Enhance parseArgsToMap with tolerant JSON parsing

- Introduced `tolerantParseJSONMap` to handle bareword values in streamed tool calls. - Added robust handling for JSON strings, objects, arrays, and numerical values. - Improved fallback mechanisms to ensure reliable parsing.
Update MANAGEMENT_API.md with expanded documentation for endpoints
2026-02-04 21:40:51 +08:00 · 2025-09-03 16:11:26 +08:00 · 2025-09-03 09:07:43 +08:00 · 2025-09-03 03:36:56 +08:00 · 2025-09-03 03:03:07 +08:00 · 2025-09-03 02:47:53 +08:00
12 changed files with 992 additions and 283 deletions
--- a/MANAGEMENT_API.md
+++ b/MANAGEMENT_API.md
@@ -1,240 +1,511 @@
 # Management API

-Base URL: `http://localhost:8317/v0/management`
+Base path: `http://localhost:8317/v0/management`

-This API manages runtime configuration and authentication files for the CLI Proxy API. All changes persist to the YAML config file and are hot‑reloaded by the server.
+This API manages the CLI Proxy API’s runtime configuration and authentication files. All changes are persisted to the YAML config file and hot‑reloaded by the service.

-Note: The following options cannot be changed via API and must be edited in the config file, then restart if needed:
+Note: The following options cannot be modified via API and must be set in the config file (restart if needed):
 - `allow-remote-management`
- `remote-management-key` (stored as bcrypt hash after startup if plaintext was provided)
+- `remote-management-key` (if plaintext is detected at startup, it is automatically bcrypt‑hashed and written back to the config)

 ## Authentication

- All requests (including localhost) must include a management key.
- Remote access additionally requires `allow-remote-management: true` in config.
- Provide the key via one of:
+- All requests (including localhost) must provide a valid management key.
+- Remote access requires enabling remote management in the config: `allow-remote-management: true`.
+- Provide the management key (in plaintext) via either:
  - `Authorization: Bearer <plaintext-key>`
  - `X-Management-Key: <plaintext-key>`

-If a plaintext key is present in the config on startup, it is bcrypt-hashed and written back to the config file automatically. If `remote-management-key` is empty, the Management API is entirely disabled (404 for `/v0/management/*`).
+If a plaintext key is detected in the config at startup, it will be bcrypt‑hashed and written back to the config file automatically.

 ## Request/Response Conventions

- Content type: `application/json` unless noted.
- Boolean/int/string updates use body: `{ "value": <type> }`.
- Array PUT bodies can be either a raw array (e.g. `["a","b"]`) or `{ "items": [ ... ] }`.
- Array PATCH accepts either `{ "old": "k1", "new": "k2" }` or `{ "index": 0, "value": "k2" }`.
- Object-array PATCH supports either index or key match (documented per endpoint).
+- Content-Type: `application/json` (unless otherwise noted).
+- Boolean/int/string updates: request body is `{ "value": <type> }`.
+- Array PUT: either a raw array (e.g. `["a","b"]`) or `{ "items": [ ... ] }`.
+- Array PATCH: supports `{ "old": "k1", "new": "k2" }` or `{ "index": 0, "value": "k2" }`.
+- Object-array PATCH: supports matching by index or by key field (specified per endpoint).

 ## Endpoints

 ### Debug
- GET `/debug` — get current debug flag
- PUT/PATCH `/debug` — set debug (boolean)
+- GET `/debug` — Get the current debug state
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/debug
+    ```
+  - Response:
+    ```json
+    { "debug": false }
+    ```
+- PUT/PATCH `/debug` — Set debug (boolean)
+  - Request:
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"value":true}' \
+      http://localhost:8317/v0/management/debug
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

-Example (set true):
-```bash
-curl -X PUT \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -H 'Content-Type: application/json' \
-  -d '{"value":true}' \
-  http://localhost:8317/v0/management/debug
-```
-Response:
-```json
-{ "status": "ok" }
-```
-
-### Proxy URL
- GET `/proxy-url` — get proxy URL string
- PUT/PATCH `/proxy-url` — set proxy URL string
- DELETE `/proxy-url` — clear proxy URL
-
-Example (set):
-```bash
-curl -X PATCH -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '{"value":"socks5://user:pass@127.0.0.1:1080/"}' \
-  http://localhost:8317/v0/management/proxy-url
-```
-Response:
-```json
-{ "status": "ok" }
-```
+### Proxy Server URL
+- GET `/proxy-url` — Get the proxy URL string
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/proxy-url
+    ```
+  - Response:
+    ```json
+    { "proxy-url": "socks5://user:pass@127.0.0.1:1080/" }
+    ```
+- PUT/PATCH `/proxy-url` — Set the proxy URL string
+  - Request (PUT):
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"value":"socks5://user:pass@127.0.0.1:1080/"}' \
+      http://localhost:8317/v0/management/proxy-url
+    ```
+  - Request (PATCH):
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"value":"http://127.0.0.1:8080"}' \
+      http://localhost:8317/v0/management/proxy-url
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+- DELETE `/proxy-url` — Clear the proxy URL
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE http://localhost:8317/v0/management/proxy-url
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

 ### Quota Exceeded Behavior
 - GET `/quota-exceeded/switch-project`
- PUT/PATCH `/quota-exceeded/switch-project` — boolean
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/quota-exceeded/switch-project
+    ```
+  - Response:
+    ```json
+    { "switch-project": true }
+    ```
+- PUT/PATCH `/quota-exceeded/switch-project` — Boolean
+  - Request:
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"value":false}' \
+      http://localhost:8317/v0/management/quota-exceeded/switch-project
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
 - GET `/quota-exceeded/switch-preview-model`
- PUT/PATCH `/quota-exceeded/switch-preview-model` — boolean
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/quota-exceeded/switch-preview-model
+    ```
+  - Response:
+    ```json
+    { "switch-preview-model": true }
+    ```
+- PUT/PATCH `/quota-exceeded/switch-preview-model` — Boolean
+  - Request:
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"value":true}' \
+      http://localhost:8317/v0/management/quota-exceeded/switch-preview-model
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

-Example:
-```bash
-curl -X PUT -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '{"value":false}' \
-  http://localhost:8317/v0/management/quota-exceeded/switch-project
-```
-Response:
-```json
-{ "status": "ok" }
-```
+### API Keys (proxy service auth)
+- GET `/api-keys` — Return the full list
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/api-keys
+    ```
+  - Response:
+    ```json
+    { "api-keys": ["k1","k2","k3"] }
+    ```
+- PUT `/api-keys` — Replace the full list
+  - Request:
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '["k1","k2","k3"]' \
+      http://localhost:8317/v0/management/api-keys
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+- PATCH `/api-keys` — Modify one item (`old/new` or `index/value`)
+  - Request (by old/new):
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"old":"k2","new":"k2b"}' \
+      http://localhost:8317/v0/management/api-keys
+    ```
+  - Request (by index/value):
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"index":0,"value":"k1b"}' \
+      http://localhost:8317/v0/management/api-keys
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+- DELETE `/api-keys` — Delete one (`?value=` or `?index=`)
+  - Request (by value):
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/api-keys?value=k1'
+    ```
+  - Request (by index):
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/api-keys?index=0'
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

