Bug: ChatGPT OAuth login missing api.connectors scopes — free-tier users get insufficient_quota on all models #30474

@expiren

Problem

Users who log in with a free ChatGPT account via OpenCode's "Login with ChatGPT" flow get insufficient_quota (429) errors on every OpenAI model call. Meanwhile, OpenAI's own Codex CLI works perfectly with the same free account and the same OAuth client ID.

ERROR service=llm providerID=openai modelID=gpt-5.5 error=insufficient_quota stream error

Root Cause

OpenCode already has the full Codex backend implementation:

  • ✅ Codex backend URL (chatgpt.com/backend-api/codex/responses)
  • ✅ Model routing set (gpt-5.5, gpt-5.2, gpt-5.3-codex, gpt-5.3-codex-spark, gpt-5.4, gpt-5.4-mini)
  • ✅ chatgpt_account_id extraction from JWT
  • ✅ codex_cli_simplified_flow=true OAuth param
  • ✅ id_token_add_organizations=true OAuth param
  • ❌ Missing OAuth scopes: api.connectors.read api.connectors.invoke

Both OpenCode and Codex CLI use the same OAuth client ID (app_EMoamEEZ73f0CkXaXp7hrann) and Auth0 server (auth.openai.com), but OpenCode requests fewer scopes:

OpenCode (current)

scope: "openid profile email offline_access"

Codex CLI

scope: "openid profile email offline_access api.connectors.read api.connectors.invoke"

Source: OpenCode's scope is in packages/opencode/src/plugin/openai/codex.ts line 85. Codex CLI's scope is at codex-rs/login/src/server.rs line 501 in openai/codex.

Without the api.connectors scopes, the token cannot authorize requests to the Codex backend (chatgpt.com/backend-api/codex/responses). The existing routing code in OpenCode never triggers because the token lacks the required permissions, so all requests fall through to the standard API endpoint (api.openai.com/v1/chat/completions), which requires paid API credits.

Verified Fix

I tested end-to-end on a free ChatGPT account with $0 API credits using a token that had the full Codex scopes:

POST https://chatgpt.com/backend-api/codex/responses
Headers: chatgpt-account-id: <account-id-from-jwt>
Body: {"model":"gpt-5.5","instructions":"You are a helpful assistant.","store":false,"stream":true,"input":[{"role":"user","content":"Say hello in exactly one word."}]}

Result: HTTP 200 OK
Model: gpt-5.5
Usage: input=23 output=5 total=28
Response: "Hello"

Proposed Fix

One-line change in packages/opencode/src/plugin/openai/codex.ts:

- scope: "openid profile email offline_access",
+ scope: "openid profile email offline_access api.connectors.read api.connectors.invoke",
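
Review bot: the `+` line widens the login request from the identity scopes plus offline_access to also include api.connectors.read and api.connectors.invoke, and nothing next to the literal says why each one is needed. Add a comment beside the string naming the backend call that depends on them, and confirm whether api.connectors.read is required in addition to api.connectors.invoke so the request stays at least privilege. Tokens already stored were issued under the `-` string, so this change should come with a check that detects such a token and prompts a new login instead of continuing to use it.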

That's it. The Codex backend routing, Responses API format conversion, chatgpt-account-id header injection, and model routing are all already implemented in OpenCode. They just never activate because the token lacks the required scopes.

Note: Existing users will need to re-login after this fix to obtain a new token with the updated scopes.

Impact

This one-line fix would enable all free ChatGPT users to use OpenAI models in OpenCode — the same experience they already get with Codex CLI. The Codex backend draws from the user's "agentic usage" quota, which OpenAI provides to all ChatGPT accounts (including free tier).

Environment

  • OpenCode CLI (Scoop) — latest version
  • OpenCode Desktop v1.15.13
  • Free ChatGPT account (Microsoft OAuth)
  • Windows 11
  • Tested with gpt-5.5 model
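
Added example, not part of the original issue and not OpenCode's or Codex CLI's code: a local check that tells whether a stored token predates the scope change and therefore needs a re-login. It assumes the access token is a JWT carrying its scopes in an `scp` array or a space-separated `scope` string claim; all function names and the sample tokens are constructed for illustration.

```typescript
// Added example. Assumption: scopes sit in an `scp` array or `scope` string claim.
const REQUIRED = "openid profile email offline_access api.connectors.read api.connectors.invoke".split(" ");
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Unpadded base64url -> string (ASCII claims only; enough for scope names).
function decodeSegment(seg: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < seg.length; i++) {
    const v = B64.indexOf(seg.charAt(i));
    if (v < 0) throw new Error("not base64url");
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

// String -> unpadded base64url; used only to build the constructed samples.
function encodeSegment(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | s.charCodeAt(i)) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64.charAt((acc >> bits) & 63); }
  }
  return bits > 0 ? out + B64.charAt((acc << (6 - bits)) & 63) : out;
}

// Scopes in a JWT access token, read WITHOUT signature verification: a local
// "is this stored token stale?" check, never an authorization decision.
function grantedScopes(jwt: string): string[] {
  const parts = jwt.split(".");
  if (parts.length !== 3) return []; // opaque or malformed token
  let claims: any;
  try { claims = JSON.parse(decodeSegment(parts[1])); } catch (_err) { return []; }
  if (claims === null || typeof claims !== "object") return [];
  const raw = claims.scp !== undefined ? claims.scp : claims.scope;
  if (Array.isArray(raw)) return raw.filter((s: any) => typeof s === "string");
  return typeof raw === "string" ? raw.split(" ").filter((s: string) => s !== "") : [];
}

// Scopes the stored token lacks; a non-empty result means "force re-login".
function missingScopes(jwt: string): string[] {
  const have = grantedScopes(jwt);
  return REQUIRED.filter((s) => have.indexOf(s) < 0);
}

// Constructed samples: one token from the old scope set, one from the new set.
const sample = (claims: object) => ["e30", encodeSegment(JSON.stringify(claims)), "sig"].join(".");
const OLD_TOKEN = sample({ scp: ["openid", "profile", "email", "offline_access"] });
const NEW_TOKEN = sample({ scope: REQUIRED.join(" ") });
```

A token that is opaque or fails to parse is reported as missing every scope, so the check fails towards a fresh login.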
