From f47bb2a294e81f51970868f666476095a7ebf761 Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Sun, 22 Feb 2026 22:22:06 +0100
Subject: [PATCH 1/9] Add OpenAI ChatGPT Plus OAuth device flow and provider UI

---
 interface/src/api/client.ts       |  39 ++++
 interface/src/routes/Settings.tsx | 128 +++++++++++
 src/api/providers.rs              | 230 ++++++++++++++++----
 src/api/server.rs                 |   8 +
 src/config.rs                     |  24 ++-
 src/lib.rs                        |   1 +
 src/llm/manager.rs                | 118 +++++++++--
 src/llm/model.rs                  |  41 +++-
 src/main.rs                       |  24 ++-
 src/openai_auth.rs                | 341 ++++++++++++++++++++++++++++++
 10 files changed, 883 insertions(+), 71 deletions(-)
 create mode 100644 src/openai_auth.rs

diff --git a/interface/src/api/client.ts b/interface/src/api/client.ts
index 8a320a265..5fc4e9ca3 100644
--- a/interface/src/api/client.ts
+++ b/interface/src/api/client.ts
@@ -695,6 +695,15 @@ export interface ProviderModelTestResponse {
 	sample: string | null;
 }
 
+export interface OpenAiOAuthStartResponse {
+	success: boolean;
+	message: string;
+	device_auth_id: string | null;
+	user_code: string | null;
+	poll_interval_secs: number | null;
+	authorization_url: string | null;
+}
+
 // -- Model Types --
 
 export interface ModelInfo {
@@ -1153,6 +1162,36 @@ export const api = {
 		}
 		return response.json() as Promise<ProviderModelTestResponse>;
 	},
+	startOpenAiOAuth: async () => {
+		const response = await fetch(`${API_BASE}/providers/openai/oauth/start`, {
+			method: "POST",
+		});
+		if (!response.ok) {
+			throw new Error(`API error: ${response.status}`);
+		}
+		return response.json() as Promise<OpenAiOAuthStartResponse>;
+	},
+	completeOpenAiOAuth: async (params: {
+		deviceAuthId: string;
+		userCode: string;
+		pollIntervalSecs: number;
+		model: string;
+	}) => {
+		const response = await fetch(`${API_BASE}/providers/openai/oauth/complete`, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				device_auth_id: params.deviceAuthId,
+				user_code: params.userCode,
+				poll_interval_secs: params.pollIntervalSecs,
+				model: params.model,
+			}),
+		});
+		if (!response.ok) {
+			throw new Error(`API error: ${response.status}`);
+		}
+		return response.json() as Promise<ProviderActionResponse>;
+	},
 	removeProvider: async (provider: string) => {
 		const response = await fetch(`${API_BASE}/providers/${encodeURIComponent(provider)}`, {
 			method: "DELETE",
diff --git a/interface/src/routes/Settings.tsx b/interface/src/routes/Settings.tsx
index f7f13fb56..d14d4cbb1 100644
--- a/interface/src/routes/Settings.tsx
+++ b/interface/src/routes/Settings.tsx
@@ -236,6 +236,12 @@ export function Settings() {
 		message: string;
 		sample?: string | null;
 	} | null>(null);
+	const [openAiOAuthSession, setOpenAiOAuthSession] = useState<{
+		deviceAuthId: string;
+		userCode: string;
+		pollIntervalSecs: number;
+		authorizationUrl: string;
+	} | null>(null);
 	const [message, setMessage] = useState<{
 		text: string;
 		type: "success" | "error";
@@ -287,6 +293,17 @@ export function Settings() {
 		mutationFn: ({ provider, apiKey, model }: { provider: string; apiKey: string; model: string }) =>
 			api.testProviderModel(provider, apiKey, model),
 	});
+	const startOpenAiOAuthMutation = useMutation({
+		mutationFn: () => api.startOpenAiOAuth(),
+	});
+	const completeOpenAiOAuthMutation = useMutation({
+		mutationFn: (params: {
+			deviceAuthId: string;
+			userCode: string;
+			pollIntervalSecs: number;
+			model: string;
+		}) => api.completeOpenAiOAuth(params),
+	});
 
 	const removeMutation = useMutation({
 		mutationFn: (provider: string) => api.removeProvider(provider),
@@ -347,12 +364,79 @@ export function Settings() {
 		});
 	};
 
+	const handleStartOpenAiOAuth = async () => {
+		if (!modelInput.trim()) {
+			setMessage({text: "Model cannot be empty", type: "error"});
+			return;
+		}
+
+		setMessage(null);
+		try {
+			const result = await startOpenAiOAuthMutation.mutateAsync();
+			if (
+				!result.success ||
+				!result.device_auth_id ||
+				!result.user_code ||
+				!result.poll_interval_secs ||
+				!result.authorization_url
+			) {
+				setMessage({text: result.message || "Failed to start ChatGPT Plus sign-in", type: "error"});
+				return;
+			}
+
+			setOpenAiOAuthSession({
+				deviceAuthId: result.device_auth_id,
+				userCode: result.user_code,
+				pollIntervalSecs: result.poll_interval_secs,
+				authorizationUrl: result.authorization_url,
+			});
+			window.open(result.authorization_url, "_blank", "noopener,noreferrer");
+			setMessage({text: "Sign-in started. Complete authorization in your browser, then click Complete sign-in.", type: "success"});
+		} catch (error: any) {
+			setMessage({text: `Failed: ${error.message}`, type: "error"});
+		}
+	};
+
+	const handleCompleteOpenAiOAuth = async () => {
+		if (!openAiOAuthSession || !modelInput.trim()) return;
+		setMessage(null);
+
+		try {
+			const result = await completeOpenAiOAuthMutation.mutateAsync({
+				deviceAuthId: openAiOAuthSession.deviceAuthId,
+				userCode: openAiOAuthSession.userCode,
+				pollIntervalSecs: openAiOAuthSession.pollIntervalSecs,
+				model: modelInput.trim(),
+			});
+
+			if (result.success) {
+				setEditingProvider(null);
+				setKeyInput("");
+				setModelInput("");
+				setTestedSignature(null);
+				setTestResult(null);
+				setOpenAiOAuthSession(null);
+				setMessage({text: result.message, type: "success"});
+				queryClient.invalidateQueries({queryKey: ["providers"]});
+				setTimeout(() => {
+					queryClient.invalidateQueries({queryKey: ["agents"]});
+					queryClient.invalidateQueries({queryKey: ["overview"]});
+				}, 3000);
+			} else {
+				setMessage({text: result.message, type: "error"});
+			}
+		} catch (error: any) {
+			setMessage({text: `Failed: ${error.message}`, type: "error"});
+		}
+	};
+
 	const handleClose = () => {
 		setEditingProvider(null);
 		setKeyInput("");
 		setModelInput("");
 		setTestedSignature(null);
 		setTestResult(null);
+		setOpenAiOAuthSession(null);
 	};
 
 	const isConfigured = (providerId: string): boolean => {
@@ -483,6 +567,8 @@ export function Settings() {
 						<DialogDescription>
 							{editingProvider === "ollama"
 								? `Enter your ${editingProviderData?.name} base URL. It will be saved to your instance config.`
+								: editingProvider === "openai"
+									? "Enter an OpenAI API key or use ChatGPT Plus sign-in. The model below will be applied to routing."
 								: `Enter your ${editingProviderData?.name} API key. It will be saved to your instance config.`}
 						</DialogDescription>
 					</DialogHeader>
@@ -509,6 +595,48 @@ export function Settings() {
 						}}
 						provider={editingProvider ?? undefined}
 					/>
+					{editingProvider === "openai" && (
+						<div className="rounded-md border border-app-line bg-app-darkBox/20 px-3 py-2">
+							<div className="text-xs text-ink-faint">
+								Use your ChatGPT Plus account instead of an API key.
+							</div>
+							<div className="mt-2 flex flex-wrap items-center gap-2">
+								<Button
+									onClick={handleStartOpenAiOAuth}
+									disabled={!modelInput.trim()}
+									loading={startOpenAiOAuthMutation.isPending}
+									variant="outline"
+									size="sm"
+								>
+									Sign in with ChatGPT Plus
+								</Button>
+								<Button
+									onClick={handleCompleteOpenAiOAuth}
+									disabled={!openAiOAuthSession || !modelInput.trim()}
+									loading={completeOpenAiOAuthMutation.isPending}
+									variant="outline"
+									size="sm"
+								>
+									Complete sign-in
+								</Button>
+							</div>
+							{openAiOAuthSession && (
+								<div className="mt-2 text-xs text-ink-dull">
+									<div>
+										User code: <code className="rounded bg-app-box px-1 py-0.5">{openAiOAuthSession.userCode}</code>
+									</div>
+									<a
+										href={openAiOAuthSession.authorizationUrl}
+										target="_blank"
+										rel="noreferrer"
+										className="text-accent underline"
+									>
+										Open verification page
+									</a>
+								</div>
+							)}
+						</div>
+					)}
 					<div className="flex items-center gap-2">
 						<Button
 							onClick={handleTestModel}
diff --git a/src/api/providers.rs b/src/api/providers.rs
index 251ceae34..a751d9981 100644
--- a/src/api/providers.rs
+++ b/src/api/providers.rs
@@ -66,6 +66,24 @@ pub(super) struct ProviderModelTestResponse {
     sample: Option<String>,
 }
 
+#[derive(Serialize)]
+pub(super) struct OpenAiOAuthStartResponse {
+    success: bool,
+    message: String,
+    device_auth_id: Option<String>,
+    user_code: Option<String>,
+    poll_interval_secs: Option<u64>,
+    authorization_url: Option<String>,
+}
+
+#[derive(Deserialize)]
+pub(super) struct OpenAiOAuthCompleteRequest {
+    device_auth_id: String,
+    user_code: String,
+    poll_interval_secs: u64,
+    model: String,
+}
+
 fn provider_toml_key(provider: &str) -> Option<&'static str> {
     match provider {
         "anthropic" => Some("anthropic_key"),
@@ -232,10 +250,58 @@ fn build_test_llm_config(provider: &str, credential: &str) -> crate::config::Llm
     }
 }
 
+fn apply_model_routing(doc: &mut toml_edit::DocumentMut, model: &str) {
+    if doc.get("defaults").is_none() {
+        doc["defaults"] = toml_edit::Item::Table(toml_edit::Table::new());
+    }
+    if let Some(defaults) = doc.get_mut("defaults").and_then(|item| item.as_table_mut()) {
+        if defaults.get("routing").is_none() {
+            defaults["routing"] = toml_edit::Item::Table(toml_edit::Table::new());
+        }
+        if let Some(routing_table) = defaults
+            .get_mut("routing")
+            .and_then(|item| item.as_table_mut())
+        {
+            routing_table["channel"] = toml_edit::value(model);
+            routing_table["branch"] = toml_edit::value(model);
+            routing_table["worker"] = toml_edit::value(model);
+            routing_table["compactor"] = toml_edit::value(model);
+            routing_table["cortex"] = toml_edit::value(model);
+        }
+    }
+
+    if let Some(agents) = doc
+        .get_mut("agents")
+        .and_then(|agents_item| agents_item.as_array_of_tables_mut())
+        && let Some(default_agent) = agents.iter_mut().find(|agent| {
+            agent
+                .get("default")
+                .and_then(|value| value.as_bool())
+                .unwrap_or(false)
+        })
+    {
+        if default_agent.get("routing").is_none() {
+            default_agent["routing"] = toml_edit::Item::Table(toml_edit::Table::new());
+        }
+        if let Some(routing_table) = default_agent
+            .get_mut("routing")
+            .and_then(|routing_item| routing_item.as_table_mut())
+        {
+            routing_table["channel"] = toml_edit::value(model);
+            routing_table["branch"] = toml_edit::value(model);
+            routing_table["worker"] = toml_edit::value(model);
+            routing_table["compactor"] = toml_edit::value(model);
+            routing_table["cortex"] = toml_edit::value(model);
+        }
+    }
+}
+
 pub(super) async fn get_providers(
     State(state): State<Arc<ApiState>>,
 ) -> Result<Json<ProvidersResponse>, StatusCode> {
     let config_path = state.config_path.read().await.clone();
+    let instance_dir = (**state.instance_dir.load()).clone();
+    let openai_oauth_configured = crate::openai_auth::credentials_path(&instance_dir).exists();
 
     let (
         anthropic,
@@ -279,7 +345,7 @@ pub(super) async fn get_providers(
 
         (
             has_value("anthropic_key", "ANTHROPIC_API_KEY"),
-            has_value("openai_key", "OPENAI_API_KEY"),
+            has_value("openai_key", "OPENAI_API_KEY") || openai_oauth_configured,
             has_value("openrouter_key", "OPENROUTER_API_KEY"),
             has_value("zhipu_key", "ZHIPU_API_KEY"),
             has_value("groq_key", "GROQ_API_KEY"),
@@ -301,7 +367,7 @@ pub(super) async fn get_providers(
     } else {
         (
             std::env::var("ANTHROPIC_API_KEY").is_ok(),
-            std::env::var("OPENAI_API_KEY").is_ok(),
+            std::env::var("OPENAI_API_KEY").is_ok() || openai_oauth_configured,
             std::env::var("OPENROUTER_API_KEY").is_ok(),
             std::env::var("ZHIPU_API_KEY").is_ok(),
             std::env::var("GROQ_API_KEY").is_ok(),
@@ -363,6 +429,124 @@ pub(super) async fn get_providers(
     Ok(Json(ProvidersResponse { providers, has_any }))
 }
 
+pub(super) async fn start_openai_oauth() -> Result<Json<OpenAiOAuthStartResponse>, StatusCode> {
+    match crate::openai_auth::start_device_authorization().await {
+        Ok(auth) => Ok(Json(OpenAiOAuthStartResponse {
+            success: true,
+            message: "OpenAI device authorization started".to_string(),
+            device_auth_id: Some(auth.device_auth_id),
+            user_code: Some(auth.user_code),
+            poll_interval_secs: Some(auth.poll_interval_secs),
+            authorization_url: Some(auth.authorization_url),
+        })),
+        Err(error) => Ok(Json(OpenAiOAuthStartResponse {
+            success: false,
+            message: format!("Failed to start ChatGPT Plus sign-in: {error}"),
+            device_auth_id: None,
+            user_code: None,
+            poll_interval_secs: None,
+            authorization_url: None,
+        })),
+    }
+}
+
+pub(super) async fn complete_openai_oauth(
+    State(state): State<Arc<ApiState>>,
+    Json(request): Json<OpenAiOAuthCompleteRequest>,
+) -> Result<Json<ProviderUpdateResponse>, StatusCode> {
+    if request.device_auth_id.trim().is_empty() {
+        return Ok(Json(ProviderUpdateResponse {
+            success: false,
+            message: "Missing device_auth_id".to_string(),
+        }));
+    }
+
+    if request.user_code.trim().is_empty() {
+        return Ok(Json(ProviderUpdateResponse {
+            success: false,
+            message: "Missing user_code".to_string(),
+        }));
+    }
+
+    if request.model.trim().is_empty() {
+        return Ok(Json(ProviderUpdateResponse {
+            success: false,
+            message: "Model cannot be empty".to_string(),
+        }));
+    }
+
+    if !model_matches_provider("openai", &request.model) {
+        return Ok(Json(ProviderUpdateResponse {
+            success: false,
+            message: format!(
+                "Model '{}' does not match provider 'openai'.",
+                request.model
+            ),
+        }));
+    }
+
+    let credentials = match crate::openai_auth::complete_device_authorization(
+        &request.device_auth_id,
+        &request.user_code,
+        request.poll_interval_secs,
+    )
+    .await
+    {
+        Ok(credentials) => credentials,
+        Err(error) => {
+            return Ok(Json(ProviderUpdateResponse {
+                success: false,
+                message: format!("Failed to complete ChatGPT Plus sign-in: {error}"),
+            }));
+        }
+    };
+
+    let instance_dir = (**state.instance_dir.load()).clone();
+    if let Err(error) = crate::openai_auth::save_credentials(&instance_dir, &credentials) {
+        return Ok(Json(ProviderUpdateResponse {
+            success: false,
+            message: format!("Failed to save OpenAI OAuth credentials: {error}"),
+        }));
+    }
+
+    if let Some(llm_manager) = state.llm_manager.read().await.as_ref() {
+        llm_manager
+            .set_openai_oauth_credentials(credentials.clone())
+            .await;
+    }
+
+    let config_path = state.config_path.read().await.clone();
+    let content = if config_path.exists() {
+        tokio::fs::read_to_string(&config_path)
+            .await
+            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
+    } else {
+        String::new()
+    };
+
+    let mut doc: toml_edit::DocumentMut = content
+        .parse()
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+    apply_model_routing(&mut doc, request.model.trim());
+
+    tokio::fs::write(&config_path, doc.to_string())
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    state
+        .provider_setup_tx
+        .try_send(crate::ProviderSetupEvent::ProvidersConfigured)
+        .ok();
+
+    Ok(Json(ProviderUpdateResponse {
+        success: true,
+        message: format!(
+            "OpenAI configured via ChatGPT Plus OAuth. Model '{}' applied to defaults and the default agent routing.",
+            request.model.trim()
+        ),
+    }))
+}
+
 pub(super) async fn update_provider(
     State(state): State<Arc<ApiState>>,
     Json(request): Json<ProviderUpdateRequest>,
@@ -417,47 +601,7 @@ pub(super) async fn update_provider(
     }
 
     doc["llm"][key_name] = toml_edit::value(request.api_key);
-
-    if doc.get("defaults").is_none() {
-        doc["defaults"] = toml_edit::Item::Table(toml_edit::Table::new());
-    }
-    if let Some(defaults) = doc.get_mut("defaults").and_then(|d| d.as_table_mut()) {
-        if defaults.get("routing").is_none() {
-            defaults["routing"] = toml_edit::Item::Table(toml_edit::Table::new());
-        }
-        if let Some(routing_table) = defaults.get_mut("routing").and_then(|r| r.as_table_mut()) {
-            routing_table["channel"] = toml_edit::value(request.model.as_str());
-            routing_table["branch"] = toml_edit::value(request.model.as_str());
-            routing_table["worker"] = toml_edit::value(request.model.as_str());
-            routing_table["compactor"] = toml_edit::value(request.model.as_str());
-            routing_table["cortex"] = toml_edit::value(request.model.as_str());
-        }
-    }
-
-    if let Some(agents) = doc
-        .get_mut("agents")
-        .and_then(|agents_item| agents_item.as_array_of_tables_mut())
-        && let Some(default_agent) = agents.iter_mut().find(|agent| {
-            agent
-                .get("default")
-                .and_then(|value| value.as_bool())
-                .unwrap_or(false)
-        })
-    {
-        if default_agent.get("routing").is_none() {
-            default_agent["routing"] = toml_edit::Item::Table(toml_edit::Table::new());
-        }
-        if let Some(routing_table) = default_agent
-            .get_mut("routing")
-            .and_then(|routing_item| routing_item.as_table_mut())
-        {
-            routing_table["channel"] = toml_edit::value(request.model.as_str());
-            routing_table["branch"] = toml_edit::value(request.model.as_str());
-            routing_table["worker"] = toml_edit::value(request.model.as_str());
-            routing_table["compactor"] = toml_edit::value(request.model.as_str());
-            routing_table["cortex"] = toml_edit::value(request.model.as_str());
-        }
-    }
+    apply_model_routing(&mut doc, request.model.as_str());
 
     tokio::fs::write(&config_path, doc.to_string())
         .await
diff --git a/src/api/server.rs b/src/api/server.rs
index a41c7f8d1..65d41233a 100644
--- a/src/api/server.rs
+++ b/src/api/server.rs
@@ -123,6 +123,14 @@ pub async fn start_http_server(
             "/providers",
             get(providers::get_providers).put(providers::update_provider),
         )
+        .route(
+            "/providers/openai/oauth/start",
+            post(providers::start_openai_oauth),
+        )
+        .route(
+            "/providers/openai/oauth/complete",
+            post(providers::complete_openai_oauth),
+        )
         .route("/providers/test", post(providers::test_provider_model))
         .route("/providers/{provider}", delete(providers::delete_provider))
         .route("/models", get(models::get_models))
diff --git a/src/config.rs b/src/config.rs
index 20e3394d7..f2b82b0ce 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1944,7 +1944,9 @@ impl Config {
         }
 