-### API Keys (proxy server auth)
- GET `/api-keys` — return the full list
- PUT `/api-keys` — replace the full list
- PATCH `/api-keys` — update one entry (by `old/new` or `index/value`)
- DELETE `/api-keys` — remove one entry (by `?value=` or `?index=`)
-
-Examples:
-```bash
-# Replace list
-curl -X PUT -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '["k1","k2","k3"]' \
-  http://localhost:8317/v0/management/api-keys
-
-# Patch: replace k2 -> k2b
-curl -X PATCH -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '{"old":"k2","new":"k2b"}' \
-  http://localhost:8317/v0/management/api-keys
-
-# Delete by value
-curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/api-keys?value=k1'
-```
-Response (GET):
-```json
-{ "api-keys": ["k1","k2b","k3"] }
-```
-
-### Generative Language API Keys (Gemini)
+### Gemini API Key (Generative Language)
 - GET `/generative-language-api-key`
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/generative-language-api-key
+    ```
+  - Response:
+    ```json
+    { "generative-language-api-key": ["AIzaSy...01","AIzaSy...02"] }
+    ```
 - PUT `/generative-language-api-key`
+  - Request:
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '["AIzaSy-1","AIzaSy-2"]' \
+      http://localhost:8317/v0/management/generative-language-api-key
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
 - PATCH `/generative-language-api-key`
+  - Request:
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"old":"AIzaSy-1","new":"AIzaSy-1b"}' \
+      http://localhost:8317/v0/management/generative-language-api-key
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
 - DELETE `/generative-language-api-key`
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/generative-language-api-key?value=AIzaSy-2'
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

-Same request/response shapes as API keys.
+### Codex API KEY (object array)
+- GET `/codex-api-key` — List all
+    - Request:
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/codex-api-key
+      ```
+    - Response:
+      ```json
+      { "codex-api-key": [ { "api-key": "sk-a", "base-url": "" } ] }
+      ```
+- PUT `/codex-api-key` — Replace the list
+    - Request:
+      ```bash
+      curl -X PUT -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
+        http://localhost:8317/v0/management/codex-api-key
+      ```
+    - Response:
+      ```json
+      { "status": "ok" }
+      ```
+- PATCH `/codex-api-key` — Modify one (by `index` or `match`)
+    - Request (by index):
+      ```bash
+      curl -X PATCH -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
+        http://localhost:8317/v0/management/codex-api-key
+      ```
+    - Request (by match):
+      ```bash
+      curl -X PATCH -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
+        http://localhost:8317/v0/management/codex-api-key
+      ```
+    - Response:
+      ```json
+      { "status": "ok" }
+      ```
+- DELETE `/codex-api-key` — Delete one (`?api-key=` or `?index=`)
+    - Request (by api-key):
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/codex-api-key?api-key=sk-b2'
+      ```
+    - Request (by index):
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/codex-api-key?index=0'
+      ```
+    - Response:
+      ```json
+      { "status": "ok" }
+      ```

-### Request Logging
- GET `/request-log` — get boolean
- PUT/PATCH `/request-log` — set boolean
-
-### Request Retry
- GET `/request-retry` — get integer
- PUT/PATCH `/request-retry` — set integer
+### Request Retry Count
+- GET `/request-retry` — Get integer
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/request-retry
+    ```
+  - Response:
+    ```json
+    { "request-retry": 3 }
+    ```
+- PUT/PATCH `/request-retry` — Set integer
+  - Request:
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"value":5}' \
+      http://localhost:8317/v0/management/request-retry
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

 ### Allow Localhost Unauthenticated
- GET `/allow-localhost-unauthenticated` — get boolean
- PUT/PATCH `/allow-localhost-unauthenticated` — set boolean
+- GET `/allow-localhost-unauthenticated` — Get boolean
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/allow-localhost-unauthenticated
+    ```
+  - Response:
+    ```json
+    { "allow-localhost-unauthenticated": false }
+    ```
+- PUT/PATCH `/allow-localhost-unauthenticated` — Set boolean
+  - Request:
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"value":true}' \
+      http://localhost:8317/v0/management/allow-localhost-unauthenticated
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

-### Claude API Keys (object array)
- GET `/claude-api-key` — full list
- PUT `/claude-api-key` — replace list
- PATCH `/claude-api-key` — update one item (by `index` or `match` API key)
- DELETE `/claude-api-key` — remove one item (`?api-key=` or `?index=`)
-
-Object shape:
-```json
-{
-  "api-key": "sk-...",
-  "base-url": "https://custom.example.com"   // optional
-}
-```
-
-Examples:
-```bash
-# Replace list
-curl -X PUT -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
-  http://localhost:8317/v0/management/claude-api-key
-
-# Patch by index
-curl -X PATCH -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
-  http://localhost:8317/v0/management/claude-api-key
-
-# Patch by match (api-key)
-curl -X PATCH -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
-  http://localhost:8317/v0/management/claude-api-key
-
-# Delete by api-key
-curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/claude-api-key?api-key=sk-b2'
-```
-Response (GET):
-```json
-{
-  "claude-api-key": [
-    { "api-key": "sk-a", "base-url": "" }
-  ]
-}
-```
+### Claude API KEY (object array)
+- GET `/claude-api-key` — List all
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/claude-api-key
+    ```
+  - Response:
+    ```json
+    { "claude-api-key": [ { "api-key": "sk-a", "base-url": "" } ] }
+    ```
+- PUT `/claude-api-key` — Replace the list
+  - Request:
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
+      http://localhost:8317/v0/management/claude-api-key
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+- PATCH `/claude-api-key` — Modify one (by `index` or `match`)
+  - Request (by index):
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
+      http://localhost:8317/v0/management/claude-api-key
+    ```
+  - Request (by match):
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
+      http://localhost:8317/v0/management/claude-api-key
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+- DELETE `/claude-api-key` — Delete one (`?api-key=` or `?index=`)
+  - Request (by api-key):
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/claude-api-key?api-key=sk-b2'
+    ```
+  - Request (by index):
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/claude-api-key?index=0'
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

 ### OpenAI Compatibility Providers (object array)
- GET `/openai-compatibility` — full list
- PUT `/openai-compatibility` — replace list
- PATCH `/openai-compatibility` — update one item by `index` or `name`
- DELETE `/openai-compatibility` — remove by `?name=` or `?index=`
+- GET `/openai-compatibility` — List all
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/openai-compatibility
+    ```
+  - Response:
+    ```json
+    { "openai-compatibility": [ { "name": "openrouter", "base-url": "https://openrouter.ai/api/v1", "api-keys": [], "models": [] } ] }
+    ```
+- PUT `/openai-compatibility` — Replace the list
+  - Request:
+    ```bash
+    curl -X PUT -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk"],"models":[{"name":"m","alias":"a"}]}]' \
+      http://localhost:8317/v0/management/openai-compatibility
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+- PATCH `/openai-compatibility` — Modify one (by `index` or `name`)
+  - Request (by name):
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"name":"openrouter","value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":[],"models":[]}}' \
+      http://localhost:8317/v0/management/openai-compatibility
+    ```
+  - Request (by index):
+    ```bash
+    curl -X PATCH -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d '{"index":0,"value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":[],"models":[]}}' \
+      http://localhost:8317/v0/management/openai-compatibility
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+- DELETE `/openai-compatibility` — Delete (`?name=` or `?index=`)
+  - Request (by name):
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/openai-compatibility?name=openrouter'
+    ```
+  - Request (by index):
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/openai-compatibility?index=0'
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

