> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pullfrog.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ChatGPT subscription

If you have a ChatGPT Pro, Plus, Business, or Enterprise plan, you can use that with Pullfrog instead of paying for OpenAI API tokens on top. Pullfrog runs OpenAI models through your subscription via the [Codex CLI](https://developers.openai.com/codex/cli) — the same flow `codex login --device-auth` uses on your laptop.

<Note>
  Codex auth is for OpenAI models specifically. For other providers, see [BYOK](/keys) or [Pullfrog Router](/billing#pullfrog-router).
</Note>

## Setup

Run one command from inside your repo:

```bash theme={null}
npx pullfrog auth codex
```

The CLI:

1. Spawns `codex login --device-auth` in an isolated environment (your local `~/.codex/auth.json` is never touched).
2. Prints a URL and one-time code — open the URL, sign in to ChatGPT, approve the code.
3. Stores the resulting credential as `CODEX_AUTH_JSON` in Pullfrog's encrypted secret store.

That's it. The next workflow run on this repo will use your ChatGPT subscription instead of needing an OpenAI API key.

<Note>
  You don't need to install the Codex CLI separately if it's already on your PATH. If it isn't, the command will print install instructions. On org-owned repos, the CLI prompts you to pick a storage scope: **account** (shared across every repo your org owns) or **repo** (just this repo). User-owned repos always store at account scope.
</Note>

## When to use this

* You're already paying for ChatGPT and don't want to also pay per OpenAI API token.
* You want the simplest setup — one command, no API key management, no GitHub Actions secrets.
* You're OK with OpenAI's [Codex Terms of Service](https://openai.com/policies/business-terms) applying to your usage.

## How it works

Once stored, Pullfrog injects the credential at the start of each workflow run, routes it into OpenCode's `CodexAuthPlugin`, and OpenCode uses it for all OpenAI model calls (`gpt`, `gpt-pro`, `gpt-mini`, etc. — anything under the `openai/` provider).

If the credential refreshes during a run (OAuth refresh tokens rotate on use), Pullfrog automatically persists the new token back to its secret store. You shouldn't ever need to re-run `npx pullfrog auth codex` unless something goes wrong (revoked from ChatGPT settings, OAuth provider returns an error, etc.).

The credential lives on the workflow runner's disk only for the duration of the job, in a location the agent itself cannot read. It's never written to your repository, your GitHub Actions secrets, or anywhere else outside the encrypted Pullfrog store.

## Troubleshooting

**Device-code auth not enabled.** If `codex login --device-auth` exits immediately with a message about enabling device-code auth, go to [https://chatgpt.com/#settings/Security](https://chatgpt.com/#settings/Security), enable it, then re-run `npx pullfrog auth codex` (the CLI offers an interactive retry).

**Refresh fails mid-run.** Workflow logs include a line like `Token refresh failed: 4xx`. Usually means the refresh token was invalidated (you logged out of ChatGPT, the chain rotated past Pullfrog's copy, etc.). Re-run `npx pullfrog auth codex` to re-auth.

## See also

* [BYOK](/keys) — bring your own provider keys for other models.
* [Models](/models) — all supported OpenAI models and other providers.
* [Pullfrog Router](/billing#pullfrog-router) — the no-keys alternative; billed at raw provider cost.