         // OAuth credentials count as configured
-        if crate::auth::credentials_path(&instance_dir).exists() {
+        if crate::auth::credentials_path(&instance_dir).exists()
+            || crate::openai_auth::credentials_path(&instance_dir).exists()
+        {
             return false;
         }
 
@@ -4272,6 +4274,26 @@ name = "Custom OpenAI"
         assert!(!Config::needs_onboarding());
     }
 
+    #[test]
+    fn test_needs_onboarding_false_with_openai_oauth_credentials() {
+        let _lock = env_test_lock()
+            .lock()
+            .expect("failed to lock env test mutex");
+        let _env = EnvGuard::new();
+
+        let instance_dir = Config::default_instance_dir();
+        let creds = crate::openai_auth::OAuthCredentials {
+            access_token: "openai-access-token-test".to_string(),
+            refresh_token: "openai-refresh-token-test".to_string(),
+            expires_at: chrono::Utc::now().timestamp_millis() + 3_600_000,
+            account_id: Some("acct_test_123".to_string()),
+        };
+        crate::openai_auth::save_credentials(&instance_dir, &creds)
+            .expect("failed to save OpenAI OAuth credentials");
+
+        assert!(!Config::needs_onboarding());
+    }
+
     #[test]
     fn test_load_from_env_populates_legacy_key_and_provider() {
         let _lock = env_test_lock()
diff --git a/src/lib.rs b/src/lib.rs
index 98b4eac3f..b06e676ce 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -15,6 +15,7 @@ pub mod llm;
 pub mod mcp;
 pub mod memory;
 pub mod messaging;
+pub mod openai_auth;
 pub mod opencode;
 pub mod prompts;
 pub mod secrets;
diff --git a/src/llm/manager.rs b/src/llm/manager.rs
index 69fd113ac..b0390b773 100644
--- a/src/llm/manager.rs
+++ b/src/llm/manager.rs
@@ -8,9 +8,10 @@
 //! `reload_config()` when config.toml changes, and all subsequent
 //! `get_api_key()` calls read the new values lock-free.
 
-use crate::auth::OAuthCredentials;
+use crate::auth::OAuthCredentials as AnthropicOAuthCredentials;
 use crate::config::{ApiType, LlmConfig, ProviderConfig};
 use crate::error::{LlmError, Result};
+use crate::openai_auth::OAuthCredentials as OpenAiOAuthCredentials;
 
 use anyhow::Context as _;
 use arc_swap::ArcSwap;
@@ -28,8 +29,10 @@ pub struct LlmManager {
     rate_limited: Arc<RwLock<HashMap<String, Instant>>>,
     /// Instance directory for reading/writing OAuth credentials.
     instance_dir: Option<PathBuf>,
-    /// Cached OAuth credentials (refreshed lazily).
-    oauth_credentials: RwLock<Option<OAuthCredentials>>,
+    /// Cached Anthropic OAuth credentials (refreshed lazily).
+    anthropic_oauth_credentials: RwLock<Option<AnthropicOAuthCredentials>>,
+    /// Cached OpenAI OAuth credentials (refreshed lazily).
+    openai_oauth_credentials: RwLock<Option<OpenAiOAuthCredentials>>,
 }
 
 impl LlmManager {
@@ -45,15 +48,20 @@ impl LlmManager {
             http_client,
             rate_limited: Arc::new(RwLock::new(HashMap::new())),
             instance_dir: None,
-            oauth_credentials: RwLock::new(None),
+            anthropic_oauth_credentials: RwLock::new(None),
+            openai_oauth_credentials: RwLock::new(None),
         })
     }
 
     /// Set the instance directory and load any existing OAuth credentials.
     pub async fn set_instance_dir(&self, instance_dir: PathBuf) {
         if let Ok(Some(creds)) = crate::auth::load_credentials(&instance_dir) {
-            tracing::info!("loaded OAuth credentials from auth.json");
-            *self.oauth_credentials.write().await = Some(creds);
+            tracing::info!("loaded Anthropic OAuth credentials from auth.json");
+            *self.anthropic_oauth_credentials.write().await = Some(creds);
+        }
+        if let Ok(Some(creds)) = crate::openai_auth::load_credentials(&instance_dir) {
+            tracing::info!("loaded OpenAI OAuth credentials from openai_chatgpt_oauth.json");
+            *self.openai_oauth_credentials.write().await = Some(creds);
         }
         // Store instance_dir — we can't set it on &self since it's not behind RwLock,
         // but we only need it for save_credentials which we handle inline.
@@ -66,14 +74,26 @@ impl LlmManager {
             .build()
             .with_context(|| "failed to build HTTP client")?;
 
-        let oauth_credentials = match crate::auth::load_credentials(&instance_dir) {
+        let anthropic_oauth_credentials = match crate::auth::load_credentials(&instance_dir) {
             Ok(Some(creds)) => {
-                tracing::info!("loaded OAuth credentials from auth.json");
+                tracing::info!("loaded Anthropic OAuth credentials from auth.json");
                 Some(creds)
             }
             Ok(None) => None,
             Err(error) => {
-                tracing::warn!(%error, "failed to load OAuth credentials");
+                tracing::warn!(%error, "failed to load Anthropic OAuth credentials");
+                None
+            }
+        };
+
+        let openai_oauth_credentials = match crate::openai_auth::load_credentials(&instance_dir) {
+            Ok(Some(creds)) => {
+                tracing::info!("loaded OpenAI OAuth credentials from openai_chatgpt_oauth.json");
+                Some(creds)
+            }
+            Ok(None) => None,
+            Err(error) => {
+                tracing::warn!(%error, "failed to load OpenAI OAuth credentials");
                 None
             }
         };
@@ -83,7 +103,8 @@ impl LlmManager {
             http_client,
             rate_limited: Arc::new(RwLock::new(HashMap::new())),
             instance_dir: Some(instance_dir),
-            oauth_credentials: RwLock::new(oauth_credentials),
+            anthropic_oauth_credentials: RwLock::new(anthropic_oauth_credentials),
+            openai_oauth_credentials: RwLock::new(openai_oauth_credentials),
         })
     }
 
@@ -110,7 +131,7 @@ impl LlmManager {
     /// returns the OAuth access token (refreshing if needed). Otherwise
     /// falls back to the static API key from config.
     pub async fn get_anthropic_token(&self) -> Result<Option<String>> {
-        let mut creds_guard = self.oauth_credentials.write().await;
+        let mut creds_guard = self.anthropic_oauth_credentials.write().await;
         let Some(creds) = creds_guard.as_ref() else {
             return Ok(None);
         };
@@ -120,22 +141,22 @@ impl LlmManager {
         }
 
         // Need to refresh
-        tracing::info!("OAuth access token expired, refreshing...");
+        tracing::info!("Anthropic OAuth access token expired, refreshing...");
         match creds.refresh().await {
             Ok(new_creds) => {
                 // Save to disk
                 if let Some(ref instance_dir) = self.instance_dir
                     && let Err(error) = crate::auth::save_credentials(instance_dir, &new_creds)
                 {
-                    tracing::warn!(%error, "failed to persist refreshed OAuth credentials");
+                    tracing::warn!(%error, "failed to persist refreshed Anthropic OAuth credentials");
                 }
                 let token = new_creds.access_token.clone();
                 *creds_guard = Some(new_creds);
-                tracing::info!("OAuth token refreshed successfully");
+                tracing::info!("Anthropic OAuth token refreshed successfully");
                 Ok(Some(token))
             }
             Err(error) => {
-                tracing::error!(%error, "OAuth token refresh failed");
+                tracing::error!(%error, "Anthropic OAuth token refresh failed");
                 // Return the expired token anyway — the API will reject it
                 // and the error message will be clearer than "no key"
                 Ok(Some(creds.access_token.clone()))
@@ -169,6 +190,73 @@ impl LlmManager {
         }
     }
 
+    /// Set OpenAI OAuth credentials in memory after successful auth.
+    pub async fn set_openai_oauth_credentials(&self, creds: OpenAiOAuthCredentials) {
+        *self.openai_oauth_credentials.write().await = Some(creds);
+    }
+
+    /// Get OpenAI OAuth access token if available, refreshing when needed.
+    pub async fn get_openai_token(&self) -> Result<Option<String>> {
+        let mut creds_guard = self.openai_oauth_credentials.write().await;
+        let Some(creds) = creds_guard.as_ref() else {
+            return Ok(None);
+        };
+
+        if !creds.is_expired() {
+            return Ok(Some(creds.access_token.clone()));
+        }
+
+        tracing::info!("OpenAI OAuth access token expired, refreshing...");
+        match creds.refresh().await {
+            Ok(new_creds) => {
+                if let Some(ref instance_dir) = self.instance_dir
+                    && let Err(error) =
+                        crate::openai_auth::save_credentials(instance_dir, &new_creds)
+                {
+                    tracing::warn!(%error, "failed to persist refreshed OpenAI OAuth credentials");
+                }
+                let token = new_creds.access_token.clone();
+                *creds_guard = Some(new_creds);
+                tracing::info!("OpenAI OAuth token refreshed successfully");
+                Ok(Some(token))
+            }
+            Err(error) => {
+                tracing::error!(%error, "OpenAI OAuth token refresh failed");
+                Ok(Some(creds.access_token.clone()))
+            }
+        }
+    }
+
+    /// Resolve the OpenAI provider config, preferring OAuth credentials.
+    pub async fn get_openai_provider(&self) -> Result<ProviderConfig> {
+        let token = self.get_openai_token().await?;
+        let static_provider = self.get_provider("openai").ok();
+
+        match (static_provider, token) {
+            (Some(mut provider), Some(token)) => {
+                provider.api_key = token;
+                Ok(provider)
+            }
+            (Some(provider), None) => Ok(provider),
+            (None, Some(token)) => Ok(ProviderConfig {
+                api_type: ApiType::OpenAiCompletions,
+                base_url: "https://api.openai.com".to_string(),
+                api_key: token,
+                name: None,
+            }),
+            (None, None) => Err(LlmError::UnknownProvider("openai".to_string()).into()),
+        }
+    }
+
+    /// Get OpenAI OAuth account id (for ChatGPT Plus/Pro account scoping headers).
+    pub async fn get_openai_account_id(&self) -> Option<String> {
+        self.openai_oauth_credentials
+            .read()
+            .await
+            .as_ref()
+            .and_then(|credentials| credentials.account_id.clone())
+    }
+
     /// Get the appropriate API key for a provider.
     pub fn get_api_key(&self, provider_id: &str) -> Result<String> {
         let provider = self.get_provider(provider_id)?;
diff --git a/src/llm/model.rs b/src/llm/model.rs
index e1bf5203c..e71bbc6b3 100644
--- a/src/llm/model.rs
+++ b/src/llm/model.rs
@@ -89,15 +89,21 @@ impl SpacebotModel {
             .map(|(provider, _)| provider)
             .unwrap_or("anthropic");
 
-        let provider_config = if provider_id == "anthropic" {
-            self.llm_manager
+        let provider_config = match provider_id {
+            "anthropic" => self
+                .llm_manager
                 .get_anthropic_provider()
                 .await
-                .map_err(|e| CompletionError::ProviderError(e.to_string()))?
-        } else {
-            self.llm_manager
+                .map_err(|e| CompletionError::ProviderError(e.to_string()))?,
+            "openai" => self
+                .llm_manager
+                .get_openai_provider()
+                .await
+                .map_err(|e| CompletionError::ProviderError(e.to_string()))?,
+            _ => self
+                .llm_manager
                 .get_provider(provider_id)
-                .map_err(|e| CompletionError::ProviderError(e.to_string()))?
+                .map_err(|e| CompletionError::ProviderError(e.to_string()))?,
         };
 
         if provider_id == "zai-coding-plan" || provider_id == "zhipu" {
@@ -536,6 +542,11 @@ impl SpacebotModel {
             "{}/v1/chat/completions",
             provider_config.base_url.trim_end_matches('/')
         );
+        let openai_account_id = if self.provider == "openai" {
+            self.llm_manager.get_openai_account_id().await
+        } else {
+            None
+        };
 
         let mut request_builder = self
             .llm_manager
@@ -543,6 +554,9 @@ impl SpacebotModel {
             .post(&chat_completions_url)
             .header("authorization", format!("Bearer {api_key}"))
             .header("content-type", "application/json");
+        if let Some(account_id) = openai_account_id {
+            request_builder = request_builder.header("chatgpt-account-id", account_id);
+        }
 
         // Kimi endpoints require a specific user-agent header.
         if chat_completions_url.contains("kimi.com") || chat_completions_url.contains("moonshot.ai")
@@ -625,12 +639,23 @@ impl SpacebotModel {
             body["tools"] = serde_json::json!(tools);
         }
 
-        let response = self
+        let openai_account_id = if self.provider == "openai" {
+            self.llm_manager.get_openai_account_id().await
+        } else {
+            None
+        };
+
+        let mut request_builder = self
             .llm_manager
             .http_client()
             .post(&responses_url)
             .header("authorization", format!("Bearer {api_key}"))
-            .header("content-type", "application/json")
+            .header("content-type", "application/json");
+        if let Some(account_id) = openai_account_id {
+            request_builder = request_builder.header("chatgpt-account-id", account_id);
+        }
+
+        let response = request_builder
             .json(&body)
             .send()
             .await
diff --git a/src/main.rs b/src/main.rs
index bd0090bb2..cc2c004af 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -587,6 +587,15 @@ fn load_config(
     }
 }
 
+fn has_provider_credentials(
+    llm_config: &spacebot::config::LlmConfig,
+    instance_dir: &std::path::Path,
+) -> bool {
+    llm_config.has_any_key()
+        || spacebot::auth::credentials_path(instance_dir).exists()
+        || spacebot::openai_auth::credentials_path(instance_dir).exists()
+}
+
 async fn run(
     config: spacebot::config::Config,
     foreground: bool,
@@ -654,8 +663,7 @@ async fn run(
     };
 
     // Check if we have provider configuration (API keys or OAuth credentials)
-    let has_providers =
-        config.llm.has_any_key() || spacebot::auth::credentials_path(&config.instance_dir).exists();
+    let has_providers = has_provider_credentials(&config.llm, &config.instance_dir);
 
     if !has_providers {
         tracing::info!("No LLM providers configured. Starting in setup mode.");
@@ -715,6 +723,7 @@ async fn run(
     // Set the config path on the API state for config.toml writes
     let config_path = config.instance_dir.join("config.toml");
     api_state.set_config_path(config_path.clone()).await;
+    api_state.set_instance_dir(config.instance_dir.clone());
     api_state.set_llm_manager(llm_manager.clone()).await;
     api_state.set_embedding_model(embedding_model.clone()).await;
     api_state.set_prompt_engine(prompt_engine.clone()).await;
@@ -1050,9 +1059,16 @@ async fn run(
                 };
 