-Object shape:
-```json
-{
-  "name": "openrouter",
-  "base-url": "https://openrouter.ai/api/v1",
-  "api-keys": ["sk-..."],
-  "models": [ {"name": "moonshotai/kimi-k2:free", "alias": "kimi-k2"} ]
-}
-```
+### Auth File Management

-Examples:
-```bash
-# Replace list
-curl -X PUT -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk"],"models":[{"name":"m","alias":"a"}]}]' \
-  http://localhost:8317/v0/management/openai-compatibility
+Manage JSON token files under `auth-dir`: list, download, upload, delete.

-# Patch by name
-curl -X PATCH -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-  -d '{"name":"openrouter","value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":[],"models":[]}}' \
-  http://localhost:8317/v0/management/openai-compatibility
-
-# Delete by index
-curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/openai-compatibility?index=0'
-```
-Response (GET):
-```json
-{ "openai-compatibility": [ { "name": "openrouter", "base-url": "...", "api-keys": [], "models": [] } ] }
-```
-
-### Auth Files Management
-
-List JSON token files under `auth-dir`, download/upload/delete.
-
- GET `/auth-files` — list
+- GET `/auth-files` — List
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/auth-files
+    ```
  - Response:
    ```json
    { "files": [ { "name": "acc1.json", "size": 1234, "modtime": "2025-08-30T12:34:56Z" } ] }
    ```

- GET `/auth-files/download?name=<file.json>` — download a single file
+- GET `/auth-files/download?name=<file.json>` — Download a single file
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -OJ 'http://localhost:8317/v0/management/auth-files/download?name=acc1.json'
+    ```

- POST `/auth-files` — upload
-  - Multipart form: field `file` (must be `.json`)
-  - Or raw JSON body with `?name=<file.json>`
-  - Response: `{ "status": "ok" }`
+- POST `/auth-files` — Upload
+  - Request (multipart):
+    ```bash
+    curl -X POST -F 'file=@/path/to/acc1.json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      http://localhost:8317/v0/management/auth-files
+    ```
+  - Request (raw JSON):
+    ```bash
+    curl -X POST -H 'Content-Type: application/json' \
+    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      -d @/path/to/acc1.json \
+      'http://localhost:8317/v0/management/auth-files?name=acc1.json'
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```

- DELETE `/auth-files?name=<file.json>` — delete a single file
- DELETE `/auth-files?all=true` — delete all `.json` files in `auth-dir`
+- DELETE `/auth-files?name=<file.json>` — Delete a single file
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/auth-files?name=acc1.json'
+    ```
+  - Response:
+    ```json
+    { "status": "ok" }
+    ```
+
+- DELETE `/auth-files?all=true` — Delete all `.json` files under `auth-dir`
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/auth-files?all=true'
+    ```
+  - Response:
+    ```json
+    { "status": "ok", "deleted": 3 }
+    ```

 ## Error Responses

-Generic error shapes:
+Generic error format:
 - 400 Bad Request: `{ "error": "invalid body" }`
 - 401 Unauthorized: `{ "error": "missing management key" }` or `{ "error": "invalid management key" }`
 - 403 Forbidden: `{ "error": "remote management disabled" }`
@@ -243,6 +514,6 @@ Generic error shapes:

 ## Notes

- Changes are written to the YAML configuration file and picked up by the server’s file watcher to hot-reload clients and settings.
- `allow-remote-management` and `remote-management-key` must be edited in the configuration file and cannot be changed via the API.
+- Changes are written back to the YAML config file and hot‑reloaded by the file watcher and clients.
+- `allow-remote-management` and `remote-management-key` cannot be changed via the API; configure them in the config file.

--- a/MANAGEMENT_API_CN.md
+++ b/MANAGEMENT_API_CN.md
@@ -233,28 +233,60 @@
    { "status": "ok" }
    ```

-### 开启请求日志
- GET `/request-log` — 获取布尔值
-  - 请求：
-    ```bash
-    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/request-log
-    ```
-  - 响应：
-    ```json
-    { "request-log": true }
-    ```
- PUT/PATCH `/request-log` — 设置布尔值
-  - 请求：
-    ```bash
-    curl -X PUT -H 'Content-Type: application/json' \
-    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"value":true}' \
-      http://localhost:8317/v0/management/request-log
-    ```
-  - 响应：
-    ```json
-    { "status": "ok" }
-    ```
+### Codex API KEY（对象数组）
+- GET `/codex-api-key` — 列出全部
+    - 请求：
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/codex-api-key
+      ```
+    - 响应：
+      ```json
+      { "codex-api-key": [ { "api-key": "sk-a", "base-url": "" } ] }
+      ```
+- PUT `/codex-api-key` — 完整改写列表
+    - 请求：
+      ```bash
+      curl -X PUT -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
+        http://localhost:8317/v0/management/codex-api-key
+      ```
+    - 响应：
+      ```json
+      { "status": "ok" }
+      ```
+- PATCH `/codex-api-key` — 修改其中一个（按 `index` 或 `match`）
+    - 请求（按索引）：
+      ```bash
+      curl -X PATCH -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
+        http://localhost:8317/v0/management/codex-api-key
+      ```
+    - 请求（按匹配）：
+      ```bash
+      curl -X PATCH -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
+        http://localhost:8317/v0/management/codex-api-key
+      ```
+    - 响应：
+      ```json
+      { "status": "ok" }
+      ```
+- DELETE `/codex-api-key` — 删除其中一个（`?api-key=` 或 `?index=`）
+    - 请求（按 api-key）：
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/codex-api-key?api-key=sk-b2'
+      ```
+    - 请求（按索引）：
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' -X DELETE 'http://localhost:8317/v0/management/codex-api-key?index=0'
+      ```
+    - 响应：
+      ```json
+      { "status": "ok" }
+      ```

 ### 请求重试次数
 - GET `/request-retry` — 获取整数
--- a/README.md
+++ b/README.md
@@ -2,11 +2,11 @@

 English | [中文](README_CN.md)

-A proxy server that provides OpenAI/Gemini/Claude compatible API interfaces for CLI.
+A proxy server that provides OpenAI/Gemini/Claude/Codex compatible API interfaces for CLI.

