You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Both codex-engine workflows that ran in the last 6 hours failed with identical 401 Unauthorized errors from OpenAI, exhausting all reconnect retries before terminating. This is a P0 credential issue blocking all codex-engine workflows.
Root Cause
Codex (v0.121.0) is configured with requires_openai_auth: true and auth: None — meaning it relies entirely on an environment credential (OPENAI_API_KEY or similar). The engine attempts `(api.openai.com/redacted) and receives:
unexpected status 401 Unauthorized: Missing bearer or basic authentication in header
url: (api.openai.com/redacted)
This surfaces after 5 reconnect retries, causing the agent job to fail with no output emitted.
Verify OPENAI_API_KEY repository secret — confirm it is set, not expired, and has access to the gpt-5.3-codex model
Check OpenAI project/org headers — codex reads OPENAI_PROJECT and OPENAI_ORGANIZATION env vars; verify these are still valid
Confirm model availability — gpt-5.3-codex may require explicit API access or a different endpoint; check if /v1/responses is the correct endpoint for this model
Test with explicit token — if using experimental_bearer_token, verify the token hasn't rotated
Success Criteria
Codex engine completes without 401 errors on the next scheduled run of Daily Observability Report or a PR-triggered AI Moderator run.
Problem Statement
Both codex-engine workflows that ran in the last 6 hours failed with identical
401 Unauthorizederrors from OpenAI, exhausting all reconnect retries before terminating. This is a P0 credential issue blocking all codex-engine workflows.Root Cause
Codex (v0.121.0) is configured with
requires_openai_auth: trueandauth: None— meaning it relies entirely on an environment credential (OPENAI_API_KEYor similar). The engine attempts `(api.openai.com/redacted) and receives:This surfaces after 5 reconnect retries, causing the
agentjob to fail with no output emitted.Affected Workflows & Run IDs
Both workflows: pre_activation ✅ → activation ✅ → agent ❌ (1.2m and 2.6m respectively)
Additional Signals
experimental_bearer_token: None— no explicit token overridegpt-5.3-codex— possibly a new model ID requiring a specific API tierchatgpt.com:443is being blocked by firewall (codex tries to cache plugin IDs there) — separate but worth noting@pelikhan's comment on [aw] Daily Observability Report for AWF Firewall and MCP Gateway failed #27115: "codex woes. New endpoint?" — suggests possible API endpoint migration may also be relevantProposed Remediation
OPENAI_API_KEYrepository secret — confirm it is set, not expired, and has access to thegpt-5.3-codexmodelOPENAI_PROJECTandOPENAI_ORGANIZATIONenv vars; verify these are still validgpt-5.3-codexmay require explicit API access or a different endpoint; check if/v1/responsesis the correct endpoint for this modelexperimental_bearer_token, verify the token hasn't rotatedSuccess Criteria
Codex engine completes without
401errors on the next scheduled run of Daily Observability Report or a PR-triggered AI Moderator run.References: