codex-auth 0.1.0__py3-none-any.whl

codex_auth/__init__.py

@@ -0,0 +1,46 @@
+"""codex-auth — drop-in Codex OAuth for the OpenAI Python SDK.
+
+    import codex_auth           # patches openai automatically
+    from openai import OpenAI
+    client = OpenAI()           # uses Codex OAuth, no API key needed
+
+Or use the explicit client:
+
+    from codex_auth import CodexClient
+    client = CodexClient()
+"""
+
+import os
+
+from .auth import authenticate
+from .client import AsyncCodexClient, CodexClient
+from .patch import apply_patch, remove_patch
+from .tokens import VERSION as __version__  # noqa: N811
+
+__all__ = [
+    "__version__",
+    "CodexClient",
+    "AsyncCodexClient",
+    "authenticate",
+    "apply_patch",
+    "remove_patch",
+    "init",
+]
+
+_auto_patched = False
+
+
+def init(auto_patch: bool = True) -> None:
+    """Called on import. Set ``CODEX_AUTH_NO_PATCH=1`` to suppress."""
+    global _auto_patched
+    if auto_patch and not _auto_patched:
+        if os.environ.get("CODEX_AUTH_NO_PATCH") == "1":
+            return
+        apply_patch()
+        _auto_patched = True
+    elif not auto_patch and _auto_patched:
+        remove_patch()
+        _auto_patched = False
+
+
+init()

