ChatGPT login token exchange may fail with 403 unsupported country when system/VPN routing is not fully captured

[luolinjian45]

While preparing codex-fast-proxy for ChatGPT account login, provider auth split succeeded and the proxy status became ready:

• provider: packycode
• base_url: http://127.0.0.1:8787/v1
• upstream_base: https://www.packyapi.com/v1
• login_mode: chatgpt
• chatgpt_auth: true
• chatgpt_login_compatible: true
• upstream_auth: override_configured
• upstream_api_key_source: provider_auth_file
• needs_restart: false
• fast_behavior: app_controlled

However, during ChatGPT official account login, Codex App showed:

Login server error: Token exchange failed: token endpoint returned status 403 Forbidden: Country, region, or territory not supported

The login later succeeded after closing ccswitch and switching VPN to global + TUN mode.

This seems to indicate that the ChatGPT OAuth/token exchange request may depend on the system/WebView network route rather than only the Codex model provider proxy. If VPN/proxy rules do not capture all traffic, OpenAI may see an unsupported egress region and reject the token exchange.

Suggested docs improvement:
Add troubleshooting for this specific ChatGPT login error:

• Confirm codex-fast-proxy status is ready and needs_restart=false.
• Confirm provider auth split is prepared.
• Check whether system proxy/VPN/TUN mode captures Codex App/WebView login traffic.
• Check whether tools such as ccswitch or provider switchers are changing routing/proxy behavior.
• Mention OpenAI’s unsupported region/token exchange behavior separately from provider auth failures.

[gaoguobin]

@codex

[chatgpt-codex-connector]

Summary

• Added a new ChatGPT-login troubleshooting section for Token exchange failed ... 403 Forbidden: Country, region, or territory not supported in README.md. It now explicitly guides users to verify proxy readiness (needs_restart=false), provider-auth preparation, full system/WebView routing capture (including VPN/TUN), and to disable route switchers like ccswitch when diagnosing this error. It also clarifies this is an OpenAI OAuth region/routing issue, separate from third-party provider auth failures.
• Committed the change on the current branch with commit message: docs: add ChatGPT token exchange 403 routing troubleshooting.

Testing

• ✅ rg --files -g 'AGENTS.md'
• ✅ find .. -name AGENTS.md -print
• ✅ rg -n "chatgpt|login|unsupported country|token exchange|ccswitch|VPN|TUN|needs_restart|auth split|provider auth" README.md docs -S
• ✅ git add README.md && git commit -m "docs: add ChatGPT token exchange 403 routing troubleshooting" && git status --short
• ✅ nl -ba README.md | sed -n '120,170p'

Also completed: created the follow-up PR metadata via make_pr with title “docs: add troubleshooting for ChatGPT token exchange 403 unsupported region errors” and a body summarizing the documentation update.

View task →