[VS Code Extension] Requires re-login on every restart — JWT missing chatgpt_plan_type on ARM64 Windows

[Leilight]

Description

The Codex VS Code extension requires re-login to OpenAI (ChatGPT Plus) account on every VS Code restart, and even when opening the Codex settings panel. This happens consistently on Windows 11 ARM64.

Root Cause Analysis

After debugging, I found the root cause in the extension source code (extension.js):

The "account-info" handler extracts chatgpt_account_id, chatgpt_user_id, and chatgpt_plan_type from the JWT token's https://api.openai.com/auth claim:

n = r["https://api.openai.com/auth"] ?? {}
i = n?.chatgpt_account_id ?? null    // → null
s = n?.chatgpt_user_id ?? null       // → null
a = n?.chatgpt_plan_type ?? null     // → null
c = o.email ?? null                  // → "xxx@live.com" ✓
if (i && s && a) return { accountId: i, userId: s, plan: a, email: c }
// Falls through → returns all nulls → triggers re-login

However, the JWT's https://api.openai.com/auth claim only contains:

{
  "groups": [],
  "organizations": [{ "id": "org-xxx", "is_default": true, "role": "owner", "title": "Personal" }],
  "user_id": "user-xxx"
}

The chatgpt_account_id, chatgpt_user_id, and chatgpt_plan_type fields are completely absent from the JWT — both in the initial token and after refresh. This causes the extension to always return {accountId: null, userId: null, plan: null, email: null}, which triggers the account/read error:

error={"code":-32600,"message":"email and plan type are required for chatgpt authentication"}

Expected Behavior

The extension should either:

1. Include chatgpt_plan_type, chatgpt_account_id, chatgpt_user_id in the JWT token returned during authentication/refresh, OR
2. Fall back to fetching account info from the OpenAI API when these claims are missing from the JWT, OR
3. Use user_id (which IS present in the JWT) as a fallback for chatgpt_user_id

Workaround

Patching extension.js to use fallback values when the ChatGPT-specific JWT claims are missing:

// Before (original):
i=n?.chatgpt_account_id??null,s=n?.chatgpt_user_id??null,a=n?.chatgpt_plan_type??null,c=o.email??null;
if(i&&s&&a)return{accountId:i,userId:s,plan:a,email:c}

// After (patched):
i=n?.chatgpt_account_id??null,s=n?.chatgpt_user_id??n?.user_id??null,a=n?.chatgpt_plan_type??"plus",c=o.email??null;
if(s&&c)return{accountId:i??s,userId:s,plan:a,email:c}

Environment

• OS: Windows 11 Pro ARM64 (10.0.26200)
• VS Code: Latest
• Codex Extension Version: 0.4.78 (also reproduced on 0.4.76)
• Architecture: ARM64 (aarch64)
• Account type: ChatGPT Plus (password login, not SSO)
• Auth mode: chatgpt (in ~/.codex/auth.json)

Steps to Reproduce

1. Install Codex VS Code extension on Windows 11 ARM64
2. Sign in with ChatGPT Plus account
3. Close and reopen VS Code
4. Codex extension requires re-login
5. Check ~/.codex/auth.json — tokens exist, account_id is null
6. Decode the JWT id_token — chatgpt_plan_type, chatgpt_account_id, chatgpt_user_id are all missing from the https://api.openai.com/auth claim

Related Issues

• Login with 'Team' plan incorrectly detected as 'Free' plan and usage prohibited #1984 (Team plan detected as Free)
• Logged in with ChatGPT Pro account, codex says "To use Codex with your ChatGPT plan, upgrade to Plus" #2330 (Pro account told to upgrade to Plus)
• codex login didn't support ChatGPT SSO #5553 (SSO fields missing after token refresh)
• Codex becomes unusable after forced re-login: single instance works, other instances fail, reboot breaks all IDE instances #9675 (Unusable after forced re-login)

Logs

2026-02-27 19:51:23.301 [error] Request failed conversationId=none durationMs=1800
error={"code":-32600,"message":"email and plan type are required for chatgpt authentication"}
method=account/read pendingCountAfter=2 timeoutMs=0

[github-actions]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

• #VS Code Codex extension repeatedly requires sign-in with ChatGPT auth, but works with API key auth #12170

Powered by Codex Action

[Leilight]

This is related to #12170 — same symptom and same error message.

