Fixed: #86

feat(translator): add support for single input string in Codex responses parser

- Modified input parsing logic to handle cases where input is a single string instead of an array.
- Added functionality to convert single string inputs into structured JSON format.

MANAGEMENT_API.md

@@ -663,6 +663,17 @@ These endpoints initiate provider login flows and return a URL to open in a brow
     { "status": "ok", "url": "https://..." }
     ```
 
+- GET `/iflow-auth-url` — Start iFlow login
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      http://localhost:8317/v0/management/iflow-auth-url
+    ```
+  - Response:
+    ```json
+    { "status": "ok", "url": "https://..." }
+    ```
+
 - GET `/get-auth-status?state=<state>` — Poll OAuth flow status
   - Request:
     ```bash

MANAGEMENT_API_CN.md

@@ -663,6 +663,17 @@
     { "status": "ok", "url": "https://..." }
     ```
 
+- GET `/iflow-auth-url` — 开始 iFlow 登录
+  - 请求：
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      http://localhost:8317/v0/management/iflow-auth-url
+    ```
+  - 响应：
+    ```json
+    { "status": "ok", "url": "https://..." }
+    ```
+
 - GET `/get-auth-status?state=<state>` — 轮询 OAuth 流程状态
   - 请求：
     ```bash

README.md

@@ -8,7 +8,7 @@ It now also supports OpenAI Codex (GPT models) and Claude Code via OAuth.
 
 So you can use local or multi-account CLI access with OpenAI(include Responses)/Gemini/Claude-compatible clients and SDKs.
 
-The first Chinese provider has now been added: [Qwen Code](https://github.com/QwenLM/qwen-code).
+Chinese providers have now been added: [Qwen Code](https://github.com/QwenLM/qwen-code), [iFlow](https://iflow.cn/).
 
 ## Features
 
@@ -16,19 +16,21 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw
 - OpenAI Codex support (GPT models) via OAuth login
 - Claude Code support via OAuth login
 - Qwen Code support via OAuth login
+- iFlow support via OAuth login
 - Gemini Web support via cookie-based login
 - Streaming and non-streaming responses
 - Function calling/tools support
 - Multimodal input support (text and images)
-- Multiple accounts with round-robin load balancing (Gemini, OpenAI, Claude and Qwen)
-- Simple CLI authentication flows (Gemini, OpenAI, Claude and Qwen)
+- Multiple accounts with round-robin load balancing (Gemini, OpenAI, Claude, Qwen and iFlow)
+- Simple CLI authentication flows (Gemini, OpenAI, Claude, Qwen and iFlow)
 - Generative Language API Key support
 - Gemini CLI multi-account load balancing
 - Claude Code multi-account load balancing
 - Qwen Code multi-account load balancing
+- iFlow multi-account load balancing
 - OpenAI Codex multi-account load balancing
 - OpenAI-compatible upstream providers via config (e.g., OpenRouter)
-- Reusable Go SDK for embedding the proxy (see `docs/sdk-usage.md`, 中文: `docs/sdk-usage_CN.md`)
+- Reusable Go SDK for embedding the proxy (see `docs/sdk-usage.md`)
 
 ## Installation
 
@@ -39,6 +41,7 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw
 - An OpenAI account for Codex/GPT access (optional)
 - An Anthropic account for Claude Code access (optional)
 - A Qwen Chat account for Qwen Code access (optional)
+- An iFlow account for iFlow access (optional)
 
 ### Building from Source
 
@@ -76,7 +79,7 @@ Set `remote-management.disable-control-panel` to `true` if you prefer to host th
 
 ### Authentication
 
-You can authenticate for Gemini, OpenAI, and/or Claude. All can coexist in the same `auth-dir` and will be load balanced.
+You can authenticate for Gemini, OpenAI, Claude, Qwen, and/or iFlow. All can coexist in the same `auth-dir` and will be load balanced.
 
 - Gemini (Google):
   ```bash
@@ -115,6 +118,12 @@ You can authenticate for Gemini, OpenAI, and/or Claude. All can coexist in the s
   ```
   Options: add `--no-browser` to print the login URL instead of opening a browser. Use the Qwen Chat's OAuth device flow.
 
+- iFlow (iFlow via OAuth):
+  ```bash
+  ./cli-proxy-api --iflow-login
+  ```
+  Options: add `--no-browser` to print the login URL instead of opening a browser. The local OAuth callback uses port `11451`.
+
 
 ### Starting the Server
 
@@ -156,7 +165,7 @@ Request body example:
 ```
 
 Notes:
-- Use a `gemini-*` model for Gemini (e.g., "gemini-2.5-pro"), a `gpt-*` model for OpenAI (e.g., "gpt-5"), a `claude-*` model for Claude (e.g., "claude-3-5-sonnet-20241022"), or a `qwen-*` model for Qwen (e.g., "qwen3-coder-plus"). The proxy will route to the correct provider automatically.
+- Use a `gemini-*` model for Gemini (e.g., "gemini-2.5-pro"), a `gpt-*` model for OpenAI (e.g., "gpt-5"), a `claude-*` model for Claude (e.g., "claude-3-5-sonnet-20241022"), a `qwen-*` model for Qwen (e.g., "qwen3-coder-plus"), or an iFlow-supported model (e.g., "tstars2.0", "deepseek-v3.1", "kimi-k2", etc.). The proxy will route to the correct provider automatically.
 
 #### Claude Messages (SSE-compatible)
 
@@ -249,6 +258,7 @@ console.log(await claudeResponse.json());
 - gemini-2.5-pro
 - gemini-2.5-flash
 - gemini-2.5-flash-lite
+- gemini-2.5-flash-image-preview
 - gpt-5
 - gpt-5-codex
 - claude-opus-4-1-20250805
@@ -259,6 +269,16 @@ console.log(await claudeResponse.json());
 - claude-3-5-haiku-20241022
 - qwen3-coder-plus
 - qwen3-coder-flash
+- qwen3-max
+- qwen3-vl-plus
+- deepseek-v3.2
+- deepseek-v3.1
+- deepseek-r1
+- deepseek-v3
+- kimi-k2
+- glm-4.5
+- tstars2.0
+- And other iFlow-supported models
 - Gemini models auto-switch to preview variants when needed
 
 ## Configuration
@@ -532,6 +552,14 @@ export ANTHROPIC_MODEL=qwen3-coder-plus
 export ANTHROPIC_SMALL_FAST_MODEL=qwen3-coder-flash
 ```
 
+Using iFlow models:
+```bash
+export ANTHROPIC_BASE_URL=http://127.0.0.1:8317
+export ANTHROPIC_AUTH_TOKEN=sk-dummy
+export ANTHROPIC_MODEL=qwen3-max
+export ANTHROPIC_SMALL_FAST_MODEL=qwen3-235b-a22b-instruct
+```
+
 ## Codex with multiple account load balancing
 
 Start CLI Proxy API server, and then edit the `~/.codex/config.toml` and `~/.codex/auth.json` files.
@@ -587,6 +615,12 @@ Run the following command to login (Qwen OAuth):
 docker run -it -rm -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --qwen-login
 ```
 
+Run the following command to login (iFlow OAuth on port 11451):
+
+```bash
+docker run --rm -p 11451:11451 -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --iflow-login
+```
+
 Run the following command to start the server:
 
 ```bash
@@ -645,10 +679,14 @@ docker run --rm -p 8317:8317 -v /path/to/your/config.yaml:/CLIProxyAPI/config.ya
     ```bash
     docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --claude-login
     ```
-    - **Qwen**: 
+    - **Qwen**:
     ```bash
     docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --qwen-login
     ```
+    - **iFlow**:
+    ```bash
+    docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --iflow-login
+    ```
 
 5.  To view the server logs:
     ```bash
@@ -682,6 +720,17 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 4. Push to the branch (`git push origin feature/amazing-feature`)
 5. Open a Pull Request
 
+## Who is with us?
+
+Those projects are based on CLIProxyAPI:
+
+### [vibeproxy](https://github.com/automazeio/vibeproxy)
+
+Native macOS menu bar app to use your Claude Code & ChatGPT subscriptions with AI coding tools - no API keys needed
+
+> [!NOTE]  
+> If you developed a project based on CLIProxyAPI, please open a PR to add it to this list.
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

README_CN.md

@@ -28,7 +28,7 @@
 
 您可以使用本地或多账户的CLI方式，通过任何与 OpenAI（包括Responses）/Gemini/Claude 兼容的客户端和SDK进行访问。
 
-现已新增首个中国提供商：[Qwen Code](https://github.com/QwenLM/qwen-code)。
+现已新增国内提供商：[Qwen Code](https://github.com/QwenLM/qwen-code)、[iFlow](https://iflow.cn/)。
 
 ## 功能特性
 
@@ -36,19 +36,21 @@
 - 新增 OpenAI Codex（GPT 系列）支持（OAuth 登录）
 - 新增 Claude Code 支持（OAuth 登录）
 - 新增 Qwen Code 支持（OAuth 登录）
+- 新增 iFlow 支持（OAuth 登录）
 - 新增 Gemini Web 支持（通过 Cookie 登录）
 - 支持流式与非流式响应
 - 函数调用/工具支持
 - 多模态输入（文本、图片）
-- 多账户支持与轮询负载均衡（Gemini、OpenAI、Claude 与 Qwen）
-- 简单的 CLI 身份验证流程（Gemini、OpenAI、Claude 与 Qwen）
+- 多账户支持与轮询负载均衡（Gemini、OpenAI、Claude、Qwen 与 iFlow）
+- 简单的 CLI 身份验证流程（Gemini、OpenAI、Claude、Qwen 与 iFlow）
 - 支持 Gemini AIStudio API 密钥
 - 支持 Gemini CLI 多账户轮询
 - 支持 Claude Code 多账户轮询
 - 支持 Qwen Code 多账户轮询
+- 支持 iFlow 多账户轮询
 - 支持 OpenAI Codex 多账户轮询
 - 通过配置接入上游 OpenAI 兼容提供商（例如 OpenRouter）
-- 可复用的 Go SDK（见 `docs/sdk-usage.md`）
+- 可复用的 Go SDK（见 `docs/sdk-usage_CN.md`）
 
 ## 安装
 
@@ -59,6 +61,7 @@
 - 有权访问 OpenAI Codex/GPT 的 OpenAI 账户（可选）
 - 有权访问 Claude Code 的 Anthropic 账户（可选）
 - 有权访问 Qwen Code 的 Qwen Chat 账户（可选）
+- 有权访问 iFlow 的 iFlow 账户（可选）
 
 ### 从源码构建
 
@@ -89,7 +92,7 @@ CLIProxyAPI 的基于 Web 的管理中心。
 
 ### 身份验证
 
-您可以分别为 Gemini、OpenAI 和 Claude 进行身份验证，三者可同时存在于同一个 `auth-dir` 中并参与负载均衡。
+您可以分别为 Gemini、OpenAI、Claude、Qwen 和 iFlow 进行身份验证，它们可同时存在于同一个 `auth-dir` 中并参与负载均衡。
 
 - Gemini（Google）：
   ```bash
@@ -128,6 +131,12 @@ CLIProxyAPI 的基于 Web 的管理中心。
   ```
   选项：加上 `--no-browser` 可打印登录地址而不自动打开浏览器。使用 Qwen Chat 的 OAuth 设备登录流程。
 
+- iFlow（iFlow，OAuth）：
+  ```bash
+  ./cli-proxy-api --iflow-login
+  ```
+  选项：加上 `--no-browser` 可打印登录地址而不自动打开浏览器。本地 OAuth 回调端口为 `11451`。
+
 ### 启动服务器
 