                 match new_config {
-                    Ok(new_config) if new_config.llm.has_any_key() => {
+                    Ok(new_config)
+                        if has_provider_credentials(&new_config.llm, &new_config.instance_dir) =>
+                    {
                         // Rebuild LlmManager with the new keys
-                        match spacebot::llm::LlmManager::new(new_config.llm.clone()).await {
+                        match spacebot::llm::LlmManager::with_instance_dir(
+                            new_config.llm.clone(),
+                            new_config.instance_dir.clone(),
+                        )
+                        .await
+                        {
                             Ok(new_llm) => {
                                 let new_llm_manager = Arc::new(new_llm);
                                 let mut new_watcher_agents = Vec::new();
diff --git a/src/openai_auth.rs b/src/openai_auth.rs
new file mode 100644
index 000000000..e79cee873
--- /dev/null
+++ b/src/openai_auth.rs
@@ -0,0 +1,341 @@
+//! OpenAI ChatGPT Plus OAuth device flow, token exchange, refresh, and storage.
+
+use anyhow::{Context as _, Result};
+use base64::Engine as _;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use reqwest::StatusCode;
+use serde::{Deserialize, Serialize};
+use std::path::{Path, PathBuf};
+use std::time::Duration;
+
+const CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";
+const DEVICE_CODE_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/usercode";
+const DEVICE_TOKEN_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/token";
+const OAUTH_TOKEN_URL: &str = "https://auth.openai.com/oauth/token";
+const DEVICE_REDIRECT_URI: &str = "https://auth.openai.com/deviceauth/callback";
+const AUTHORIZATION_URL: &str = "https://auth.openai.com/codex/device";
+const POLLING_SAFETY_MARGIN_MS: u64 = 3000;
+const DEVICE_FLOW_TIMEOUT_SECS: u64 = 5 * 60;
+
+/// Stored OpenAI OAuth credentials.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct OAuthCredentials {
+    pub access_token: String,
+    pub refresh_token: String,
+    /// Expiry as Unix timestamp in milliseconds.
+    pub expires_at: i64,
+    pub account_id: Option<String>,
+}
+
+impl OAuthCredentials {
+    /// Check if the access token is expired or about to expire (within 5 minutes).
+    pub fn is_expired(&self) -> bool {
+        let now = chrono::Utc::now().timestamp_millis();
+        let buffer = 5 * 60 * 1000;
+        now >= self.expires_at - buffer
+    }
+
+    /// Refresh the access token and return updated credentials.
+    pub async fn refresh(&self) -> Result<Self> {
+        let client = reqwest::Client::new();
+        let response = client
+            .post(OAUTH_TOKEN_URL)
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .form(&[
+                ("grant_type", "refresh_token"),
+                ("refresh_token", self.refresh_token.as_str()),
+                ("client_id", CLIENT_ID),
+            ])
+            .send()
+            .await
+            .context("failed to send OpenAI OAuth refresh request")?;
+
+        let status = response.status();
+        let body = response
+            .text()
+            .await
+            .context("failed to read OpenAI OAuth refresh response")?;
+
+        if !status.is_success() {
+            anyhow::bail!("OpenAI OAuth refresh failed ({}): {}", status, body);
+        }
+
+        let token_response: TokenResponse =
+            serde_json::from_str(&body).context("failed to parse OpenAI OAuth refresh response")?;
+
+        let account_id = extract_account_id(&token_response).or_else(|| self.account_id.clone());
+        let refresh_token = token_response
+            .refresh_token
+            .unwrap_or_else(|| self.refresh_token.clone());
+
+        Ok(Self {
+            access_token: token_response.access_token,
+            refresh_token,
+            expires_at: chrono::Utc::now().timestamp_millis()
+                + token_response.expires_in.unwrap_or(3600) * 1000,
+            account_id,
+        })
+    }
+}
+
+#[derive(Debug, Deserialize)]
+struct DeviceCodeResponse {
+    device_auth_id: String,
+    user_code: String,
+    interval: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct DeviceTokenResponse {
+    authorization_code: String,
+    code_verifier: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct TokenResponse {
+    access_token: String,
+    refresh_token: Option<String>,
+    expires_in: Option<i64>,
+    id_token: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+struct TokenClaims {
+    chatgpt_account_id: Option<String>,
+    organizations: Option<Vec<TokenOrganization>>,
+    #[serde(rename = "https://api.openai.com/auth")]
+    openai_auth: Option<TokenOpenAiAuthClaims>,
+}
+
+#[derive(Debug, Deserialize)]
+struct TokenOrganization {
+    id: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct TokenOpenAiAuthClaims {
+    chatgpt_account_id: Option<String>,
+}
+
+/// Data needed by the UI to finish OpenAI device auth.
+#[derive(Debug, Clone, Serialize)]
+pub struct DeviceAuthorization {
+    pub device_auth_id: String,
+    pub user_code: String,
+    pub poll_interval_secs: u64,
+    pub authorization_url: String,
+}
+
+fn parse_jwt_claims(token: &str) -> Option<TokenClaims> {
+    let mut parts = token.split('.');
+    let _header = parts.next()?;
+    let payload = parts.next()?;
+    let _signature = parts.next()?;
+    if parts.next().is_some() {
+        return None;
+    }
+
+    let decoded = URL_SAFE_NO_PAD.decode(payload).ok()?;
+    serde_json::from_slice::<TokenClaims>(&decoded).ok()
+}
+
+fn extract_account_id(token_response: &TokenResponse) -> Option<String> {
+    let from_claims = |claims: TokenClaims| {
+        claims
+            .chatgpt_account_id
+            .or_else(|| claims.openai_auth.and_then(|auth| auth.chatgpt_account_id))
+            .or_else(|| {
+                claims
+                    .organizations
+                    .and_then(|organizations| organizations.into_iter().next())
+                    .map(|organization| organization.id)
+            })
+    };
+
+    token_response
+        .id_token
+        .as_deref()
+        .and_then(parse_jwt_claims)
+        .and_then(from_claims)
+        .or_else(|| parse_jwt_claims(&token_response.access_token).and_then(from_claims))
+}
+
+/// Start OpenAI device authorization and return a user code + poll details.
+pub async fn start_device_authorization() -> Result<DeviceAuthorization> {
+    let client = reqwest::Client::new();
+    let response = client
+        .post(DEVICE_CODE_URL)
+        .header("Content-Type", "application/json")
+        .header(
+            "User-Agent",
+            format!("spacebot/{}", env!("CARGO_PKG_VERSION")),
+        )
+        .json(&serde_json::json!({ "client_id": CLIENT_ID }))
+        .send()
+        .await
+        .context("failed to start OpenAI device authorization")?;
+
+    let status = response.status();
+    let body = response
+        .text()
+        .await
+        .context("failed to read OpenAI device authorization response")?;
+
+    if !status.is_success() {
+        anyhow::bail!("OpenAI device authorization failed ({}): {}", status, body);
+    }
+
+    let parsed: DeviceCodeResponse = serde_json::from_str(&body)
+        .context("failed to parse OpenAI device authorization response")?;
+    let poll_interval_secs = parsed.interval.parse::<u64>().unwrap_or(5).max(1);
+
+    Ok(DeviceAuthorization {
+        device_auth_id: parsed.device_auth_id,
+        user_code: parsed.user_code,
+        poll_interval_secs,
+        authorization_url: AUTHORIZATION_URL.to_string(),
+    })
+}
+
+async fn poll_device_authorization(
+    device_auth_id: &str,
+    user_code: &str,
+    poll_interval_secs: u64,
+) -> Result<DeviceTokenResponse> {
+    let client = reqwest::Client::new();
+    let start = tokio::time::Instant::now();
+    let poll_delay =
+        Duration::from_secs(poll_interval_secs) + Duration::from_millis(POLLING_SAFETY_MARGIN_MS);
+
+    loop {
+        if start.elapsed() > Duration::from_secs(DEVICE_FLOW_TIMEOUT_SECS) {
+            anyhow::bail!("OpenAI device authorization timed out");
+        }
+
+        let response = client
+            .post(DEVICE_TOKEN_URL)
+            .header("Content-Type", "application/json")
+            .header(
+                "User-Agent",
+                format!("spacebot/{}", env!("CARGO_PKG_VERSION")),
+            )
+            .json(&serde_json::json!({
+                "device_auth_id": device_auth_id,
+                "user_code": user_code,
+            }))
+            .send()
+            .await
+            .context("failed to poll OpenAI device authorization")?;
+
+        let status = response.status();
+        let body = response
+            .text()
+            .await
+            .context("failed to read OpenAI device authorization poll response")?;
+
+        if status.is_success() {
+            let parsed: DeviceTokenResponse = serde_json::from_str(&body)
+                .context("failed to parse OpenAI device authorization poll response")?;
+            return Ok(parsed);
+        }
+
+        if status == StatusCode::FORBIDDEN || status == StatusCode::NOT_FOUND {
+            tokio::time::sleep(poll_delay).await;
+            continue;
+        }
+
+        anyhow::bail!(
+            "OpenAI device authorization polling failed ({}): {}",
+            status,
+            body
+        );
+    }
+}
+
+/// Complete OpenAI device authorization by polling and exchanging for OAuth tokens.
+pub async fn complete_device_authorization(
+    device_auth_id: &str,
+    user_code: &str,
+    poll_interval_secs: u64,
+) -> Result<OAuthCredentials> {
+    let device_token = poll_device_authorization(device_auth_id, user_code, poll_interval_secs)
+        .await
+        .context("failed to complete OpenAI device authorization")?;
+
+    let client = reqwest::Client::new();
+    let response = client
+        .post(OAUTH_TOKEN_URL)
+        .header("Content-Type", "application/x-www-form-urlencoded")
+        .form(&[
+            ("grant_type", "authorization_code"),
+            ("code", device_token.authorization_code.as_str()),
+            ("redirect_uri", DEVICE_REDIRECT_URI),
+            ("client_id", CLIENT_ID),
+            ("code_verifier", device_token.code_verifier.as_str()),
+        ])
+        .send()
+        .await
+        .context("failed to exchange OpenAI authorization code for tokens")?;
+
+    let status = response.status();
+    let body = response
+        .text()
+        .await
+        .context("failed to read OpenAI token exchange response")?;
+
+    if !status.is_success() {
+        anyhow::bail!("OpenAI token exchange failed ({}): {}", status, body);
+    }
+
+    let token_response: TokenResponse =
+        serde_json::from_str(&body).context("failed to parse OpenAI token exchange response")?;
+    let account_id = extract_account_id(&token_response);
+    let refresh_token = token_response
+        .refresh_token
+        .context("OpenAI token response did not include refresh_token")?;
+
+    Ok(OAuthCredentials {
+        access_token: token_response.access_token,
+        refresh_token,
+        expires_at: chrono::Utc::now().timestamp_millis()
+            + token_response.expires_in.unwrap_or(3600) * 1000,
+        account_id,
+    })
+}
+
+/// Path to OpenAI OAuth credentials within the instance directory.
+pub fn credentials_path(instance_dir: &Path) -> PathBuf {
+    instance_dir.join("openai_chatgpt_oauth.json")
+}
+
+/// Load OpenAI OAuth credentials from disk.
+pub fn load_credentials(instance_dir: &Path) -> Result<Option<OAuthCredentials>> {
+    let path = credentials_path(instance_dir);
+    if !path.exists() {
+        return Ok(None);
+    }
+
+    let data = std::fs::read_to_string(&path)
+        .with_context(|| format!("failed to read {}", path.display()))?;
+    let creds: OAuthCredentials =
+        serde_json::from_str(&data).context("failed to parse OpenAI OAuth credentials")?;
+    Ok(Some(creds))
+}
+
+/// Save OpenAI OAuth credentials to disk with restricted permissions (0600).
+pub fn save_credentials(instance_dir: &Path, creds: &OAuthCredentials) -> Result<()> {
+    let path = credentials_path(instance_dir);
+    let data = serde_json::to_string_pretty(creds)
+        .context("failed to serialize OpenAI OAuth credentials")?;
+
+    std::fs::write(&path, &data).with_context(|| format!("failed to write {}", path.display()))?;
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600))
+            .with_context(|| format!("failed to set permissions on {}", path.display()))?;
+    }
+
+    Ok(())
+}

From cc043b4d7ff42fc08fbe6b7a05634318fc0c99bf Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Sun, 22 Feb 2026 22:33:54 +0100
Subject: [PATCH 2/9] Add OpenAI browser OAuth flow with callback and status
 polling

---
 interface/src/api/client.ts       |  37 +++
 interface/src/routes/Settings.tsx |  90 +++++++
 src/api/providers.rs              | 383 +++++++++++++++++++++++++++++-
 src/api/server.rs                 |  17 +-
 src/openai_auth.rs                |  97 ++++++++
 5 files changed, 621 insertions(+), 3 deletions(-)

diff --git a/interface/src/api/client.ts b/interface/src/api/client.ts
index 5fc4e9ca3..be7f09710 100644
--- a/interface/src/api/client.ts
+++ b/interface/src/api/client.ts
@@ -704,6 +704,20 @@ export interface OpenAiOAuthStartResponse {
 	authorization_url: string | null;
 }
 
+export interface OpenAiOAuthBrowserStartResponse {
+	success: boolean;
+	message: string;
+	authorization_url: string | null;
+	state: string | null;
+}
+
+export interface OpenAiOAuthBrowserStatusResponse {
+	found: boolean;
+	done: boolean;
+	success: boolean;
+	message: string | null;
+}
+
 // -- Model Types --
 
 export interface ModelInfo {
@@ -1192,6 +1206,29 @@ export const api = {
 		}
 		return response.json() as Promise<ProviderActionResponse>;
 	},
+	startOpenAiOAuthBrowser: async (params: {redirectUri: string; model: string}) => {
+		const response = await fetch(`${API_BASE}/providers/openai/oauth/browser/start`, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				redirect_uri: params.redirectUri,
+				model: params.model,
+			}),
+		});
+		if (!response.ok) {
+			throw new Error(`API error: ${response.status}`);
+		}
+		return response.json() as Promise<OpenAiOAuthBrowserStartResponse>;
+	},
+	openAiOAuthBrowserStatus: async (state: string) => {
+		const response = await fetch(
+			`${API_BASE}/providers/openai/oauth/browser/status?state=${encodeURIComponent(state)}`,
+		);
+		if (!response.ok) {
+			throw new Error(`API error: ${response.status}`);
+		}
+		return response.json() as Promise<OpenAiOAuthBrowserStatusResponse>;
+	},
 	removeProvider: async (provider: string) => {
 		const response = await fetch(`${API_BASE}/providers/${encodeURIComponent(provider)}`, {
 			method: "DELETE",
diff --git a/interface/src/routes/Settings.tsx b/interface/src/routes/Settings.tsx
index d14d4cbb1..a2c2d8f59 100644
--- a/interface/src/routes/Settings.tsx
+++ b/interface/src/routes/Settings.tsx
@@ -242,6 +242,8 @@ export function Settings() {
 		pollIntervalSecs: number;
 		authorizationUrl: string;
 	} | null>(null);
+	const [openAiBrowserOAuthState, setOpenAiBrowserOAuthState] = useState<string | null>(null);
+	const [isPollingOpenAiBrowserOAuth, setIsPollingOpenAiBrowserOAuth] = useState(false);
 	const [message, setMessage] = useState<{
 		text: string;
 		type: "success" | "error";
@@ -304,6 +306,9 @@ export function Settings() {
 			model: string;
 		}) => api.completeOpenAiOAuth(params),
 	});
+	const startOpenAiBrowserOAuthMutation = useMutation({
+		mutationFn: (params: {redirectUri: string; model: string}) => api.startOpenAiOAuthBrowser(params),
+	});
 
 	const removeMutation = useMutation({
 		mutationFn: (provider: string) => api.removeProvider(provider),
@@ -397,6 +402,75 @@ export function Settings() {
 		}
 	};
 
+	const monitorOpenAiBrowserOAuth = async (stateToken: string, popup: Window | null) => {
+		setIsPollingOpenAiBrowserOAuth(true);
+		setOpenAiBrowserOAuthState(stateToken);
+		try {
+			for (let attempt = 0; attempt < 180; attempt += 1) {
+				const status = await api.openAiOAuthBrowserStatus(stateToken);
+				if (status.done) {
+					if (status.success) {
+						setEditingProvider(null);
+						setKeyInput("");
+						setModelInput("");
+						setTestedSignature(null);
+						setTestResult(null);
+						setOpenAiOAuthSession(null);
+						setMessage({text: status.message || "OpenAI configured via browser sign-in.", type: "success"});
+						queryClient.invalidateQueries({queryKey: ["providers"]});
+						setTimeout(() => {
+							queryClient.invalidateQueries({queryKey: ["agents"]});
+							queryClient.invalidateQueries({queryKey: ["overview"]});
+						}, 3000);
+					} else {
+						setMessage({text: status.message || "Browser sign-in failed.", type: "error"});
+					}
+					return;
+				}
+				await new Promise((resolve) => setTimeout(resolve, 2000));
+			}
+			setMessage({text: "Browser sign-in timed out. Please try again.", type: "error"});
+		} catch (error: any) {
+			setMessage({text: `Failed to verify browser sign-in: ${error.message}`, type: "error"});
+		} finally {
+			setIsPollingOpenAiBrowserOAuth(false);
+			setOpenAiBrowserOAuthState(null);
+			if (popup && !popup.closed) {
+				popup.close();
+			}
+		}
+	};
+
+	const handleStartOpenAiBrowserOAuth = async () => {
+		if (!modelInput.trim()) {
+			setMessage({text: "Model cannot be empty", type: "error"});
+			return;
+		}
+
+		setMessage(null);
+		try {
+			const redirectUri = `${window.location.origin}${BASE_PATH}/api/providers/openai/oauth/browser/callback`;
+			const result = await startOpenAiBrowserOAuthMutation.mutateAsync({
+				redirectUri,
+				model: modelInput.trim(),
+			});
+			if (!result.success || !result.authorization_url || !result.state) {
+				setMessage({text: result.message || "Failed to start browser sign-in", type: "error"});
+				return;
+			}
+
+			const popup = window.open(
+				result.authorization_url,
+				"spacebot-openai-oauth",
+				"popup=true,width=560,height=780,noopener,noreferrer",
+			);
+			setMessage({text: "Complete sign-in in the browser window. Waiting for callback...", type: "success"});
+			void monitorOpenAiBrowserOAuth(result.state, popup);
+		} catch (error: any) {
+			setMessage({text: `Failed: ${error.message}`, type: "error"});
+		}
+	};
+
 	const handleCompleteOpenAiOAuth = async () => {
 		if (!openAiOAuthSession || !modelInput.trim()) return;
 		setMessage(null);
@@ -437,6 +511,8 @@ export function Settings() {
 		setTestedSignature(null);
 		setTestResult(null);
 		setOpenAiOAuthSession(null);
+		setOpenAiBrowserOAuthState(null);
+		setIsPollingOpenAiBrowserOAuth(false);
 	};
 
 	const isConfigured = (providerId: string): boolean => {
@@ -601,6 +677,15 @@ export function Settings() {
 								Use your ChatGPT Plus account instead of an API key.
 							</div>
 							<div className="mt-2 flex flex-wrap items-center gap-2">
+								<Button
+									onClick={handleStartOpenAiBrowserOAuth}
+									disabled={!modelInput.trim() || isPollingOpenAiBrowserOAuth}
+									loading={startOpenAiBrowserOAuthMutation.isPending || isPollingOpenAiBrowserOAuth}
+									variant="outline"
+									size="sm"
+								>
+									Sign in with browser
+								</Button>
 								<Button
 									onClick={handleStartOpenAiOAuth}
 									disabled={!modelInput.trim()}
@@ -635,6 +720,11 @@ export function Settings() {
 									</a>
 								</div>
 							)}
+							{openAiBrowserOAuthState && (
+								<div className="mt-2 text-xs text-ink-dull">
+									Browser OAuth state: <code className="rounded bg-app-box px-1 py-0.5">{openAiBrowserOAuthState}</code>
+								</div>
+							)}
 						</div>
 					)}
 					<div className="flex items-center gap-2">
diff --git a/src/api/providers.rs b/src/api/providers.rs
index a751d9981..c586a1232 100644
--- a/src/api/providers.rs
+++ b/src/api/providers.rs
@@ -1,13 +1,38 @@
 use super::state::ApiState;
 
+use anyhow::Context as _;
 use axum::Json;
-use axum::extract::State;
+use axum::extract::{Query, State};
 use axum::http::StatusCode;
+use axum::response::Html;
+use reqwest::Url;
 use rig::agent::AgentBuilder;
 use rig::completion::{CompletionModel as _, Prompt as _};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
-use std::sync::Arc;
+use std::sync::{Arc, LazyLock};
+use tokio::sync::RwLock;
+
+const OPENAI_BROWSER_OAUTH_SESSION_TTL_SECS: i64 = 15 * 60;
+
+static OPENAI_BROWSER_OAUTH_SESSIONS: LazyLock<RwLock<HashMap<String, BrowserOAuthSession>>> =
+    LazyLock::new(|| RwLock::new(HashMap::new()));
+
+#[derive(Clone, Debug)]
+struct BrowserOAuthSession {
+    pkce_verifier: String,
+    redirect_uri: String,
+    model: String,
+    created_at: i64,
+    status: BrowserOAuthSessionStatus,
+}
+
+#[derive(Clone, Debug)]
+enum BrowserOAuthSessionStatus {
+    Pending,
+    Completed(String),
+    Failed(String),
+}
 
 #[derive(Serialize)]
 pub(super) struct ProviderStatus {
@@ -84,6 +109,41 @@ pub(super) struct OpenAiOAuthCompleteRequest {
     model: String,
 }
 
+#[derive(Deserialize)]
+pub(super) struct OpenAiOAuthBrowserStartRequest {
+    redirect_uri: String,
+    model: String,
+}
+
+#[derive(Serialize)]
+pub(super) struct OpenAiOAuthBrowserStartResponse {
+    success: bool,
+    message: String,
+    authorization_url: Option<String>,
+    state: Option<String>,
+}
+
+#[derive(Deserialize)]
+pub(super) struct OpenAiOAuthBrowserStatusRequest {
+    state: String,
+}
+
+#[derive(Serialize)]
+pub(super) struct OpenAiOAuthBrowserStatusResponse {
+    found: bool,
+    done: bool,
+    success: bool,
+    message: Option<String>,
+}
+
+#[derive(Deserialize)]
+pub(super) struct OpenAiOAuthBrowserCallbackQuery {
+    code: Option<String>,
+    state: Option<String>,
+    error: Option<String>,
+    error_description: Option<String>,
+}
+
 fn provider_toml_key(provider: &str) -> Option<&'static str> {
     match provider {
         "anthropic" => Some("anthropic_key"),
@@ -296,6 +356,65 @@ fn apply_model_routing(doc: &mut toml_edit::DocumentMut, model: &str) {
     }
 }
 