codex_auth/auth.py

@@ -0,0 +1,268 @@
+"""Browser (PKCE) and device-code OAuth flows."""
+
+from __future__ import annotations
+
+import http.server
+import logging
+import os
+import sys
+import threading
+import time
+import urllib.parse
+import webbrowser
+from typing import Any
+
+import httpx
+
+from .tokens import (
+    CLIENT_ID,
+    ISSUER,
+    OAUTH_PORT,
+    OAUTH_SCOPES,
+    TOKEN_URL,
+    USER_AGENT,
+    AuthTokens,
+    TokenStore,
+    generate_pkce,
+    generate_state,
+)
+
+log = logging.getLogger(__name__)
+
+_TIMEOUT = httpx.Timeout(30.0, connect=10.0)
+_token_store = TokenStore()
+
+
+def _exchange_code(code: str, redirect_uri: str, verifier: str) -> dict[str, Any]:
+    r = httpx.post(
+        TOKEN_URL,
+        data={
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": redirect_uri,
+            "client_id": CLIENT_ID,
+            "code_verifier": verifier,
+        },
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+        timeout=_TIMEOUT,
+    )
+    r.raise_for_status()
+    return r.json()
+
+
+def refresh_access_token(refresh_token: str) -> dict[str, Any]:
+    r = httpx.post(
+        TOKEN_URL,
+        data={
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+            "client_id": CLIENT_ID,
+        },
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+        timeout=_TIMEOUT,
+    )
+    r.raise_for_status()
+    return r.json()
+
+
+def _authorize_url(redirect_uri: str, challenge: str, state: str) -> str:
+    params = urllib.parse.urlencode({
+        "response_type": "code",
+        "client_id": CLIENT_ID,
+        "redirect_uri": redirect_uri,
+        "scope": OAUTH_SCOPES,
+        "code_challenge": challenge,
+        "code_challenge_method": "S256",
+        "id_token_add_organizations": "true",
+        "codex_cli_simplified_flow": "true",
+        "state": state,
+        "originator": "codex-auth",
+    })
+    return f"{ISSUER}/oauth/authorize?{params}"
+
+
+_HTML_OK = (
+    "<!doctype html><html><head><title>Codex Auth</title>"
+    "<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;"
+    "align-items:center;height:100vh;margin:0;background:#131010;color:#f1ecec}"
+    ".c{text-align:center;padding:2rem}h1{margin-bottom:1rem}p{color:#b7b1b1}</style>"
+    "</head><body><div class='c'><h1>Authorization Successful</h1>"
+    "<p>You can close this window.</p></div>"
+    "<script>setTimeout(()=>window.close(),2000)</script></body></html>"
+)
+
+_HTML_ERR = (
+    "<!doctype html><html><head><title>Codex Auth</title>"
+    "<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;"
+    "align-items:center;height:100vh;margin:0;background:#131010;color:#f1ecec}"
+    ".c{text-align:center;padding:2rem}h1{color:#fc533a;margin-bottom:1rem}"
+    "p{color:#b7b1b1}.e{color:#ff917b;font-family:monospace;margin-top:1rem;"
+    "padding:1rem;background:#3c140d;border-radius:.5rem}</style>"
+    "</head><body><div class='c'><h1>Authorization Failed</h1>"
+    "<p>An error occurred.</p><div class='e'>%s</div></div></body></html>"
+)
+
+
+class _CallbackHandler(http.server.BaseHTTPRequestHandler):
+    code: str | None = None
+    state: str | None = None
+    error: str | None = None
+
+    def do_GET(self) -> None:
+        parsed = urllib.parse.urlparse(self.path)
+        qs = urllib.parse.parse_qs(parsed.query)
+
+        if parsed.path != "/auth/callback":
+            self.send_response(404)
+            self.end_headers()
+            return
+
+        if "error" in qs:
+            msg = qs.get("error_description", qs["error"])[0]
+            _CallbackHandler.error = msg
+            self._html(200, _HTML_ERR % msg)
+            return
+
+        code = qs.get("code", [None])[0]
+        if not code:
+            _CallbackHandler.error = "Missing authorization code"
+            self._html(400, _HTML_ERR % "Missing authorization code")
+            return
+
+        _CallbackHandler.code = code
+        _CallbackHandler.state = qs.get("state", [None])[0]
+        self._html(200, _HTML_OK)
+
+    def _html(self, status: int, body: str) -> None:
+        self.send_response(status)
+        self.send_header("Content-Type", "text/html")
+        self.end_headers()
+        self.wfile.write(body.encode())
+
+    def log_message(self, format: str, *args: Any) -> None:
+        pass
+
+
+def browser_auth() -> AuthTokens:
+    verifier, challenge = generate_pkce()
+    state = generate_state()
+    redirect = f"http://localhost:{OAUTH_PORT}/auth/callback"
+    url = _authorize_url(redirect, challenge, state)
+
+    _CallbackHandler.code = _CallbackHandler.state = _CallbackHandler.error = None
+
+    srv = http.server.HTTPServer(("localhost", OAUTH_PORT), _CallbackHandler)
+    srv.timeout = 300
+
+    def serve() -> None:
+        while _CallbackHandler.code is None and _CallbackHandler.error is None:
+            srv.handle_request()
+
+    t = threading.Thread(target=serve, daemon=True)
+    t.start()
+
+    print(f"Opening browser for authentication...\nIf it doesn't open, visit:\n  {url}")
+    webbrowser.open(url)
+
+    t.join(timeout=300)
+    srv.server_close()
+
+    if _CallbackHandler.error:
+        raise RuntimeError(f"OAuth error: {_CallbackHandler.error}")
+    if not _CallbackHandler.code:
+        raise TimeoutError("OAuth callback timed out")
+    if _CallbackHandler.state != state:
+        raise RuntimeError("OAuth state mismatch — possible CSRF")
+
+    raw = _exchange_code(_CallbackHandler.code, redirect, verifier)
+    auth = AuthTokens.from_response(raw)
+    _token_store.save(auth)
+    return auth
+
+
+def device_auth() -> AuthTokens:
+    r = httpx.post(
+        f"{ISSUER}/api/accounts/deviceauth/usercode",
+        json={"client_id": CLIENT_ID},
+        headers={"Content-Type": "application/json", "User-Agent": USER_AGENT},
+        timeout=_TIMEOUT,
+    )
+    r.raise_for_status()
+    data = r.json()
+
+    device_id = data["device_auth_id"]
+    user_code = data["user_code"]
+    interval = max(int(data.get("interval", 5)), 1)
+
+    print(f"\nTo authenticate, visit: {ISSUER}/codex/device")
+    print(f"Enter code: {user_code}\n")
+
+    for _ in range(300 // interval):
+        time.sleep(interval + 3)
+
+        poll = httpx.post(
+            f"{ISSUER}/api/accounts/deviceauth/token",
+            json={"device_auth_id": device_id, "user_code": user_code},
+            headers={"Content-Type": "application/json", "User-Agent": USER_AGENT},
+            timeout=_TIMEOUT,
+        )
+
+        if poll.status_code in (403, 404):
+            continue
+
+        if poll.is_success:
+            d = poll.json()
+            tok = httpx.post(
+                TOKEN_URL,
+                data={
+                    "grant_type": "authorization_code",
+                    "code": d["authorization_code"],
+                    "redirect_uri": f"{ISSUER}/deviceauth/callback",
+                    "client_id": CLIENT_ID,
+                    "code_verifier": d["code_verifier"],
+                },
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+                timeout=_TIMEOUT,
+            )
+            tok.raise_for_status()
+            auth = AuthTokens.from_response(tok.json())
+            _token_store.save(auth)
+            print("Authentication successful!")
+            return auth
+
+        raise RuntimeError(f"Device auth failed: HTTP {poll.status_code}")
+
+    raise TimeoutError("Device authentication timed out")
+
+
+def _has_display() -> bool:
+    if sys.platform in ("darwin", "win32"):
+        return True
+    return bool(os.environ.get("DISPLAY") or os.environ.get("WAYLAND_DISPLAY"))
+
+
+def authenticate(force: bool = False) -> AuthTokens:
+    """Return valid tokens — from cache, refresh, or a fresh OAuth flow."""
+    if not force:
+        existing = _token_store.load()
+        if existing and existing.access_token:
+            if not existing.is_expired():
+                return existing
+            if existing.refresh_token:
+                try:
+                    raw = refresh_access_token(existing.refresh_token)
+                    auth = AuthTokens.from_response(
+                        raw, existing.refresh_token, existing.account_id,
+                    )
+                    _token_store.save(auth)
+                    return auth
+                except Exception:
+                    log.debug("Token refresh failed, re-authenticating", exc_info=True)
+
+    if _has_display():
+        try:
+            return browser_auth()
+        except Exception as exc:
+            print(f"Browser auth failed ({exc}), trying device flow...")
+
+    return device_auth()