 身份验证完成后，启动服务器：
@@ -168,7 +177,7 @@ POST http://localhost:8317/v1/chat/completions
 ```
 
 说明：
-- 使用 "gemini-*" 模型（例如 "gemini-2.5-pro"）来调用 Gemini，使用 "gpt-*" 模型（例如 "gpt-5"）来调用 OpenAI，使用 "claude-*" 模型（例如 "claude-3-5-sonnet-20241022"）来调用 Claude，或者使用 "qwen-*" 模型（例如 "qwen3-coder-plus"）来调用 Qwen。代理服务会自动将请求路由到相应的提供商。
+- 使用 "gemini-*" 模型（例如 "gemini-2.5-pro"）来调用 Gemini，使用 "gpt-*" 模型（例如 "gpt-5"）来调用 OpenAI，使用 "claude-*" 模型（例如 "claude-3-5-sonnet-20241022"）来调用 Claude，使用 "qwen-*" 模型（例如 "qwen3-coder-plus"）来调用 Qwen，或者使用 iFlow 支持的模型（例如 "tstars2.0"、"deepseek-v3.1"、"kimi-k2" 等）来调用 iFlow。代理服务会自动将请求路由到相应的提供商。
 
 #### Claude 消息（SSE 兼容）
 
@@ -261,6 +270,7 @@ console.log(await claudeResponse.json());
 - gemini-2.5-pro
 - gemini-2.5-flash
 - gemini-2.5-flash-lite
+- gemini-2.5-flash-image-preview
 - gpt-5
 - gpt-5-codex
 - claude-opus-4-1-20250805
@@ -271,6 +281,16 @@ console.log(await claudeResponse.json());
 - claude-3-5-haiku-20241022
 - qwen3-coder-plus
 - qwen3-coder-flash
+- qwen3-max
+- qwen3-vl-plus
+- deepseek-v3.2
+- deepseek-v3.1
+- deepseek-r1
+- deepseek-v3
+- kimi-k2
+- glm-4.5
+- tstars2.0
+- 以及其他 iFlow 支持的模型
 - Gemini 模型在需要时自动切换到对应的 preview 版本
 
 ## 配置
@@ -540,6 +560,14 @@ export ANTHROPIC_MODEL=qwen3-coder-plus
 export ANTHROPIC_SMALL_FAST_MODEL=qwen3-coder-flash
 ```
 
+使用 iFlow 模型：
+```bash
+export ANTHROPIC_BASE_URL=http://127.0.0.1:8317
+export ANTHROPIC_AUTH_TOKEN=sk-dummy
+export ANTHROPIC_MODEL=qwen3-max
+export ANTHROPIC_SMALL_FAST_MODEL=qwen3-235b-a22b-instruct
+```
+
 ## Codex 多账户负载均衡
 