+async fn prune_expired_browser_oauth_sessions() {
+    let cutoff = chrono::Utc::now().timestamp() - OPENAI_BROWSER_OAUTH_SESSION_TTL_SECS;
+    let mut sessions = OPENAI_BROWSER_OAUTH_SESSIONS.write().await;
+    sessions.retain(|_, session| session.created_at >= cutoff);
+}
+
+fn browser_oauth_success_html() -> String {
+    r#"<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Spacebot OpenAI Sign-in</title>
+    <style>
+      body { font-family: system-ui, -apple-system, sans-serif; margin: 0; background: #0f1115; color: #ecf0f1; display: grid; place-items: center; min-height: 100vh; }
+      .card { max-width: 520px; padding: 28px; border: 1px solid #2b313a; border-radius: 12px; background: #161a21; text-align: center; }
+      h1 { margin: 0 0 12px 0; font-size: 22px; }
+      p { margin: 0; color: #b2bcc8; line-height: 1.45; }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Sign-in complete</h1>
+      <p>You can close this window and return to Spacebot settings.</p>
+    </div>
+    <script>setTimeout(() => window.close(), 1800);</script>
+  </body>
+</html>"#
+        .to_string()
+}
+
+fn browser_oauth_error_html(message: &str) -> String {
+    let escaped = message
+        .replace('&', "&amp;")
+        .replace('<', "&lt;")
+        .replace('>', "&gt;");
+    format!(
+        r#"<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Spacebot OpenAI Sign-in</title>
+    <style>
+      body {{ font-family: system-ui, -apple-system, sans-serif; margin: 0; background: #0f1115; color: #ecf0f1; display: grid; place-items: center; min-height: 100vh; }}
+      .card {{ max-width: 560px; padding: 28px; border: 1px solid #4a2d31; border-radius: 12px; background: #1f1416; }}
+      h1 {{ margin: 0 0 12px 0; font-size: 22px; color: #ff7878; }}
+      p {{ margin: 0; color: #e6b9b9; line-height: 1.45; white-space: pre-wrap; word-break: break-word; }}
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Sign-in failed</h1>
+      <p>{}</p>
+    </div>
+  </body>
+</html>"#,
+        escaped
+    )
+}
+
 pub(super) async fn get_providers(
     State(state): State<Arc<ApiState>>,
 ) -> Result<Json<ProvidersResponse>, StatusCode> {
@@ -547,6 +666,266 @@ pub(super) async fn complete_openai_oauth(
     }))
 }
 
+pub(super) async fn start_openai_browser_oauth(
+    Json(request): Json<OpenAiOAuthBrowserStartRequest>,
+) -> Result<Json<OpenAiOAuthBrowserStartResponse>, StatusCode> {
+    if request.model.trim().is_empty() {
+        return Ok(Json(OpenAiOAuthBrowserStartResponse {
+            success: false,
+            message: "Model cannot be empty".to_string(),
+            authorization_url: None,
+            state: None,
+        }));
+    }
+    if !model_matches_provider("openai", &request.model) {
+        return Ok(Json(OpenAiOAuthBrowserStartResponse {
+            success: false,
+            message: format!(
+                "Model '{}' does not match provider 'openai'.",
+                request.model
+            ),
+            authorization_url: None,
+            state: None,
+        }));
+    }
+
+    let redirect_uri = request.redirect_uri.trim();
+    let parsed_redirect = match Url::parse(redirect_uri) {
+        Ok(parsed) => parsed,
+        Err(error) => {
+            return Ok(Json(OpenAiOAuthBrowserStartResponse {
+                success: false,
+                message: format!("Invalid redirect URI: {error}"),
+                authorization_url: None,
+                state: None,
+            }));
+        }
+    };
+    if parsed_redirect.scheme() != "https" && parsed_redirect.scheme() != "http" {
+        return Ok(Json(OpenAiOAuthBrowserStartResponse {
+            success: false,
+            message: "Redirect URI must use http or https".to_string(),
+            authorization_url: None,
+            state: None,
+        }));
+    }
+
+    prune_expired_browser_oauth_sessions().await;
+    let browser_authorization = crate::openai_auth::start_browser_authorization(redirect_uri);
+    let state_key = browser_authorization.state.clone();
+
+    OPENAI_BROWSER_OAUTH_SESSIONS.write().await.insert(
+        state_key.clone(),
+        BrowserOAuthSession {
+            pkce_verifier: browser_authorization.pkce_verifier,
+            redirect_uri: redirect_uri.to_string(),
+            model: request.model.trim().to_string(),
+            created_at: chrono::Utc::now().timestamp(),
+            status: BrowserOAuthSessionStatus::Pending,
+        },
+    );
+
+    Ok(Json(OpenAiOAuthBrowserStartResponse {
+        success: true,
+        message: "OpenAI browser OAuth started".to_string(),
+        authorization_url: Some(browser_authorization.authorization_url),
+        state: Some(state_key),
+    }))
+}
+
+pub(super) async fn openai_browser_oauth_status(
+    Query(request): Query<OpenAiOAuthBrowserStatusRequest>,
+) -> Result<Json<OpenAiOAuthBrowserStatusResponse>, StatusCode> {
+    prune_expired_browser_oauth_sessions().await;
+    if request.state.trim().is_empty() {
+        return Ok(Json(OpenAiOAuthBrowserStatusResponse {
+            found: false,
+            done: false,
+            success: false,
+            message: Some("Missing OAuth state".to_string()),
+        }));
+    }
+
+    let sessions = OPENAI_BROWSER_OAUTH_SESSIONS.read().await;
+    let Some(session) = sessions.get(request.state.trim()) else {
+        return Ok(Json(OpenAiOAuthBrowserStatusResponse {
+            found: false,
+            done: false,
+            success: false,
+            message: None,
+        }));
+    };
+
+    let response = match &session.status {
+        BrowserOAuthSessionStatus::Pending => OpenAiOAuthBrowserStatusResponse {
+            found: true,
+            done: false,
+            success: false,
+            message: None,
+        },
+        BrowserOAuthSessionStatus::Completed(message) => OpenAiOAuthBrowserStatusResponse {
+            found: true,
+            done: true,
+            success: true,
+            message: Some(message.clone()),
+        },
+        BrowserOAuthSessionStatus::Failed(message) => OpenAiOAuthBrowserStatusResponse {
+            found: true,
+            done: true,
+            success: false,
+            message: Some(message.clone()),
+        },
+    };
+    Ok(Json(response))
+}
+
+pub(super) async fn openai_browser_oauth_callback(
+    State(state): State<Arc<ApiState>>,
+    Query(query): Query<OpenAiOAuthBrowserCallbackQuery>,
+) -> Html<String> {
+    prune_expired_browser_oauth_sessions().await;
+
+    let Some(state_key) = query
+        .state
+        .as_deref()
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+        .map(str::to_string)
+    else {
+        return Html(browser_oauth_error_html("Missing OAuth state."));
+    };
+
+    if let Some(error_code) = query.error.as_deref() {
+        let mut message = format!("OpenAI returned OAuth error: {}", error_code);
+        if let Some(description) = query.error_description.as_deref() {
+            message.push_str(&format!(" ({})", description));
+        }
+        if let Some(session) = OPENAI_BROWSER_OAUTH_SESSIONS
+            .write()
+            .await
+            .get_mut(&state_key)
+        {
+            session.status = BrowserOAuthSessionStatus::Failed(message.clone());
+        }
+        return Html(browser_oauth_error_html(&message));
+    }
+
+    let Some(code) = query
+        .code
+        .as_deref()
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+    else {
+        let message = "OpenAI callback did not include an authorization code.";
+        if let Some(session) = OPENAI_BROWSER_OAUTH_SESSIONS
+            .write()
+            .await
+            .get_mut(&state_key)
+        {
+            session.status = BrowserOAuthSessionStatus::Failed(message.to_string());
+        }
+        return Html(browser_oauth_error_html(message));
+    };
+
+    let (pkce_verifier, redirect_uri, model) = {
+        let sessions = OPENAI_BROWSER_OAUTH_SESSIONS.read().await;
+        let Some(session) = sessions.get(&state_key) else {
+            return Html(browser_oauth_error_html(
+                "OAuth session expired or was not found. Start sign-in again.",
+            ));
+        };
+        (
+            session.pkce_verifier.clone(),
+            session.redirect_uri.clone(),
+            session.model.clone(),
+        )
+    };
+
+    let credentials = match crate::openai_auth::exchange_browser_code(
+        code,
+        &redirect_uri,
+        &pkce_verifier,
+    )
+    .await
+    {
+        Ok(credentials) => credentials,
+        Err(error) => {
+            let message = format!("Failed to exchange OpenAI authorization code: {error}");
+            if let Some(session) = OPENAI_BROWSER_OAUTH_SESSIONS
+                .write()
+                .await
+                .get_mut(&state_key)
+            {
+                session.status = BrowserOAuthSessionStatus::Failed(message.clone());
+            }
+            return Html(browser_oauth_error_html(&message));
+        }
+    };
+
+    let persist_result = async {
+        let instance_dir = (**state.instance_dir.load()).clone();
+        crate::openai_auth::save_credentials(&instance_dir, &credentials)
+            .context("failed to save OpenAI OAuth credentials")?;
+
+        if let Some(llm_manager) = state.llm_manager.read().await.as_ref() {
+            llm_manager
+                .set_openai_oauth_credentials(credentials.clone())
+                .await;
+        }
+
+        let config_path = state.config_path.read().await.clone();
+        let content = if config_path.exists() {
+            tokio::fs::read_to_string(&config_path)
+                .await
+                .context("failed to read config.toml")?
+        } else {
+            String::new()
+        };
+
+        let mut doc: toml_edit::DocumentMut =
+            content.parse().context("failed to parse config.toml")?;
+        apply_model_routing(&mut doc, &model);
+        tokio::fs::write(&config_path, doc.to_string())
+            .await
+            .context("failed to write config.toml")?;
+
+        state
+            .provider_setup_tx
+            .try_send(crate::ProviderSetupEvent::ProvidersConfigured)
+            .ok();
+
+        anyhow::Ok(())
+    }
+    .await;
+
+    match persist_result {
+        Ok(()) => {
+            if let Some(session) = OPENAI_BROWSER_OAUTH_SESSIONS
+                .write()
+                .await
+                .get_mut(&state_key)
+            {
+                session.status = BrowserOAuthSessionStatus::Completed(format!(
+                    "OpenAI configured via browser OAuth. Model '{}' applied to defaults and default agent routing.",
+                    model
+                ));
+            }
+            Html(browser_oauth_success_html())
+        }
+        Err(error) => {
+            let message = format!("OAuth sign-in completed but finalization failed: {error}");
+            if let Some(session) = OPENAI_BROWSER_OAUTH_SESSIONS
+                .write()
+                .await
+                .get_mut(&state_key)
+            {
+                session.status = BrowserOAuthSessionStatus::Failed(message.clone());
+            }
+            Html(browser_oauth_error_html(&message))
+        }
+    }
+}
+
 pub(super) async fn update_provider(
     State(state): State<Arc<ApiState>>,
     Json(request): Json<ProviderUpdateRequest>,
diff --git a/src/api/server.rs b/src/api/server.rs
index 65d41233a..72dc8b1e7 100644
--- a/src/api/server.rs
+++ b/src/api/server.rs
@@ -131,6 +131,18 @@ pub async fn start_http_server(
             "/providers/openai/oauth/complete",
             post(providers::complete_openai_oauth),
         )
+        .route(
+            "/providers/openai/oauth/browser/start",
+            post(providers::start_openai_browser_oauth),
+        )
+        .route(
+            "/providers/openai/oauth/browser/status",
+            get(providers::openai_browser_oauth_status),
+        )
+        .route(
+            "/providers/openai/oauth/browser/callback",
+            get(providers::openai_browser_oauth_callback),
+        )
         .route("/providers/test", post(providers::test_provider_model))
         .route("/providers/{provider}", delete(providers::delete_provider))
         .route("/models", get(models::get_models))
@@ -204,7 +216,10 @@ async fn api_auth_middleware(
     };
 
     let path = request.uri().path();
-    if path == "/api/health" || path == "/health" {
+    if path == "/api/health"
+        || path == "/health"
+        || path.ends_with("/api/providers/openai/oauth/browser/callback")
+    {
         return next.run(request).await;
     }
 
diff --git a/src/openai_auth.rs b/src/openai_auth.rs
index e79cee873..510a75779 100644
--- a/src/openai_auth.rs
+++ b/src/openai_auth.rs
@@ -3,17 +3,21 @@
 use anyhow::{Context as _, Result};
 use base64::Engine as _;
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use rand::RngCore as _;
 use reqwest::StatusCode;
 use serde::{Deserialize, Serialize};
+use sha2::{Digest as _, Sha256};
 use std::path::{Path, PathBuf};
 use std::time::Duration;
 
 const CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL: &str = "https://auth.openai.com/oauth/authorize";
 const DEVICE_CODE_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/usercode";
 const DEVICE_TOKEN_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/token";
 const OAUTH_TOKEN_URL: &str = "https://auth.openai.com/oauth/token";
 const DEVICE_REDIRECT_URI: &str = "https://auth.openai.com/deviceauth/callback";
 const AUTHORIZATION_URL: &str = "https://auth.openai.com/codex/device";
+const BROWSER_SCOPES: &str = "openid profile email offline_access";
 const POLLING_SAFETY_MARGIN_MS: u64 = 3000;
 const DEVICE_FLOW_TIMEOUT_SECS: u64 = 5 * 60;
 
@@ -126,6 +130,48 @@ pub struct DeviceAuthorization {
     pub authorization_url: String,
 }
 
+/// Data needed to complete OpenAI browser OAuth.
+#[derive(Debug, Clone, Serialize)]
+pub struct BrowserAuthorization {
+    pub authorization_url: String,
+    pub state: String,
+    pub pkce_verifier: String,
+}
+
+fn generate_random_urlsafe_string(bytes_len: usize) -> String {
+    let mut bytes = vec![0u8; bytes_len];
+    rand::rng().fill_bytes(&mut bytes);
+    URL_SAFE_NO_PAD.encode(bytes)
+}
+
+fn generate_pkce() -> (String, String) {
+    let verifier = generate_random_urlsafe_string(64);
+    let challenge = URL_SAFE_NO_PAD.encode(Sha256::digest(verifier.as_bytes()));
+    (verifier, challenge)
+}
+
+/// Build a browser-based OAuth authorization URL using PKCE.
+pub fn start_browser_authorization(redirect_uri: &str) -> BrowserAuthorization {
+    let (pkce_verifier, pkce_challenge) = generate_pkce();
+    let state = generate_random_urlsafe_string(32);
+
+    let authorization_url = format!(
+        "{authorize}?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope={scope}&code_challenge={challenge}&code_challenge_method=S256&id_token_add_organizations=true&codex_cli_simplified_flow=true&originator=spacebot&state={state}",
+        authorize = AUTHORIZE_URL,
+        client_id = urlencoding::encode(CLIENT_ID),
+        redirect_uri = urlencoding::encode(redirect_uri),
+        scope = urlencoding::encode(BROWSER_SCOPES),
+        challenge = urlencoding::encode(&pkce_challenge),
+        state = urlencoding::encode(&state),
+    );
+
+    BrowserAuthorization {
+        authorization_url,
+        state,
+        pkce_verifier,
+    }
+}
+
 fn parse_jwt_claims(token: &str) -> Option<TokenClaims> {
     let mut parts = token.split('.');
     let _header = parts.next()?;
@@ -303,6 +349,57 @@ pub async fn complete_device_authorization(
     })
 }
 
+/// Exchange an OAuth authorization code from browser flow for tokens.
+pub async fn exchange_browser_code(
+    code: &str,
+    redirect_uri: &str,
+    pkce_verifier: &str,
+) -> Result<OAuthCredentials> {
+    let client = reqwest::Client::new();
+    let response = client
+        .post(OAUTH_TOKEN_URL)
+        .header("Content-Type", "application/x-www-form-urlencoded")
+        .form(&[
+            ("grant_type", "authorization_code"),
+            ("code", code),
+            ("redirect_uri", redirect_uri),
+            ("client_id", CLIENT_ID),
+            ("code_verifier", pkce_verifier),
+        ])
+        .send()
+        .await
+        .context("failed to exchange OpenAI browser authorization code for tokens")?;
+
+    let status = response.status();
+    let body = response
+        .text()
+        .await
+        .context("failed to read OpenAI browser token exchange response")?;
+
+    if !status.is_success() {
+        anyhow::bail!(
+            "OpenAI browser token exchange failed ({}): {}",
+            status,
+            body
+        );
+    }
+
+    let token_response: TokenResponse = serde_json::from_str(&body)
+        .context("failed to parse OpenAI browser token exchange response")?;
+    let account_id = extract_account_id(&token_response);
+    let refresh_token = token_response
+        .refresh_token
+        .context("OpenAI browser token response did not include refresh_token")?;
+
+    Ok(OAuthCredentials {
+        access_token: token_response.access_token,
+        refresh_token,
+        expires_at: chrono::Utc::now().timestamp_millis()
+            + token_response.expires_in.unwrap_or(3600) * 1000,
+        account_id,
+    })
+}
+
 /// Path to OpenAI OAuth credentials within the instance directory.
 pub fn credentials_path(instance_dir: &Path) -> PathBuf {
     instance_dir.join("openai_chatgpt_oauth.json")

From a59220411786f5ba24f3d6227277fe2bcc930b8b Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Mon, 23 Feb 2026 00:23:23 +0100
Subject: [PATCH 3/9] Fix ChatGPT Plus browser OAuth callback flow and UI label