 It now also supports OpenAI Codex (GPT models) and Claude Code via OAuth.

-So you can use local or multi-account CLI access with OpenAI-compatible clients and SDKs.
+So you can use local or multi-account CLI access with OpenAI(include Responses)/Gemini/Claude-compatible clients and SDKs.

 The first Chinese provider has now been added: [Qwen Code](https://github.com/QwenLM/qwen-code).

@@ -25,6 +25,7 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw
 - Gemini CLI multi-account load balancing
 - Claude Code multi-account load balancing
 - Qwen Code multi-account load balancing
+- OpenAI Codex multi-account load balancing
 - OpenAI-compatible upstream providers via config (e.g., OpenRouter)

 ## Installation
--- a/README_CN.md
+++ b/README_CN.md
@@ -1,18 +1,36 @@
+# 写给所有中国网友的
+
+对于项目前期的确有很多用户使用上遇到各种各样的奇怪问题，大部分是因为配置或我说明文档不全导致的。
+
+对说明文档我已经尽可能的修补，有些重要的地方我甚至已经写到了打包的配置文件里。
+
+已经写在 README 中的功能，都是**可用**的，经过**验证**的，并且我自己**每天**都在使用的。
+
+可能在某些场景中使用上效果并不是很出色，但那基本上是模型和工具的原因，比如用 Claude Code 的时候，有的模型就无法正确使用工具，比如 Gemini，就在 Claude Code 和 Codex 的下使用的相当扭捏，有时能完成大部分工作，但有时候却只说不做。
+
+目前来说 Claude 和 GPT-5 是目前使用各种第三方CLI工具运用的最好的模型，我自己也是多个账号做均衡负载使用。
+
+实事求是的说，最初的几个版本我根本就没有中文文档，我至今所有文档也都是使用英文更新让后让 Gemini 翻译成中文的。但是无论如何都不会出现中文文档无法理解的问题。因为所有的中英文文档我都是再三校对，并且发现未及时更改的更新的地方都快速更新掉了。
+
+最后，烦请在发 Issue 之前请认真阅读这篇文档。
+
+另外中文需要交流的用户可以加 QQ 群：188637136
+
 # CLI 代理 API

 [English](README.md) | 中文

-一个为 CLI 提供 OpenAI/Gemini/Claude 兼容 API 接口的代理服务器。
+一个为 CLI 提供 OpenAI/Gemini/Claude/Codex 兼容 API 接口的代理服务器。

 现已支持通过 OAuth 登录接入 OpenAI Codex（GPT 系列）和 Claude Code。

-您可以使用本地或多账户的CLI方式，通过任何与OpenAI兼容的客户端和SDK进行访问。
+您可以使用本地或多账户的CLI方式，通过任何与 OpenAI（包括Responses）/Gemini/Claude 兼容的客户端和SDK进行访问。

 现已新增首个中国提供商：[Qwen Code](https://github.com/QwenLM/qwen-code)。

 ## 功能特性

- 为 CLI 模型提供 OpenAI/Gemini/Claude 兼容的 API 端点
+- 为 CLI 模型提供 OpenAI/Gemini/Claude/Codex 兼容的 API 端点
 - 新增 OpenAI Codex（GPT 系列）支持（OAuth 登录）
 - 新增 Claude Code 支持（OAuth 登录）
 - 新增 Qwen Code 支持（OAuth 登录）
@@ -25,6 +43,7 @@
 - 支持 Gemini CLI 多账户轮询
 - 支持 Claude Code 多账户轮询
 - 支持 Qwen Code 多账户轮询
+- 支持 OpenAI Codex 多账户轮询
 - 通过配置接入上游 OpenAI 兼容提供商（例如 OpenRouter）

 ## 安装
--- a/internal/api/handlers/management/config_lists.go
+++ b/internal/api/handlers/management/config_lists.go
@@ -250,3 +250,77 @@ func (h *Handler) DeleteOpenAICompat(c *gin.Context) {
 	}
 	c.JSON(400, gin.H{"error": "missing name or index"})
 }
+
+// codex-api-key: []CodexKey
+func (h *Handler) GetCodexKeys(c *gin.Context) {
+	c.JSON(200, gin.H{"codex-api-key": h.cfg.CodexKey})
+}
+func (h *Handler) PutCodexKeys(c *gin.Context) {
+	data, err := c.GetRawData()
+	if err != nil {
+		c.JSON(400, gin.H{"error": "failed to read body"})
+		return
+	}
+	var arr []config.CodexKey
+	if err = json.Unmarshal(data, &arr); err != nil {
+		var obj struct {
+			Items []config.CodexKey `json:"items"`
+		}
+		if err2 := json.Unmarshal(data, &obj); err2 != nil || len(obj.Items) == 0 {
+			c.JSON(400, gin.H{"error": "invalid body"})
+			return
+		}
+		arr = obj.Items
+	}
+	h.cfg.CodexKey = arr
+	h.persist(c)
+}
+func (h *Handler) PatchCodexKey(c *gin.Context) {
+	var body struct {
+		Index *int             `json:"index"`
+		Match *string          `json:"match"`
+		Value *config.CodexKey `json:"value"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil || body.Value == nil {
+		c.JSON(400, gin.H{"error": "invalid body"})
+		return
+	}
+	if body.Index != nil && *body.Index >= 0 && *body.Index < len(h.cfg.CodexKey) {
+		h.cfg.CodexKey[*body.Index] = *body.Value
+		h.persist(c)
+		return
+	}
+	if body.Match != nil {
+		for i := range h.cfg.CodexKey {
+			if h.cfg.CodexKey[i].APIKey == *body.Match {
+				h.cfg.CodexKey[i] = *body.Value
+				h.persist(c)
+				return
+			}
+		}
+	}
+	c.JSON(404, gin.H{"error": "item not found"})
+}
+func (h *Handler) DeleteCodexKey(c *gin.Context) {
+	if val := c.Query("api-key"); val != "" {
+		out := make([]config.CodexKey, 0, len(h.cfg.CodexKey))
+		for _, v := range h.cfg.CodexKey {
+			if v.APIKey != val {
+				out = append(out, v)
+			}
+		}
+		h.cfg.CodexKey = out
+		h.persist(c)
+		return
+	}
+	if idxStr := c.Query("index"); idxStr != "" {
+		var idx int
+		_, err := fmt.Sscanf(idxStr, "%d", &idx)
+		if err == nil && idx >= 0 && idx < len(h.cfg.CodexKey) {
+			h.cfg.CodexKey = append(h.cfg.CodexKey[:idx], h.cfg.CodexKey[idx+1:]...)
+			h.persist(c)
+			return
+		}
+	}
+	c.JSON(400, gin.H{"error": "missing api-key or index"})
+}
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -193,6 +193,11 @@ func (s *Server) setupRoutes() {
 			mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
 			mgmt.DELETE("/claude-api-key", s.mgmt.DeleteClaudeKey)