 启动 CLI Proxy API 服务器, 修改 `~/.codex/config.toml` 和 `~/.codex/auth.json` 文件。
@@ -595,6 +623,12 @@ docker run --rm -p 54545:54545 -v /path/to/your/config.yaml:/CLIProxyAPI/config.
 docker run -it -rm -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --qwen-login
 ```
 
+运行以下命令进行登录（iFlow OAuth，端口 11451）：
+
+```bash
+docker run --rm -p 11451:11451 -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --iflow-login
+```
+
 
 运行以下命令启动服务器：
 
@@ -658,6 +692,10 @@ docker run --rm -p 8317:8317 -v /path/to/your/config.yaml:/CLIProxyAPI/config.ya
     ```bash
     docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --qwen-login
     ```
+    - **iFlow**:
+    ```bash
+    docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --iflow-login
+    ```
 
 5.  查看服务器日志：
     ```bash
@@ -691,6 +729,18 @@ docker run --rm -p 8317:8317 -v /path/to/your/config.yaml:/CLIProxyAPI/config.ya
 4. 推送到分支（`git push origin feature/amazing-feature`）
 5. 打开 Pull Request
 
+## 谁与我们在一起？
+
+这些项目基于 CLIProxyAPI:
+
+### [vibeproxy](https://github.com/automazeio/vibeproxy)
+
+一个原生 macOS 菜单栏应用，让您可以使用 Claude Code & ChatGPT 订阅服务和 AI 编程工具，无需 API 密钥。
+
+> [!NOTE]  
+> 如果你开发了基于 CLIProxyAPI 的项目，请提交一个 PR（拉取请求）将其添加到此列表中。
+
+
 ## 许可证
 
 此项目根据 MIT 许可证授权 - 有关详细信息，请参阅 [LICENSE](LICENSE) 文件。

cmd/server/main.go

@@ -4,7 +4,6 @@
 package main
 
 import (
-	"context"
 	"flag"
 	"fmt"
 	"os"
@@ -14,7 +13,6 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/cmd"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/managementasset"
 	_ "github.com/router-for-me/CLIProxyAPI/v6/internal/translator"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
@@ -23,9 +21,10 @@ import (
 )
 
 var (
-	Version   = "dev"
-	Commit    = "none"
-	BuildDate = "unknown"
+	Version           = "dev"
+	Commit            = "none"
+	BuildDate         = "unknown"
+	DefaultConfigPath = ""
 )
 
 // init initializes the shared logger setup.
@@ -44,6 +43,7 @@ func main() {
 	var codexLogin bool
 	var claudeLogin bool
 	var qwenLogin bool
+	var iflowLogin bool
 	var geminiWebAuth bool
 	var noBrowser bool
 	var projectID string
@@ -55,10 +55,11 @@ func main() {
 	flag.BoolVar(&codexLogin, "codex-login", false, "Login to Codex using OAuth")
 	flag.BoolVar(&claudeLogin, "claude-login", false, "Login to Claude using OAuth")
 	flag.BoolVar(&qwenLogin, "qwen-login", false, "Login to Qwen using OAuth")
+	flag.BoolVar(&iflowLogin, "iflow-login", false, "Login to iFlow using OAuth")
 	flag.BoolVar(&geminiWebAuth, "gemini-web-auth", false, "Auth Gemini Web using cookies")
 	flag.BoolVar(&noBrowser, "no-browser", false, "Don't open browser automatically for OAuth")
 	flag.StringVar(&projectID, "project_id", "", "Project ID (Gemini only, not required)")
-	flag.StringVar(&configPath, "config", "", "Configure File Path")
+	flag.StringVar(&configPath, "config", DefaultConfigPath, "Configure File Path")
 	flag.StringVar(&password, "password", "", "")
 
 	flag.CommandLine.Usage = func() {
@@ -116,13 +117,6 @@ func main() {
 	}
 	usage.SetStatisticsEnabled(cfg.UsageStatisticsEnabled)
 
-	staticDir := managementasset.StaticDir(configFilePath)
-	if !cfg.RemoteManagement.DisableControlPanel {
-		go managementasset.EnsureLatestManagementHTML(context.Background(), staticDir)
-	} else {
-		log.Debug("management control panel disabled; skip asset sync")
-	}
-
 	if err = logging.ConfigureLogOutput(cfg.LoggingToFile); err != nil {
 		log.Fatalf("failed to configure log output: %v", err)
 	}
@@ -162,6 +156,8 @@ func main() {
 		cmd.DoClaudeLogin(cfg, options)
 	} else if qwenLogin {
 		cmd.DoQwenLogin(cfg, options)
+	} else if iflowLogin {
+		cmd.DoIFlowLogin(cfg, options)
 	} else if geminiWebAuth {
 		cmd.DoGeminiWebAuth(cfg)
 	} else {

config.example.yaml

@@ -12,6 +12,9 @@ remote-management:
   # Leave empty to disable the Management API entirely (404 for all /v0/management routes).
   secret-key: ""
 
+  # Disable the bundled management control panel asset download and HTTP route when true.
+  disable-control-panel: false
+
 # Authentication directory (supports ~ for home directory)
 auth-dir: "~/.cli-proxy-api"
 

docker-compose.yml

@@ -15,9 +15,10 @@ services:
       - "8085:8085"
       - "1455:1455"
       - "54545:54545"
+      - "11451:11451"
     volumes:
       - ./config.yaml:/CLIProxyAPI/config.yaml
       - ./auths:/root/.cli-proxy-api
       - ./logs:/CLIProxyAPI/logs
       - ./conv:/CLIProxyAPI/conv
-    restart: unless-stopped
+    restart: unless-stopped

internal/api/handlers/management/auth_files.go

@@ -1,26 +1,32 @@
 package management
 
 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/claude"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/codex"
 	geminiAuth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
+	iflowauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/iflow"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/qwen"
 	// legacy client removed
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
@@ -37,6 +43,28 @@ var (
 
 var lastRefreshKeys = []string{"last_refresh", "lastRefresh", "last_refreshed_at", "lastRefreshedAt"}
 
+const (
+	anthropicCallbackPort   = 54545
+	geminiCallbackPort      = 8085
+	codexCallbackPort       = 1455
+	geminiCLIEndpoint       = "https://cloudcode-pa.googleapis.com"
+	geminiCLIVersion        = "v1internal"
+	geminiCLIUserAgent      = "google-api-nodejs-client/9.15.1"
+	geminiCLIApiClient      = "gl-node/22.17.0"
+	geminiCLIClientMetadata = "ideType=IDE_UNSPECIFIED,platform=PLATFORM_UNSPECIFIED,pluginType=GEMINI"
+)
+
+type callbackForwarder struct {
+	provider string
+	server   *http.Server
+	done     chan struct{}
+}
+
+var (
+	callbackForwardersMu sync.Mutex
+	callbackForwarders   = make(map[int]*callbackForwarder)
+)
+
 func extractLastRefreshTimestamp(meta map[string]any) (time.Time, bool) {
 	if len(meta) == 0 {
 		return time.Time{}, false
@@ -90,6 +118,120 @@ func parseLastRefreshValue(v any) (time.Time, bool) {
 	return time.Time{}, false
 }
 
+func isWebUIRequest(c *gin.Context) bool {
+	raw := strings.TrimSpace(c.Query("is_webui"))
+	if raw == "" {
+		return false
+	}
+	switch strings.ToLower(raw) {
+	case "1", "true", "yes", "on":
+		return true
+	default:
+		return false
+	}
+}
+
+func startCallbackForwarder(port int, provider, targetBase string) (*callbackForwarder, error) {
+	callbackForwardersMu.Lock()
+	prev := callbackForwarders[port]
+	if prev != nil {
+		delete(callbackForwarders, port)
+	}
+	callbackForwardersMu.Unlock()
+
+	if prev != nil {
+		stopForwarderInstance(port, prev)
+	}
+
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to listen on %s: %w", addr, err)
+	}
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		target := targetBase
+		if raw := r.URL.RawQuery; raw != "" {
+			if strings.Contains(target, "?") {
+				target = target + "&" + raw
+			} else {
+				target = target + "?" + raw
+			}
+		}
+		w.Header().Set("Cache-Control", "no-store")
+		http.Redirect(w, r, target, http.StatusFound)
+	})
+
+	srv := &http.Server{
+		Handler:           handler,
+		ReadHeaderTimeout: 5 * time.Second,
+		WriteTimeout:      5 * time.Second,
+	}
+	done := make(chan struct{})
+
+	go func() {
+		if errServe := srv.Serve(ln); errServe != nil && !errors.Is(errServe, http.ErrServerClosed) {
+			log.WithError(errServe).Warnf("callback forwarder for %s stopped unexpectedly", provider)
+		}
+		close(done)
+	}()
+
+	forwarder := &callbackForwarder{
+		provider: provider,
+		server:   srv,
+		done:     done,
+	}
+
+	callbackForwardersMu.Lock()
+	callbackForwarders[port] = forwarder
+	callbackForwardersMu.Unlock()
+
+	log.Infof("callback forwarder for %s listening on %s", provider, addr)
+
+	return forwarder, nil
+}
+
+func stopCallbackForwarder(port int) {
+	callbackForwardersMu.Lock()
+	forwarder := callbackForwarders[port]
+	if forwarder != nil {
+		delete(callbackForwarders, port)
+	}
+	callbackForwardersMu.Unlock()
+
+	stopForwarderInstance(port, forwarder)
+}
+
+func stopForwarderInstance(port int, forwarder *callbackForwarder) {
+	if forwarder == nil || forwarder.server == nil {
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	if err := forwarder.server.Shutdown(ctx); err != nil && !errors.Is(err, http.ErrServerClosed) {
+		log.WithError(err).Warnf("failed to shut down callback forwarder on port %d", port)
+	}
+
+	select {
+	case <-forwarder.done:
+	case <-time.After(2 * time.Second):
+	}
+
+	log.Infof("callback forwarder on port %d stopped", port)
+}
+
+func (h *Handler) managementCallbackURL(path string) (string, error) {
+	if h == nil || h.cfg == nil || h.cfg.Port <= 0 {
+		return "", fmt.Errorf("server port is not configured")
+	}
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+	return fmt.Sprintf("http://127.0.0.1:%d%s", h.cfg.Port, path), nil
+}
+
 // List auth files
 func (h *Handler) ListAuthFiles(c *gin.Context) {
 	entries, err := os.ReadDir(h.cfg.AuthDir)
@@ -389,9 +531,27 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 		log.Fatalf("Failed to generate authorization URL: %v", err)
 		return
 	}
-	// Override redirect_uri in authorization URL to current server port
+
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/anthropic/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute anthropic callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(anthropicCallbackPort, "anthropic", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start anthropic callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to start callback server"})
+			return
+		}
+	}
 
 	go func() {
+		if isWebUI {
+			defer stopCallbackForwarder(anthropicCallbackPort)
+		}
+
 		// Helper: wait for callback file
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-anthropic-%s.oauth", state))
 		waitForFile := func(path string, timeout time.Duration) (map[string]string, error) {
@@ -552,7 +712,26 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 	state := fmt.Sprintf("gem-%d", time.Now().UnixNano())
 	authURL := conf.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))
 
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/google/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute gemini callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(geminiCallbackPort, "gemini", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start gemini callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to start callback server"})
+			return
+		}
+	}
+
 	go func() {
+		if isWebUI {
+			defer stopCallbackForwarder(geminiCallbackPort)
+		}
+
 		// Wait for callback file written by server route
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-gemini-%s.oauth", state))
 		fmt.Println("Waiting for authentication callback...")
@@ -592,6 +771,8 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 			return
 		}
 
+		requestedProjectID := strings.TrimSpace(projectID)
+
 		// Create token storage (mirrors internal/auth/gemini createTokenStorage)
 		httpClient := conf.Client(ctx, token)
 		req, errNewRequest := http.NewRequestWithContext(ctx, "GET", "https://www.googleapis.com/oauth2/v1/userinfo?alt=json", nil)
@@ -651,13 +832,14 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 
 		ts := geminiAuth.GeminiTokenStorage{
 			Token:     ifToken,
-			ProjectID: projectID,
+			ProjectID: requestedProjectID,
 			Email:     email,
+			Auto:      requestedProjectID == "",
 		}
 
 		// Initialize authenticated HTTP client via GeminiAuth to honor proxy settings
 		gemAuth := geminiAuth.NewGeminiAuth()
-		_, errGetClient := gemAuth.GetAuthenticatedClient(ctx, &ts, h.cfg, true)
+		gemClient, errGetClient := gemAuth.GetAuthenticatedClient(ctx, &ts, h.cfg, true)
 		if errGetClient != nil {
 			log.Fatalf("failed to get authenticated client: %v", errGetClient)
 			oauthStatus[state] = "Failed to get authenticated client"
@@ -665,15 +847,44 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 		}
 		fmt.Println("Authentication successful.")
 
+		if errEnsure := ensureGeminiProjectAndOnboard(ctx, gemClient, &ts, requestedProjectID); errEnsure != nil {
+			log.Errorf("Failed to complete Gemini CLI onboarding: %v", errEnsure)
+			oauthStatus[state] = "Failed to complete Gemini CLI onboarding"
+			return
+		}
+
+		if strings.TrimSpace(ts.ProjectID) == "" {
+			log.Error("Onboarding did not return a project ID")
+			oauthStatus[state] = "Failed to resolve project ID"
+			return
+		}
+