---
 interface/src/api/client.ts       |  3 +-
 interface/src/routes/Settings.tsx |  6 +--
 src/api/providers.rs              | 76 +++++++++++++++++++++++--------
 src/api/server.rs                 |  9 +---
 src/openai_auth.rs                |  2 +-
 5 files changed, 63 insertions(+), 33 deletions(-)

diff --git a/interface/src/api/client.ts b/interface/src/api/client.ts
index be7f09710..f79c89559 100644
--- a/interface/src/api/client.ts
+++ b/interface/src/api/client.ts
@@ -1206,12 +1206,11 @@ export const api = {
 		}
 		return response.json() as Promise<ProviderActionResponse>;
 	},
-	startOpenAiOAuthBrowser: async (params: {redirectUri: string; model: string}) => {
+	startOpenAiOAuthBrowser: async (params: {model: string}) => {
 		const response = await fetch(`${API_BASE}/providers/openai/oauth/browser/start`, {
 			method: "POST",
 			headers: { "Content-Type": "application/json" },
 			body: JSON.stringify({
-				redirect_uri: params.redirectUri,
 				model: params.model,
 			}),
 		});
diff --git a/interface/src/routes/Settings.tsx b/interface/src/routes/Settings.tsx
index a2c2d8f59..d2dec17fb 100644
--- a/interface/src/routes/Settings.tsx
+++ b/interface/src/routes/Settings.tsx
@@ -449,9 +449,7 @@ export function Settings() {
 
 		setMessage(null);
 		try {
-			const redirectUri = `${window.location.origin}${BASE_PATH}/api/providers/openai/oauth/browser/callback`;
 			const result = await startOpenAiBrowserOAuthMutation.mutateAsync({
-				redirectUri,
 				model: modelInput.trim(),
 			});
 			if (!result.success || !result.authorization_url || !result.state) {
@@ -684,7 +682,7 @@ export function Settings() {
 									variant="outline"
 									size="sm"
 								>
-									Sign in with browser
+									Sign in with ChatGPT Plus
 								</Button>
 								<Button
 									onClick={handleStartOpenAiOAuth}
@@ -693,7 +691,7 @@ export function Settings() {
 									variant="outline"
 									size="sm"
 								>
-									Sign in with ChatGPT Plus
+									Use device code flow
 								</Button>
 								<Button
 									onClick={handleCompleteOpenAiOAuth}
diff --git a/src/api/providers.rs b/src/api/providers.rs
index c586a1232..40b3b379b 100644
--- a/src/api/providers.rs
+++ b/src/api/providers.rs
@@ -4,8 +4,8 @@ use anyhow::Context as _;
 use axum::Json;
 use axum::extract::{Query, State};
 use axum::http::StatusCode;
+use axum::routing::get;
 use axum::response::Html;
-use reqwest::Url;
 use rig::agent::AgentBuilder;
 use rig::completion::{CompletionModel as _, Prompt as _};
 use serde::{Deserialize, Serialize};
@@ -14,9 +14,14 @@ use std::sync::{Arc, LazyLock};
 use tokio::sync::RwLock;
 
 const OPENAI_BROWSER_OAUTH_SESSION_TTL_SECS: i64 = 15 * 60;
+const OPENAI_BROWSER_OAUTH_CALLBACK_BIND: &str = "127.0.0.1:1455";
+const OPENAI_BROWSER_OAUTH_REDIRECT_URI: &str = "http://localhost:1455/auth/callback";
 
 static OPENAI_BROWSER_OAUTH_SESSIONS: LazyLock<RwLock<HashMap<String, BrowserOAuthSession>>> =
     LazyLock::new(|| RwLock::new(HashMap::new()));
+static OPENAI_BROWSER_OAUTH_CALLBACK_SERVER: LazyLock<
+    RwLock<Option<BrowserOAuthCallbackServer>>,
+> = LazyLock::new(|| RwLock::new(None));
 
 #[derive(Clone, Debug)]
 struct BrowserOAuthSession {
@@ -34,6 +39,10 @@ enum BrowserOAuthSessionStatus {
     Failed(String),
 }
 
+struct BrowserOAuthCallbackServer {
+    join_handle: tokio::task::JoinHandle<()>,
+}
+
 #[derive(Serialize)]
 pub(super) struct ProviderStatus {
     anthropic: bool,
@@ -111,7 +120,6 @@ pub(super) struct OpenAiOAuthCompleteRequest {
 
 #[derive(Deserialize)]
 pub(super) struct OpenAiOAuthBrowserStartRequest {
-    redirect_uri: String,
     model: String,
 }
 
@@ -362,6 +370,45 @@ async fn prune_expired_browser_oauth_sessions() {
     sessions.retain(|_, session| session.created_at >= cutoff);
 }
 
+async fn ensure_openai_browser_oauth_callback_server(state: Arc<ApiState>) -> anyhow::Result<()> {
+    let mut callback_server = OPENAI_BROWSER_OAUTH_CALLBACK_SERVER.write().await;
+    if let Some(existing) = callback_server.as_ref() {
+        if existing.join_handle.is_finished() {
+            *callback_server = None;
+        } else {
+            return Ok(());
+        }
+    }
+
+    let listener = tokio::net::TcpListener::bind(OPENAI_BROWSER_OAUTH_CALLBACK_BIND)
+        .await
+        .with_context(|| {
+            format!(
+                "failed to bind local OAuth callback listener on {}",
+                OPENAI_BROWSER_OAUTH_CALLBACK_BIND
+            )
+        })?;
+
+    let app = axum::Router::new()
+        .route("/auth/callback", get(openai_browser_oauth_callback))
+        .with_state(state);
+
+    let bind = OPENAI_BROWSER_OAUTH_CALLBACK_BIND.to_string();
+    let join_handle = tokio::spawn(async move {
+        tracing::info!(bind = %bind, "OpenAI browser OAuth callback listener started");
+        if let Err(error) = axum::serve(listener, app).await {
+            tracing::error!(
+                %error,
+                bind = %bind,
+                "OpenAI browser OAuth callback listener stopped"
+            );
+        }
+    });
+
+    *callback_server = Some(BrowserOAuthCallbackServer { join_handle });
+    Ok(())
+}
+
 fn browser_oauth_success_html() -> String {
     r#"<!doctype html>
 <html>
@@ -667,6 +714,7 @@ pub(super) async fn complete_openai_oauth(
 }
 
 pub(super) async fn start_openai_browser_oauth(
+    State(state): State<Arc<ApiState>>,
     Json(request): Json<OpenAiOAuthBrowserStartRequest>,
 ) -> Result<Json<OpenAiOAuthBrowserStartResponse>, StatusCode> {
     if request.model.trim().is_empty() {
@@ -689,36 +737,28 @@ pub(super) async fn start_openai_browser_oauth(
         }));
     }
 
-    let redirect_uri = request.redirect_uri.trim();
-    let parsed_redirect = match Url::parse(redirect_uri) {
-        Ok(parsed) => parsed,
-        Err(error) => {
-            return Ok(Json(OpenAiOAuthBrowserStartResponse {
-                success: false,
-                message: format!("Invalid redirect URI: {error}"),
-                authorization_url: None,
-                state: None,
-            }));
-        }
-    };
-    if parsed_redirect.scheme() != "https" && parsed_redirect.scheme() != "http" {
+    if let Err(error) = ensure_openai_browser_oauth_callback_server(state.clone()).await {
         return Ok(Json(OpenAiOAuthBrowserStartResponse {
             success: false,
-            message: "Redirect URI must use http or https".to_string(),
+            message: format!(
+                "Failed to start local OAuth callback listener on {}: {}",
+                OPENAI_BROWSER_OAUTH_CALLBACK_BIND, error
+            ),
             authorization_url: None,
             state: None,
         }));
     }
 
     prune_expired_browser_oauth_sessions().await;
-    let browser_authorization = crate::openai_auth::start_browser_authorization(redirect_uri);
+    let browser_authorization =
+        crate::openai_auth::start_browser_authorization(OPENAI_BROWSER_OAUTH_REDIRECT_URI);
     let state_key = browser_authorization.state.clone();
 
     OPENAI_BROWSER_OAUTH_SESSIONS.write().await.insert(
         state_key.clone(),
         BrowserOAuthSession {
             pkce_verifier: browser_authorization.pkce_verifier,
-            redirect_uri: redirect_uri.to_string(),
+            redirect_uri: OPENAI_BROWSER_OAUTH_REDIRECT_URI.to_string(),
             model: request.model.trim().to_string(),
             created_at: chrono::Utc::now().timestamp(),
             status: BrowserOAuthSessionStatus::Pending,
diff --git a/src/api/server.rs b/src/api/server.rs
index 72dc8b1e7..a92196028 100644
--- a/src/api/server.rs
+++ b/src/api/server.rs
@@ -139,10 +139,6 @@ pub async fn start_http_server(
             "/providers/openai/oauth/browser/status",
             get(providers::openai_browser_oauth_status),
         )
-        .route(
-            "/providers/openai/oauth/browser/callback",
-            get(providers::openai_browser_oauth_callback),
-        )
         .route("/providers/test", post(providers::test_provider_model))
         .route("/providers/{provider}", delete(providers::delete_provider))
         .route("/models", get(models::get_models))
@@ -216,10 +212,7 @@ async fn api_auth_middleware(
     };
 
     let path = request.uri().path();
-    if path == "/api/health"
-        || path == "/health"
-        || path.ends_with("/api/providers/openai/oauth/browser/callback")
-    {
+    if path == "/api/health" || path == "/health" {
         return next.run(request).await;
     }
 
diff --git a/src/openai_auth.rs b/src/openai_auth.rs
index 510a75779..6c66c6553 100644
--- a/src/openai_auth.rs
+++ b/src/openai_auth.rs
@@ -156,7 +156,7 @@ pub fn start_browser_authorization(redirect_uri: &str) -> BrowserAuthorization {
     let state = generate_random_urlsafe_string(32);
 
     let authorization_url = format!(
-        "{authorize}?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope={scope}&code_challenge={challenge}&code_challenge_method=S256&id_token_add_organizations=true&codex_cli_simplified_flow=true&originator=spacebot&state={state}",
+        "{authorize}?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope={scope}&code_challenge={challenge}&code_challenge_method=S256&id_token_add_organizations=true&codex_cli_simplified_flow=true&originator=opencode&state={state}",
         authorize = AUTHORIZE_URL,
         client_id = urlencoding::encode(CLIENT_ID),
         redirect_uri = urlencoding::encode(redirect_uri),

From 877c965baf16df3da35e4f6475ab8cc563a0bc10 Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Mon, 23 Feb 2026 01:09:48 +0100
Subject: [PATCH 4/9] Split OpenAI API-key vs ChatGPT OAuth provider routing

---
 interface/src/components/ModelSelect.tsx |  2 +
 src/api/models.rs                        | 90 +++++++++++++++++-------
 src/api/providers.rs                     | 32 ++++++---
 src/llm/manager.rs                       | 25 ++++---
 src/llm/model.rs                         |  9 ++-
 src/llm/routing.rs                       | 17 +++++
 6 files changed, 130 insertions(+), 45 deletions(-)

diff --git a/interface/src/components/ModelSelect.tsx b/interface/src/components/ModelSelect.tsx
index c4841b861..8abab4391 100644
--- a/interface/src/components/ModelSelect.tsx
+++ b/interface/src/components/ModelSelect.tsx
@@ -16,6 +16,7 @@ const PROVIDER_LABELS: Record<string, string> = {
   anthropic: "Anthropic",
   openrouter: "OpenRouter",
   openai: "OpenAI",
+  "openai-chatgpt": "ChatGPT Plus (OAuth)",
   deepseek: "DeepSeek",
   xai: "xAI",
   mistral: "Mistral",
@@ -129,6 +130,7 @@ export function ModelSelect({
     "openrouter",
     "anthropic",
     "openai",
+    "openai-chatgpt",
     "ollama",
     "deepseek",
     "xai",
diff --git a/src/api/models.rs b/src/api/models.rs
index df85d8185..35e108689 100644
--- a/src/api/models.rs
+++ b/src/api/models.rs
@@ -121,6 +121,23 @@ fn is_known_voice_transcription_model(model_id: &str) -> bool {
     KNOWN_VOICE_TRANSCRIPTION_MODELS.contains(&model_id)
 }
 
+fn as_openai_chatgpt_model(model: &ModelInfo) -> Option<ModelInfo> {
+    if model.provider != "openai" {
+        return None;
+    }
+
+    let model_name = model.id.strip_prefix("openai/")?;
+    Some(ModelInfo {
+        id: format!("openai-chatgpt/{model_name}"),
+        name: model.name.clone(),
+        provider: "openai-chatgpt".into(),
+        context_window: model.context_window,
+        tool_call: model.tool_call,
+        reasoning: model.reasoning,
+        input_audio: model.input_audio,
+    })
+}
+
 /// Models from providers not in models.dev (private/custom endpoints).
 fn extra_models() -> Vec<ModelInfo> {
     vec![
@@ -355,17 +372,14 @@ async fn ensure_models_cache() -> Vec<ModelInfo> {
 pub(super) async fn configured_providers(config_path: &std::path::Path) -> Vec<&'static str> {
     let mut providers = Vec::new();
 
-    let content = match tokio::fs::read_to_string(config_path).await {
-        Ok(c) => c,
-        Err(_) => return providers,
-    };
-    let doc: toml_edit::DocumentMut = match content.parse() {
-        Ok(d) => d,
-        Err(_) => return providers,
-    };
+    let document = tokio::fs::read_to_string(config_path)
+        .await
+        .ok()
+        .and_then(|content| content.parse::<toml_edit::DocumentMut>().ok());
 
-    let has_key = |key: &str, env_var: &str| -> bool {
-        if let Some(llm) = doc.get("llm")
+    let has_key = |key: &str, env_var: &str| {
+        if let Some(doc) = document.as_ref()
+            && let Some(llm) = doc.get("llm")
             && let Some(val) = llm.get(key)
             && let Some(s) = val.as_str()
         {
@@ -383,6 +397,12 @@ pub(super) async fn configured_providers(config_path: &std::path::Path) -> Vec<&
     if has_key("openai_key", "OPENAI_API_KEY") {
         providers.push("openai");
     }
+    if config_path
+        .parent()
+        .is_some_and(|instance_dir| crate::openai_auth::credentials_path(instance_dir).exists())
+    {
+        providers.push("openai-chatgpt");
+    }
     if has_key("openrouter_key", "OPENROUTER_API_KEY") {
         providers.push("openrouter");
     }
@@ -440,6 +460,11 @@ pub(super) async fn get_models(
         .as_deref()
         .map(str::trim)
         .filter(|provider| !provider.is_empty());
+    let requested_provider_for_catalog = if requested_provider == Some("openai-chatgpt") {
+        Some("openai")
+    } else {
+        requested_provider
+    };
     let requested_capability = query
         .capability
         .as_deref()
@@ -447,11 +472,24 @@ pub(super) async fn get_models(
         .filter(|capability| !capability.is_empty());
 
     let catalog = ensure_models_cache().await;
+    let capability_matches = |model: &ModelInfo| {
+        if let Some(capability) = requested_capability {
+            match capability {
+                "input_audio" => model.input_audio,
+                "voice_transcription" => {
+                    model.input_audio && is_known_voice_transcription_model(&model.id)
+                }
+                _ => true,
+            }
+        } else {
+            true
+        }
+    };
 
     let mut models: Vec<ModelInfo> = catalog
-        .into_iter()
+        .iter()
         .filter(|model| {
-            let provider_match = if let Some(provider) = requested_provider {
+            let provider_match = if let Some(provider) = requested_provider_for_catalog {
                 model.provider == provider
             } else {
                 configured.contains(&model.provider.as_str())
@@ -459,21 +497,25 @@ pub(super) async fn get_models(
             if !provider_match {
                 return false;
             }
-
-            if let Some(capability) = requested_capability {
-                return match capability {
-                    "input_audio" => model.input_audio,
-                    "voice_transcription" => {
-                        model.input_audio && is_known_voice_transcription_model(&model.id)
-                    }
-                    _ => true,
-                };
-            }
-
-            true
+            capability_matches(model)
         })
+        .cloned()
         .collect();
 
+    if requested_provider == Some("openai-chatgpt") {
+        models = models
+            .into_iter()
+            .filter_map(|model| as_openai_chatgpt_model(&model))
+            .collect();
+    } else if requested_provider.is_none() && configured.contains(&"openai-chatgpt") {
+        let chatgpt_models: Vec<ModelInfo> = catalog
+            .iter()
+            .filter(|model| model.provider == "openai" && capability_matches(model))
+            .filter_map(as_openai_chatgpt_model)
+            .collect();
+        models.extend(chatgpt_models);
+    }
+
     for model in extra_models() {
         if let Some(capability) = requested_capability {
             if capability == "input_audio" && !model.input_audio {
diff --git a/src/api/providers.rs b/src/api/providers.rs
index 40b3b379b..f21b463a0 100644
--- a/src/api/providers.rs
+++ b/src/api/providers.rs
@@ -180,6 +180,20 @@ fn model_matches_provider(provider: &str, model: &str) -> bool {
     crate::llm::routing::provider_from_model(model) == provider
 }
 
+fn normalize_openai_chatgpt_model(model: &str) -> Option<String> {
+    let trimmed = model.trim();
+    let (provider, model_name) = trimmed.split_once('/')?;
+    if model_name.is_empty() {
+        return None;
+    }
+
+    match provider {
+        "openai" => Some(format!("openai-chatgpt/{model_name}")),
+        "openai-chatgpt" => Some(trimmed.to_string()),
+        _ => None,
+    }
+}
+
 fn build_test_llm_config(provider: &str, credential: &str) -> crate::config::LlmConfig {
     use crate::config::{ApiType, ProviderConfig};
 
@@ -641,15 +655,15 @@ pub(super) async fn complete_openai_oauth(
         }));
     }
 
-    if !model_matches_provider("openai", &request.model) {
+    let Some(chatgpt_model) = normalize_openai_chatgpt_model(&request.model) else {
         return Ok(Json(ProviderUpdateResponse {
             success: false,
             message: format!(
-                "Model '{}' does not match provider 'openai'.",
+                "Model '{}' must use provider 'openai' or 'openai-chatgpt'.",
                 request.model
             ),
         }));
-    }
+    };
 
     let credentials = match crate::openai_auth::complete_device_authorization(
         &request.device_auth_id,
@@ -693,7 +707,7 @@ pub(super) async fn complete_openai_oauth(
     let mut doc: toml_edit::DocumentMut = content
         .parse()
         .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
-    apply_model_routing(&mut doc, request.model.trim());
+    apply_model_routing(&mut doc, &chatgpt_model);
 
     tokio::fs::write(&config_path, doc.to_string())
         .await
@@ -708,7 +722,7 @@ pub(super) async fn complete_openai_oauth(
         success: true,
         message: format!(
             "OpenAI configured via ChatGPT Plus OAuth. Model '{}' applied to defaults and the default agent routing.",
-            request.model.trim()
+            chatgpt_model
         ),
     }))
 }
@@ -725,17 +739,17 @@ pub(super) async fn start_openai_browser_oauth(
             state: None,
         }));
     }
-    if !model_matches_provider("openai", &request.model) {
+    let Some(chatgpt_model) = normalize_openai_chatgpt_model(&request.model) else {
         return Ok(Json(OpenAiOAuthBrowserStartResponse {
             success: false,
             message: format!(
-                "Model '{}' does not match provider 'openai'.",
+                "Model '{}' must use provider 'openai' or 'openai-chatgpt'.",
                 request.model
             ),
             authorization_url: None,
             state: None,
         }));
-    }
+    };
 
     if let Err(error) = ensure_openai_browser_oauth_callback_server(state.clone()).await {
         return Ok(Json(OpenAiOAuthBrowserStartResponse {
@@ -759,7 +773,7 @@ pub(super) async fn start_openai_browser_oauth(
         BrowserOAuthSession {
             pkce_verifier: browser_authorization.pkce_verifier,
             redirect_uri: OPENAI_BROWSER_OAUTH_REDIRECT_URI.to_string(),
-            model: request.model.trim().to_string(),
+            model: chatgpt_model,
             created_at: chrono::Utc::now().timestamp(),
             status: BrowserOAuthSessionStatus::Pending,
         },
diff --git a/src/llm/manager.rs b/src/llm/manager.rs
index b0390b773..5f49b44d7 100644
--- a/src/llm/manager.rs
+++ b/src/llm/manager.rs
@@ -227,24 +227,29 @@ impl LlmManager {
         }
     }
 