+			mgmt.GET("/codex-api-key", s.mgmt.GetCodexKeys)
+			mgmt.PUT("/codex-api-key", s.mgmt.PutCodexKeys)
+			mgmt.PATCH("/codex-api-key", s.mgmt.PatchCodexKey)
+			mgmt.DELETE("/codex-api-key", s.mgmt.DeleteCodexKey)
+
 			mgmt.GET("/openai-compatibility", s.mgmt.GetOpenAICompat)
 			mgmt.PUT("/openai-compatibility", s.mgmt.PutOpenAICompat)
 			mgmt.PATCH("/openai-compatibility", s.mgmt.PatchOpenAICompat)
--- a/internal/client/codex_client.go
+++ b/internal/client/codex_client.go
@@ -19,6 +19,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/luispater/CLIProxyAPI/internal/auth"
 	"github.com/luispater/CLIProxyAPI/internal/auth/codex"
+	"github.com/luispater/CLIProxyAPI/internal/auth/empty"
 	"github.com/luispater/CLIProxyAPI/internal/config"
 	. "github.com/luispater/CLIProxyAPI/internal/constant"
 	"github.com/luispater/CLIProxyAPI/internal/interfaces"
@@ -38,9 +39,11 @@ const (
 type CodexClient struct {
 	ClientBase
 	codexAuth *codex.CodexAuth
+	// apiKeyIndex is the index of the API key to use from the config, -1 if not using API keys
+	apiKeyIndex int
 }

-// NewCodexClient creates a new OpenAI client instance
+// NewCodexClient creates a new OpenAI client instance using token-based authentication
 //
 // Parameters:
 //   - cfg: The application configuration.
@@ -63,7 +66,8 @@ func NewCodexClient(cfg *config.Config, ts *codex.CodexTokenStorage) (*CodexClie
 			modelQuotaExceeded: make(map[string]*time.Time),
 			tokenStorage:       ts,
 		},
-		codexAuth: codex.NewCodexAuth(cfg),
+		codexAuth:   codex.NewCodexAuth(cfg),
+		apiKeyIndex: -1,
 	}

 	// Initialize model registry and register OpenAI models
@@ -73,6 +77,41 @@ func NewCodexClient(cfg *config.Config, ts *codex.CodexTokenStorage) (*CodexClie
 	return client, nil
 }

+// NewCodexClientWithKey creates a new Codex client instance using API key authentication.
+// It initializes the client with the provided configuration and selects the API key
+// at the specified index from the configuration.
+//
+// Parameters:
+//   - cfg: The application configuration.
+//   - apiKeyIndex: The index of the API key to use from the configuration.
+//
+// Returns:
+//   - *CodexClient: A new Codex client instance.
+func NewCodexClientWithKey(cfg *config.Config, apiKeyIndex int) *CodexClient {
+	httpClient := util.SetProxy(cfg, &http.Client{})
+
+	// Generate unique client ID for API key client
+	clientID := fmt.Sprintf("codex-apikey-%d-%d", apiKeyIndex, time.Now().UnixNano())
+
+	client := &CodexClient{
+		ClientBase: ClientBase{
+			RequestMutex:       &sync.Mutex{},
+			httpClient:         httpClient,
+			cfg:                cfg,
+			modelQuotaExceeded: make(map[string]*time.Time),
+			tokenStorage:       &empty.EmptyStorage{},
+		},
+		codexAuth:   codex.NewCodexAuth(cfg),
+		apiKeyIndex: apiKeyIndex,
+	}
+
+	// Initialize model registry and register OpenAI models
+	client.InitializeModelRegistry(clientID)
+	client.RegisterModels("codex", registry.GetOpenAIModels())
+
+	return client
+}
+
 // Type returns the client type
 func (c *CodexClient) Type() string {
 	return CODEX
@@ -102,6 +141,16 @@ func (c *CodexClient) CanProvideModel(modelName string) bool {
 	return util.InArray(models, modelName)
 }

+// GetAPIKey returns the API key for Codex API requests.
+// If an API key index is specified, it returns the corresponding key from the configuration.
+// Otherwise, it returns an empty string, indicating token-based authentication should be used.
+func (c *CodexClient) GetAPIKey() string {
+	if c.apiKeyIndex != -1 {
+		return c.cfg.CodexKey[c.apiKeyIndex].APIKey
+	}
+	return ""
+}
+
 // GetUserAgent returns the user agent string for OpenAI API requests
 func (c *CodexClient) GetUserAgent() string {
 	return "codex-cli"
@@ -283,6 +332,11 @@ func (c *CodexClient) SaveTokenToFile() error {
 // Returns:
 //   - error: An error if the refresh operation fails, nil otherwise.
 func (c *CodexClient) RefreshTokens(ctx context.Context) error {
+	// Check if we have a valid refresh token
+	if c.apiKeyIndex != -1 {
+		return fmt.Errorf("no refresh token available")
+	}
+
 	if c.tokenStorage == nil || c.tokenStorage.(*codex.CodexTokenStorage).RefreshToken == "" {
 		return fmt.Errorf("no refresh token available")
 	}
@@ -364,6 +418,18 @@ func (c *CodexClient) APIRequest(ctx context.Context, modelName, endpoint string
 	}

 	url := fmt.Sprintf("%s%s", chatGPTEndpoint, endpoint)
+	accessToken := ""
+
+	if c.apiKeyIndex != -1 {
+		// Using API key authentication - use configured base URL if provided
+		if c.cfg.CodexKey[c.apiKeyIndex].BaseURL != "" {
+			url = fmt.Sprintf("%s%s", c.cfg.CodexKey[c.apiKeyIndex].BaseURL, endpoint)
+		}
+		accessToken = c.cfg.CodexKey[c.apiKeyIndex].APIKey
+	} else {
+		// Using OAuth token authentication - use ChatGPT endpoint
+		accessToken = c.tokenStorage.(*codex.CodexTokenStorage).AccessToken
+	}