+		isChecked, errCheck := checkCloudAPIIsEnabled(ctx, gemClient, ts.ProjectID)
+		if errCheck != nil {
+			log.Errorf("Failed to verify Cloud AI API status: %v", errCheck)
+			oauthStatus[state] = "Failed to verify Cloud AI API status"
+			return
+		}
+		ts.Checked = isChecked
+		if !isChecked {
+			log.Error("Cloud AI API is not enabled for the selected project")
+			oauthStatus[state] = "Cloud AI API not enabled"
+			return
+		}
+
+		recordMetadata := map[string]any{
+			"email":      ts.Email,
+			"project_id": ts.ProjectID,
+			"auto":       ts.Auto,
+			"checked":    ts.Checked,
+		}
+
 		record := &coreauth.Auth{
-			ID:       fmt.Sprintf("gemini-%s.json", ts.Email),
+			ID:       fmt.Sprintf("gemini-%s-%s.json", ts.Email, ts.ProjectID),
 			Provider: "gemini",
-			FileName: fmt.Sprintf("gemini-%s.json", ts.Email),
+			FileName: fmt.Sprintf("gemini-%s-%s.json", ts.Email, ts.ProjectID),
 			Storage:  &ts,
-			Metadata: map[string]any{
-				"email":      ts.Email,
-				"project_id": ts.ProjectID,
-			},
+			Metadata: recordMetadata,
 		}
 		savedPath, errSave := h.saveTokenRecord(ctx, record)
 		if errSave != nil {
@@ -778,7 +989,26 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 		return
 	}
 
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/codex/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute codex callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(codexCallbackPort, "codex", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start codex callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to start callback server"})
+			return
+		}
+	}
+
 	go func() {
+		if isWebUI {
+			defer stopCallbackForwarder(codexCallbackPort)
+		}
+
 		// Wait for callback file
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-codex-%s.oauth", state))
 		deadline := time.Now().Add(5 * time.Minute)
@@ -958,6 +1188,474 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 	c.JSON(200, gin.H{"status": "ok", "url": authURL, "state": state})
 }
 
+func (h *Handler) RequestIFlowToken(c *gin.Context) {
+	ctx := context.Background()
+
+	fmt.Println("Initializing iFlow authentication...")
+
+	state := fmt.Sprintf("ifl-%d", time.Now().UnixNano())
+	authSvc := iflowauth.NewIFlowAuth(h.cfg)
+	authURL, redirectURI := authSvc.AuthorizationURL(state, iflowauth.CallbackPort)
+
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/iflow/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute iflow callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(iflowauth.CallbackPort, "iflow", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start iflow callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "error": "failed to start callback server"})
+			return
+		}
+
+		go func() {
+			defer stopCallbackForwarder(iflowauth.CallbackPort)
+			fmt.Println("Waiting for authentication...")
+
+			waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-iflow-%s.oauth", state))
+			deadline := time.Now().Add(5 * time.Minute)
+			var resultMap map[string]string
+			for {
+				if time.Now().After(deadline) {
+					oauthStatus[state] = "Authentication failed"
+					fmt.Println("Authentication failed: timeout waiting for callback")
+					return
+				}
+				if data, errR := os.ReadFile(waitFile); errR == nil {
+					_ = os.Remove(waitFile)
+					_ = json.Unmarshal(data, &resultMap)
+					break
+				}
+				time.Sleep(500 * time.Millisecond)
+			}
+
+			if errStr := strings.TrimSpace(resultMap["error"]); errStr != "" {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Printf("Authentication failed: %s\n", errStr)
+				return
+			}
+			if resultState := strings.TrimSpace(resultMap["state"]); resultState != state {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Println("Authentication failed: state mismatch")
+				return
+			}
+
+			code := strings.TrimSpace(resultMap["code"])
+			if code == "" {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Println("Authentication failed: code missing")
+				return
+			}
+
+			tokenData, errExchange := authSvc.ExchangeCodeForTokens(ctx, code, redirectURI)
+			if errExchange != nil {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Printf("Authentication failed: %v\n", errExchange)
+				return
+			}
+
+			tokenStorage := authSvc.CreateTokenStorage(tokenData)
+			identifier := strings.TrimSpace(tokenStorage.Email)
+			if identifier == "" {
+				identifier = fmt.Sprintf("iflow-%d", time.Now().UnixMilli())
+				tokenStorage.Email = identifier
+			}
+			record := &coreauth.Auth{
+				ID:         fmt.Sprintf("iflow-%s.json", identifier),
+				Provider:   "iflow",
+				FileName:   fmt.Sprintf("iflow-%s.json", identifier),
+				Storage:    tokenStorage,
+				Metadata:   map[string]any{"email": identifier, "api_key": tokenStorage.APIKey},
+				Attributes: map[string]string{"api_key": tokenStorage.APIKey},
+			}
+
+			savedPath, errSave := h.saveTokenRecord(ctx, record)
+			if errSave != nil {
+				oauthStatus[state] = "Failed to save authentication tokens"
+				log.Fatalf("Failed to save authentication tokens: %v", errSave)
+				return
+			}
+
+			fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
+			if tokenStorage.APIKey != "" {
+				fmt.Println("API key obtained and saved")
+			}
+			fmt.Println("You can now use iFlow services through this CLI")
+			delete(oauthStatus, state)
+		}()
+
+		oauthStatus[state] = ""
+		c.JSON(http.StatusOK, gin.H{"status": "ok", "url": authURL, "state": state})
+		return
+	}
+
+	oauthServer := iflowauth.NewOAuthServer(iflowauth.CallbackPort)
+	if err := oauthServer.Start(); err != nil {
+		oauthStatus[state] = "Failed to start authentication server"
+		log.Errorf("Failed to start iFlow OAuth server: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "error": "failed to start local oauth server"})
+		return
+	}
+
+	go func() {
+		fmt.Println("Waiting for authentication...")
+		defer func() {
+			stopCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+			defer cancel()
+			if err := oauthServer.Stop(stopCtx); err != nil {
+				log.Warnf("Failed to stop iFlow OAuth server: %v", err)
+			}
+		}()
+
+		result, err := oauthServer.WaitForCallback(5 * time.Minute)
+		if err != nil {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Printf("Authentication failed: %v\n", err)
+			return
+		}
+
+		if result.Error != "" {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Printf("Authentication failed: %s\n", result.Error)
+			return
+		}
+
+		if result.State != state {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Println("Authentication failed: state mismatch")
+			return
+		}
+
+		tokenData, errExchange := authSvc.ExchangeCodeForTokens(ctx, result.Code, redirectURI)
+		if errExchange != nil {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Printf("Authentication failed: %v\n", errExchange)
+			return
+		}
+
+		tokenStorage := authSvc.CreateTokenStorage(tokenData)
+		identifier := strings.TrimSpace(tokenStorage.Email)
+		if identifier == "" {
+			identifier = fmt.Sprintf("iflow-%d", time.Now().UnixMilli())
+			tokenStorage.Email = identifier
+		}
+		record := &coreauth.Auth{
+			ID:         fmt.Sprintf("iflow-%s.json", identifier),
+			Provider:   "iflow",
+			FileName:   fmt.Sprintf("iflow-%s.json", identifier),
+			Storage:    tokenStorage,
+			Metadata:   map[string]any{"email": identifier, "api_key": tokenStorage.APIKey},
+			Attributes: map[string]string{"api_key": tokenStorage.APIKey},
+		}
+
+		savedPath, errSave := h.saveTokenRecord(ctx, record)
+		if errSave != nil {
+			oauthStatus[state] = "Failed to save authentication tokens"
+			log.Fatalf("Failed to save authentication tokens: %v", errSave)
+			return
+		}
+
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
+		if tokenStorage.APIKey != "" {
+			fmt.Println("API key obtained and saved")
+		}
+		fmt.Println("You can now use iFlow services through this CLI")
+		delete(oauthStatus, state)
+	}()
+
+	oauthStatus[state] = ""
+	c.JSON(http.StatusOK, gin.H{"status": "ok", "url": authURL, "state": state})
+}
+
+type projectSelectionRequiredError struct{}
+
+func (e *projectSelectionRequiredError) Error() string {
+	return "gemini cli: project selection required"
+}
+
+func ensureGeminiProjectAndOnboard(ctx context.Context, httpClient *http.Client, storage *geminiAuth.GeminiTokenStorage, requestedProject string) error {
+	if storage == nil {
+		return fmt.Errorf("gemini storage is nil")
+	}
+
+	trimmedRequest := strings.TrimSpace(requestedProject)
+	if trimmedRequest == "" {
+		projects, errProjects := fetchGCPProjects(ctx, httpClient)
+		if errProjects != nil {
+			return fmt.Errorf("fetch project list: %w", errProjects)
+		}
+		if len(projects) == 0 {
+			return fmt.Errorf("no Google Cloud projects available for this account")
+		}
+		trimmedRequest = strings.TrimSpace(projects[0].ProjectID)
+		if trimmedRequest == "" {
+			return fmt.Errorf("resolved project id is empty")
+		}
+		storage.Auto = true
+	} else {
+		storage.Auto = false
+	}
+
+	if err := performGeminiCLISetup(ctx, httpClient, storage, trimmedRequest); err != nil {
+		return err
+	}
+
+	if strings.TrimSpace(storage.ProjectID) == "" {
+		storage.ProjectID = trimmedRequest
+	}
+
+	return nil
+}
+
+func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage *geminiAuth.GeminiTokenStorage, requestedProject string) error {
+	metadata := map[string]string{
+		"ideType":    "IDE_UNSPECIFIED",
+		"platform":   "PLATFORM_UNSPECIFIED",
+		"pluginType": "GEMINI",
+	}
+
+	trimmedRequest := strings.TrimSpace(requestedProject)
+	explicitProject := trimmedRequest != ""
+
+	loadReqBody := map[string]any{
+		"metadata": metadata,
+	}
+	if explicitProject {
+		loadReqBody["cloudaicompanionProject"] = trimmedRequest
+	}
+
+	var loadResp map[string]any
+	if errLoad := callGeminiCLI(ctx, httpClient, "loadCodeAssist", loadReqBody, &loadResp); errLoad != nil {
+		return fmt.Errorf("load code assist: %w", errLoad)
+	}
+
+	tierID := "legacy-tier"
+	if tiers, okTiers := loadResp["allowedTiers"].([]any); okTiers {
+		for _, rawTier := range tiers {
+			tier, okTier := rawTier.(map[string]any)
+			if !okTier {
+				continue
+			}
+			if isDefault, okDefault := tier["isDefault"].(bool); okDefault && isDefault {
+				if id, okID := tier["id"].(string); okID && strings.TrimSpace(id) != "" {
+					tierID = strings.TrimSpace(id)
+					break
+				}
+			}
+		}
+	}
+
+	projectID := trimmedRequest
+	if projectID == "" {
+		if id, okProject := loadResp["cloudaicompanionProject"].(string); okProject {
+			projectID = strings.TrimSpace(id)
+		}
+		if projectID == "" {
+			if projectMap, okProject := loadResp["cloudaicompanionProject"].(map[string]any); okProject {
+				if id, okID := projectMap["id"].(string); okID {
+					projectID = strings.TrimSpace(id)
+				}
+			}
+		}
+	}
+	if projectID == "" {
+		return &projectSelectionRequiredError{}
+	}
+
+	onboardReqBody := map[string]any{
+		"tierId":                  tierID,
+		"metadata":                metadata,
+		"cloudaicompanionProject": projectID,
+	}
+
+	storage.ProjectID = projectID
+
+	for {
+		var onboardResp map[string]any
+		if errOnboard := callGeminiCLI(ctx, httpClient, "onboardUser", onboardReqBody, &onboardResp); errOnboard != nil {
+			return fmt.Errorf("onboard user: %w", errOnboard)
+		}
+
+		if done, okDone := onboardResp["done"].(bool); okDone && done {
+			responseProjectID := ""
+			if resp, okResp := onboardResp["response"].(map[string]any); okResp {
+				switch projectValue := resp["cloudaicompanionProject"].(type) {
+				case map[string]any:
+					if id, okID := projectValue["id"].(string); okID {
+						responseProjectID = strings.TrimSpace(id)
+					}
+				case string:
+					responseProjectID = strings.TrimSpace(projectValue)
+				}
+			}
+
+			finalProjectID := projectID
+			if responseProjectID != "" {
+				if explicitProject && !strings.EqualFold(responseProjectID, projectID) {
+					log.Warnf("Gemini onboarding returned project %s instead of requested %s; keeping requested project ID.", responseProjectID, projectID)
+				} else {
+					finalProjectID = responseProjectID
+				}
+			}
+
+			storage.ProjectID = strings.TrimSpace(finalProjectID)
+			if storage.ProjectID == "" {
+				storage.ProjectID = strings.TrimSpace(projectID)
+			}
+			if storage.ProjectID == "" {
+				return fmt.Errorf("onboard user completed without project id")
+			}