-    /// Resolve the OpenAI provider config, preferring OAuth credentials.
+    /// Resolve the OpenAI provider config from static API-key configuration.
+    ///
+    /// OpenAI ChatGPT OAuth is intentionally handled via a separate internal
+    /// provider (`openai-chatgpt`) so a saved OAuth token cannot shadow a
+    /// configured `openai` API key.
     pub async fn get_openai_provider(&self) -> Result<ProviderConfig> {
+        self.get_provider("openai")
+    }
+
+    /// Resolve the OpenAI ChatGPT OAuth provider config.
+    ///
+    /// This internal provider uses OAuth access tokens from ChatGPT Plus/Pro.
+    pub async fn get_openai_chatgpt_provider(&self) -> Result<ProviderConfig> {
         let token = self.get_openai_token().await?;
-        let static_provider = self.get_provider("openai").ok();
 
-        match (static_provider, token) {
-            (Some(mut provider), Some(token)) => {
-                provider.api_key = token;
-                Ok(provider)
-            }
-            (Some(provider), None) => Ok(provider),
-            (None, Some(token)) => Ok(ProviderConfig {
+        match token {
+            Some(token) => Ok(ProviderConfig {
                 api_type: ApiType::OpenAiCompletions,
                 base_url: "https://api.openai.com".to_string(),
                 api_key: token,
                 name: None,
             }),
-            (None, None) => Err(LlmError::UnknownProvider("openai".to_string()).into()),
+            None => Err(LlmError::UnknownProvider("openai-chatgpt".to_string()).into()),
         }
     }
 
diff --git a/src/llm/model.rs b/src/llm/model.rs
index e71bbc6b3..2ce737712 100644
--- a/src/llm/model.rs
+++ b/src/llm/model.rs
@@ -100,6 +100,11 @@ impl SpacebotModel {
                 .get_openai_provider()
                 .await
                 .map_err(|e| CompletionError::ProviderError(e.to_string()))?,
+            "openai-chatgpt" => self
+                .llm_manager
+                .get_openai_chatgpt_provider()
+                .await
+                .map_err(|e| CompletionError::ProviderError(e.to_string()))?,
             _ => self
                 .llm_manager
                 .get_provider(provider_id)
@@ -542,7 +547,7 @@ impl SpacebotModel {
             "{}/v1/chat/completions",
             provider_config.base_url.trim_end_matches('/')
         );
-        let openai_account_id = if self.provider == "openai" {
+        let openai_account_id = if self.provider == "openai-chatgpt" {
             self.llm_manager.get_openai_account_id().await
         } else {
             None
@@ -639,7 +644,7 @@ impl SpacebotModel {
             body["tools"] = serde_json::json!(tools);
         }
 
-        let openai_account_id = if self.provider == "openai" {
+        let openai_account_id = if self.provider == "openai-chatgpt" {
             self.llm_manager.get_openai_account_id().await
         } else {
             None
diff --git a/src/llm/routing.rs b/src/llm/routing.rs
index 2cdbd929a..cae1bb157 100644
--- a/src/llm/routing.rs
+++ b/src/llm/routing.rs
@@ -190,6 +190,22 @@ pub fn defaults_for_provider(provider: &str) -> RoutingConfig {
                 ..RoutingConfig::default()
             }
         }
+        "openai-chatgpt" => {
+            let channel: String = "openai-chatgpt/gpt-4.1".into();
+            let worker: String = "openai-chatgpt/gpt-4.1-mini".into();
+            RoutingConfig {
+                channel: channel.clone(),
+                branch: channel.clone(),
+                worker: worker.clone(),
+                compactor: worker.clone(),
+                cortex: worker.clone(),
+                voice: String::new(),
+                task_overrides: HashMap::from([("coding".into(), channel.clone())]),
+                fallbacks: HashMap::from([(channel, vec![worker])]),
+                rate_limit_cooldown_secs: 60,
+                ..RoutingConfig::default()
+            }
+        }
         "zhipu" => {
             let channel: String = "zhipu/glm-4-plus".into();
             let worker: String = "zhipu/glm-4-flash".into();
@@ -352,6 +368,7 @@ pub fn provider_to_prefix(provider: &str) -> &str {
     match provider {
         "openrouter" => "openrouter/",
         "openai" => "openai/",
+        "openai-chatgpt" => "openai-chatgpt/",
         "anthropic" => "anthropic/",
         "zhipu" => "zhipu/",
         "groq" => "groq/",

From c88b7d609d32f02edeb97892594d1b9fda68c19f Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Mon, 23 Feb 2026 01:49:29 +0100
Subject: [PATCH 5/9] Route openai-chatgpt through Codex Responses endpoint

---
 src/llm/manager.rs |  4 +-
 src/llm/model.rs   | 96 ++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 83 insertions(+), 17 deletions(-)

diff --git a/src/llm/manager.rs b/src/llm/manager.rs
index 5f49b44d7..32fb97412 100644
--- a/src/llm/manager.rs
+++ b/src/llm/manager.rs
@@ -244,8 +244,8 @@ impl LlmManager {
 
         match token {
             Some(token) => Ok(ProviderConfig {
-                api_type: ApiType::OpenAiCompletions,
-                base_url: "https://api.openai.com".to_string(),
+                api_type: ApiType::OpenAiResponses,
+                base_url: "https://chatgpt.com/backend-api/codex".to_string(),
                 api_key: token,
                 name: None,
             }),
diff --git a/src/llm/model.rs b/src/llm/model.rs
index 2ce737712..c2a166dd0 100644
--- a/src/llm/model.rs
+++ b/src/llm/model.rs
@@ -606,7 +606,12 @@ impl SpacebotModel {
         provider_config: &ProviderConfig,
     ) -> Result<completion::CompletionResponse<RawResponse>, CompletionError> {
         let base_url = provider_config.base_url.trim_end_matches('/');
-        let responses_url = format!("{base_url}/v1/responses");
+        let is_chatgpt_codex = self.provider == "openai-chatgpt";
+        let responses_url = if is_chatgpt_codex {
+            format!("{base_url}/responses")
+        } else {
+            format!("{base_url}/v1/responses")
+        };
         let api_key = provider_config.api_key.as_str();
 
         let input = convert_messages_to_openai_responses(&request.chat_history);
@@ -618,16 +623,25 @@ impl SpacebotModel {
 
         if let Some(preamble) = &request.preamble {
             body["instructions"] = serde_json::json!(preamble);
+        } else if is_chatgpt_codex {
+            body["instructions"] = serde_json::json!(
+                "You are Spacebot. Follow instructions exactly and respond concisely."
+            );
         }
 
-        if let Some(max_tokens) = request.max_tokens {
+        if !is_chatgpt_codex && let Some(max_tokens) = request.max_tokens {
             body["max_output_tokens"] = serde_json::json!(max_tokens);
         }
 
-        if let Some(temperature) = request.temperature {
+        if !is_chatgpt_codex && let Some(temperature) = request.temperature {
             body["temperature"] = serde_json::json!(temperature);
         }
 
+        if is_chatgpt_codex {
+            body["store"] = serde_json::json!(false);
+            body["stream"] = serde_json::json!(true);
+        }
+
         if !request.tools.is_empty() {
             let tools: Vec<serde_json::Value> = request
                 .tools
@@ -657,7 +671,19 @@ impl SpacebotModel {
             .header("authorization", format!("Bearer {api_key}"))
             .header("content-type", "application/json");
         if let Some(account_id) = openai_account_id {
-            request_builder = request_builder.header("chatgpt-account-id", account_id);
+            request_builder = request_builder.header("ChatGPT-Account-Id", account_id);
+        }
+        if is_chatgpt_codex {
+            request_builder = request_builder
+                .header("originator", "opencode")
+                .header(
+                    "session_id",
+                    format!("spacebot-{}", chrono::Utc::now().timestamp()),
+                )
+                .header(
+                    "user-agent",
+                    format!("spacebot/{}", env!("CARGO_PKG_VERSION")),
+                );
         }
 
         let response = request_builder
@@ -671,23 +697,25 @@ impl SpacebotModel {
             CompletionError::ProviderError(format!("failed to read response body: {e}"))
         })?;
 
-        let response_body: serde_json::Value =
-            serde_json::from_str(&response_text).map_err(|e| {
-                CompletionError::ProviderError(format!(
-                    "OpenAI Responses API response ({status}) is not valid JSON: {e}\nBody: {}",
-                    truncate_body(&response_text)
-                ))
-            })?;
-
         if !status.is_success() {
-            let message = response_body["error"]["message"]
-                .as_str()
-                .unwrap_or("unknown error");
+            let message = parse_openai_error_message(&response_text)
+                .unwrap_or_else(|| "unknown error".to_string());
             return Err(CompletionError::ProviderError(format!(
                 "OpenAI Responses API error ({status}): {message}"
             )));
         }
 
+        let response_body: serde_json::Value = if is_chatgpt_codex {
+            parse_openai_responses_sse_response(&response_text)?
+        } else {
+            serde_json::from_str(&response_text).map_err(|e| {
+                CompletionError::ProviderError(format!(
+                    "OpenAI Responses API response ({status}) is not valid JSON: {e}\nBody: {}",
+                    truncate_body(&response_text)
+                ))
+            })?
+        };
+
         parse_openai_responses_response(response_body)
     }
 
@@ -1442,6 +1470,44 @@ fn parse_openai_responses_response(
     })
 }
 
+fn parse_openai_responses_sse_response(
+    response_text: &str,
+) -> Result<serde_json::Value, CompletionError> {
+    for line in response_text.lines() {
+        let Some(data) = line.strip_prefix("data: ") else {
+            continue;
+        };
+
+        if data.trim().is_empty() || data.trim() == "[DONE]" {
+            continue;
+        }
+
+        let Ok(event_body) = serde_json::from_str::<serde_json::Value>(data) else {
+            continue;
+        };
+
+        if event_body["type"].as_str() == Some("response.completed")
+            && let Some(response) = event_body.get("response")
+        {
+            return Ok(response.clone());
+        }
+    }
+
+    Err(CompletionError::ProviderError(format!(
+        "OpenAI Responses SSE stream missing response.completed event.\nBody: {}",
+        truncate_body(response_text)
+    )))
+}
+
+fn parse_openai_error_message(response_text: &str) -> Option<String> {
+    let parsed = serde_json::from_str::<serde_json::Value>(response_text).ok()?;
+    parsed["error"]["message"]
+        .as_str()
+        .or(parsed["detail"].as_str())
+        .or(parsed["message"].as_str())
+        .map(ToOwned::to_owned)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

From 334524c8eda0d5ac71d2493faf2a7c9cc0fbc1e3 Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Mon, 23 Feb 2026 03:14:18 +0100
Subject: [PATCH 6/9] Simplify ChatGPT OAuth settings

---
 interface/src/api/client.ts         |  42 +---
 interface/src/lib/providerIcons.tsx |   1 +
 interface/src/routes/Settings.tsx   | 303 +++++++++++-----------------
 src/api/providers.rs                | 146 +-------------
 src/api/server.rs                   |   8 -
 src/openai_auth.rs                  | 175 +---------------
 6 files changed, 130 insertions(+), 545 deletions(-)

diff --git a/interface/src/api/client.ts b/interface/src/api/client.ts
index f79c89559..a2e020545 100644
--- a/interface/src/api/client.ts
+++ b/interface/src/api/client.ts
@@ -661,6 +661,7 @@ export interface CronExecutionsParams {
 export interface ProviderStatus {
 	anthropic: boolean;
 	openai: boolean;
+	openai_chatgpt: boolean;
 	openrouter: boolean;
 	zhipu: boolean;
 	groq: boolean;
@@ -669,10 +670,12 @@ export interface ProviderStatus {
 	deepseek: boolean;
 	xai: boolean;
 	mistral: boolean;
+	gemini: boolean;
 	ollama: boolean;
 	opencode_zen: boolean;
 	nvidia: boolean;
 	minimax: boolean;
+	minimax_cn: boolean;
 	moonshot: boolean;
 	zai_coding_plan: boolean;
 }
@@ -695,15 +698,6 @@ export interface ProviderModelTestResponse {
 	sample: string | null;
 }
 
-export interface OpenAiOAuthStartResponse {
-	success: boolean;
-	message: string;
-	device_auth_id: string | null;
-	user_code: string | null;
-	poll_interval_secs: number | null;
-	authorization_url: string | null;
-}
-
 export interface OpenAiOAuthBrowserStartResponse {
 	success: boolean;
 	message: string;
@@ -1176,36 +1170,6 @@ export const api = {
 		}
 		return response.json() as Promise<ProviderModelTestResponse>;
 	},
-	startOpenAiOAuth: async () => {
-		const response = await fetch(`${API_BASE}/providers/openai/oauth/start`, {
-			method: "POST",
-		});
-		if (!response.ok) {
-			throw new Error(`API error: ${response.status}`);
-		}
-		return response.json() as Promise<OpenAiOAuthStartResponse>;
-	},
-	completeOpenAiOAuth: async (params: {
-		deviceAuthId: string;
-		userCode: string;
-		pollIntervalSecs: number;
-		model: string;
-	}) => {
-		const response = await fetch(`${API_BASE}/providers/openai/oauth/complete`, {
-			method: "POST",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				device_auth_id: params.deviceAuthId,
-				user_code: params.userCode,
-				poll_interval_secs: params.pollIntervalSecs,
-				model: params.model,
-			}),
-		});
-		if (!response.ok) {
-			throw new Error(`API error: ${response.status}`);
-		}
-		return response.json() as Promise<ProviderActionResponse>;
-	},
 	startOpenAiOAuthBrowser: async (params: {model: string}) => {
 		const response = await fetch(`${API_BASE}/providers/openai/oauth/browser/start`, {
 			method: "POST",
diff --git a/interface/src/lib/providerIcons.tsx b/interface/src/lib/providerIcons.tsx
index 08abacce5..29487961a 100644
--- a/interface/src/lib/providerIcons.tsx
+++ b/interface/src/lib/providerIcons.tsx
@@ -99,6 +99,7 @@ export function ProviderIcon({ provider, className = "text-ink-faint", size = 24
 	const iconMap: Record<string, React.ComponentType<IconProps>> = {
 		anthropic: Anthropic,
 		openai: OpenAI,
+		"openai-chatgpt": OpenAI,
 		openrouter: OpenRouter,
 		groq: Groq,
 		mistral: Mistral,
diff --git a/interface/src/routes/Settings.tsx b/interface/src/routes/Settings.tsx
index d2dec17fb..9a49ced43 100644
--- a/interface/src/routes/Settings.tsx
+++ b/interface/src/routes/Settings.tsx
@@ -210,6 +210,8 @@ const PROVIDERS = [
 	},
 ] as const;
 
+const CHATGPT_OAUTH_DEFAULT_MODEL = "openai-chatgpt/gpt-5.3-codex";
+
 export function Settings() {
 	const queryClient = useQueryClient();
 	const navigate = useNavigate();
@@ -236,14 +238,11 @@ export function Settings() {
 		message: string;
 		sample?: string | null;
 	} | null>(null);
-	const [openAiOAuthSession, setOpenAiOAuthSession] = useState<{
-		deviceAuthId: string;
-		userCode: string;
-		pollIntervalSecs: number;
-		authorizationUrl: string;
-	} | null>(null);
-	const [openAiBrowserOAuthState, setOpenAiBrowserOAuthState] = useState<string | null>(null);
 	const [isPollingOpenAiBrowserOAuth, setIsPollingOpenAiBrowserOAuth] = useState(false);
+	const [openAiBrowserOAuthMessage, setOpenAiBrowserOAuthMessage] = useState<{
+		text: string;
+		type: "success" | "error";
+	} | null>(null);
 	const [message, setMessage] = useState<{
 		text: string;
 		type: "success" | "error";
@@ -295,19 +294,8 @@ export function Settings() {
 		mutationFn: ({ provider, apiKey, model }: { provider: string; apiKey: string; model: string }) =>
 			api.testProviderModel(provider, apiKey, model),
 	});
-	const startOpenAiOAuthMutation = useMutation({
-		mutationFn: () => api.startOpenAiOAuth(),
-	});
-	const completeOpenAiOAuthMutation = useMutation({
-		mutationFn: (params: {
-			deviceAuthId: string;
-			userCode: string;
-			pollIntervalSecs: number;
-			model: string;
-		}) => api.completeOpenAiOAuth(params),
-	});
 	const startOpenAiBrowserOAuthMutation = useMutation({
-		mutationFn: (params: {redirectUri: string; model: string}) => api.startOpenAiOAuthBrowser(params),
+		mutationFn: (params: { model: string }) => api.startOpenAiOAuthBrowser(params),
 	});
 
 	const removeMutation = useMutation({
@@ -369,91 +357,61 @@ export function Settings() {
 		});
 	};
 
-	const handleStartOpenAiOAuth = async () => {
-		if (!modelInput.trim()) {
-			setMessage({text: "Model cannot be empty", type: "error"});
-			return;
-		}
-
-		setMessage(null);
-		try {
-			const result = await startOpenAiOAuthMutation.mutateAsync();
-			if (
-				!result.success ||
-				!result.device_auth_id ||
-				!result.user_code ||
-				!result.poll_interval_secs ||
-				!result.authorization_url
-			) {
-				setMessage({text: result.message || "Failed to start ChatGPT Plus sign-in", type: "error"});
-				return;
-			}
-
-			setOpenAiOAuthSession({
-				deviceAuthId: result.device_auth_id,
-				userCode: result.user_code,
-				pollIntervalSecs: result.poll_interval_secs,
-				authorizationUrl: result.authorization_url,
-			});
-			window.open(result.authorization_url, "_blank", "noopener,noreferrer");
-			setMessage({text: "Sign-in started. Complete authorization in your browser, then click Complete sign-in.", type: "success"});
-		} catch (error: any) {
-			setMessage({text: `Failed: ${error.message}`, type: "error"});
-		}
-	};
-
 	const monitorOpenAiBrowserOAuth = async (stateToken: string, popup: Window | null) => {
 		setIsPollingOpenAiBrowserOAuth(true);
-		setOpenAiBrowserOAuthState(stateToken);
+		setOpenAiBrowserOAuthMessage(null);
 		try {
 			for (let attempt = 0; attempt < 180; attempt += 1) {
 				const status = await api.openAiOAuthBrowserStatus(stateToken);
 				if (status.done) {
 					if (status.success) {
-						setEditingProvider(null);
-						setKeyInput("");
-						setModelInput("");
-						setTestedSignature(null);
-						setTestResult(null);
-						setOpenAiOAuthSession(null);
-						setMessage({text: status.message || "OpenAI configured via browser sign-in.", type: "success"});
+						setOpenAiBrowserOAuthMessage({
+							text: status.message || "ChatGPT OAuth configured.",
+							type: "success",
+						});
 						queryClient.invalidateQueries({queryKey: ["providers"]});
 						setTimeout(() => {
 							queryClient.invalidateQueries({queryKey: ["agents"]});
 							queryClient.invalidateQueries({queryKey: ["overview"]});
 						}, 3000);
 					} else {
-						setMessage({text: status.message || "Browser sign-in failed.", type: "error"});
+						setOpenAiBrowserOAuthMessage({
+							text: status.message || "Browser sign-in failed.",
+							type: "error",
+						});
 					}
 					return;
 				}
 				await new Promise((resolve) => setTimeout(resolve, 2000));
 			}
-			setMessage({text: "Browser sign-in timed out. Please try again.", type: "error"});
+			setOpenAiBrowserOAuthMessage({
+				text: "Browser sign-in timed out. Please try again.",
+				type: "error",
+			});
 		} catch (error: any) {
-			setMessage({text: `Failed to verify browser sign-in: ${error.message}`, type: "error"});
+			setOpenAiBrowserOAuthMessage({
+				text: `Failed to verify browser sign-in: ${error.message}`,
+				type: "error",
+			});
 		} finally {
 			setIsPollingOpenAiBrowserOAuth(false);
-			setOpenAiBrowserOAuthState(null);
 			if (popup && !popup.closed) {
 				popup.close();
 			}
 		}
 	};
 
