n\n\n### Step-by-Step\n\n#### 1. Export cookies from chatgpt.com\n\n 1. Go to https://chatgpt.com in your browser (make sure you’re logged in)\n 2. Use a cookie export extension to export cookies for `chatgpt.com`\n 3. Export in JSON format (most extensions support this)\n\n\n\n#### 2. Extract the access token\n\nOpen PowerShell and run:\n\n```powershell\n\n# Load cookies and extract the access token\n\n$cookies = Get-Content “C:\\path\\to\\chatgpt.com_cookies.json” | ConvertFrom-Json\n\n# Build cookie header\n\n$cookieString = (cookies | ForEach-Object { \"(\\\\_.name)=($_.value)\" }) -join '; ’\n\n# Call the session endpoint\n\n$session = Invoke-RestMethod -Uri “https://chatgpt.com/api/auth/session” `\n-Headers @{ “Cookie” = $cookieString; “Accept” = “application/json” } `\n-UserAgent “Mozilla/5.0”\n\n# Save the access token\n\n$session.accessToken | Out-File -FilePath “$env:TEMP\\codex_token.txt” -Encoding ascii\nWrite-Host “Access token extracted! Length: $($session.accessToken.Length)”\n```\n\n#### 3. Pipe the token into Codex\n\n```powershell\n\n# Replace with your actual Codex path if not in PATH\n\nGet-Content “$env:TEMP\\codex_token.txt” | & “$env:LOCALAPPDATA\\OpenAI\\Codex\\bin\\\\*\\codex.exe” login --with-api-key\n```\n\nYou should see:\n```\nReading API key from stdin…\nSuccessfully logged in\n```\n\n#### 4. Verify\n\n```powershell\ncodex login status\n```\n\nExpected output:\n```\nLogged in using an API key - apikey***\n```\n\nThat’s it. Codex is now authenticated with your ChatGPT Pro/Plus subscription.\n\n### Notes\n\n * The access token is valid until October 2026 (about 3 months from the date of extraction)\n * If it expires, just repeat steps 1-3 with fresh cookies\n * This uses your ChatGPT Pro/Plus subscription — no separate API billing needed\n * The token’s audience is `https://api.openai.com/v1\\` with scopes for `model.request`, `model.read`, etc.\n * Your account’s `planType` (pro/plus) is preserved\n\n\n\n### Why This Works\n\nThe web browser’s OAuth flow (login via email-OTP) produces a JWT access token signed by OpenAI’s auth server. This token includes your subscription info and is valid for the OpenAI API. Codex’s `–with-api-key` flag accepts any valid credential that authenticates against `api.openai.com/v1` — including this session-derived JWT. The desktop app’s own OAuth flow forces phone verification, but the CLI’s `–with-api-key` path has no such restriction.",
"title": "Locked out of Codex because of an old phone number?"
}