+			log.Infof("Onboarding complete. Using Project ID: %s", storage.ProjectID)
+			return nil
+		}
+
+		log.Println("Onboarding in progress, waiting 5 seconds...")
+		time.Sleep(5 * time.Second)
+	}
+}
+
+func callGeminiCLI(ctx context.Context, httpClient *http.Client, endpoint string, body any, result any) error {
+	endPointURL := fmt.Sprintf("%s/%s:%s", geminiCLIEndpoint, geminiCLIVersion, endpoint)
+	if strings.HasPrefix(endpoint, "operations/") {
+		endPointURL = fmt.Sprintf("%s/%s", geminiCLIEndpoint, endpoint)
+	}
+
+	var reader io.Reader
+	if body != nil {
+		rawBody, errMarshal := json.Marshal(body)
+		if errMarshal != nil {
+			return fmt.Errorf("marshal request body: %w", errMarshal)
+		}
+		reader = bytes.NewReader(rawBody)
+	}
+
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodPost, endPointURL, reader)
+	if errRequest != nil {
+		return fmt.Errorf("create request: %w", errRequest)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", geminiCLIUserAgent)
+	req.Header.Set("X-Goog-Api-Client", geminiCLIApiClient)
+	req.Header.Set("Client-Metadata", geminiCLIClientMetadata)
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return fmt.Errorf("execute request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("api request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	if result == nil {
+		_, _ = io.Copy(io.Discard, resp.Body)
+		return nil
+	}
+
+	if errDecode := json.NewDecoder(resp.Body).Decode(result); errDecode != nil {
+		return fmt.Errorf("decode response body: %w", errDecode)
+	}
+
+	return nil
+}
+
+func fetchGCPProjects(ctx context.Context, httpClient *http.Client) ([]interfaces.GCPProjectProjects, error) {
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodGet, "https://cloudresourcemanager.googleapis.com/v1/projects", nil)
+	if errRequest != nil {
+		return nil, fmt.Errorf("could not create project list request: %w", errRequest)
+	}
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return nil, fmt.Errorf("failed to execute project list request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("project list request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	var projects interfaces.GCPProject
+	if errDecode := json.NewDecoder(resp.Body).Decode(&projects); errDecode != nil {
+		return nil, fmt.Errorf("failed to unmarshal project list: %w", errDecode)
+	}
+
+	return projects.Projects, nil
+}
+
+func checkCloudAPIIsEnabled(ctx context.Context, httpClient *http.Client, projectID string) (bool, error) {
+	serviceUsageURL := "https://serviceusage.googleapis.com"
+	requiredServices := []string{
+		"cloudaicompanion.googleapis.com",
+	}
+	for _, service := range requiredServices {
+		checkURL := fmt.Sprintf("%s/v1/projects/%s/services/%s", serviceUsageURL, projectID, service)
+		req, errRequest := http.NewRequestWithContext(ctx, http.MethodGet, checkURL, nil)
+		if errRequest != nil {
+			return false, fmt.Errorf("failed to create request: %w", errRequest)
+		}
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("User-Agent", geminiCLIUserAgent)
+		resp, errDo := httpClient.Do(req)
+		if errDo != nil {
+			return false, fmt.Errorf("failed to execute request: %w", errDo)
+		}
+
+		if resp.StatusCode == http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			if gjson.GetBytes(bodyBytes, "state").String() == "ENABLED" {
+				_ = resp.Body.Close()
+				continue
+			}
+		}
+		_ = resp.Body.Close()
+
+		enableURL := fmt.Sprintf("%s/v1/projects/%s/services/%s:enable", serviceUsageURL, projectID, service)
+		req, errRequest = http.NewRequestWithContext(ctx, http.MethodPost, enableURL, strings.NewReader("{}"))
+		if errRequest != nil {
+			return false, fmt.Errorf("failed to create request: %w", errRequest)
+		}
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("User-Agent", geminiCLIUserAgent)
+		resp, errDo = httpClient.Do(req)
+		if errDo != nil {
+			return false, fmt.Errorf("failed to execute request: %w", errDo)
+		}
+
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		errMessage := string(bodyBytes)
+		errMessageResult := gjson.GetBytes(bodyBytes, "error.message")
+		if errMessageResult.Exists() {
+			errMessage = errMessageResult.String()
+		}
+		if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusCreated {
+			_ = resp.Body.Close()
+			continue
+		} else if resp.StatusCode == http.StatusBadRequest {
+			_ = resp.Body.Close()
+			if strings.Contains(strings.ToLower(errMessage), "already enabled") {
+				continue
+			}
+		}
+		return false, fmt.Errorf("project activation required: %s", errMessage)
+	}
+	return true, nil
+}
+
 func (h *Handler) GetAuthStatus(c *gin.Context) {
 	state := c.Query("state")
 	if err, ok := oauthStatus[state]; ok {

internal/api/server.go

@@ -13,6 +13,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync/atomic"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -33,6 +34,8 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
+const oauthCallbackSuccessHTML = `<html><head><meta charset="utf-8"><title>Authentication successful</title><script>setTimeout(function(){window.close();},5000);</script></head><body><h1>Authentication successful!</h1><p>You can close this window.</p><p>This window will close automatically in 5 seconds.</p></body></html>`
+
 type serverOptionConfig struct {
 	extraMiddleware      []gin.HandlerFunc
 	engineConfigurator   func(*gin.Engine)
@@ -126,6 +129,11 @@ type Server struct {
 	// management handler
 	mgmt *managementHandlers.Handler
 
+	// managementRoutesRegistered tracks whether the management routes have been attached to the engine.
+	managementRoutesRegistered atomic.Bool
+	// managementRoutesEnabled controls whether management endpoints serve real handlers.
+	managementRoutesEnabled atomic.Bool
+
 	localPassword string
 
 	keepAliveEnabled   bool
@@ -210,6 +218,12 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 		optionState.routerConfigurator(engine, s.handlers, cfg)
 	}
 
+	// Register management routes only when a secret is present at startup.
+	s.managementRoutesEnabled.Store(cfg.RemoteManagement.SecretKey != "")
+	if cfg.RemoteManagement.SecretKey != "" {
+		s.registerManagementRoutes()
+	}
+
 	if optionState.keepAliveEnabled {
 		s.enableKeepAlive(optionState.keepAliveTimeout, optionState.keepAliveOnTimeout)
 	}
@@ -281,7 +295,7 @@ func (s *Server) setupRoutes() {
 			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
 		}
 		c.Header("Content-Type", "text/html; charset=utf-8")
-		c.String(http.StatusOK, "<html><body><h1>Authentication successful!</h1><p>You can close this window.</p></body></html>")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
 	})
 
 	s.engine.GET("/codex/callback", func(c *gin.Context) {
@@ -293,7 +307,7 @@ func (s *Server) setupRoutes() {
 			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
 		}
 		c.Header("Content-Type", "text/html; charset=utf-8")
-		c.String(http.StatusOK, "<html><body><h1>Authentication successful!</h1><p>You can close this window.</p></body></html>")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
 	})
 
 	s.engine.GET("/google/callback", func(c *gin.Context) {
@@ -305,88 +319,120 @@ func (s *Server) setupRoutes() {
 			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
 		}
 		c.Header("Content-Type", "text/html; charset=utf-8")
-		c.String(http.StatusOK, "<html><body><h1>Authentication successful!</h1><p>You can close this window.</p></body></html>")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
 	})
 
-	// Management API routes (delegated to management handlers)
-	// New logic: if remote-management-key is empty, do not expose any management endpoint (404).
-	if s.cfg.RemoteManagement.SecretKey != "" {
-		mgmt := s.engine.Group("/v0/management")
-		mgmt.Use(s.mgmt.Middleware())
-		{
-			mgmt.GET("/usage", s.mgmt.GetUsageStatistics)
-			mgmt.GET("/config", s.mgmt.GetConfig)
-
-			mgmt.GET("/debug", s.mgmt.GetDebug)
-			mgmt.PUT("/debug", s.mgmt.PutDebug)
-			mgmt.PATCH("/debug", s.mgmt.PutDebug)
-
-			mgmt.GET("/logging-to-file", s.mgmt.GetLoggingToFile)
-			mgmt.PUT("/logging-to-file", s.mgmt.PutLoggingToFile)
-			mgmt.PATCH("/logging-to-file", s.mgmt.PutLoggingToFile)
-
-			mgmt.GET("/usage-statistics-enabled", s.mgmt.GetUsageStatisticsEnabled)
-			mgmt.PUT("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
-			mgmt.PATCH("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
-
-			mgmt.GET("/proxy-url", s.mgmt.GetProxyURL)
-			mgmt.PUT("/proxy-url", s.mgmt.PutProxyURL)
-			mgmt.PATCH("/proxy-url", s.mgmt.PutProxyURL)
-			mgmt.DELETE("/proxy-url", s.mgmt.DeleteProxyURL)
-
-			mgmt.GET("/quota-exceeded/switch-project", s.mgmt.GetSwitchProject)
-			mgmt.PUT("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
-			mgmt.PATCH("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
-
-			mgmt.GET("/quota-exceeded/switch-preview-model", s.mgmt.GetSwitchPreviewModel)
-			mgmt.PUT("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
-			mgmt.PATCH("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
-
-			mgmt.GET("/api-keys", s.mgmt.GetAPIKeys)
-			mgmt.PUT("/api-keys", s.mgmt.PutAPIKeys)
-			mgmt.PATCH("/api-keys", s.mgmt.PatchAPIKeys)
-			mgmt.DELETE("/api-keys", s.mgmt.DeleteAPIKeys)
-
-			mgmt.GET("/generative-language-api-key", s.mgmt.GetGlKeys)
-			mgmt.PUT("/generative-language-api-key", s.mgmt.PutGlKeys)
-			mgmt.PATCH("/generative-language-api-key", s.mgmt.PatchGlKeys)
-			mgmt.DELETE("/generative-language-api-key", s.mgmt.DeleteGlKeys)
-
-			mgmt.GET("/request-log", s.mgmt.GetRequestLog)
-			mgmt.PUT("/request-log", s.mgmt.PutRequestLog)
-			mgmt.PATCH("/request-log", s.mgmt.PutRequestLog)
-
-			mgmt.GET("/request-retry", s.mgmt.GetRequestRetry)
-			mgmt.PUT("/request-retry", s.mgmt.PutRequestRetry)
-			mgmt.PATCH("/request-retry", s.mgmt.PutRequestRetry)
-
-			mgmt.GET("/claude-api-key", s.mgmt.GetClaudeKeys)
-			mgmt.PUT("/claude-api-key", s.mgmt.PutClaudeKeys)
-			mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
-			mgmt.DELETE("/claude-api-key", s.mgmt.DeleteClaudeKey)
-
-			mgmt.GET("/codex-api-key", s.mgmt.GetCodexKeys)
-			mgmt.PUT("/codex-api-key", s.mgmt.PutCodexKeys)
-			mgmt.PATCH("/codex-api-key", s.mgmt.PatchCodexKey)
-			mgmt.DELETE("/codex-api-key", s.mgmt.DeleteCodexKey)
-
-			mgmt.GET("/openai-compatibility", s.mgmt.GetOpenAICompat)
-			mgmt.PUT("/openai-compatibility", s.mgmt.PutOpenAICompat)
-			mgmt.PATCH("/openai-compatibility", s.mgmt.PatchOpenAICompat)
-			mgmt.DELETE("/openai-compatibility", s.mgmt.DeleteOpenAICompat)
-
-			mgmt.GET("/auth-files", s.mgmt.ListAuthFiles)
-			mgmt.GET("/auth-files/download", s.mgmt.DownloadAuthFile)
-			mgmt.POST("/auth-files", s.mgmt.UploadAuthFile)
-			mgmt.DELETE("/auth-files", s.mgmt.DeleteAuthFile)
-
-			mgmt.GET("/anthropic-auth-url", s.mgmt.RequestAnthropicToken)
-			mgmt.GET("/codex-auth-url", s.mgmt.RequestCodexToken)
-			mgmt.GET("/gemini-cli-auth-url", s.mgmt.RequestGeminiCLIToken)
-			mgmt.POST("/gemini-web-token", s.mgmt.CreateGeminiWebToken)
-			mgmt.GET("/qwen-auth-url", s.mgmt.RequestQwenToken)
-			mgmt.GET("/get-auth-status", s.mgmt.GetAuthStatus)
+	s.engine.GET("/iflow/callback", func(c *gin.Context) {
+		code := c.Query("code")
+		state := c.Query("state")
+		errStr := c.Query("error")
+		if state != "" {
+			file := fmt.Sprintf("%s/.oauth-iflow-%s.oauth", s.cfg.AuthDir, state)
+			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
 		}
+		c.Header("Content-Type", "text/html; charset=utf-8")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
+	})
+
+	// Management routes are registered lazily by registerManagementRoutes when a secret is configured.
+}
+
+func (s *Server) registerManagementRoutes() {
+	if s == nil || s.engine == nil || s.mgmt == nil {
+		return
+	}
+	if !s.managementRoutesRegistered.CompareAndSwap(false, true) {
+		return
+	}
+
+	log.Info("management routes registered after secret key configuration")
+
+	mgmt := s.engine.Group("/v0/management")
+	mgmt.Use(s.managementAvailabilityMiddleware(), s.mgmt.Middleware())
+	{
+		mgmt.GET("/usage", s.mgmt.GetUsageStatistics)
+		mgmt.GET("/config", s.mgmt.GetConfig)
+
+		mgmt.GET("/debug", s.mgmt.GetDebug)
+		mgmt.PUT("/debug", s.mgmt.PutDebug)
+		mgmt.PATCH("/debug", s.mgmt.PutDebug)
+
+		mgmt.GET("/logging-to-file", s.mgmt.GetLoggingToFile)
+		mgmt.PUT("/logging-to-file", s.mgmt.PutLoggingToFile)