-	const handleStartOpenAiBrowserOAuth = async () => {
-		if (!modelInput.trim()) {
-			setMessage({text: "Model cannot be empty", type: "error"});
-			return;
-		}
-
-		setMessage(null);
+	const handleStartChatGptOAuth = async () => {
+		setOpenAiBrowserOAuthMessage(null);
 		try {
 			const result = await startOpenAiBrowserOAuthMutation.mutateAsync({
-				model: modelInput.trim(),
+				model: CHATGPT_OAUTH_DEFAULT_MODEL,
 			});
 			if (!result.success || !result.authorization_url || !result.state) {
-				setMessage({text: result.message || "Failed to start browser sign-in", type: "error"});
+				setOpenAiBrowserOAuthMessage({
+					text: result.message || "Failed to start browser sign-in",
+					type: "error",
+				});
 				return;
 			}
 
@@ -462,43 +420,13 @@ export function Settings() {
 				"spacebot-openai-oauth",
 				"popup=true,width=560,height=780,noopener,noreferrer",
 			);
-			setMessage({text: "Complete sign-in in the browser window. Waiting for callback...", type: "success"});
-			void monitorOpenAiBrowserOAuth(result.state, popup);
-		} catch (error: any) {
-			setMessage({text: `Failed: ${error.message}`, type: "error"});
-		}
-	};
-
-	const handleCompleteOpenAiOAuth = async () => {
-		if (!openAiOAuthSession || !modelInput.trim()) return;
-		setMessage(null);
-
-		try {
-			const result = await completeOpenAiOAuthMutation.mutateAsync({
-				deviceAuthId: openAiOAuthSession.deviceAuthId,
-				userCode: openAiOAuthSession.userCode,
-				pollIntervalSecs: openAiOAuthSession.pollIntervalSecs,
-				model: modelInput.trim(),
+			setOpenAiBrowserOAuthMessage({
+				text: "Complete sign-in in the browser window. Waiting for callback...",
+				type: "success",
 			});
-
-			if (result.success) {
-				setEditingProvider(null);
-				setKeyInput("");
-				setModelInput("");
-				setTestedSignature(null);
-				setTestResult(null);
-				setOpenAiOAuthSession(null);
-				setMessage({text: result.message, type: "success"});
-				queryClient.invalidateQueries({queryKey: ["providers"]});
-				setTimeout(() => {
-					queryClient.invalidateQueries({queryKey: ["agents"]});
-					queryClient.invalidateQueries({queryKey: ["overview"]});
-				}, 3000);
-			} else {
-				setMessage({text: result.message, type: "error"});
-			}
+			void monitorOpenAiBrowserOAuth(result.state, popup);
 		} catch (error: any) {
-			setMessage({text: `Failed: ${error.message}`, type: "error"});
+			setOpenAiBrowserOAuthMessage({text: `Failed: ${error.message}`, type: "error"});
 		}
 	};
 
@@ -508,9 +436,6 @@ export function Settings() {
 		setModelInput("");
 		setTestedSignature(null);
 		setTestResult(null);
-		setOpenAiOAuthSession(null);
-		setOpenAiBrowserOAuthState(null);
-		setIsPollingOpenAiBrowserOAuth(false);
 	};
 
 	const isConfigured = (providerId: string): boolean => {
@@ -577,24 +502,36 @@ export function Settings() {
 							) : (
 								<div className="flex flex-col gap-3">
 									{PROVIDERS.map((provider) => (
-										<ProviderCard
-											key={provider.id}
-											provider={provider.id}
-											name={provider.name}
-											description={provider.description}
-											configured={isConfigured(provider.id)}
-											defaultModel={provider.defaultModel}
-											onEdit={() => {
-												setEditingProvider(provider.id);
-												setKeyInput("");
-												setModelInput(provider.defaultModel ?? "");
-												setTestedSignature(null);
-												setTestResult(null);
-												setMessage(null);
-											}}
-											onRemove={() => removeMutation.mutate(provider.id)}
-											removing={removeMutation.isPending}
-										/>
+										[
+											<ProviderCard
+												key={provider.id}
+												provider={provider.id}
+												name={provider.name}
+												description={provider.description}
+												configured={isConfigured(provider.id)}
+												defaultModel={provider.defaultModel}
+												onEdit={() => {
+													setEditingProvider(provider.id);
+													setKeyInput("");
+													setModelInput(provider.defaultModel ?? "");
+													setTestedSignature(null);
+													setTestResult(null);
+													setMessage(null);
+												}}
+												onRemove={() => removeMutation.mutate(provider.id)}
+												removing={removeMutation.isPending}
+											/>,
+											provider.id === "openai" ? (
+												<ChatGptOAuthCard
+													key="openai-chatgpt"
+													configured={isConfigured("openai-chatgpt")}
+													defaultModel={CHATGPT_OAUTH_DEFAULT_MODEL}
+													isPolling={isPollingOpenAiBrowserOAuth}
+													message={openAiBrowserOAuthMessage}
+													onSignIn={handleStartChatGptOAuth}
+												/>
+											) : null,
+										]
 									))}
 								</div>
 							)}
@@ -642,7 +579,7 @@ export function Settings() {
 							{editingProvider === "ollama"
 								? `Enter your ${editingProviderData?.name} base URL. It will be saved to your instance config.`
 								: editingProvider === "openai"
-									? "Enter an OpenAI API key or use ChatGPT Plus sign-in. The model below will be applied to routing."
+									? "Enter an OpenAI API key. The model below will be applied to routing."
 								: `Enter your ${editingProviderData?.name} API key. It will be saved to your instance config.`}
 						</DialogDescription>
 					</DialogHeader>
@@ -669,62 +606,6 @@ export function Settings() {
 						}}
 						provider={editingProvider ?? undefined}
 					/>
-					{editingProvider === "openai" && (
-						<div className="rounded-md border border-app-line bg-app-darkBox/20 px-3 py-2">
-							<div className="text-xs text-ink-faint">
-								Use your ChatGPT Plus account instead of an API key.
-							</div>
-							<div className="mt-2 flex flex-wrap items-center gap-2">
-								<Button
-									onClick={handleStartOpenAiBrowserOAuth}
-									disabled={!modelInput.trim() || isPollingOpenAiBrowserOAuth}
-									loading={startOpenAiBrowserOAuthMutation.isPending || isPollingOpenAiBrowserOAuth}
-									variant="outline"
-									size="sm"
-								>
-									Sign in with ChatGPT Plus
-								</Button>
-								<Button
-									onClick={handleStartOpenAiOAuth}
-									disabled={!modelInput.trim()}
-									loading={startOpenAiOAuthMutation.isPending}
-									variant="outline"
-									size="sm"
-								>
-									Use device code flow
-								</Button>
-								<Button
-									onClick={handleCompleteOpenAiOAuth}
-									disabled={!openAiOAuthSession || !modelInput.trim()}
-									loading={completeOpenAiOAuthMutation.isPending}
-									variant="outline"
-									size="sm"
-								>
-									Complete sign-in
-								</Button>
-							</div>
-							{openAiOAuthSession && (
-								<div className="mt-2 text-xs text-ink-dull">
-									<div>
-										User code: <code className="rounded bg-app-box px-1 py-0.5">{openAiOAuthSession.userCode}</code>
-									</div>
-									<a
-										href={openAiOAuthSession.authorizationUrl}
-										target="_blank"
-										rel="noreferrer"
-										className="text-accent underline"
-									>
-										Open verification page
-									</a>
-								</div>
-							)}
-							{openAiBrowserOAuthState && (
-								<div className="mt-2 text-xs text-ink-dull">
-									Browser OAuth state: <code className="rounded bg-app-box px-1 py-0.5">{openAiBrowserOAuthState}</code>
-								</div>
-							)}
-						</div>
-					)}
 					<div className="flex items-center gap-2">
 						<Button
 							onClick={handleTestModel}
@@ -1710,3 +1591,53 @@ function ProviderCard({ provider, name, description, configured, defaultModel, o
 		</div>
 	);
 }
+
+interface ChatGptOAuthCardProps {
+	configured: boolean;
+	defaultModel: string;
+	isPolling: boolean;
+	message: { text: string; type: "success" | "error" } | null;
+	onSignIn: () => void;
+}
+
+function ChatGptOAuthCard({ configured, defaultModel, isPolling, message, onSignIn }: ChatGptOAuthCardProps) {
+	return (
+		<div className="rounded-lg border border-app-line bg-app-box p-4">
+			<div className="flex items-center gap-3">
+				<ProviderIcon provider="openai-chatgpt" size={32} />
+				<div className="flex-1">
+					<div className="flex items-center gap-2">
+						<span className="text-sm font-medium text-ink">ChatGPT Plus (OAuth)</span>
+						{configured && (
+							<span className="text-tiny text-green-400">
+								● Configured
+							</span>
+						)}
+					</div>
+					<p className="mt-0.5 text-sm text-ink-dull">
+						Sign in with your ChatGPT Plus account in the browser.
+					</p>
+					<p className="mt-1 text-tiny text-ink-faint">
+						Default model: <span className="text-ink-dull">{defaultModel}</span>
+					</p>
+					{message && (
+						<p className={`mt-1 text-tiny ${message.type === "success" ? "text-green-400" : "text-red-400"}`}>
+							{message.text}
+						</p>
+					)}
+				</div>
+				<div className="flex gap-2">
+					<Button
+						onClick={onSignIn}
+						disabled={isPolling}
+						loading={isPolling}
+						variant="outline"
+						size="sm"
+					>
+						Sign in with ChatGPT Plus
+					</Button>
+				</div>
+			</div>
+		</div>
+	);
+}
diff --git a/src/api/providers.rs b/src/api/providers.rs
index f21b463a0..c505cc78f 100644
--- a/src/api/providers.rs
+++ b/src/api/providers.rs
@@ -47,6 +47,7 @@ struct BrowserOAuthCallbackServer {
 pub(super) struct ProviderStatus {
     anthropic: bool,
     openai: bool,
+    openai_chatgpt: bool,
     openrouter: bool,
     zhipu: bool,
     groq: bool,
@@ -100,24 +101,6 @@ pub(super) struct ProviderModelTestResponse {
     sample: Option<String>,
 }
 
-#[derive(Serialize)]
-pub(super) struct OpenAiOAuthStartResponse {
-    success: bool,
-    message: String,
-    device_auth_id: Option<String>,
-    user_code: Option<String>,
-    poll_interval_secs: Option<u64>,
-    authorization_url: Option<String>,
-}
-
-#[derive(Deserialize)]
-pub(super) struct OpenAiOAuthCompleteRequest {
-    device_auth_id: String,
-    user_code: String,
-    poll_interval_secs: u64,
-    model: String,
-}
-
 #[derive(Deserialize)]
 pub(super) struct OpenAiOAuthBrowserStartRequest {
     model: String,
@@ -486,6 +469,7 @@ pub(super) async fn get_providers(
     let (
         anthropic,
         openai,
+        openai_chatgpt,
         openrouter,
         zhipu,
         groq,
@@ -525,7 +509,8 @@ pub(super) async fn get_providers(
 
         (
             has_value("anthropic_key", "ANTHROPIC_API_KEY"),
-            has_value("openai_key", "OPENAI_API_KEY") || openai_oauth_configured,
+            has_value("openai_key", "OPENAI_API_KEY"),
+            openai_oauth_configured,
             has_value("openrouter_key", "OPENROUTER_API_KEY"),
             has_value("zhipu_key", "ZHIPU_API_KEY"),
             has_value("groq_key", "GROQ_API_KEY"),
@@ -547,7 +532,8 @@ pub(super) async fn get_providers(
     } else {
         (
             std::env::var("ANTHROPIC_API_KEY").is_ok(),
-            std::env::var("OPENAI_API_KEY").is_ok() || openai_oauth_configured,
+            std::env::var("OPENAI_API_KEY").is_ok(),
+            openai_oauth_configured,
             std::env::var("OPENROUTER_API_KEY").is_ok(),
             std::env::var("ZHIPU_API_KEY").is_ok(),
             std::env::var("GROQ_API_KEY").is_ok(),
@@ -570,6 +556,7 @@ pub(super) async fn get_providers(
     let providers = ProviderStatus {
         anthropic,
         openai,
+        openai_chatgpt,
         openrouter,
         zhipu,
         groq,
@@ -589,6 +576,7 @@ pub(super) async fn get_providers(
     };
     let has_any = providers.anthropic
         || providers.openai
+        || providers.openai_chatgpt
         || providers.openrouter
         || providers.zhipu
         || providers.groq
@@ -609,124 +597,6 @@ pub(super) async fn get_providers(
     Ok(Json(ProvidersResponse { providers, has_any }))
 }
 
-pub(super) async fn start_openai_oauth() -> Result<Json<OpenAiOAuthStartResponse>, StatusCode> {
-    match crate::openai_auth::start_device_authorization().await {
-        Ok(auth) => Ok(Json(OpenAiOAuthStartResponse {
-            success: true,
-            message: "OpenAI device authorization started".to_string(),
-            device_auth_id: Some(auth.device_auth_id),
-            user_code: Some(auth.user_code),
-            poll_interval_secs: Some(auth.poll_interval_secs),
-            authorization_url: Some(auth.authorization_url),
-        })),
-        Err(error) => Ok(Json(OpenAiOAuthStartResponse {
-            success: false,
-            message: format!("Failed to start ChatGPT Plus sign-in: {error}"),
-            device_auth_id: None,
-            user_code: None,
-            poll_interval_secs: None,
-            authorization_url: None,
-        })),
-    }
-}
-
-pub(super) async fn complete_openai_oauth(
-    State(state): State<Arc<ApiState>>,
-    Json(request): Json<OpenAiOAuthCompleteRequest>,
-) -> Result<Json<ProviderUpdateResponse>, StatusCode> {
-    if request.device_auth_id.trim().is_empty() {
-        return Ok(Json(ProviderUpdateResponse {
-            success: false,
-            message: "Missing device_auth_id".to_string(),
-        }));
-    }
-
-    if request.user_code.trim().is_empty() {
-        return Ok(Json(ProviderUpdateResponse {
-            success: false,
-            message: "Missing user_code".to_string(),
-        }));
-    }
-
-    if request.model.trim().is_empty() {
-        return Ok(Json(ProviderUpdateResponse {
-            success: false,
-            message: "Model cannot be empty".to_string(),
-        }));
-    }
-
-    let Some(chatgpt_model) = normalize_openai_chatgpt_model(&request.model) else {
-        return Ok(Json(ProviderUpdateResponse {
-            success: false,
-            message: format!(
-                "Model '{}' must use provider 'openai' or 'openai-chatgpt'.",
-                request.model
-            ),
-        }));
-    };
-
-    let credentials = match crate::openai_auth::complete_device_authorization(
-        &request.device_auth_id,
-        &request.user_code,
-        request.poll_interval_secs,
-    )
-    .await
-    {
-        Ok(credentials) => credentials,
-        Err(error) => {
-            return Ok(Json(ProviderUpdateResponse {
-                success: false,
-                message: format!("Failed to complete ChatGPT Plus sign-in: {error}"),
-            }));
-        }
-    };
-
-    let instance_dir = (**state.instance_dir.load()).clone();
-    if let Err(error) = crate::openai_auth::save_credentials(&instance_dir, &credentials) {
-        return Ok(Json(ProviderUpdateResponse {
-            success: false,
-            message: format!("Failed to save OpenAI OAuth credentials: {error}"),
-        }));
-    }
-
-    if let Some(llm_manager) = state.llm_manager.read().await.as_ref() {
-        llm_manager
-            .set_openai_oauth_credentials(credentials.clone())
-            .await;
-    }
-
-    let config_path = state.config_path.read().await.clone();
-    let content = if config_path.exists() {
-        tokio::fs::read_to_string(&config_path)
-            .await
-            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
-    } else {
-        String::new()
-    };
-
-    let mut doc: toml_edit::DocumentMut = content
-        .parse()
-        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
-    apply_model_routing(&mut doc, &chatgpt_model);
-
-    tokio::fs::write(&config_path, doc.to_string())
-        .await
-        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
-
-    state
-        .provider_setup_tx
-        .try_send(crate::ProviderSetupEvent::ProvidersConfigured)
-        .ok();
-
-    Ok(Json(ProviderUpdateResponse {
-        success: true,
-        message: format!(
-            "OpenAI configured via ChatGPT Plus OAuth. Model '{}' applied to defaults and the default agent routing.",
-            chatgpt_model
-        ),
-    }))
-}
-
 pub(super) async fn start_openai_browser_oauth(
     State(state): State<Arc<ApiState>>,
     Json(request): Json<OpenAiOAuthBrowserStartRequest>,
diff --git a/src/api/server.rs b/src/api/server.rs
index a92196028..29bdaa847 100644
--- a/src/api/server.rs
+++ b/src/api/server.rs
@@ -123,14 +123,6 @@ pub async fn start_http_server(
             "/providers",
             get(providers::get_providers).put(providers::update_provider),
         )
-        .route(
-            "/providers/openai/oauth/start",
-            post(providers::start_openai_oauth),
-        )
-        .route(
-            "/providers/openai/oauth/complete",
-            post(providers::complete_openai_oauth),
-        )
         .route(
             "/providers/openai/oauth/browser/start",
             post(providers::start_openai_browser_oauth),
diff --git a/src/openai_auth.rs b/src/openai_auth.rs
index 6c66c6553..bdf615f01 100644
--- a/src/openai_auth.rs
+++ b/src/openai_auth.rs
@@ -1,25 +1,17 @@
-//! OpenAI ChatGPT Plus OAuth device flow, token exchange, refresh, and storage.
+//! OpenAI ChatGPT Plus OAuth browser flow, token exchange, refresh, and storage.
 
 use anyhow::{Context as _, Result};
 use base64::Engine as _;
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use rand::RngCore as _;
-use reqwest::StatusCode;
 use serde::{Deserialize, Serialize};
 use sha2::{Digest as _, Sha256};
 use std::path::{Path, PathBuf};
-use std::time::Duration;
 
 const CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";
 const AUTHORIZE_URL: &str = "https://auth.openai.com/oauth/authorize";
-const DEVICE_CODE_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/usercode";
-const DEVICE_TOKEN_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/token";
 const OAUTH_TOKEN_URL: &str = "https://auth.openai.com/oauth/token";
-const DEVICE_REDIRECT_URI: &str = "https://auth.openai.com/deviceauth/callback";
-const AUTHORIZATION_URL: &str = "https://auth.openai.com/codex/device";
 const BROWSER_SCOPES: &str = "openid profile email offline_access";
-const POLLING_SAFETY_MARGIN_MS: u64 = 3000;
-const DEVICE_FLOW_TIMEOUT_SECS: u64 = 5 * 60;
 