codex_auth/client.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+import httpx
+import openai
+
+from .auth import authenticate
+from .patch import AsyncCodexTransport, CodexTransport
+from .tokens import AuthTokens, TokenStore
+
+
+class CodexClient(openai.OpenAI):
+    """``openai.OpenAI`` subclass that authenticates via Codex OAuth."""
+
+    def __init__(self, *, token: str | None = None, **kwargs: object) -> None:
+        store = TokenStore()
+        auth = AuthTokens(access_token=token) if token else authenticate()
+
+        kwargs.setdefault(
+            "http_client",
+            httpx.Client(transport=CodexTransport(auth_tokens=auth, token_store=store)),
+        )
+        kwargs.setdefault("api_key", "codex-auth-dummy-key")
+        super().__init__(**kwargs)
+
+
+class AsyncCodexClient(openai.AsyncOpenAI):
+    """Async variant of :class:`CodexClient`."""
+
+    def __init__(self, *, token: str | None = None, **kwargs: object) -> None:
+        store = TokenStore()
+        auth = AuthTokens(access_token=token) if token else authenticate()
+
+        kwargs.setdefault(
+            "http_client",
+            httpx.AsyncClient(transport=AsyncCodexTransport(auth_tokens=auth, token_store=store)),
+        )
+        kwargs.setdefault("api_key", "codex-auth-dummy-key")
+        super().__init__(**kwargs)

