OpenAI OAuth First-Time Setup (BYOK)¶
This guide covers first-time setup for linking a user's existing OpenAI subscription to tldw_server through OAuth (instead of pasting an API key), while still supporting API-key fallback.
Who This Is For¶
- Operators/admins configuring a deployment
- End users linking their own OpenAI account in the BYOK UI
This flow requires multi-user mode with BYOK enabled.
One-Time Deployment Prerequisites (Operator)¶
Minimum required configuration:
AUTH_MODE=multi_user
BYOK_ENABLED=true
BYOK_ENCRYPTION_KEY=<base64-encoded-32-byte-key>
BYOK_ALLOWED_PROVIDERS=openai
OPENAI_OAUTH_ENABLED=true
OPENAI_OAUTH_CLIENT_ID=<client-id>
OPENAI_OAUTH_CLIENT_SECRET=<client-secret>
OPENAI_OAUTH_AUTH_URL=<provider-authorize-url>
OPENAI_OAUTH_TOKEN_URL=<provider-token-url>
Recommended optional settings:
OPENAI_OAUTH_SCOPES=openid profile api
OPENAI_OAUTH_STATE_TTL_MINUTES=10
OPENAI_OAUTH_REDIRECT_URI=https://<your-host>/api/v1/users/keys/openai/oauth/callback
OPENAI_OAUTH_ALLOWED_RETURN_PATH_PREFIXES=/,/byok,/settings
Notes:
- If
OPENAI_OAUTH_REDIRECT_URIis not set, the server computes it from request base URL. - OAuth setup fails closed if required OAuth settings are missing.
- If OpenAI is not in
BYOK_ALLOWED_PROVIDERS, OAuth endpoints return403.
First-Time User Workflow (WebUI)¶
- Sign in to
tldw_serverin multi-user mode. - Open the BYOK page (
/byok) and find OpenAI OAuth (Personal). - Click Connect OpenAI.
- Complete the provider consent flow in the opened tab/window.
- After callback, return to BYOK and click Refresh status.
- Confirm the card shows:
Source: oauthconnected=true(badge/source now indicates OAuth)ExpiresandScopepopulated when provided by token response.- Start using OpenAI normally (chat/embeddings/audio). Runtime resolves OpenAI credentials from your active BYOK source.
Current behavior:
- The callback endpoint returns a JSON response in the OAuth tab.
- You can close that tab and refresh status in BYOK.
If You Also Have an API Key Stored¶
When both API key and OAuth credentials exist, you can switch active source:
- Use OAuth: set active source to OAuth.
- Use API Key Instead: switch back to API key.
If API key source is unavailable, switching to API key returns 409 Requested auth source is unavailable.
API Workflow (Equivalent)¶
User endpoints:
POST /api/v1/users/keys/openai/oauth/authorizeGET /api/v1/users/keys/openai/oauth/callbackGET /api/v1/users/keys/openai/oauth/statusPOST /api/v1/users/keys/openai/oauth/refreshPOST /api/v1/users/keys/openai/sourceDELETE /api/v1/users/keys/openai/oauth
Typical sequence:
- Call
authorizeto getauth_url. - Redirect user to
auth_url. - Provider redirects to callback with
codeandstate. - Callback stores OAuth credentials and sets active source to
oauth. - Query
statusto confirm connection.
Troubleshooting¶
403 OpenAI OAuth is disabled in this deployment¶
- Set
OPENAI_OAUTH_ENABLED=trueand restart.
501 OpenAI OAuth is not fully configured¶
- Ensure all required OAuth settings are set:
OPENAI_OAUTH_CLIENT_IDOPENAI_OAUTH_CLIENT_SECRETOPENAI_OAUTH_AUTH_URLOPENAI_OAUTH_TOKEN_URL
403 Invalid or expired OAuth state¶
- Restart flow from Connect OpenAI.
- Complete provider consent before
OPENAI_OAUTH_STATE_TTL_MINUTESexpires (default: 10 minutes).
400 return_path is not allowed¶
- Keep return path app-relative (example:
/byok). - Add allowed prefixes in
OPENAI_OAUTH_ALLOWED_RETURN_PATH_PREFIXES.
Refresh/disconnect returns 404 OAuth credential not found¶
- User is not connected yet, or already disconnected.
- Run Connect OpenAI again.
Browser popup blocked¶
- Allow popups for the site, or repeat and complete flow in same tab if browser falls back to redirect.
Security and Auditing Notes¶
- OAuth state is one-time use and short-lived.
- PKCE (
S256) is used for authorization-code exchange. - OAuth tokens are encrypted at rest via BYOK encryption.
- Audit events are emitted for authorize/connect/refresh/disconnect/source-switch actions.
- Metrics are emitted for OAuth authorize/callback/refresh outcomes.