OAuth Providers
OpenAI Codex and GitHub Copilot provider login flows.
Some providers are not configured by pasting API keys into providers.*.apiKey. Facio treats OpenAI Codex and GitHub Copilot as OAuth providers.
OAuth provider behavior
| Provider | Config key | Selection | Credential form |
|---|---|---|---|
| OpenAI Codex | openai_codex | Model prefix such as openai-codex/... or explicit provider | OAuth token stored by the provider login flow. |
| GitHub Copilot | github_copilot | Model prefix such as github_copilot/... or explicit provider | OAuth token stored by the Copilot provider flow. |
OAuth providers are excluded from normal provider key persistence. The management API will report OAuth connection state, but it does not return or accept raw OAuth tokens as ordinary API keys.
CLI login
facio provider login openai-codex
facio provider login github-copilotUse this when you operate Facio from a CLI-capable environment and want to complete provider authorization out of band.
Placet relay
Facio can also start OAuth flows through Placet where the user clicks an authorization link and Placet relays the authorization code back to the agent. This is useful when the operator is already working inside Placet and should not need direct shell access.
Disconnecting
Use the provider credential API to remove stored OAuth state:
curl -X DELETE http://localhost:8900/api/v1/credentials/providers/openai_codex \
-H "Authorization: Bearer $FACIO_MANAGEMENT_TOKEN"Operational notes
- OAuth providers require explicit selection; they are not generic fallback providers.
- Store OAuth tokens only in the runtime's provider storage, not in prompts or docs.
- If a model string looks ambiguous, force
providerin settings while testing. - For GitHub tasks that only need repository access, do not assume Copilot OAuth is the right credential; use a scoped GitHub token through the credential store when a CLI or MCP server needs it.