codex_auth/patch.py

@@ -0,0 +1,280 @@
+"""Monkey-patch the OpenAI SDK to route requests through Codex OAuth."""
+
+from __future__ import annotations
+
+import json
+import logging
+
+import httpx
+import openai
+
+from .auth import authenticate, refresh_access_token
+from .tokens import CODEX_PARSED_URL, USER_AGENT, AuthTokens, TokenStore
+
+log = logging.getLogger(__name__)
+
+_original_init = None
+_original_async_init = None
+_patched = False
+
+
+def _chat_completions_to_responses(body: dict) -> dict:
+    """The Codex endpoint only speaks the Responses API."""
+    messages = body.get("messages", [])
+    instructions: list[str] = []
+    items: list[dict] = []
+
+    for msg in messages:
+        role = msg.get("role", "")
+        content = msg.get("content", "")
+        if role in ("system", "developer"):
+            if isinstance(content, str):
+                instructions.append(content)
+            elif isinstance(content, list):
+                instructions.extend(
+                    p.get("text", "") for p in content
+                    if isinstance(p, dict) and p.get("type") == "text"
+                )
+        elif role in ("user", "assistant"):
+            items.append({"role": role, "content": content})
+
+    result: dict = {
+        "model": body.get("model", ""),
+        "instructions": "\n".join(instructions) or "You are a helpful assistant.",
+        "input": items,
+        "store": False,
+        "stream": True,
+    }
+    for key in ("temperature", "max_output_tokens", "top_p", "tools"):
+        if key in body:
+            result[key] = body[key]
+    if "max_tokens" in body and "max_output_tokens" not in body:
+        result["max_output_tokens"] = body["max_tokens"]
+    return result
+
+
+def _normalize_responses_body(body: dict) -> dict:
+    body = body.copy()
+    if isinstance(body.get("input"), str):
+        body["input"] = [{"role": "user", "content": body["input"]}]
+    body.setdefault("instructions", "You are a helpful assistant.")
+    body["store"] = False
+    body["stream"] = True
+    return body
+
+
+def _extract_sse_response(raw: bytes) -> dict | None:
+    """Parse SSE bytes and return the response dict from the completed event."""
+    for line in raw.decode("utf-8", errors="replace").splitlines():
+        if not line.startswith("data: ") or line == "data: [DONE]":
+            continue
+        try:
+            event = json.loads(line[6:])
+            if event.get("type") == "response.completed":
+                return event.get("response")
+        except json.JSONDecodeError:
+            continue
+    return None
+
+
+def _responses_to_chat_completion(resp: dict) -> dict:
+    """Convert a Responses API response object to chat.completions format."""
+    status = resp.get("status", "completed")
+    return {
+        "id": resp.get("id", ""),
+        "object": "chat.completion",
+        "created": int(resp.get("created_at", 0)),
+        "model": resp.get("model", ""),
+        "choices": [{
+            "index": 0,
+            "message": {"role": "assistant", "content": resp.get("output_text", "")},
+            "finish_reason": "stop" if status == "completed" else "length",
+        }],
+        "usage": resp.get("usage", {}),
+    }
+
+
+def _buffer_sse(raw: bytes, as_chat_completion: bool = False) -> httpx.Response | None:
+    """Turn raw SSE bytes into a JSON httpx.Response, or None on failure."""
+    resp = _extract_sse_response(raw)
+    if resp is None:
+        return None
+    if as_chat_completion:
+        resp = _responses_to_chat_completion(resp)
+    body = json.dumps(resp).encode()
+    return httpx.Response(200, headers={"content-type": "application/json"}, content=body)
+
+
+def _ensure_valid_auth(
+    auth: AuthTokens | None, store: TokenStore,
+) -> AuthTokens:
+    if auth is None:
+        return authenticate()
+
+    if auth.is_expired() and auth.refresh_token:
+        try:
+            raw = refresh_access_token(auth.refresh_token)
+            auth = AuthTokens.from_response(
+                raw, auth.refresh_token, auth.account_id,
+            )
+            store.save(auth)
+        except Exception:
+            log.debug("Token refresh failed, re-authenticating", exc_info=True)
+            auth = authenticate(force=True)
+
+    return auth
+
+
+def _is_codex_path(path: str) -> bool:
+    return "/chat/completions" in path or "/v1/responses" in path
+
+
+def _user_wants_stream(request: httpx.Request) -> bool:
+    try:
+        return json.loads(request.content).get("stream") is True
+    except Exception:
+        return False
+
+
+def _rewrite_request(request: httpx.Request, auth: AuthTokens) -> httpx.Request:
+    path = request.url.path
+    is_chat = "/chat/completions" in path
+
+    if not (is_chat or "/v1/responses" in path):