 	// log.Debug(string(jsonBody))
 	// log.Debug(url)
@@ -381,9 +447,16 @@ func (c *CodexClient) APIRequest(ctx context.Context, modelName, endpoint string
 	req.Header.Set("Openai-Beta", "responses=experimental")
 	req.Header.Set("Session_id", sessionID)
 	req.Header.Set("Accept", "text/event-stream")
-	req.Header.Set("Chatgpt-Account-Id", c.tokenStorage.(*codex.CodexTokenStorage).AccountID)
-	req.Header.Set("Originator", "codex_cli_rs")
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.tokenStorage.(*codex.CodexTokenStorage).AccessToken))
+
+	if c.apiKeyIndex != -1 {
+		// Using API key authentication
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
+	} else {
+		// Using OAuth token authentication - include ChatGPT specific headers
+		req.Header.Set("Chatgpt-Account-Id", c.tokenStorage.(*codex.CodexTokenStorage).AccountID)
+		req.Header.Set("Originator", "codex_cli_rs")
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
+	}

 	if c.cfg.RequestLog {
 		if ginContext, ok := ctx.Value("gin").(*gin.Context); ok {
@@ -391,7 +464,11 @@ func (c *CodexClient) APIRequest(ctx context.Context, modelName, endpoint string
 		}
 	}

-	log.Debugf("Use ChatGPT account %s for model %s", c.GetEmail(), modelName)
+	if c.apiKeyIndex != -1 {
+		log.Debugf("Use Codex API key %s for model %s", util.HideAPIKey(c.cfg.CodexKey[c.apiKeyIndex].APIKey), modelName)
+	} else {
+		log.Debugf("Use ChatGPT account %s for model %s", c.GetEmail(), modelName)
+	}

 	resp, err := c.httpClient.Do(req)
 	if err != nil {
@@ -413,7 +490,11 @@ func (c *CodexClient) APIRequest(ctx context.Context, modelName, endpoint string
 }

 // GetEmail returns the email associated with the client's token storage.
+// If the client is using API key authentication, it returns the API key.
 func (c *CodexClient) GetEmail() string {
+	if c.apiKeyIndex != -1 {
+		return c.cfg.CodexKey[c.apiKeyIndex].APIKey
+	}
 	return c.tokenStorage.(*codex.CodexTokenStorage).Email
 }

--- a/internal/cmd/run.go
+++ b/internal/cmd/run.go
@@ -150,6 +150,15 @@ func StartService(cfg *config.Config, configPath string) {
 		}
 	}

+	if len(cfg.CodexKey) > 0 {
+		// Initialize clients with Codex API Keys if provided in configuration.
+		for i := 0; i < len(cfg.CodexKey); i++ {
+			log.Debug("Initializing with Codex API Key...")
+			cliClient := client.NewCodexClientWithKey(cfg, i)
+			cliClients = append(cliClients, cliClient)
+		}
+	}
+
 	if len(cfg.OpenAICompatibility) > 0 {
 		// Initialize clients for OpenAI compatibility configurations
 		for _, compatConfig := range cfg.OpenAICompatibility {
@@ -223,12 +232,13 @@ func StartService(cfg *config.Config, configPath string) {
 		checkAndRefresh := func() {
 			for i := 0; i < len(cliClients); i++ {
 				if codexCli, ok := cliClients[i].(*client.CodexClient); ok {
-					ts := codexCli.TokenStorage().(*codex.CodexTokenStorage)
-					if ts != nil && ts.Expire != "" {
-						if expTime, errParse := time.Parse(time.RFC3339, ts.Expire); errParse == nil {
-							if time.Until(expTime) <= 5*24*time.Hour {
-								log.Debugf("refreshing codex tokens for %s", codexCli.GetEmail())
-								_ = codexCli.RefreshTokens(ctxRefresh)
+					if ts, isCodexTS := codexCli.TokenStorage().(*claude.ClaudeTokenStorage); isCodexTS {
+						if ts != nil && ts.Expire != "" {
+							if expTime, errParse := time.Parse(time.RFC3339, ts.Expire); errParse == nil {
+								if time.Until(expTime) <= 5*24*time.Hour {
+									log.Debugf("refreshing codex tokens for %s", codexCli.GetEmail())
+									_ = codexCli.RefreshTokens(ctxRefresh)
+								}
 							}
 						}
 					}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -44,6 +44,9 @@ type Config struct {
 	// ClaudeKey defines a list of Claude API key configurations as specified in the YAML configuration file.
 	ClaudeKey []ClaudeKey `yaml:"claude-api-key"`

+	// Codex defines a list of Codex API key configurations as specified in the YAML configuration file.
+	CodexKey []CodexKey `yaml:"codex-api-key"`
+
 	// OpenAICompatibility defines OpenAI API compatibility configurations for external providers.
 	OpenAICompatibility []OpenAICompatibility `yaml:"openai-compatibility"`

@@ -83,6 +86,17 @@ type ClaudeKey struct {
 	BaseURL string `yaml:"base-url"`
 }

+// CodexKey represents the configuration for a Codex API key,
+// including the API key itself and an optional base URL for the API endpoint.
+type CodexKey struct {
+	// APIKey is the authentication key for accessing Codex API services.
+	APIKey string `yaml:"api-key"`
+
+	// BaseURL is the base URL for the Codex API endpoint.
+	// If empty, the default Codex API URL will be used.
+	BaseURL string `yaml:"base-url"`
+}
+
 // OpenAICompatibility represents the configuration for OpenAI API compatibility
 // with external providers, allowing model aliases to be routed through OpenAI API format.
 type OpenAICompatibility struct {
@@ -286,58 +300,6 @@ func getOrCreateMapValue(mapNode *yaml.Node, key string) *yaml.Node {
 	return val
 }

