Documentation
¶
Overview ¶
Package chatgpt implements "Sign in with ChatGPT" authentication for the chatgpt model provider.
It performs the same OAuth 2.0 authorization-code + PKCE flow as OpenAI's Codex CLI (issuer https://auth.openai.com, public Codex client ID, fixed localhost callback on port 1455) so a ChatGPT Plus/Pro/Business subscription can be used instead of an OPENAI_API_KEY. The resulting access/refresh tokens authenticate requests against the ChatGPT Codex backend (https://chatgpt.com/backend-api/codex), which serves the gpt-5 model family over the Responses API.
Credentials are stored in <config-dir>/chatgpt-auth.json (owner-only), the same layout Codex CLI uses for ~/.codex/auth.json, and the access token is refreshed transparently when it approaches expiry.
Index ¶
Constants ¶
const ( // ProviderName is the built-in model provider name backed by this login. ProviderName = "chatgpt" // TokenEnvVar is the virtual environment variable through which the // stored login is exposed to the rest of docker-agent (credential // detection, doctor, first_available, ...). It resolves to a fresh // access token via the "chatgpt-login" environment source, and can be // set explicitly to inject a pre-minted access token (e.g. in CI). TokenEnvVar = "CHATGPT_OAUTH_TOKEN" // BaseURL is the ChatGPT Codex backend served to signed-in accounts. // It only exposes the Responses API (/responses). BaseURL = "https://chatgpt.com/backend-api/codex" // Originator identifies the client integration to the Codex backend. // The backend rejects requests from unknown originators, so we reuse // the Codex CLI value that is valid for every ChatGPT plan. Originator = "codex_cli_rs" )
Variables ¶
var ErrNotLoggedIn = errors.New("not signed in with a ChatGPT account")
ErrNotLoggedIn is returned when no ChatGPT account login is stored.
Functions ¶
func AccessToken ¶
AccessToken returns a valid access token for the ChatGPT Codex backend, transparently refreshing (and persisting) it when it is expired or close to expiry. It returns ErrNotLoggedIn when no login is stored.
func AccountIDFromToken ¶
AccountIDFromToken returns the ChatGPT account id embedded in an access token, or an empty string when the token does not carry one. The Codex backend requires this id as a request header for workspace accounts.
func SetCredentialsPathForTests ¶
func SetCredentialsPathForTests(path string) (restore func())
SetCredentialsPathForTests points credential storage at path and returns a restore function. Without an override, every credential operation under `go test` behaves as "not signed in" so the developer's real login is never read, refreshed over the network, or overwritten by tests.
Types ¶
type Credentials ¶
type Credentials struct {
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token,omitempty"`
IDToken string `json:"id_token,omitempty"`
AccountID string `json:"account_id,omitempty"`
Email string `json:"email,omitempty"`
Plan string `json:"plan,omitempty"`
ExpiresAt time.Time `json:"expires_at,omitzero"`
LastRefresh time.Time `json:"last_refresh,omitzero"`
}
Credentials is the persisted result of a ChatGPT account login.
func Load ¶
func Load() (*Credentials, error)
Load returns the stored credentials without refreshing them. Callers that need a usable token should use AccessToken instead.
func (*Credentials) Expired ¶
func (c *Credentials) Expired() bool
Expired reports whether the access token is expired or about to expire. A zero ExpiresAt means the expiry could not be determined; the token is then used as-is and a 401 from the backend surfaces naturally.
type LoginResult ¶
LoginResult summarizes a completed login for display.