+        request.headers["authorization"] = f"Bearer {auth.access_token}"
+        if auth.account_id:
+            request.headers["chatgpt-account-id"] = auth.account_id
+        return request
+
+    p = CODEX_PARSED_URL
+    request.url = request.url.copy_with(
+        scheme=p.scheme, host=p.hostname, port=p.port, path=p.path,
+    )
+
+    try:
+        body = json.loads(request.content)
+        body = _chat_completions_to_responses(body) if is_chat else _normalize_responses_body(body)
+        content = json.dumps(body).encode()
+    except (json.JSONDecodeError, UnicodeDecodeError):
+        content = request.content
+
+    headers = {
+        k: v for k, v in request.headers.items()
+        if not k.lower().startswith("x-stainless")
+    }
+    headers.update({
+        "host": p.hostname,
+        "user-agent": USER_AGENT,
+        "originator": "codex-auth",
+        "authorization": f"Bearer {auth.access_token}",
+        "content-length": str(len(content)),
+    })
+    if auth.account_id:
+        headers["chatgpt-account-id"] = auth.account_id
+
+    return httpx.Request(
+        method=request.method, url=request.url,
+        headers=headers, content=content,
+    )
+
+
+class CodexTransport(httpx.BaseTransport):
+    def __init__(
+        self,
+        auth_tokens: AuthTokens | None = None,
+        token_store: TokenStore | None = None,
+        wrapped: httpx.BaseTransport | None = None,
+    ):
+        self._auth = auth_tokens
+        self._store = token_store or TokenStore()
+        self._wrapped = wrapped or httpx.HTTPTransport()
+
+    def handle_request(self, request: httpx.Request) -> httpx.Response:
+        self._auth = _ensure_valid_auth(self._auth, self._store)
+        path = request.url.path
+        needs_buffer = _is_codex_path(path) and not _user_wants_stream(request)
+        is_chat = "/chat/completions" in path
+
+        response = self._wrapped.handle_request(_rewrite_request(request, self._auth))
+
+        if needs_buffer and response.status_code == 200:
+            buffered = _buffer_sse(response.read(), as_chat_completion=is_chat)
+            if buffered is not None:
+                return buffered
+
+        return response
+
+    def close(self) -> None:
+        self._wrapped.close()
+
+
+class AsyncCodexTransport(httpx.AsyncBaseTransport):
+    def __init__(
+        self,
+        auth_tokens: AuthTokens | None = None,
+        token_store: TokenStore | None = None,
+        wrapped: httpx.AsyncBaseTransport | None = None,
+    ):
+        self._auth = auth_tokens
+        self._store = token_store or TokenStore()
+        self._wrapped = wrapped or httpx.AsyncHTTPTransport()
+
+    async def handle_async_request(self, request: httpx.Request) -> httpx.Response:
+        self._auth = _ensure_valid_auth(self._auth, self._store)
+        path = request.url.path
+        needs_buffer = _is_codex_path(path) and not _user_wants_stream(request)
+        is_chat = "/chat/completions" in path
+
+        response = await self._wrapped.handle_async_request(
+            _rewrite_request(request, self._auth)
+        )
+
+        if needs_buffer and response.status_code == 200:
+            buffered = _buffer_sse(await response.aread(), as_chat_completion=is_chat)
+            if buffered is not None:
+                return buffered
+
+        return response
+
+    async def aclose(self) -> None:
+        await self._wrapped.aclose()
+
+
+def apply_patch() -> None:
+    global _original_init, _original_async_init, _patched
+    if _patched:
+        return
+
+    _original_init = openai.OpenAI.__init__
+    _original_async_init = openai.AsyncOpenAI.__init__
+
+    # Capture in locals — the globals get nulled by remove_patch()
+    real_init = _original_init
+    real_async_init = _original_async_init
+
+    def patched_init(self, **kw):
+        kw.setdefault("http_client", httpx.Client(transport=CodexTransport()))
+        kw.setdefault("api_key", "codex-auth-dummy-key")
+        real_init(self, **kw)
+
+    def patched_async_init(self, **kw):
+        kw.setdefault("http_client", httpx.AsyncClient(transport=AsyncCodexTransport()))
+        kw.setdefault("api_key", "codex-auth-dummy-key")
+        real_async_init(self, **kw)
+
+    openai.OpenAI.__init__ = patched_init  # type: ignore[assignment]
+    openai.AsyncOpenAI.__init__ = patched_async_init  # type: ignore[assignment]
+    _patched = True
+
+
+def remove_patch() -> None:
+    global _original_init, _original_async_init, _patched
+    if not _patched or _original_init is None:
+        return
+
+    openai.OpenAI.__init__ = _original_init  # type: ignore[assignment]
+    if _original_async_init is not None:
+        openai.AsyncOpenAI.__init__ = _original_async_init  # type: ignore[assignment]
+
+    _original_init = _original_async_init = None
+    _patched = False