-// Helpers to update sequences in place to preserve existing comments/anchors
-func setStringListInPlace(mapNode *yaml.Node, key string, arr []string) {
-	if len(arr) == 0 {
-		setNullValue(mapNode, key)
-		return
-	}
-	v := getOrCreateMapValue(mapNode, key)
-	if v.Kind != yaml.SequenceNode {
-		v.Kind = yaml.SequenceNode
-		v.Tag = "!!seq"
-		v.Content = nil
-	}
-	// Update in place
-	oldLen := len(v.Content)
-	minLen := oldLen
-	if len(arr) < minLen {
-		minLen = len(arr)
-	}
-	for i := 0; i < minLen; i++ {
-		if v.Content[i] == nil {
-			v.Content[i] = &yaml.Node{Kind: yaml.ScalarNode, Tag: "!!str"}
-		}
-		v.Content[i].Kind = yaml.ScalarNode
-		v.Content[i].Tag = "!!str"
-		v.Content[i].Value = arr[i]
-	}
-	if len(arr) > oldLen {
-		for i := oldLen; i < len(arr); i++ {
-			v.Content = append(v.Content, &yaml.Node{Kind: yaml.ScalarNode, Tag: "!!str", Value: arr[i]})
-		}
-	} else if len(arr) < oldLen {
-		v.Content = v.Content[:len(arr)]
-	}
-}
-
-func setMappingScalar(mapNode *yaml.Node, key string, val string) {
-	v := getOrCreateMapValue(mapNode, key)
-	v.Kind = yaml.ScalarNode
-	v.Tag = "!!str"
-	v.Value = val
-}
-
-// setNullValue ensures a mapping key exists and is set to an explicit null scalar,
-// so that it renders as `key:` without `[]`.
-func setNullValue(mapNode *yaml.Node, key string) {
-	// Represent as YAML null scalar without explicit value so it renders as `key:`
-	v := getOrCreateMapValue(mapNode, key)
-	v.Kind = yaml.ScalarNode
-	v.Tag = "!!null"
-	v.Value = ""
-}
-
 // mergeMappingPreserve merges keys from src into dst mapping node while preserving
 // key order and comments of existing keys in dst. Unknown keys from src are appended
 // to dst at the end, copying their node structure from src.
--- a/internal/translator/gemini-cli/openai/responses/cli_openai-responses_request.go
+++ b/internal/translator/gemini-cli/openai/responses/cli_openai-responses_request.go
@@ -10,6 +10,5 @@ import (
 func ConvertOpenAIResponsesRequestToGeminiCLI(modelName string, inputRawJSON []byte, stream bool) []byte {
 	rawJSON := bytes.Clone(inputRawJSON)
 	rawJSON = ConvertOpenAIResponsesRequestToGemini(modelName, rawJSON, stream)
-	// log.Debug(string(rawJSON))
 	return ConvertGeminiRequestToGeminiCLI(modelName, rawJSON, stream)
 }
--- a/internal/translator/openai/gemini/openai_gemini_response.go
+++ b/internal/translator/openai/gemini/openai_gemini_response.go
@@ -8,6 +8,7 @@ package gemini
 import (
 	"context"
 	"encoding/json"
+	"strconv"
 	"strings"

 	"github.com/tidwall/gjson"
@@ -248,14 +249,253 @@ func parseArgsToMap(argsStr string) map[string]interface{} {
 	if trimmed == "" || trimmed == "{}" {
 		return map[string]interface{}{}
 	}
+
+	// First try strict JSON
 	var out map[string]interface{}
-	if err := json.Unmarshal([]byte(trimmed), &out); err == nil {
+	if errUnmarshal := json.Unmarshal([]byte(trimmed), &out); errUnmarshal == nil {
 		return out
 	}
+
+	// Tolerant parse: handle streams where values are barewords (e.g., 北京, celsius)
+	tolerant := tolerantParseJSONMap(trimmed)
+	if len(tolerant) > 0 {
+		return tolerant
+	}
+
 	// Fallback: return empty object when parsing fails
 	return map[string]interface{}{}
 }

+// tolerantParseJSONMap attempts to parse a JSON-like object string into a map, tolerating
+// bareword values (unquoted strings) commonly seen during streamed tool calls.
+// Example input: {"location": 北京, "unit": celsius}
+func tolerantParseJSONMap(s string) map[string]interface{} {
+	// Ensure we operate within the outermost braces if present
+	start := strings.Index(s, "{")
+	end := strings.LastIndex(s, "}")
+	if start == -1 || end == -1 || start >= end {
+		return map[string]interface{}{}
+	}
+	content := s[start+1 : end]
+
+	runes := []rune(content)
+	n := len(runes)
+	i := 0
+	result := make(map[string]interface{})
+
+	for i < n {
+		// Skip whitespace and commas
+		for i < n && (runes[i] == ' ' || runes[i] == '\n' || runes[i] == '\r' || runes[i] == '\t' || runes[i] == ',') {
+			i++
+		}
+		if i >= n {
+			break
+		}
+
+		// Expect quoted key
+		if runes[i] != '"' {
+			// Unable to parse this segment reliably; skip to next comma
+			for i < n && runes[i] != ',' {
+				i++
+			}
+			continue
+		}
+
+		// Parse JSON string for key
+		keyToken, nextIdx := parseJSONStringRunes(runes, i)
+		if nextIdx == -1 {
+			break
+		}
+		keyName := jsonStringTokenToRawString(keyToken)
+		i = nextIdx
+
+		// Skip whitespace
+		for i < n && (runes[i] == ' ' || runes[i] == '\n' || runes[i] == '\r' || runes[i] == '\t') {
+			i++
+		}
+		if i >= n || runes[i] != ':' {
+			break
+		}
+		i++ // skip ':'
+		// Skip whitespace
+		for i < n && (runes[i] == ' ' || runes[i] == '\n' || runes[i] == '\r' || runes[i] == '\t') {
+			i++
+		}
+		if i >= n {
+			break
+		}
+
+		// Parse value (string, number, object/array, bareword)
+		var value interface{}
+		switch runes[i] {
+		case '"':
+			// JSON string
+			valToken, ni := parseJSONStringRunes(runes, i)
+			if ni == -1 {
+				// Malformed; treat as empty string
+				value = ""
+				i = n
+			} else {
+				value = jsonStringTokenToRawString(valToken)
+				i = ni
+			}
+		case '{', '[':
+			// Bracketed value: attempt to capture balanced structure
+			seg, ni := captureBracketed(runes, i)
+			if ni == -1 {
+				i = n
+			} else {
+				var anyVal interface{}
+				if errUnmarshal := json.Unmarshal([]byte(seg), &anyVal); errUnmarshal == nil {
+					value = anyVal
+				} else {
+					value = seg
+				}
+				i = ni
+			}
+		default:
+			// Bare token until next comma or end
+			j := i
+			for j < n && runes[j] != ',' {
+				j++
+			}
+			token := strings.TrimSpace(string(runes[i:j]))
+			// Interpret common JSON atoms and numbers; otherwise treat as string
+			if token == "true" {
+				value = true
+			} else if token == "false" {
+				value = false
+			} else if token == "null" {
+				value = nil
+			} else if numVal, ok := tryParseNumber(token); ok {
+				value = numVal
+			} else {
+				value = token
+			}
+			i = j
+		}
+
+		result[keyName] = value
+
+		// Skip trailing whitespace and optional comma before next pair
+		for i < n && (runes[i] == ' ' || runes[i] == '\n' || runes[i] == '\r' || runes[i] == '\t') {
+			i++
+		}
+		if i < n && runes[i] == ',' {
+			i++
+		}
+	}
+
+	return result
+}
+
+// parseJSONStringRunes returns the JSON string token (including quotes) and the index just after it.
+func parseJSONStringRunes(runes []rune, start int) (string, int) {
+	if start >= len(runes) || runes[start] != '"' {
+		return "", -1
+	}
+	i := start + 1
+	escaped := false
+	for i < len(runes) {
+		r := runes[i]
+		if r == '\\' && !escaped {
+			escaped = true
+			i++
+			continue
+		}
+		if r == '"' && !escaped {
+			return string(runes[start : i+1]), i + 1
+		}
+		escaped = false
+		i++
+	}
+	return string(runes[start:]), -1
+}
+
+// jsonStringTokenToRawString converts a JSON string token (including quotes) to a raw Go string value.
+func jsonStringTokenToRawString(token string) string {
+	var s string
+	if errUnmarshal := json.Unmarshal([]byte(token), &s); errUnmarshal == nil {
+		return s
+	}
+	// Fallback: strip surrounding quotes if present
+	if len(token) >= 2 && token[0] == '"' && token[len(token)-1] == '"' {
+		return token[1 : len(token)-1]
+	}
+	return token
+}
+
+// captureBracketed captures a balanced JSON object/array starting at index i.
+// Returns the segment string and the index just after it; -1 if malformed.
+func captureBracketed(runes []rune, i int) (string, int) {
+	if i >= len(runes) {
+		return "", -1
+	}
+	startRune := runes[i]
+	var endRune rune
+	if startRune == '{' {
+		endRune = '}'
+	} else if startRune == '[' {
+		endRune = ']'
+	} else {
+		return "", -1
+	}
+	depth := 0
+	j := i
+	inStr := false
+	escaped := false
+	for j < len(runes) {
+		r := runes[j]
+		if inStr {
+			if r == '\\' && !escaped {
+				escaped = true
+				j++
+				continue
+			}
+			if r == '"' && !escaped {
+				inStr = false
+			} else {
+				escaped = false
+			}
+			j++
+			continue
+		}
+		if r == '"' {
+			inStr = true
+			j++
+			continue
+		}
+		if r == startRune {
+			depth++
+		} else if r == endRune {
+			depth--
+			if depth == 0 {
+				return string(runes[i : j+1]), j + 1
+			}
+		}
+		j++
+	}
+	return string(runes[i:]), -1
+}
+
+// tryParseNumber attempts to parse a string as an int or float.
+func tryParseNumber(s string) (interface{}, bool) {
+	if s == "" {
+		return nil, false
+	}
+	// Try integer
+	if i64, errParseInt := strconv.ParseInt(s, 10, 64); errParseInt == nil {
+		return i64, true
+	}
+	if u64, errParseUInt := strconv.ParseUint(s, 10, 64); errParseUInt == nil {
+		return u64, true
+	}
+	if f64, errParseFloat := strconv.ParseFloat(s, 64); errParseFloat == nil {
+		return f64, true
+	}
+	return nil, false
+}
+
 // ConvertOpenAIResponseToGeminiNonStream converts a non-streaming OpenAI response to a non-streaming Gemini response.
 //
 // Parameters:
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -185,6 +185,9 @@ func (w *Watcher) reloadConfig() {
 		if len(oldConfig.ClaudeKey) != len(newConfig.ClaudeKey) {
 			log.Debugf("  claude-api-key count: %d -> %d", len(oldConfig.ClaudeKey), len(newConfig.ClaudeKey))
 		}
+		if len(oldConfig.CodexKey) != len(newConfig.CodexKey) {
+			log.Debugf("  codex-api-key count: %d -> %d", len(oldConfig.CodexKey), len(newConfig.CodexKey))
+		}
 		if oldConfig.AllowLocalhostUnauthenticated != newConfig.AllowLocalhostUnauthenticated {
 			log.Debugf("  allow-localhost-unauthenticated: %t -> %t", oldConfig.AllowLocalhostUnauthenticated, newConfig.AllowLocalhostUnauthenticated)
 		}
@@ -364,6 +367,18 @@ func (w *Watcher) reloadClients() {
 		log.Debugf("Successfully initialized %d Claude API Key clients", claudeAPIKeyCount)
 	}