+		mgmt.PATCH("/logging-to-file", s.mgmt.PutLoggingToFile)
+
+		mgmt.GET("/usage-statistics-enabled", s.mgmt.GetUsageStatisticsEnabled)
+		mgmt.PUT("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+		mgmt.PATCH("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+
+		mgmt.GET("/proxy-url", s.mgmt.GetProxyURL)
+		mgmt.PUT("/proxy-url", s.mgmt.PutProxyURL)
+		mgmt.PATCH("/proxy-url", s.mgmt.PutProxyURL)
+		mgmt.DELETE("/proxy-url", s.mgmt.DeleteProxyURL)
+
+		mgmt.GET("/quota-exceeded/switch-project", s.mgmt.GetSwitchProject)
+		mgmt.PUT("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
+		mgmt.PATCH("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
+
+		mgmt.GET("/quota-exceeded/switch-preview-model", s.mgmt.GetSwitchPreviewModel)
+		mgmt.PUT("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
+		mgmt.PATCH("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
+
+		mgmt.GET("/api-keys", s.mgmt.GetAPIKeys)
+		mgmt.PUT("/api-keys", s.mgmt.PutAPIKeys)
+		mgmt.PATCH("/api-keys", s.mgmt.PatchAPIKeys)
+		mgmt.DELETE("/api-keys", s.mgmt.DeleteAPIKeys)
+
+		mgmt.GET("/generative-language-api-key", s.mgmt.GetGlKeys)
+		mgmt.PUT("/generative-language-api-key", s.mgmt.PutGlKeys)
+		mgmt.PATCH("/generative-language-api-key", s.mgmt.PatchGlKeys)
+		mgmt.DELETE("/generative-language-api-key", s.mgmt.DeleteGlKeys)
+
+		mgmt.GET("/request-log", s.mgmt.GetRequestLog)
+		mgmt.PUT("/request-log", s.mgmt.PutRequestLog)
+		mgmt.PATCH("/request-log", s.mgmt.PutRequestLog)
+
+		mgmt.GET("/request-retry", s.mgmt.GetRequestRetry)
+		mgmt.PUT("/request-retry", s.mgmt.PutRequestRetry)
+		mgmt.PATCH("/request-retry", s.mgmt.PutRequestRetry)
+
+		mgmt.GET("/claude-api-key", s.mgmt.GetClaudeKeys)
+		mgmt.PUT("/claude-api-key", s.mgmt.PutClaudeKeys)
+		mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
+		mgmt.DELETE("/claude-api-key", s.mgmt.DeleteClaudeKey)
+
+		mgmt.GET("/codex-api-key", s.mgmt.GetCodexKeys)
+		mgmt.PUT("/codex-api-key", s.mgmt.PutCodexKeys)
+		mgmt.PATCH("/codex-api-key", s.mgmt.PatchCodexKey)
+		mgmt.DELETE("/codex-api-key", s.mgmt.DeleteCodexKey)
+
+		mgmt.GET("/openai-compatibility", s.mgmt.GetOpenAICompat)
+		mgmt.PUT("/openai-compatibility", s.mgmt.PutOpenAICompat)
+		mgmt.PATCH("/openai-compatibility", s.mgmt.PatchOpenAICompat)
+		mgmt.DELETE("/openai-compatibility", s.mgmt.DeleteOpenAICompat)
+
+		mgmt.GET("/auth-files", s.mgmt.ListAuthFiles)
+		mgmt.GET("/auth-files/download", s.mgmt.DownloadAuthFile)
+		mgmt.POST("/auth-files", s.mgmt.UploadAuthFile)
+		mgmt.DELETE("/auth-files", s.mgmt.DeleteAuthFile)
+
+		mgmt.GET("/anthropic-auth-url", s.mgmt.RequestAnthropicToken)
+		mgmt.GET("/codex-auth-url", s.mgmt.RequestCodexToken)
+		mgmt.GET("/gemini-cli-auth-url", s.mgmt.RequestGeminiCLIToken)
+		mgmt.POST("/gemini-web-token", s.mgmt.CreateGeminiWebToken)
+		mgmt.GET("/qwen-auth-url", s.mgmt.RequestQwenToken)
+		mgmt.GET("/iflow-auth-url", s.mgmt.RequestIFlowToken)
+		mgmt.GET("/get-auth-status", s.mgmt.GetAuthStatus)
+	}
+}
+
+func (s *Server) managementAvailabilityMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if !s.managementRoutesEnabled.Load() {
+			c.AbortWithStatus(http.StatusNotFound)
+			return
+		}
+		c.Next()
 	}
 }
 
@@ -405,7 +451,7 @@ func (s *Server) serveManagementControlPanel(c *gin.Context) {
 
 	if _, err := os.Stat(filePath); err != nil {
 		if os.IsNotExist(err) {
-			go managementasset.EnsureLatestManagementHTML(context.Background(), managementasset.StaticDir(s.configFilePath))
+			go managementasset.EnsureLatestManagementHTML(context.Background(), managementasset.StaticDir(s.configFilePath), cfg.ProxyURL)
 			c.AbortWithStatus(http.StatusNotFound)
 			return
 		}
@@ -641,13 +687,36 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 		}
 	}
 
+	prevSecretEmpty := true
+	if oldCfg != nil {
+		prevSecretEmpty = oldCfg.RemoteManagement.SecretKey == ""
+	}
+	newSecretEmpty := cfg.RemoteManagement.SecretKey == ""
+	switch {
+	case prevSecretEmpty && !newSecretEmpty:
+		s.registerManagementRoutes()
+		if s.managementRoutesEnabled.CompareAndSwap(false, true) {
+			log.Info("management routes enabled after secret key update")
+		} else {
+			s.managementRoutesEnabled.Store(true)
+		}
+	case !prevSecretEmpty && newSecretEmpty:
+		if s.managementRoutesEnabled.CompareAndSwap(true, false) {
+			log.Info("management routes disabled after secret key removal")
+		} else {
+			s.managementRoutesEnabled.Store(false)
+		}
+	default:
+		s.managementRoutesEnabled.Store(!newSecretEmpty)
+	}
+
 	s.applyAccessConfig(oldCfg, cfg)
 	s.cfg = cfg
 	s.handlers.UpdateClients(&cfg.SDKConfig)
 
 	if !cfg.RemoteManagement.DisableControlPanel {
 		staticDir := managementasset.StaticDir(s.configFilePath)
-		go managementasset.EnsureLatestManagementHTML(context.Background(), staticDir)
+		go managementasset.EnsureLatestManagementHTML(context.Background(), staticDir, cfg.ProxyURL)
 	}
 	if s.mgmt != nil {
 		s.mgmt.SetConfig(cfg)

internal/auth/iflow/iflow_auth.go

@@ -0,0 +1,275 @@
+package iflow
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// OAuth endpoints and client metadata are derived from the reference Python implementation.
+	iFlowOAuthTokenEndpoint     = "https://iflow.cn/oauth/token"
+	iFlowOAuthAuthorizeEndpoint = "https://iflow.cn/oauth"
+	iFlowUserInfoEndpoint       = "https://iflow.cn/api/oauth/getUserInfo"
+	iFlowSuccessRedirectURL     = "https://iflow.cn/oauth/success"
+
+	// Client credentials provided by iFlow for the Code Assist integration.
+	iFlowOAuthClientID     = "10009311001"
+	iFlowOAuthClientSecret = "4Z3YjXycVsQvyGF1etiNlIBB4RsqSDtW"
+)
+
+// DefaultAPIBaseURL is the canonical chat completions endpoint.
+const DefaultAPIBaseURL = "https://apis.iflow.cn/v1"
+
+// SuccessRedirectURL is exposed for consumers needing the official success page.
+const SuccessRedirectURL = iFlowSuccessRedirectURL
+
+// CallbackPort defines the local port used for OAuth callbacks.
+const CallbackPort = 11451
+
+// IFlowAuth encapsulates the HTTP client helpers for the OAuth flow.
+type IFlowAuth struct {
+	httpClient *http.Client
+}
+
+// NewIFlowAuth constructs a new IFlowAuth with proxy-aware transport.
+func NewIFlowAuth(cfg *config.Config) *IFlowAuth {
+	client := &http.Client{Timeout: 30 * time.Second}
+	return &IFlowAuth{httpClient: util.SetProxy(&cfg.SDKConfig, client)}
+}
+
+// AuthorizationURL builds the authorization URL and matching redirect URI.
+func (ia *IFlowAuth) AuthorizationURL(state string, port int) (authURL, redirectURI string) {
+	redirectURI = fmt.Sprintf("http://localhost:%d/oauth2callback", port)
+	values := url.Values{}
+	values.Set("loginMethod", "phone")
+	values.Set("type", "phone")
+	values.Set("redirect", redirectURI)
+	values.Set("state", state)
+	values.Set("client_id", iFlowOAuthClientID)
+	authURL = fmt.Sprintf("%s?%s", iFlowOAuthAuthorizeEndpoint, values.Encode())
+	return authURL, redirectURI
+}
+
+// ExchangeCodeForTokens exchanges an authorization code for access and refresh tokens.
+func (ia *IFlowAuth) ExchangeCodeForTokens(ctx context.Context, code, redirectURI string) (*IFlowTokenData, error) {
+	form := url.Values{}
+	form.Set("grant_type", "authorization_code")
+	form.Set("code", code)
+	form.Set("redirect_uri", redirectURI)
+	form.Set("client_id", iFlowOAuthClientID)
+	form.Set("client_secret", iFlowOAuthClientSecret)
+
+	req, err := ia.newTokenRequest(ctx, form)
+	if err != nil {
+		return nil, err
+	}
+
+	return ia.doTokenRequest(ctx, req)
+}
+
+// RefreshTokens exchanges a refresh token for a new access token.
+func (ia *IFlowAuth) RefreshTokens(ctx context.Context, refreshToken string) (*IFlowTokenData, error) {
+	form := url.Values{}
+	form.Set("grant_type", "refresh_token")
+	form.Set("refresh_token", refreshToken)
+	form.Set("client_id", iFlowOAuthClientID)
+	form.Set("client_secret", iFlowOAuthClientSecret)
+
+	req, err := ia.newTokenRequest(ctx, form)
+	if err != nil {
+		return nil, err
+	}
+
+	return ia.doTokenRequest(ctx, req)
+}
+
+func (ia *IFlowAuth) newTokenRequest(ctx context.Context, form url.Values) (*http.Request, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, iFlowOAuthTokenEndpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, fmt.Errorf("iflow token: create request failed: %w", err)
+	}
+
+	basic := base64.StdEncoding.EncodeToString([]byte(iFlowOAuthClientID + ":" + iFlowOAuthClientSecret))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", "Basic "+basic)
+	return req, nil
+}
+
+func (ia *IFlowAuth) doTokenRequest(ctx context.Context, req *http.Request) (*IFlowTokenData, error) {
+	resp, err := ia.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("iflow token: request failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("iflow token: read response failed: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		log.Debugf("iflow token request failed: status=%d body=%s", resp.StatusCode, string(body))
+		return nil, fmt.Errorf("iflow token: %d %s", resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+
+	var tokenResp IFlowTokenResponse
+	if err = json.Unmarshal(body, &tokenResp); err != nil {
+		return nil, fmt.Errorf("iflow token: decode response failed: %w", err)
+	}
+
+	data := &IFlowTokenData{
+		AccessToken:  tokenResp.AccessToken,
+		RefreshToken: tokenResp.RefreshToken,
+		TokenType:    tokenResp.TokenType,
+		Scope:        tokenResp.Scope,
+		Expire:       time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second).Format(time.RFC3339),
+	}
+
+	if tokenResp.AccessToken == "" {
+		return nil, fmt.Errorf("iflow token: missing access token in response")
+	}
+
+	info, errAPI := ia.FetchUserInfo(ctx, tokenResp.AccessToken)
+	if errAPI != nil {
+		return nil, fmt.Errorf("iflow token: fetch user info failed: %w", errAPI)
+	}
+	if strings.TrimSpace(info.APIKey) == "" {
+		return nil, fmt.Errorf("iflow token: empty api key returned")
+	}
+	email := strings.TrimSpace(info.Email)
+	if email == "" {
+		email = strings.TrimSpace(info.Phone)
+	}
+	if email == "" {
+		return nil, fmt.Errorf("iflow token: missing account email/phone in user info")
+	}
+	data.APIKey = info.APIKey
+	data.Email = email
+
+	return data, nil
+}
+
+// FetchUserInfo retrieves account metadata (including API key) for the provided access token.
+func (ia *IFlowAuth) FetchUserInfo(ctx context.Context, accessToken string) (*userInfoData, error) {
+	if strings.TrimSpace(accessToken) == "" {
+		return nil, fmt.Errorf("iflow api key: access token is empty")
+	}
+
+	endpoint := fmt.Sprintf("%s?accessToken=%s", iFlowUserInfoEndpoint, url.QueryEscape(accessToken))
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return nil, fmt.Errorf("iflow api key: create request failed: %w", err)
+	}
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := ia.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("iflow api key: request failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("iflow api key: read response failed: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		log.Debugf("iflow api key failed: status=%d body=%s", resp.StatusCode, string(body))
+		return nil, fmt.Errorf("iflow api key: %d %s", resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+
+	var result userInfoResponse
+	if err = json.Unmarshal(body, &result); err != nil {
+		return nil, fmt.Errorf("iflow api key: decode body failed: %w", err)
+	}
+
+	if !result.Success {
+		return nil, fmt.Errorf("iflow api key: request not successful")
+	}
+
+	if result.Data.APIKey == "" {
+		return nil, fmt.Errorf("iflow api key: missing api key in response")
+	}
+
+	return &result.Data, nil
+}
+
+// CreateTokenStorage converts token data into persistence storage.
+func (ia *IFlowAuth) CreateTokenStorage(data *IFlowTokenData) *IFlowTokenStorage {
+	if data == nil {
+		return nil
+	}
+	return &IFlowTokenStorage{
+		AccessToken:  data.AccessToken,
+		RefreshToken: data.RefreshToken,
+		LastRefresh:  time.Now().Format(time.RFC3339),
+		Expire:       data.Expire,
+		APIKey:       data.APIKey,
+		Email:        data.Email,
+		TokenType:    data.TokenType,
+		Scope:        data.Scope,
+	}
+}
+
+// UpdateTokenStorage updates the persisted token storage with latest token data.
+func (ia *IFlowAuth) UpdateTokenStorage(storage *IFlowTokenStorage, data *IFlowTokenData) {
+	if storage == nil || data == nil {
+		return
+	}
+	storage.AccessToken = data.AccessToken