However, this issue provides additional root cause analysis and a working patch:

• Root cause: The JWT token's https://api.openai.com/auth claim is missing chatgpt_account_id, chatgpt_user_id, and chatgpt_plan_type fields — both on initial login and after token refresh. The extension code requires all three to be non-null, which always fails.

• Workaround patch for extension.js is included above, which falls back to user_id and defaults plan_type to "plus" when the ChatGPT-specific claims are absent.

This issue is not platform-specific — #12170 reports it on Linux x64, and I'm experiencing it on Windows ARM64. The underlying cause is the same: the JWT simply doesn't contain the required claims.

[Leilight]

Update: This issue is NOT platform-specific.

Reproduced on:

• Windows 11 ARM64 (Surface)
• Windows 11 x64 (Alienware Area 51)
• Linux x64 Ubuntu (VS Code Codex extension repeatedly requires sign-in with ChatGPT auth, but works with API key auth #12170)

This is an account-level issue, not a platform issue. The JWT returned by OpenAI's auth server simply does not include chatgpt_plan_type, chatgpt_account_id, or chatgpt_user_id claims for certain accounts. Sign-in method is password-based (not SSO/social login).

cc @etraut-openai — per your question on #12170 about sign-in method: this account uses password authentication (auth_provider: "password" in JWT). Could this be related to why these ChatGPT-specific claims are missing from the token?

[Leilight]

Important new finding:

Tested with different login methods on the same machine:

Login method	Re-login required?	Plan detected
Password	Yes, every restart	N/A (JWT missing chatgpt_plan_type entirely)
Microsoft OAuth	No ✓	❌ Detected as free (actual subscription: Pro $200/mo)

This confirms two separate bugs:

1. Password auth: JWT https://api.openai.com/auth claim does not include chatgpt_plan_type, chatgpt_account_id, or chatgpt_user_id — causing the account/read failure and re-login loop.

2. Social auth (Microsoft): JWT includes chatgpt_plan_type but with incorrect value — a Pro subscriber is detected as a free user, showing "Get Plus" upgrade prompt.

Both issues point to the same root cause: the auth server is not correctly populating ChatGPT subscription info in the JWT for this account.

[Leilight]

Correction to previous comment:

The Microsoft OAuth test was misleading — it logged into a different OpenAI account (a free one), not the Pro account. So the "wrong plan detection" part was incorrect.

The actual issue remains only one bug:

Password-based login does not populate chatgpt_plan_type, chatgpt_account_id, or chatgpt_user_id in the JWT's https://api.openai.com/auth claim. Social login (Microsoft/Google/Apple) does populate these fields, but that doesn't help users whose subscription is on a password-authenticated account.

This is a server-side issue with OpenAI's auth endpoint — the Codex extension and CLI cannot work around it.

[etraut-openai]

Which version of the extension are you using? Were you seeing this behavior with previous versions? I'm trying to determine if this was a recent regression.

[Leilight]

Extension version: 0.4.78 (also previously tested with 0.4.76 — same behavior)

This is not a recent regression — I started using the Codex VS Code extension about a month ago (late January 2026), and the issue has been present since my very first install. I have never been able to use the extension without re-logging in on every VS Code restart.

Sign-in method: Password-based authentication (auth_provider: "password" in JWT). Auth mode is chatgpt (ChatGPT Pro subscription, not API key).

Reproduction rate: 100%. Today's VS Code logs show 10 separate sessions, and every single one shows the account/read error immediately on startup:

[error] Request failed error={"code":-32600,"message":"email and plan type are required for chatgpt authentication"} method=account/read

The JWT's https://api.openai.com/auth claim consistently does not include chatgpt_plan_type, chatgpt_account_id, or chatgpt_user_id — both on initial login and after token refresh.

[Leilight]

Note: The extension.js workaround patch mentioned in the original issue description does not actually resolve the problem. The account/read validation happens inside the codex.exe binary (compiled Rust code), not in extension.js. The extension.js account-info handler is a separate code path. This is a server-side issue — the fix needs to come from OpenAI's auth server populating the missing JWT claims.