+	codexAPIKeyCount := 0
+	if len(cfg.CodexKey) > 0 {
+		log.Debugf("processing %d Codex API Keys", len(cfg.CodexKey))
+		for i := 0; i < len(cfg.CodexKey); i++ {
+			log.Debugf("Initializing with Codex API Key %d...", i+1)
+			cliClient := client.NewCodexClientWithKey(cfg, i)
+			newClients = append(newClients, cliClient)
+			codexAPIKeyCount++
+		}
+		log.Debugf("Successfully initialized %d Codex API Key clients", codexAPIKeyCount)
+	}
+
 	// Add clients for OpenAI compatibility providers if configured
 	openAICompatCount := 0
 	if len(cfg.OpenAICompatibility) > 0 {
Author	SHA1	Message	Date
Luis Pater	6d2f7e3ce0	Enhance `parseArgsToMap` with tolerant JSON parsing - Introduced `tolerantParseJSONMap` to handle bareword values in streamed tool calls. - Added robust handling for JSON strings, objects, arrays, and numerical values. - Improved fallback mechanisms to ensure reliable parsing.	2025-09-03 16:11:26 +08:00
Luis Pater	caf386c877	Update MANAGEMENT_API.md with expanded documentation for endpoints - Refined API documentation structure and enhanced clarity for various endpoints, including `/debug`, `/proxy-url`, `/quota-exceeded`, and authentication management. - Added comprehensive examples for request and response bodies across endpoints. - Detailed object-array API key management for Codex, Gemini, Claude, and OpenAI compatibility providers. - Enhanced descriptions for request retry logic and request logging endpoints. - Improved authentication key handling descriptions and updated examples for YAML configuration impacts.	2025-09-03 09:07:43 +08:00
Luis Pater	c4a42eb1f0	Add support for Codex API key authentication - Introduced functionality to handle Codex API keys, including initialization and management via new endpoints in the management API. - Updated Codex client to support both OAuth and API key authentication. - Documented Codex API key configuration in both English and Chinese README files. - Enhanced logging to distinguish between API key and OAuth usage scenarios.	2025-09-03 03:36:56 +08:00
Luis Pater	b6f8677b01	Remove commented debug logging in `ConvertOpenAIResponsesRequestToGeminiCLI`	2025-09-03 03:03:07 +08:00
Luis Pater	36ee21ea8f	Update README to include Codex support and multi-account load balancing details - Added OpenAI Codex (GPT models) support in both English and Chinese README versions. - Documented multi-account load balancing for Codex in the feature list.	2025-09-03 02:47:53 +08:00
Luis Pater	30d5d87ca6	Update README to include Codex support and multi-account load balancing details - Added OpenAI Codex (GPT models) support in both English and Chinese README versions. - Documented multi-account load balancing for Codex in the feature list.	2025-09-03 02:16:56 +08:00
Luis Pater	ce5d2bad97	Add OpenAI Responses support	2025-09-03 00:09:23 +08:00