+	storage.RefreshToken = data.RefreshToken
+	storage.LastRefresh = time.Now().Format(time.RFC3339)
+	storage.Expire = data.Expire
+	if data.APIKey != "" {
+		storage.APIKey = data.APIKey
+	}
+	if data.Email != "" {
+		storage.Email = data.Email
+	}
+	storage.TokenType = data.TokenType
+	storage.Scope = data.Scope
+}
+
+// IFlowTokenResponse models the OAuth token endpoint response.
+type IFlowTokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"`
+	TokenType    string `json:"token_type"`
+	Scope        string `json:"scope"`
+}
+
+// IFlowTokenData captures processed token details.
+type IFlowTokenData struct {
+	AccessToken  string
+	RefreshToken string
+	TokenType    string
+	Scope        string
+	Expire       string
+	APIKey       string
+	Email        string
+}
+
+// userInfoResponse represents the structure returned by the user info endpoint.
+type userInfoResponse struct {
+	Success bool         `json:"success"`
+	Data    userInfoData `json:"data"`
+}
+
+type userInfoData struct {
+	APIKey string `json:"apiKey"`
+	Email  string `json:"email"`
+	Phone  string `json:"phone"`
+}

internal/auth/iflow/iflow_token.go

@@ -0,0 +1,43 @@
+package iflow
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
+)
+
+// IFlowTokenStorage persists iFlow OAuth credentials alongside the derived API key.
+type IFlowTokenStorage struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	LastRefresh  string `json:"last_refresh"`
+	Expire       string `json:"expired"`
+	APIKey       string `json:"api_key"`
+	Email        string `json:"email"`
+	TokenType    string `json:"token_type"`
+	Scope        string `json:"scope"`
+	Type         string `json:"type"`
+}
+
+// SaveTokenToFile serialises the token storage to disk.
+func (ts *IFlowTokenStorage) SaveTokenToFile(authFilePath string) error {
+	misc.LogSavingCredentials(authFilePath)
+	ts.Type = "iflow"
+	if err := os.MkdirAll(filepath.Dir(authFilePath), 0o700); err != nil {
+		return fmt.Errorf("iflow token: create directory failed: %w", err)
+	}
+
+	f, err := os.Create(authFilePath)
+	if err != nil {
+		return fmt.Errorf("iflow token: create file failed: %w", err)
+	}
+	defer func() { _ = f.Close() }()
+
+	if err = json.NewEncoder(f).Encode(ts); err != nil {
+		return fmt.Errorf("iflow token: encode token failed: %w", err)
+	}
+	return nil
+}

internal/auth/iflow/oauth_server.go

@@ -0,0 +1,143 @@
+package iflow
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const errorRedirectURL = "https://iflow.cn/oauth/error"
+
+// OAuthResult captures the outcome of the local OAuth callback.
+type OAuthResult struct {
+	Code  string
+	State string
+	Error string
+}
+
+// OAuthServer provides a minimal HTTP server for handling the iFlow OAuth callback.
+type OAuthServer struct {
+	server  *http.Server
+	port    int
+	result  chan *OAuthResult
+	errChan chan error
+	mu      sync.Mutex
+	running bool
+}
+
+// NewOAuthServer constructs a new OAuthServer bound to the provided port.
+func NewOAuthServer(port int) *OAuthServer {
+	return &OAuthServer{
+		port:    port,
+		result:  make(chan *OAuthResult, 1),
+		errChan: make(chan error, 1),
+	}
+}
+
+// Start launches the callback listener.
+func (s *OAuthServer) Start() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.running {
+		return fmt.Errorf("iflow oauth server already running")
+	}
+	if !s.isPortAvailable() {
+		return fmt.Errorf("port %d is already in use", s.port)
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/oauth2callback", s.handleCallback)
+
+	s.server = &http.Server{
+		Addr:         fmt.Sprintf(":%d", s.port),
+		Handler:      mux,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
+
+	s.running = true
+
+	go func() {
+		if err := s.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			s.errChan <- err
+		}
+	}()
+
+	time.Sleep(100 * time.Millisecond)
+	return nil
+}
+
+// Stop gracefully terminates the callback listener.
+func (s *OAuthServer) Stop(ctx context.Context) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if !s.running || s.server == nil {
+		return nil
+	}
+	defer func() {
+		s.running = false
+		s.server = nil
+	}()
+	return s.server.Shutdown(ctx)
+}
+
+// WaitForCallback blocks until a callback result, server error, or timeout occurs.
+func (s *OAuthServer) WaitForCallback(timeout time.Duration) (*OAuthResult, error) {
+	select {
+	case res := <-s.result:
+		return res, nil
+	case err := <-s.errChan:
+		return nil, err
+	case <-time.After(timeout):
+		return nil, fmt.Errorf("timeout waiting for OAuth callback")
+	}
+}
+
+func (s *OAuthServer) handleCallback(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	query := r.URL.Query()
+	if errParam := strings.TrimSpace(query.Get("error")); errParam != "" {
+		s.sendResult(&OAuthResult{Error: errParam})
+		http.Redirect(w, r, errorRedirectURL, http.StatusFound)
+		return
+	}
+
+	code := strings.TrimSpace(query.Get("code"))
+	if code == "" {
+		s.sendResult(&OAuthResult{Error: "missing_code"})
+		http.Redirect(w, r, errorRedirectURL, http.StatusFound)
+		return
+	}
+
+	state := query.Get("state")
+	s.sendResult(&OAuthResult{Code: code, State: state})
+	http.Redirect(w, r, SuccessRedirectURL, http.StatusFound)
+}
+
+func (s *OAuthServer) sendResult(res *OAuthResult) {
+	select {
+	case s.result <- res:
+	default:
+		log.Debug("iflow oauth result channel full, dropping result")
+	}
+}
+
+func (s *OAuthServer) isPortAvailable() bool {
+	addr := fmt.Sprintf(":%d", s.port)
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return false
+	}
+	_ = listener.Close()
+	return true
+}

internal/cmd/auth_manager.go

@@ -17,6 +17,7 @@ func newAuthManager() *sdkAuth.Manager {
 		sdkAuth.NewCodexAuthenticator(),
 		sdkAuth.NewClaudeAuthenticator(),
 		sdkAuth.NewQwenAuthenticator(),
+		sdkAuth.NewIFlowAuthenticator(),
 	)
 	return manager
 }

internal/cmd/iflow_login.go

@@ -0,0 +1,54 @@
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
+	log "github.com/sirupsen/logrus"
+)
+
+// DoIFlowLogin performs the iFlow OAuth login via the shared authentication manager.
+func DoIFlowLogin(cfg *config.Config, options *LoginOptions) {
+	if options == nil {
+		options = &LoginOptions{}
+	}
+
+	manager := newAuthManager()
+
+	promptFn := options.Prompt
+	if promptFn == nil {
+		promptFn = func(prompt string) (string, error) {
+			fmt.Println()
+			fmt.Println(prompt)
+			var value string
+			_, err := fmt.Scanln(&value)
+			return value, err
+		}
+	}
+
+	authOpts := &sdkAuth.LoginOptions{
+		NoBrowser: options.NoBrowser,
+		Metadata:  map[string]string{},
+		Prompt:    promptFn,
+	}
+
+	_, savedPath, err := manager.Login(context.Background(), "iflow", cfg, authOpts)
+	if err != nil {
+		var emailErr *sdkAuth.EmailRequiredError
+		if errors.As(err, &emailErr) {
+			log.Error(emailErr.Error())
+			return
+		}
+		fmt.Printf("iFlow authentication failed: %v\n", err)
+		return
+	}
+
+	if savedPath != "" {
+		fmt.Printf("Authentication saved to %s\n", savedPath)
+	}
+
+	fmt.Println("iFlow authentication successful!")
+}

internal/cmd/login.go

@@ -154,11 +154,14 @@ func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage
 		"pluginType": "GEMINI",
 	}
 
+	trimmedRequest := strings.TrimSpace(requestedProject)
+	explicitProject := trimmedRequest != ""
+
 	loadReqBody := map[string]any{
 		"metadata": metadata,
 	}
-	if requestedProject != "" {
-		loadReqBody["cloudaicompanionProject"] = requestedProject
+	if explicitProject {
+		loadReqBody["cloudaicompanionProject"] = trimmedRequest
 	}
 
 	var loadResp map[string]any
@@ -182,11 +185,18 @@ func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage
 		}
 	}
 
-	projectID := strings.TrimSpace(requestedProject)
+	projectID := trimmedRequest
 	if projectID == "" {
 		if id, okProject := loadResp["cloudaicompanionProject"].(string); okProject {
 			projectID = strings.TrimSpace(id)
 		}
+		if projectID == "" {
+			if projectMap, okProject := loadResp["cloudaicompanionProject"].(map[string]any); okProject {
+				if id, okID := projectMap["id"].(string); okID {
+					projectID = strings.TrimSpace(id)
+				}
+			}
+		}
 	}
 	if projectID == "" {
 		return &projectSelectionRequiredError{}
@@ -208,16 +218,30 @@ func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage
 		}
 
 		if done, okDone := onboardResp["done"].(bool); okDone && done {
+			responseProjectID := ""
 			if resp, okResp := onboardResp["response"].(map[string]any); okResp {
-				if project, okProject := resp["cloudaicompanionProject"].(map[string]any); okProject {
-					if id, okID := project["id"].(string); okID && strings.TrimSpace(id) != "" {
-						storage.ProjectID = strings.TrimSpace(id)
+				switch projectValue := resp["cloudaicompanionProject"].(type) {
+				case map[string]any:
+					if id, okID := projectValue["id"].(string); okID {
+						responseProjectID = strings.TrimSpace(id)
 					}
+				case string:
+					responseProjectID = strings.TrimSpace(projectValue)
 				}
 			}
-			storage.ProjectID = strings.TrimSpace(storage.ProjectID)
+
+			finalProjectID := projectID
+			if responseProjectID != "" {
+				if explicitProject && !strings.EqualFold(responseProjectID, projectID) {
+					log.Warnf("Gemini onboarding returned project %s instead of requested %s; keeping requested project ID.", responseProjectID, projectID)
+				} else {
+					finalProjectID = responseProjectID
+				}
+			}
+
+			storage.ProjectID = strings.TrimSpace(finalProjectID)
 			if storage.ProjectID == "" {
-				storage.ProjectID = projectID
+				storage.ProjectID = strings.TrimSpace(projectID)
 			}
 			if storage.ProjectID == "" {
 				return fmt.Errorf("onboard user completed without project id")
@@ -409,8 +433,8 @@ func showProjectSelectionHelp(email string, projects []interfaces.GCPProjectProj
 func checkCloudAPIIsEnabled(ctx context.Context, httpClient *http.Client, projectID string) (bool, error) {
 	serviceUsageURL := "https://serviceusage.googleapis.com"
 	requiredServices := []string{
-		"geminicloudassist.googleapis.com", // Gemini Cloud Assist API
-		"cloudaicompanion.googleapis.com",  // Gemini for Google Cloud API
+		// "geminicloudassist.googleapis.com", // Gemini Cloud Assist API
+		"cloudaicompanion.googleapis.com", // Gemini for Google Cloud API
 	}
 	for _, service := range requiredServices {
 		checkUrl := fmt.Sprintf("%s/v1/projects/%s/services/%s", serviceUsageURL, projectID, service)

internal/managementasset/updater.go

@@ -14,6 +14,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -26,7 +28,14 @@ const (
 // ManagementFileName exposes the control panel asset filename.
 const ManagementFileName = managementAssetName
 
-var httpClient = &http.Client{Timeout: 15 * time.Second}
+func newHTTPClient(proxyURL string) *http.Client {
+	client := &http.Client{Timeout: 15 * time.Second}
+
+	sdkCfg := &sdkconfig.SDKConfig{ProxyURL: strings.TrimSpace(proxyURL)}
+	util.SetProxy(sdkCfg, client)
+
+	return client
+}
 
 type releaseAsset struct {
 	Name               string `json:"name"`
@@ -59,7 +68,7 @@ func FilePath(configFilePath string) string {
 
 // EnsureLatestManagementHTML checks the latest management.html asset and updates the local copy when needed.
 // The function is designed to run in a background goroutine and will never panic.
-func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
+func EnsureLatestManagementHTML(ctx context.Context, staticDir string, proxyURL string) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
@@ -75,6 +84,8 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 		return
 	}
 
+	client := newHTTPClient(proxyURL)
+
 	localPath := filepath.Join(staticDir, managementAssetName)
 	localHash, err := fileSHA256(localPath)
 	if err != nil {
@@ -84,7 +95,7 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 		localHash = ""
 	}
 
-	asset, remoteHash, err := fetchLatestAsset(ctx)
+	asset, remoteHash, err := fetchLatestAsset(ctx, client)
 	if err != nil {
 		log.WithError(err).Warn("failed to fetch latest management release information")
 		return
@@ -95,7 +106,7 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 		return
 	}
 
-	data, downloadedHash, err := downloadAsset(ctx, asset.BrowserDownloadURL)
+	data, downloadedHash, err := downloadAsset(ctx, client, asset.BrowserDownloadURL)
 	if err != nil {
 		log.WithError(err).Warn("failed to download management asset")
 		return
