ChatGPT OAuth helpers for _ChatOpenAICodex.
Implements OAuth 2.0 Authorization Code Flow with PKCE against the OpenAI auth endpoints used by Codex/ChatGPT subscription auth, plus a small file-backed token store and refresh logic.
These helpers exist to keep login and token management separate from model
invocation. _ChatOpenAICodex only consumes a _ChatGPTOAuthTokenProvider.
This is provider-specific subscription auth and is independent from the
standard OpenAI API-key flow used by ChatOpenAI. Refresh-token rotation
against ~/.codex/auth.json can break Codex CLI / VS Code sessions, so
the default store lives at ~/.langchain/chatgpt-auth.json.
These helpers are not an official OpenAI API integration. Use them only where your OpenAI account, workspace, plan, and applicable OpenAI terms permit ChatGPT-authenticated Codex access. You are responsible for ensuring your implementation complies with OpenAI's terms, usage policies, account restrictions, rate limits, and safeguards.
Decode a JWT's payload without signature verification.
This is for local claim extraction only. Never use the returned claims for security or authorization decisions.
Run the ChatGPT OAuth 2.0 Authorization Code Flow with PKCE.
Starts a loopback callback server, optionally opens a browser to the
OpenAI authorize endpoint (when open_browser=True; the URL is always
printed as a fallback), exchanges the returned code for tokens, and
persists them via _FileChatGPTOAuthTokenProvider.
Run the ChatGPT device-code OAuth flow.
This is the headless fallback for environments without a browser. The
function prints a verification URL and user code, polls for completion,
then exchanges the resulting code via the OAuth token endpoint using
CHATGPT_DEVICE_REDIRECT_URI.
