Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.pullfrog.com/llms.txt

Use this file to discover all available pages before exploring further.

If you have a ChatGPT Pro, Plus, Business, or Enterprise plan, you can use that with Pullfrog instead of paying for OpenAI API tokens on top. Pullfrog runs OpenAI models through your subscription via the Codex CLI — the same flow codex login --device-auth uses on your laptop.
Codex auth is for OpenAI models specifically. For other providers, see BYOK or Pullfrog Router.

Setup

Run one command from inside your repo: 
pullfrog auth codex
The CLI:
  1. Spawns codex login --device-auth in an isolated environment (your local ~/.codex/auth.json is never touched).
  2. Prints a URL and one-time code — open the URL, sign in to ChatGPT, approve the code.
  3. Stores the resulting credential as CODEX_AUTH_JSON in Pullfrog’s encrypted secret store.
That’s it. The next workflow run on this repo will use your ChatGPT subscription instead of needing an OpenAI API key.
You don’t need to install the Codex CLI separately if it’s already on your PATH. If it isn’t, the command will print install instructions. The CLI command supports --scope account|repo for org-owned repos (account scope is shared across every repo your org owns; repo scope is just this repo).

When to use this

  • You’re already paying for ChatGPT and don’t want to also pay per OpenAI API token.
  • You want the simplest setup — one command, no API key management, no GitHub Actions secrets.
  • You’re OK with OpenAI’s Codex Terms of Service applying to your usage.

How it works

Once stored, Pullfrog injects the credential at the start of each workflow run, routes it into OpenCode’s CodexAuthPlugin, and OpenCode uses it for all OpenAI model calls (gpt, gpt-pro, gpt-mini, etc. — anything under the openai/ provider). If the credential refreshes during a run (OAuth refresh tokens rotate on use), Pullfrog automatically persists the new token back to its secret store. You shouldn’t ever need to re-run pullfrog auth codex unless something goes wrong (revoked from ChatGPT settings, OAuth provider returns an error, etc.). The credential lives on the workflow runner’s disk only for the duration of the job, in a location the agent itself cannot read. It’s never written to your repository, your GitHub Actions secrets, or anywhere else outside the encrypted Pullfrog store.

Troubleshooting

Device-code auth not enabled. If codex login --device-auth exits immediately with a message about enabling device-code auth, go to https://chatgpt.com/#settings/Security, enable it, then re-run pullfrog auth codex (the CLI offers an interactive retry). Refresh fails mid-run. Workflow logs include a line like Token refresh failed: 4xx. Usually means the refresh token was invalidated (you logged out of ChatGPT, the chain rotated past Pullfrog’s copy, etc.). Re-run pullfrog auth codex to re-auth. pullfrog auth codex exits with “not installed”. Install Pullfrog’s CLI: npm i -g pullfrog. Or use npx pullfrog auth codex.

See also

  • BYOK — bring your own provider keys for other models.
  • Models — all supported OpenAI models and other providers.
  • Pullfrog Router — the no-keys alternative; billed at raw provider cost.