 /// Stored OpenAI OAuth credentials.
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -82,19 +74,6 @@ impl OAuthCredentials {
     }
 }
 
-#[derive(Debug, Deserialize)]
-struct DeviceCodeResponse {
-    device_auth_id: String,
-    user_code: String,
-    interval: String,
-}
-
-#[derive(Debug, Deserialize)]
-struct DeviceTokenResponse {
-    authorization_code: String,
-    code_verifier: String,
-}
-
 #[derive(Debug, Deserialize)]
 struct TokenResponse {
     access_token: String,
@@ -121,15 +100,6 @@ struct TokenOpenAiAuthClaims {
     chatgpt_account_id: Option<String>,
 }
 
-/// Data needed by the UI to finish OpenAI device auth.
-#[derive(Debug, Clone, Serialize)]
-pub struct DeviceAuthorization {
-    pub device_auth_id: String,
-    pub user_code: String,
-    pub poll_interval_secs: u64,
-    pub authorization_url: String,
-}
-
 /// Data needed to complete OpenAI browser OAuth.
 #[derive(Debug, Clone, Serialize)]
 pub struct BrowserAuthorization {
@@ -206,149 +176,6 @@ fn extract_account_id(token_response: &TokenResponse) -> Option<String> {
         .or_else(|| parse_jwt_claims(&token_response.access_token).and_then(from_claims))
 }
 
-/// Start OpenAI device authorization and return a user code + poll details.
-pub async fn start_device_authorization() -> Result<DeviceAuthorization> {
-    let client = reqwest::Client::new();
-    let response = client
-        .post(DEVICE_CODE_URL)
-        .header("Content-Type", "application/json")
-        .header(
-            "User-Agent",
-            format!("spacebot/{}", env!("CARGO_PKG_VERSION")),
-        )
-        .json(&serde_json::json!({ "client_id": CLIENT_ID }))
-        .send()
-        .await
-        .context("failed to start OpenAI device authorization")?;
-
-    let status = response.status();
-    let body = response
-        .text()
-        .await
-        .context("failed to read OpenAI device authorization response")?;
-
-    if !status.is_success() {
-        anyhow::bail!("OpenAI device authorization failed ({}): {}", status, body);
-    }
-
-    let parsed: DeviceCodeResponse = serde_json::from_str(&body)
-        .context("failed to parse OpenAI device authorization response")?;
-    let poll_interval_secs = parsed.interval.parse::<u64>().unwrap_or(5).max(1);
-
-    Ok(DeviceAuthorization {
-        device_auth_id: parsed.device_auth_id,
-        user_code: parsed.user_code,
-        poll_interval_secs,
-        authorization_url: AUTHORIZATION_URL.to_string(),
-    })
-}
-
-async fn poll_device_authorization(
-    device_auth_id: &str,
-    user_code: &str,
-    poll_interval_secs: u64,
-) -> Result<DeviceTokenResponse> {
-    let client = reqwest::Client::new();
-    let start = tokio::time::Instant::now();
-    let poll_delay =
-        Duration::from_secs(poll_interval_secs) + Duration::from_millis(POLLING_SAFETY_MARGIN_MS);
-
-    loop {
-        if start.elapsed() > Duration::from_secs(DEVICE_FLOW_TIMEOUT_SECS) {
-            anyhow::bail!("OpenAI device authorization timed out");
-        }
-
-        let response = client
-            .post(DEVICE_TOKEN_URL)
-            .header("Content-Type", "application/json")
-            .header(
-                "User-Agent",
-                format!("spacebot/{}", env!("CARGO_PKG_VERSION")),
-            )
-            .json(&serde_json::json!({
-                "device_auth_id": device_auth_id,
-                "user_code": user_code,
-            }))
-            .send()
-            .await
-            .context("failed to poll OpenAI device authorization")?;
-
-        let status = response.status();
-        let body = response
-            .text()
-            .await
-            .context("failed to read OpenAI device authorization poll response")?;
-
-        if status.is_success() {
-            let parsed: DeviceTokenResponse = serde_json::from_str(&body)
-                .context("failed to parse OpenAI device authorization poll response")?;
-            return Ok(parsed);
-        }
-
-        if status == StatusCode::FORBIDDEN || status == StatusCode::NOT_FOUND {
-            tokio::time::sleep(poll_delay).await;
-            continue;
-        }
-
-        anyhow::bail!(
-            "OpenAI device authorization polling failed ({}): {}",
-            status,
-            body
-        );
-    }
-}
-
-/// Complete OpenAI device authorization by polling and exchanging for OAuth tokens.
-pub async fn complete_device_authorization(
-    device_auth_id: &str,
-    user_code: &str,
-    poll_interval_secs: u64,
-) -> Result<OAuthCredentials> {
-    let device_token = poll_device_authorization(device_auth_id, user_code, poll_interval_secs)
-        .await
-        .context("failed to complete OpenAI device authorization")?;
-
-    let client = reqwest::Client::new();
-    let response = client
-        .post(OAUTH_TOKEN_URL)
-        .header("Content-Type", "application/x-www-form-urlencoded")
-        .form(&[
-            ("grant_type", "authorization_code"),
-            ("code", device_token.authorization_code.as_str()),
-            ("redirect_uri", DEVICE_REDIRECT_URI),
-            ("client_id", CLIENT_ID),
-            ("code_verifier", device_token.code_verifier.as_str()),
-        ])
-        .send()
-        .await
-        .context("failed to exchange OpenAI authorization code for tokens")?;
-
-    let status = response.status();
-    let body = response
-        .text()
-        .await
-        .context("failed to read OpenAI token exchange response")?;
-
-    if !status.is_success() {
-        anyhow::bail!("OpenAI token exchange failed ({}): {}", status, body);
-    }
-
-    let token_response: TokenResponse =
-        serde_json::from_str(&body).context("failed to parse OpenAI token exchange response")?;
-    let account_id = extract_account_id(&token_response);
-    let refresh_token = token_response
-        .refresh_token
-        .context("OpenAI token response did not include refresh_token")?;
-
-    Ok(OAuthCredentials {
-        access_token: token_response.access_token,
-        refresh_token,
-        expires_at: chrono::Utc::now().timestamp_millis()
-            + token_response.expires_in.unwrap_or(3600) * 1000,
-        account_id,
-    })
-}
-
 /// Exchange an OAuth authorization code from browser flow for tokens.
 pub async fn exchange_browser_code(
     code: &str,

From 4b70fefa8ce0003ac9475e9679ff016037c86911 Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Mon, 23 Feb 2026 03:15:52 +0100
Subject: [PATCH 7/9] Simplify configured indicator

---
 interface/src/routes/Settings.tsx | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/interface/src/routes/Settings.tsx b/interface/src/routes/Settings.tsx
index 9a49ced43..087a3d998 100644
--- a/interface/src/routes/Settings.tsx
+++ b/interface/src/routes/Settings.tsx
@@ -1567,8 +1567,9 @@ function ProviderCard({ provider, name, description, configured, defaultModel, o
 					<div className="flex items-center gap-2">
 						<span className="text-sm font-medium text-ink">{name}</span>
 						{configured && (
-							<span className="text-tiny text-green-400">
-								● Configured
+							<span className="inline-flex items-center">
+								<span className="h-2 w-2 rounded-full bg-green-400" aria-hidden="true" />
+								<span className="sr-only">Configured</span>
 							</span>
 						)}
 					</div>
@@ -1609,8 +1610,9 @@ function ChatGptOAuthCard({ configured, defaultModel, isPolling, message, onSign
 					<div className="flex items-center gap-2">
 						<span className="text-sm font-medium text-ink">ChatGPT Plus (OAuth)</span>
 						{configured && (
-							<span className="text-tiny text-green-400">
-								● Configured
+							<span className="inline-flex items-center">
+								<span className="h-2 w-2 rounded-full bg-green-400" aria-hidden="true" />
+								<span className="sr-only">Configured</span>
 							</span>
 						)}
 					</div>

From e65801938d344eadecc3aea42224c22681ef833b Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Mon, 23 Feb 2026 03:50:37 +0100
Subject: [PATCH 8/9] Move ChatGPT OAuth callback onto API server

---
 src/api/providers.rs | 118 +++++++++++++++++++++++--------------------
 src/api/server.rs    |   4 ++
 2 files changed, 68 insertions(+), 54 deletions(-)

diff --git a/src/api/providers.rs b/src/api/providers.rs
index c505cc78f..79e9ca72d 100644
--- a/src/api/providers.rs
+++ b/src/api/providers.rs
@@ -3,9 +3,9 @@ use super::state::ApiState;
 use anyhow::Context as _;
 use axum::Json;
 use axum::extract::{Query, State};
-use axum::http::StatusCode;
-use axum::routing::get;
+use axum::http::{HeaderMap, StatusCode};
 use axum::response::Html;
+use reqwest::Url;
 use rig::agent::AgentBuilder;
 use rig::completion::{CompletionModel as _, Prompt as _};
 use serde::{Deserialize, Serialize};
@@ -14,14 +14,10 @@ use std::sync::{Arc, LazyLock};
 use tokio::sync::RwLock;
 
 const OPENAI_BROWSER_OAUTH_SESSION_TTL_SECS: i64 = 15 * 60;
-const OPENAI_BROWSER_OAUTH_CALLBACK_BIND: &str = "127.0.0.1:1455";
-const OPENAI_BROWSER_OAUTH_REDIRECT_URI: &str = "http://localhost:1455/auth/callback";
+const OPENAI_BROWSER_OAUTH_REDIRECT_PATH: &str = "/providers/openai/oauth/browser/callback";
 
 static OPENAI_BROWSER_OAUTH_SESSIONS: LazyLock<RwLock<HashMap<String, BrowserOAuthSession>>> =
     LazyLock::new(|| RwLock::new(HashMap::new()));
-static OPENAI_BROWSER_OAUTH_CALLBACK_SERVER: LazyLock<
-    RwLock<Option<BrowserOAuthCallbackServer>>,
-> = LazyLock::new(|| RwLock::new(None));
 
 #[derive(Clone, Debug)]
 struct BrowserOAuthSession {
@@ -39,10 +35,6 @@ enum BrowserOAuthSessionStatus {
     Failed(String),
 }
 
-struct BrowserOAuthCallbackServer {
-    join_handle: tokio::task::JoinHandle<()>,
-}
-
 #[derive(Serialize)]
 pub(super) struct ProviderStatus {
     anthropic: bool,
@@ -367,43 +359,64 @@ async fn prune_expired_browser_oauth_sessions() {
     sessions.retain(|_, session| session.created_at >= cutoff);
 }
 
-async fn ensure_openai_browser_oauth_callback_server(state: Arc<ApiState>) -> anyhow::Result<()> {
-    let mut callback_server = OPENAI_BROWSER_OAUTH_CALLBACK_SERVER.write().await;
-    if let Some(existing) = callback_server.as_ref() {
-        if existing.join_handle.is_finished() {
-            *callback_server = None;
-        } else {
-            return Ok(());
+fn resolve_browser_oauth_redirect_uri(headers: &HeaderMap) -> Option<String> {
+    if let Some(origin) = header_value(headers, axum::http::header::ORIGIN.as_str()) {
+        if let Ok(origin_url) = Url::parse(origin) {
+            let origin = origin_url.origin().ascii_serialization();
+            if origin != "null" {
+                return Some(format!("{origin}{OPENAI_BROWSER_OAUTH_REDIRECT_PATH}"));
+            }
         }
     }
 
-    let listener = tokio::net::TcpListener::bind(OPENAI_BROWSER_OAUTH_CALLBACK_BIND)
-        .await
-        .with_context(|| {
-            format!(
-                "failed to bind local OAuth callback listener on {}",
-                OPENAI_BROWSER_OAUTH_CALLBACK_BIND
-            )
-        })?;
-
-    let app = axum::Router::new()
-        .route("/auth/callback", get(openai_browser_oauth_callback))
-        .with_state(state);
-
-    let bind = OPENAI_BROWSER_OAUTH_CALLBACK_BIND.to_string();
-    let join_handle = tokio::spawn(async move {
-        tracing::info!(bind = %bind, "OpenAI browser OAuth callback listener started");
-        if let Err(error) = axum::serve(listener, app).await {
-            tracing::error!(
-                %error,
-                bind = %bind,
-                "OpenAI browser OAuth callback listener stopped"
-            );
-        }
-    });
+    if let (Some(proto), Some(host)) = (
+        header_value(headers, "x-forwarded-proto"),
+        header_value(headers, "x-forwarded-host"),
+    ) {
+        let proto = first_header_value(proto);
+        let host = normalize_host(first_header_value(host));
+        return Some(format!(
+            "{proto}://{host}{OPENAI_BROWSER_OAUTH_REDIRECT_PATH}"
+        ));
+    }
+
+    if let Some(host) = header_value(headers, "host") {
+        let host = normalize_host(host);
+        let scheme = if is_local_host(&host) { "http" } else { "https" };
+        return Some(format!(
+            "{scheme}://{host}{OPENAI_BROWSER_OAUTH_REDIRECT_PATH}"
+        ));
+    }
+
+    None
+}
+
+fn header_value(headers: &HeaderMap, name: impl AsRef<str>) -> Option<&str> {
+    headers.get(name.as_ref()).and_then(|value| value.to_str().ok())
+}
+
+fn first_header_value(value: &str) -> &str {
+    value.split(',').next().map(str::trim).unwrap_or(value)
+}
+
+fn normalize_host(host: &str) -> String {
+    let host = host.trim();
+    let colon_count = host.matches(':').count();
+    if colon_count > 1 && !host.starts_with('[') {
+        format!("[{host}]")
+    } else {
+        host.to_string()
+    }
+}
 
-    *callback_server = Some(BrowserOAuthCallbackServer { join_handle });
-    Ok(())
+fn is_local_host(host: &str) -> bool {
+    let host = host
+        .trim_start_matches('[')
+        .trim_end_matches(']')
+        .split(':')
+        .next()
+        .unwrap_or(host);
+    matches!(host, "localhost" | "127.0.0.1" | "::1")
 }
 
 fn browser_oauth_success_html() -> String {
@@ -598,7 +611,7 @@ pub(super) async fn get_providers(
 }
 
 pub(super) async fn start_openai_browser_oauth(
-    State(state): State<Arc<ApiState>>,
+    headers: HeaderMap,
     Json(request): Json<OpenAiOAuthBrowserStartRequest>,
 ) -> Result<Json<OpenAiOAuthBrowserStartResponse>, StatusCode> {
     if request.model.trim().is_empty() {
@@ -621,28 +634,25 @@ pub(super) async fn start_openai_browser_oauth(
         }));
     };
 
-    if let Err(error) = ensure_openai_browser_oauth_callback_server(state.clone()).await {
+    let Some(redirect_uri) = resolve_browser_oauth_redirect_uri(&headers) else {
         return Ok(Json(OpenAiOAuthBrowserStartResponse {
             success: false,
-            message: format!(
-                "Failed to start local OAuth callback listener on {}: {}",
-                OPENAI_BROWSER_OAUTH_CALLBACK_BIND, error
-            ),
+            message: "Unable to determine OAuth callback URL. Check your Host/Origin headers."
+                .to_string(),
             authorization_url: None,
             state: None,
         }));
-    }
+    };
 
     prune_expired_browser_oauth_sessions().await;
-    let browser_authorization =
-        crate::openai_auth::start_browser_authorization(OPENAI_BROWSER_OAUTH_REDIRECT_URI);
+    let browser_authorization = crate::openai_auth::start_browser_authorization(&redirect_uri);
     let state_key = browser_authorization.state.clone();
 
     OPENAI_BROWSER_OAUTH_SESSIONS.write().await.insert(
         state_key.clone(),
         BrowserOAuthSession {
             pkce_verifier: browser_authorization.pkce_verifier,
-            redirect_uri: OPENAI_BROWSER_OAUTH_REDIRECT_URI.to_string(),
+            redirect_uri,
             model: chatgpt_model,
             created_at: chrono::Utc::now().timestamp(),
             status: BrowserOAuthSessionStatus::Pending,
diff --git a/src/api/server.rs b/src/api/server.rs
index 29bdaa847..31d2116dd 100644
--- a/src/api/server.rs
+++ b/src/api/server.rs
@@ -131,6 +131,10 @@ pub async fn start_http_server(
             "/providers/openai/oauth/browser/status",
             get(providers::openai_browser_oauth_status),
         )
+        .route(
+            "/providers/openai/oauth/browser/callback",
+            get(providers::openai_browser_oauth_callback),
+        )
         .route("/providers/test", post(providers::test_provider_model))
         .route("/providers/{provider}", delete(providers::delete_provider))
         .route("/models", get(models::get_models))

From 568f6b2bfb8110cd30356d0180b502c13629eeed Mon Sep 17 00:00:00 2001
From: Marijn van der Werf <marijn.vanderwerf@gmail.com>
Date: Mon, 23 Feb 2026 21:21:42 +0100
Subject: [PATCH 9/9] Fix clippy collapsible if and format

---
 src/api/providers.rs | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/api/providers.rs b/src/api/providers.rs
index 79e9ca72d..8fb5e54d6 100644
--- a/src/api/providers.rs
+++ b/src/api/providers.rs
@@ -360,12 +360,12 @@ async fn prune_expired_browser_oauth_sessions() {
 }
 
 fn resolve_browser_oauth_redirect_uri(headers: &HeaderMap) -> Option<String> {
-    if let Some(origin) = header_value(headers, axum::http::header::ORIGIN.as_str()) {
-        if let Ok(origin_url) = Url::parse(origin) {
-            let origin = origin_url.origin().ascii_serialization();
-            if origin != "null" {
-                return Some(format!("{origin}{OPENAI_BROWSER_OAUTH_REDIRECT_PATH}"));
-            }
+    if let Some(origin) = header_value(headers, axum::http::header::ORIGIN.as_str())
+        && let Ok(origin_url) = Url::parse(origin)
+    {
+        let origin = origin_url.origin().ascii_serialization();
+        if origin != "null" {
+            return Some(format!("{origin}{OPENAI_BROWSER_OAUTH_REDIRECT_PATH}"));
         }
     }
 
@@ -382,7 +382,11 @@ fn resolve_browser_oauth_redirect_uri(headers: &HeaderMap) -> Option<String> {
 
     if let Some(host) = header_value(headers, "host") {
         let host = normalize_host(host);
-        let scheme = if is_local_host(&host) { "http" } else { "https" };
+        let scheme = if is_local_host(&host) {
+            "http"
+        } else {
+            "https"
+        };
         return Some(format!(
             "{scheme}://{host}{OPENAI_BROWSER_OAUTH_REDIRECT_PATH}"
         ));
@@ -392,7 +396,9 @@ fn resolve_browser_oauth_redirect_uri(headers: &HeaderMap) -> Option<String> {
 }
 
 fn header_value(headers: &HeaderMap, name: impl AsRef<str>) -> Option<&str> {
-    headers.get(name.as_ref()).and_then(|value| value.to_str().ok())
+    headers
+        .get(name.as_ref())
+        .and_then(|value| value.to_str().ok())
 }
 
 fn first_header_value(value: &str) -> &str {