Recovery guide for Codex CLI multi-account install issues, OAuth login failures, account switching problems, runtime rotation routing, project/worktree storage, and stale local auth state.
codex-multi-auth doctor --fix
codex-multi-auth check
codex-multi-auth forecast --liveIf the account pool is still not usable:
codex-multi-auth loginCheck the official CLI and the multi-auth package bins. On Windows use where; on macOS/Linux use which.
where codex
where codex-multi-auth
where codex-multi-auth-codex
codex --version
codex-multi-auth --version
codex-multi-auth-codex --version
codex-multi-auth status
npm ls -g codex-multi-authIf an old scoped package is still active:
npm uninstall -g @ndycode/codex-multi-auth
npm i -g codex-multi-authThe package does not publish a global codex binary. codex-multi-auth ... is the canonical account-manager family, and codex-multi-auth-codex ... is the optional forwarding wrapper.
| Symptom | Likely cause | Action |
|---|---|---|
| Browser opens unexpectedly | Normal browser-first OAuth flow | Complete the auth step and return to the terminal |
OAuth callback port 1455 is in use |
Another local process owns the port | Stop the conflicting process and rerun codex-multi-auth login |
| Browser or callback handoff is unavailable | Remote, SSH, container, or headless shell | Run codex-multi-auth login --device-auth; use codex-multi-auth login --manual only if device auth is unavailable |
missing field id_token |
Stale or malformed auth payload | Re-login the affected account |
refresh_token_reused |
The token pair rotated in another context | Re-login the affected account |
token_expired |
The refresh token is no longer valid | Re-login the affected account |
| Symptom | Likely cause | Action |
|---|---|---|
| Switch succeeds but the wrong account stays active | Stale Codex CLI sync state | Re-run codex-multi-auth switch <index> and restart the session |
| All accounts look unhealthy | The entire pool is stale or damaged | Run codex-multi-auth doctor --fix, then add at least one fresh account |
| The dashboard shows old account state | Local files were updated outside the current session | Run codex-multi-auth list, then codex-multi-auth check |
| Symptom | Likely cause | Action |
|---|---|---|
codex-multi-auth rotation status says disabled |
Stored setting or env override is off | Run codex-multi-auth rotation enable, remove CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=0, or set CODEX_MULTI_AUTH_RUNTIME_ROTATION_PROXY=1 for one process |
| Forwarded Codex session does not show the local provider | Command is help/non-requesting, rotation is disabled, or the official CLI was not launched through the wrapper | Check where codex-multi-auth-codex, then run codex-multi-auth rotation status |
| Pool exhausted error from the proxy | Every managed account is unavailable for that model/family | Run codex-multi-auth rotation status, then codex-multi-auth forecast --live |
| Packaged app still uses normal Codex routing | App bind was not installed or was removed | Run codex-multi-auth rotation bind-app, then reopen the app |
| Codex Desktop history disappears after app bind | Current Codex Desktop builds can filter local threads by the active provider, and app bind switches the real config to codex-multi-auth-runtime-proxy |
The data is normally still under ~/.codex; run codex-multi-auth rotation unbind-app or codex-multi-auth rotation disable to restore the original provider/config before browsing old history |
| Model speed controls are not visible with rotation | Speed/reasoning controls remain owned by Codex config or CLI flags; the app bind only routes Responses traffic | Set model_reasoning_effort in ~/.codex/config.toml or pass -c model_reasoning_effort=<level> for wrapper-launched CLI sessions |
| App bind needs to be removed | You want the official app config restored | Run codex-multi-auth rotation unbind-app or codex-multi-auth rotation disable |
The runtime proxy is loopback-only and default-on. It routes Responses traffic only for forwarded request-bearing official Codex sessions and supported app launches.
| Symptom | Likely cause | Action |
|---|---|---|
| A worktree asks for login again | The worktree still points at a legacy path key | Run codex-multi-auth list once in the worktree to trigger migration into repo-shared storage |
| A repo should not share accounts with another repo | Project-scoped storage is not enabled or not in use | Review the project storage rules in reference/storage-paths.md |
codex-multi-auth list
codex-multi-auth status
codex-multi-auth check
codex-multi-auth verify-flagged --json
codex-multi-auth forecast --live
codex-multi-auth fix --dry-run
codex-multi-auth report --live --json
codex-multi-auth doctor --jsonPowerShell:
Remove-Item "$HOME\.codex\multi-auth\openai-codex-accounts.json" -Force -ErrorAction SilentlyContinue
Remove-Item "$HOME\.codex\multi-auth\openai-codex-flagged-accounts.json" -Force -ErrorAction SilentlyContinue
Remove-Item "$HOME\.codex\multi-auth\settings.json" -Force -ErrorAction SilentlyContinue
codex-multi-auth loginBash:
rm -f ~/.codex/multi-auth/openai-codex-accounts.json
rm -f ~/.codex/multi-auth/openai-codex-flagged-accounts.json
rm -f ~/.codex/multi-auth/settings.json
codex-multi-auth loginnpm@7+ no longer fires preuninstall lifecycle scripts, so npm uninstall -g codex-multi-auth on its own leaves residual artifacts (a stale plugin entry in Codex.json, the cached node_modules/codex-multi-auth directory, an OS launcher, and the runtime app-bind state).
To uninstall completely, run the manager's own cleanup before you remove the npm package:
codex-multi-auth uninstall
npm uninstall -g codex-multi-authUseful flags on the cleanup step:
--dry-runpreviews what would be removed without touching the filesystem.--jsonprints a machine-readable summary.--clear-accountsalso wipes stored credentials (irreversible — use only when you are leaving the package permanently).
The cleanup unbinds Codex app runtime rotation, removes OS launchers, strips codex-multi-auth from Codex.json, and clears the plugin's node_modules cache. It conservatively preserves the shared bun.lock when other Codex plugins remain installed, and only deletes it when this is the sole plugin or Codex.json does not exist.
Attach these outputs when opening a bug report:
codex-multi-auth report --jsoncodex-multi-auth doctor --jsoncodex --versioncodex-multi-auth --versionnpm ls -g codex-multi-auth- the failing command and full terminal output