codex_auth/tokens.py

@@ -0,0 +1,138 @@
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import os
+import platform as _platform
+import secrets
+import time
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Any
+from urllib.parse import urlparse
+
+VERSION = "0.1.0"
+
+CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
+ISSUER = "https://auth.openai.com"
+TOKEN_URL = f"{ISSUER}/oauth/token"
+CODEX_API_ENDPOINT = "https://chatgpt.com/backend-api/codex/responses"
+CODEX_PARSED_URL = urlparse(CODEX_API_ENDPOINT)
+OAUTH_PORT = 1455
+OAUTH_SCOPES = "openid profile email offline_access"
+
+AUTH_DIR = Path.home() / ".codex-auth"
+AUTH_FILE = AUTH_DIR / "auth.json"
+
+USER_AGENT = (
+    f"codex-auth/{VERSION}"
+    f" ({_platform.system()} {_platform.release()}; {_platform.machine()})"
+)
+
+
+def _base64url(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+def generate_pkce() -> tuple[str, str]:
+    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
+    verifier = "".join(secrets.choice(alphabet) for _ in range(64))
+    challenge = _base64url(hashlib.sha256(verifier.encode("ascii")).digest())
+    return verifier, challenge
+
+
+def generate_state() -> str:
+    return _base64url(secrets.token_bytes(32))
+
+
+def parse_jwt_claims(token: str) -> dict[str, Any] | None:
+    parts = token.split(".")
+    if len(parts) != 3:
+        return None
+    try:
+        payload = parts[1] + "=" * (-len(parts[1]) % 4)
+        return json.loads(base64.urlsafe_b64decode(payload))
+    except Exception:
+        return None
+
+
+def extract_account_id(tokens: dict[str, str]) -> str | None:
+    """Try id_token then access_token, checking several known claim locations."""
+    for key in ("id_token", "access_token"):
+        raw = tokens.get(key)
+        if not raw:
+            continue
+        claims = parse_jwt_claims(raw)
+        if not claims:
+            continue
+
+        if acct := claims.get("chatgpt_account_id"):
+            return acct
+
+        nested = claims.get("https://api.openai.com/auth")
+        if isinstance(nested, dict) and (acct := nested.get("chatgpt_account_id")):
+            return acct
+
+        orgs = claims.get("organizations", [])
+        if orgs and isinstance(orgs[0], dict) and (acct := orgs[0].get("id")):
+            return acct
+
+    return None
+
+
+@dataclass
+class AuthTokens:
+    access_token: str
+    refresh_token: str = ""
+    expires: float = 0.0
+    account_id: str = ""
+
+    def is_expired(self) -> bool:
+        return bool(self.expires) and time.time() * 1000 >= self.expires
+
+    @classmethod
+    def from_response(
+        cls,
+        raw: dict[str, Any],
+        fallback_refresh: str = "",
+        fallback_account_id: str = "",
+    ) -> AuthTokens:
+        return cls(
+            access_token=raw["access_token"],
+            refresh_token=raw.get("refresh_token", fallback_refresh),
+            expires=time.time() * 1000 + raw.get("expires_in", 3600) * 1000,
+            account_id=extract_account_id(raw) or fallback_account_id,
+        )
+
+
+@dataclass
+class TokenStore:
+    auth_file: Path = field(default_factory=lambda: AUTH_FILE)
+
+    def load(self) -> AuthTokens | None:
+        if env_token := os.environ.get("CODEX_AUTH_TOKEN"):
+            return AuthTokens(access_token=env_token)
+        try:
+            data = json.loads(self.auth_file.read_text())
+            return AuthTokens(
+                access_token=data.get("access_token", ""),
+                refresh_token=data.get("refresh_token", ""),
+                expires=data.get("expires", 0),
+                account_id=data.get("account_id", ""),
+            )
+        except (json.JSONDecodeError, OSError):
+            return None
+
+    def save(self, tokens: AuthTokens) -> None:
+        self.auth_file.parent.mkdir(parents=True, exist_ok=True)
+        self.auth_file.write_text(json.dumps({
+            "access_token": tokens.access_token,
+            "refresh_token": tokens.refresh_token,
+            "expires": tokens.expires,
+            "account_id": tokens.account_id,
+        }, indent=2))
+        self.auth_file.chmod(0o600)
+
+    def clear(self) -> None:
+        self.auth_file.unlink(missing_ok=True)

