Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from bundle
Free Telegram /setup command for OpenClaw Codex auth: OAuth via pasted redirect/code, token fallback, status, and safe config patching.
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
SKILL.md
1---2name: tg-auth-setup3description: Install and use a Telegram `/setup` command that lets an authorized OpenClaw operator configure OpenAI Codex auth for the current agent from chat. Use when you need token-based setup, Telegram-driven OAuth completion, or self-serve Codex auth bootstrap without opening server files manually.4---56# TG Auth Setup78Install a small OpenClaw plugin that adds an owner-only `/setup` command for OpenAI Codex auth bootstrap from Telegram.910This is the current working flow we use now:11- `/setup` starts OAuth and prints the browser login URL.12- After login, paste the full redirect URL or code as a normal next Telegram message — no extra command needed.13- `/setup code <redirect_url_or_code>` is still available as a fallback.14- `/setup codex <token>` or `/setup <token>` stores a token profile instead of OAuth.15- `/setup status` shows which auth profile is active and the exact `auth-profiles.json` path.16- `/cancel` or `/setup cancel` cancels a waiting OAuth session.1718## Quick usage1920```text21/setup22/setup status23/setup oauth24/setup code <redirect_url_or_code>25/setup cancel26/cancel27/setup codex <token>28/setup <token>29```3031## What is bundled3233- `assets/tg-auth-setup-plugin/` — the OpenClaw plugin package.34- `scripts/install_plugin.sh` — installer wrapper around `openclaw plugins install`.3536## Install the plugin into OpenClaw3738Prefer copy mode for real servers:3940```bash41bash {baseDir}/scripts/install_plugin.sh copy42```4344Use link mode only for local plugin development where edits should stay live:4546```bash47bash {baseDir}/scripts/install_plugin.sh link48```4950Both modes install plugin id `tg-auth-setup`.5152## Verify and activate5354After install:5556```bash57openclaw plugins info tg-auth-setup58openclaw gateway restart59```6061Then confirm from Telegram:6263```text64/setup status65```6667If `/setup` is unknown, the Gateway usually has not been restarted or the plugin is not installed in the active OpenClaw runtime.6869## Operator flow in Telegram7071### 1. Check current status7273```text74/setup status75```7677The command reports whether `openai-codex:default` is missing, token-based, or OAuth-based, plus the active `auth-profiles.json` path. If OAuth is in progress, it also shows the session state and cancel hint.7879### 2. OAuth setup, preferred8081```text82/setup83```8485Then:861. Open the returned auth URL in a local browser.872. Finish sign-in.883. Copy the full redirect URL or auth code.894. Paste it back into Telegram as a normal message.9091Fallback if the plain follow-up message is inconvenient:9293```text94/setup code <redirect_url_or_code>95```9697The plugin keeps a short-lived per-sender OAuth session in memory, captures the next message from the same sender, stores OAuth credentials, and patches OpenClaw config when complete.9899### 3. Token-based setup100101```text102/setup codex <token>103```104105or just:106107```text108/setup <token>109```110111This writes a token profile for `openai-codex:default` and patches config so OpenClaw can use it.112113### 4. Cancel a stuck flow114115```text116/cancel117```118119Alias:120121```text122/setup cancel123```124125## What the plugin changes126127The bundled plugin:128- writes `openai-codex:default` into the target agent `auth-profiles.json`;129- stores either a token profile or an OAuth profile;130- patches OpenClaw config so `auth.profiles.openai-codex:default` points at provider `openai-codex` with mode `token` or `oauth`;131- sets `agents.defaults.model.primary` to `openai-codex/gpt-5.5` only if no primary model is already configured — it does not overwrite an existing agent model.132133## Implementation notes134135- OAuth helper loading is resilient across npm/global installs: it searches the active OpenClaw install, PATH-derived prefixes, npm global root, and common `@mariozechner/pi-ai` locations.136- Auth path defaults to `~/.openclaw/agents/main/agent/auth-profiles.json`, or `OPENCLAW_AGENT_DIR/auth-profiles.json` when `OPENCLAW_AGENT_DIR` is set.137- Writes are atomic and use restrictive file permissions where possible (`0700` dir, `0600` file).138- OAuth sessions timeout after 10 minutes.139140## Files to inspect141142When debugging or adapting behavior, read:143- `assets/tg-auth-setup-plugin/openclaw.plugin.json`144- `assets/tg-auth-setup-plugin/index.js`145- `scripts/install_plugin.sh`146147## Guardrails148149- Treat `/setup codex <token>` messages as sensitive; delete the Telegram message after successful setup.150- The command is registered with `requireAuth: true`; keep it limited to authorized senders only.151- Restart Gateway after installing or updating the plugin.152- Do not hardcode `/usr/lib/node_modules` or `/usr/local/lib/node_modules`; resolve the OAuth helper relative to the active OpenClaw install when adapting this skill.153