Converting ChatGPT/Codex Subscriptions to OpenAI-Compatible API: A Detailed Explanation of the codex-openai-proxy Service

Explore how codex-openai-proxy uses Rust to build a lightweight proxy layer that converts OpenAI's ChatGPT/Codex subscriptions into standard OpenAI API format, supporting OAuth PKCE authentication, automatic token refresh, and reasoning parameter mapping.

OpenAI's product line is divided into two tracks:

• ChatGPT Subscription: A conversational interface for end-users, accessible via web or app
• OpenAI API: A programmatic interface for developers, charged by usage

The two use different authentication systems (OAuth vs. API Key) and protocol formats. For developers who have built applications based on the OpenAI SDK, if they want to use the Codex model access included in the subscription service, they must rewrite the authentication logic and request format, resulting in high migration costs.

The value of the proxy layer lies in decoupling: allowing the application layer to maintain the standard OpenAI API calling method, while the proxy layer handles protocol conversion with the subscription service.

codex-openai-proxy is a single-binary Rust program whose core responsibilities include:

The project implements the standard OAuth 2.0 PKCE (Proof Key for Code Exchange) flow, which is the best practice for modern OAuth applications:

1. The user executes the login command, and the proxy starts a local HTTP server to listen for callbacks
2. Automatically opens the browser to guide the user through OpenAI's OAuth authorization
3. The authorization code is passed back to the local server via the callback, and the proxy exchanges it for an access token and refresh token
4. Credentials are encrypted and stored in ~/.codex/auth.json, supporting subsequent automatic refresh

The PKCE mechanism prevents authorization code interception attacks, ensuring the authentication process remains reliable even in insecure network environments.

The proxy implements a comprehensive token management strategy:

• Pre-refresh mechanism: Proactively refreshes 5 minutes before the token expires to avoid request interruptions
• 401 automatic retry: When a request returns an authentication failure, it automatically triggers a refresh and retries the original request
• Status query: Provides the auth status command to check the current credential status and expiration time

These mechanisms ensure that long-running services can maintain authentication validity without manual intervention.

The proxy exposes three core endpoints, fully compatible with the OpenAI API specification:

Returns a list of available models, with data cached for 5 minutes. Models supported by the subscription service (e.g., the gpt-5.5 series) are mapped to the standard OpenAI model object format.

A direct pass-through endpoint for the Codex Responses API. Requests and responses retain their original format, suitable for scenarios requiring Codex-specific features (e.g., code execution environment). Supports SSE streaming responses.