diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 0a3605521..3a6adb02c 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "d610e2cc6cfe4fdc88ba47600809ad927f8b8ee8", - "syncedAt": "2026-04-25T00:50:19.208Z" + "sha": "5a202f6f909daf37beb951252a80a27f280e4c31", + "syncedAt": "2026-04-25T00:50:56.659Z" } diff --git a/docs/concepts/oauth.md b/docs/concepts/oauth.md index 17bb084ed..9d098dcb9 100644 --- a/docs/concepts/oauth.md +++ b/docs/concepts/oauth.md @@ -44,9 +44,10 @@ To reduce that, OpenClaw treats `auth-profiles.json` as a **token sink**: - the runtime reads credentials from **one place** - we can keep multiple profiles and route them deterministically -- when credentials are reused from an external CLI like Codex CLI, OpenClaw - mirrors them with provenance and re-reads that external source instead of - rotating the refresh token itself +- external CLI reuse is provider-specific: Codex CLI can bootstrap an empty + `openai-codex:default` profile, but once OpenClaw has a local OAuth profile, + the local refresh token is canonical; other integrations can remain + externally managed and re-read their CLI auth store ## Storage (where tokens live) @@ -128,8 +129,11 @@ At runtime: - if `expires` is in the future → use the stored access token - if expired → refresh (under a file lock) and overwrite the stored credentials -- exception: reused external CLI credentials stay externally managed; OpenClaw - re-reads the CLI auth store and never spends the copied refresh token itself +- exception: some external CLI credentials stay externally managed; OpenClaw + re-reads those CLI auth stores instead of spending copied refresh tokens. + Codex CLI bootstrap is intentionally narrower: it seeds an empty + `openai-codex:default` profile, then OpenClaw-owned refreshes keep the local + profile canonical. The refresh flow is automatic; you generally don't need to manage tokens manually.