codex_auth-0.1.0.dist-info/METADATA

@@ -0,0 +1,128 @@
+Metadata-Version: 2.4
+Name: codex-auth
+Version: 0.1.0
+Summary: Drop-in OpenAI SDK patch for ChatGPT Codex OAuth authentication
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Typing :: Typed
+Requires-Python: >=3.10
+Requires-Dist: httpx>=0.24
+Requires-Dist: openai>=1.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.21; extra == 'dev'
+Requires-Dist: pytest>=7.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# codex-auth
+
+Drop-in OAuth for the OpenAI Python SDK — use the ChatGPT Codex API with your Pro/Plus account instead of an API key.
+
+## Install
+
+```bash
+pip install codex-auth
+```
+
+## Usage
+
+```python
+import codex_auth
+
+from openai import OpenAI
+client = OpenAI()  # no API key needed
+
+response = client.responses.create(
+    model="gpt-5.1-codex-mini",
+    input="Write a one-sentence bedtime story about a unicorn.",
+)
+print(response.output_text)
+```
+
+A browser window opens on first run for OAuth. Tokens are cached in
+`~/.codex-auth/auth.json` and refreshed automatically.
+
+Both streaming and non-streaming calls work — the library handles the
+Codex endpoint's streaming requirement transparently.
+
+### Streaming
+
+```python
+stream = client.responses.create(
+    model="gpt-5.1-codex-mini",
+    input="Write a hello-world in Rust.",
+    stream=True,
+)
+for event in stream:
+    if event.type == "response.completed":
+        print(event.response.output_text)
+```
+
+### `chat.completions` compatibility
+
+Existing code using `chat.completions` works too — requests are converted
+to the Responses API format automatically:
+
+```python
+response = client.chat.completions.create(
+    model="gpt-5.1-codex-mini",
+    messages=[{"role": "user", "content": "Hello!"}],
+)
+print(response.choices[0].message.content)
+```
+
+### Explicit client
+
+If you prefer not to monkey-patch:
+
+```python
+from codex_auth import CodexClient
+
+client = CodexClient()            # browser / device auth
+client = CodexClient(token="…")   # existing token
+```
+
+Async variant:
+
+```python
+from codex_auth import AsyncCodexClient
+client = AsyncCodexClient()
+```
+
+### Disable auto-patch
+
+```bash
+export CODEX_AUTH_NO_PATCH=1
+```
+
+Or in code:
+
+```python
+import codex_auth
+codex_auth.init(auto_patch=False)
+```
+
+## How it works
+
+A custom [httpx transport](https://www.python-httpx.org/advanced/transports/) intercepts OpenAI SDK requests to:
+
+1. Rewrite URLs to the Codex backend (`chatgpt.com/backend-api/codex/responses`)
+2. Convert `chat.completions` payloads to the Responses API format
+3. Buffer SSE responses for non-streaming callers
+4. Inject OAuth bearer tokens and refresh them transparently
+
+Browser-based PKCE auth is used on desktop; device-code flow on headless/SSH.
+
+## Token storage
+
+`~/.codex-auth/auth.json` (mode `0600`). Override with `CODEX_AUTH_TOKEN` env var.
+
+## License
+
+MIT

codex_auth-0.1.0.dist-info/RECORD

@@ -0,0 +1,10 @@
+codex_auth/__init__.py,sha256=sK5l1PEb3NGKoFKfK3iCJCb3eVp1X3OjvaXkLxEaSX4,1109
+codex_auth/auth.py,sha256=YXuap9USefPiBr07vAeXhf33EJDkVRZP-54TtYA1qnQ,8568
+codex_auth/client.py,sha256=kNZjdQhsrTk3nM0FI1_npvOx_KixmVP0cb0Fnk8DW74,1275
+codex_auth/patch.py,sha256=t33iE3kV4agxjpjajjKgYqbcfon4_I-OIwBMMGuUsBg,9385
+codex_auth/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+codex_auth/tokens.py,sha256=EfyYYNJIRPaSGQisf0gr9edM5SCatOqEQ595sRnfoho,4191
+codex_auth-0.1.0.dist-info/METADATA,sha256=YpnB_a1n4Ko2_hF-nxbCUTQK8Ydb5umyuzLkkbEj1ww,3151
+codex_auth-0.1.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+codex_auth-0.1.0.dist-info/licenses/LICENSE,sha256=J2DYk1GTb8XHFUCH50BQDdbj4keTGgj9Bdf8PpB7HY0,432
+codex_auth-0.1.0.dist-info/RECORD,,

codex_auth-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.29.0
+Root-Is-Purelib: true
+Tag: py3-none-any

codex_auth-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,11 @@
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+                    Version 2, December 2004
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.