@@ -113,7 +124,7 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 	log.Infof("management asset updated successfully (hash=%s)", downloadedHash)
 }
 
-func fetchLatestAsset(ctx context.Context) (*releaseAsset, string, error) {
+func fetchLatestAsset(ctx context.Context, client *http.Client) (*releaseAsset, string, error) {
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, managementReleaseURL, nil)
 	if err != nil {
 		return nil, "", fmt.Errorf("create release request: %w", err)
@@ -121,7 +132,7 @@ func fetchLatestAsset(ctx context.Context) (*releaseAsset, string, error) {
 	req.Header.Set("Accept", "application/vnd.github+json")
 	req.Header.Set("User-Agent", httpUserAgent)
 
-	resp, err := httpClient.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, "", fmt.Errorf("execute release request: %w", err)
 	}
@@ -150,7 +161,7 @@ func fetchLatestAsset(ctx context.Context) (*releaseAsset, string, error) {
 	return nil, "", fmt.Errorf("management asset %s not found in latest release", managementAssetName)
 }
 
-func downloadAsset(ctx context.Context, downloadURL string) ([]byte, string, error) {
+func downloadAsset(ctx context.Context, client *http.Client, downloadURL string) ([]byte, string, error) {
 	if strings.TrimSpace(downloadURL) == "" {
 		return nil, "", fmt.Errorf("empty download url")
 	}
@@ -161,7 +172,7 @@ func downloadAsset(ctx context.Context, downloadURL string) ([]byte, string, err
 	}
 	req.Header.Set("User-Agent", httpUserAgent)
 
-	resp, err := httpClient.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, "", fmt.Errorf("execute download request: %w", err)
 	}

internal/registry/model_definitions.go

@@ -152,6 +152,20 @@ func GetGeminiCLIModels() []*ModelInfo {
 			OutputTokenLimit:           65536,
 			SupportedGenerationMethods: []string{"generateContent", "countTokens", "createCachedContent", "batchGenerateContent"},
 		},
+		{
+			ID:                         "gemini-2.5-flash-image-preview",
+			Object:                     "model",
+			Created:                    time.Now().Unix(),
+			OwnedBy:                    "google",
+			Type:                       "gemini",
+			Name:                       "models/gemini-2.5-flash-image-preview",
+			Version:                    "2.5",
+			DisplayName:                "Gemini 2.5 Flash Image Preview",
+			Description:                "State-of-the-art image generation and editing model.",
+			InputTokenLimit:            1048576,
+			OutputTokenLimit:           8192,
+			SupportedGenerationMethods: []string{"generateContent", "countTokens", "createCachedContent", "batchGenerateContent"},
+		},
 	}
 }
 
@@ -322,3 +336,45 @@ func GetQwenModels() []*ModelInfo {
 		},
 	}
 }
+
+// GetIFlowModels returns supported models for iFlow OAuth accounts.
+
+func GetIFlowModels() []*ModelInfo {
+	created := time.Now().Unix()
+	entries := []struct {
+		ID          string
+		DisplayName string
+		Description string
+	}{
+		{ID: "tstars2.0", DisplayName: "TStars-2.0", Description: "iFlow TStars-2.0 multimodal assistant"},
+		{ID: "qwen3-coder-plus", DisplayName: "Qwen3-Coder-Plus", Description: "Qwen3 Coder Plus code generation"},
+		{ID: "qwen3-coder", DisplayName: "Qwen3-Coder-480B-A35B", Description: "Qwen3 Coder 480B A35B"},
+		{ID: "qwen3-max", DisplayName: "Qwen3-Max", Description: "Qwen3 flagship model"},
+		{ID: "qwen3-vl-plus", DisplayName: "Qwen3-VL-Plus", Description: "Qwen3 multimodal vision-language"},
+		{ID: "qwen3-max-preview", DisplayName: "Qwen3-Max-Preview", Description: "Qwen3 Max preview build"},
+		{ID: "kimi-k2-0905", DisplayName: "Kimi-K2-Instruct-0905", Description: "Moonshot Kimi K2 instruct 0905"},
+		{ID: "glm-4.5", DisplayName: "GLM-4.5", Description: "Zhipu GLM 4.5 general model"},
+		{ID: "kimi-k2", DisplayName: "Kimi-K2", Description: "Moonshot Kimi K2 general model"},
+		{ID: "deepseek-v3.2", DisplayName: "DeepSeek-V3.2-Exp", Description: "DeepSeek V3.2 experimental"},
+		{ID: "deepseek-v3.1", DisplayName: "DeepSeek-V3.1-Terminus", Description: "DeepSeek V3.1 Terminus"},
+		{ID: "deepseek-r1", DisplayName: "DeepSeek-R1", Description: "DeepSeek reasoning model R1"},
+		{ID: "deepseek-v3", DisplayName: "DeepSeek-V3-671B", Description: "DeepSeek V3 671B"},
+		{ID: "qwen3-32b", DisplayName: "Qwen3-32B", Description: "Qwen3 32B"},
+		{ID: "qwen3-235b-a22b-thinking-2507", DisplayName: "Qwen3-235B-A22B-Thinking", Description: "Qwen3 235B A22B Thinking (2507)"},
+		{ID: "qwen3-235b-a22b-instruct", DisplayName: "Qwen3-235B-A22B-Instruct", Description: "Qwen3 235B A22B Instruct"},
+		{ID: "qwen3-235b", DisplayName: "Qwen3-235B-A22B", Description: "Qwen3 235B A22B"},
+	}
+	models := make([]*ModelInfo, 0, len(entries))
+	for _, entry := range entries {
+		models = append(models, &ModelInfo{
+			ID:          entry.ID,
+			Object:      "model",
+			Created:     created,
+			OwnedBy:     "iflow",
+			Type:        "iflow",
+			DisplayName: entry.DisplayName,
+			Description: entry.Description,
+		})
+	}
+	return models
+}

internal/runtime/executor/claude_executor.go

@@ -144,8 +144,8 @@ func (e *ClaudeExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
-		scanner.Buffer(buf, 1024*1024)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/runtime/executor/codex_executor.go

@@ -76,6 +76,7 @@ func (e *CodexExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	}
 
 	body, _ = sjson.SetBytes(body, "stream", true)
+	body, _ = sjson.DeleteBytes(body, "previous_response_id")
 
 	url := strings.TrimSuffix(baseURL, "/") + "/responses"
 	recordAPIRequest(ctx, e.cfg, body)
@@ -161,6 +162,8 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 		}
 	}
 
+	body, _ = sjson.DeleteBytes(body, "previous_response_id")
+
 	url := strings.TrimSuffix(baseURL, "/") + "/responses"
 	recordAPIRequest(ctx, e.cfg, body)
 	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
@@ -186,8 +189,8 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
-		scanner.Buffer(buf, 1024*1024)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/runtime/executor/gemini_cli_executor.go

@@ -212,8 +212,8 @@ func (e *GeminiCLIExecutor) ExecuteStream(ctx context.Context, auth *cliproxyaut
 			defer func() { _ = resp.Body.Close() }()
 			if opts.Alt == "" {
 				scanner := bufio.NewScanner(resp.Body)
-				buf := make([]byte, 1024*1024)
-				scanner.Buffer(buf, 1024*1024)
+				buf := make([]byte, 20_971_520)
+				scanner.Buffer(buf, 20_971_520)
 				var param any
 				for scanner.Scan() {
 					line := scanner.Bytes()

internal/runtime/executor/gemini_executor.go

@@ -173,8 +173,8 @@ func (e *GeminiExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
-		scanner.Buffer(buf, 1024*1024)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/runtime/executor/iflow_executor.go

@@ -0,0 +1,261 @@
+package executor
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	iflowauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/iflow"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+	sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
+	log "github.com/sirupsen/logrus"
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
+)
+
+const (
+	iflowDefaultEndpoint = "/chat/completions"
+	iflowUserAgent       = "iFlow-Cli"
+)
+
+// IFlowExecutor executes OpenAI-compatible chat completions against the iFlow API using API keys derived from OAuth.
+type IFlowExecutor struct {
+	cfg *config.Config
+}
+
+// NewIFlowExecutor constructs a new executor instance.
+func NewIFlowExecutor(cfg *config.Config) *IFlowExecutor { return &IFlowExecutor{cfg: cfg} }
+
+// Identifier returns the provider key.
+func (e *IFlowExecutor) Identifier() string { return "iflow" }
+
+// PrepareRequest implements ProviderExecutor but requires no preprocessing.
+func (e *IFlowExecutor) PrepareRequest(_ *http.Request, _ *cliproxyauth.Auth) error { return nil }
+
+// Execute performs a non-streaming chat completion request.
+func (e *IFlowExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
+	apiKey, baseURL := iflowCreds(auth)
+	if strings.TrimSpace(apiKey) == "" {
+		return cliproxyexecutor.Response{}, fmt.Errorf("iflow executor: missing api key")
+	}
+	if baseURL == "" {
+		baseURL = iflowauth.DefaultAPIBaseURL
+	}
+
+	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
+
+	from := opts.SourceFormat
+	to := sdktranslator.FromString("openai")
+	body := sdktranslator.TranslateRequest(from, to, req.Model, bytes.Clone(req.Payload), false)
+
+	endpoint := strings.TrimSuffix(baseURL, "/") + iflowDefaultEndpoint
+	recordAPIRequest(ctx, e.cfg, body)
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
+	if err != nil {
+		return cliproxyexecutor.Response{}, err
+	}
+	applyIFlowHeaders(httpReq, apiKey, false)
+
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
+	resp, err := httpClient.Do(httpReq)
+	if err != nil {
+		return cliproxyexecutor.Response{}, err
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		b, _ := io.ReadAll(resp.Body)
+		appendAPIResponseChunk(ctx, e.cfg, b)
+		log.Debugf("iflow request error: status %d body %s", resp.StatusCode, string(b))
+		return cliproxyexecutor.Response{}, statusErr{code: resp.StatusCode, msg: string(b)}
+	}
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return cliproxyexecutor.Response{}, err
+	}
+	appendAPIResponseChunk(ctx, e.cfg, data)
+	reporter.publish(ctx, parseOpenAIUsage(data))
+
+	var param any
+	out := sdktranslator.TranslateNonStream(ctx, to, from, req.Model, bytes.Clone(opts.OriginalRequest), body, data, &param)
+	return cliproxyexecutor.Response{Payload: []byte(out)}, nil
+}
+
+// ExecuteStream performs a streaming chat completion request.
+func (e *IFlowExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (<-chan cliproxyexecutor.StreamChunk, error) {
+	apiKey, baseURL := iflowCreds(auth)
+	if strings.TrimSpace(apiKey) == "" {
+		return nil, fmt.Errorf("iflow executor: missing api key")
+	}
+	if baseURL == "" {
+		baseURL = iflowauth.DefaultAPIBaseURL
+	}
+
+	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
+
+	from := opts.SourceFormat
+	to := sdktranslator.FromString("openai")
+	body := sdktranslator.TranslateRequest(from, to, req.Model, bytes.Clone(req.Payload), true)
+
+	// Ensure tools array exists to avoid provider quirks similar to Qwen's behaviour.
+	toolsResult := gjson.GetBytes(body, "tools")
+	if toolsResult.Exists() && toolsResult.IsArray() && len(toolsResult.Array()) == 0 {
+		body = ensureToolsArray(body)
+	}
+
+	endpoint := strings.TrimSuffix(baseURL, "/") + iflowDefaultEndpoint
+	recordAPIRequest(ctx, e.cfg, body)
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	applyIFlowHeaders(httpReq, apiKey, true)
+
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
+	resp, err := httpClient.Do(httpReq)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		defer func() { _ = resp.Body.Close() }()
+		b, _ := io.ReadAll(resp.Body)
+		appendAPIResponseChunk(ctx, e.cfg, b)
+		log.Debugf("iflow streaming error: status %d body %s", resp.StatusCode, string(b))
+		return nil, statusErr{code: resp.StatusCode, msg: string(b)}
+	}
+
+	out := make(chan cliproxyexecutor.StreamChunk)
+	go func() {
+		defer close(out)
+		defer func() { _ = resp.Body.Close() }()
+
+		scanner := bufio.NewScanner(resp.Body)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
+		var param any
+		for scanner.Scan() {
+			line := scanner.Bytes()
+			appendAPIResponseChunk(ctx, e.cfg, line)
+			if detail, ok := parseOpenAIStreamUsage(line); ok {
+				reporter.publish(ctx, detail)
+			}
+			chunks := sdktranslator.TranslateStream(ctx, to, from, req.Model, bytes.Clone(opts.OriginalRequest), body, bytes.Clone(line), &param)
+			for i := range chunks {
+				out <- cliproxyexecutor.StreamChunk{Payload: []byte(chunks[i])}
+			}
+		}
+		if err := scanner.Err(); err != nil {
+			out <- cliproxyexecutor.StreamChunk{Err: err}
+		}
+	}()
+
+	return out, nil
+}
+
+// CountTokens is not implemented for iFlow.
+func (e *IFlowExecutor) CountTokens(context.Context, *cliproxyauth.Auth, cliproxyexecutor.Request, cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
+	return cliproxyexecutor.Response{Payload: nil}, fmt.Errorf("not implemented")
+}
+
+// Refresh refreshes OAuth tokens and updates the stored API key.
+func (e *IFlowExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (*cliproxyauth.Auth, error) {
+	log.Debugf("iflow executor: refresh called")
+	if auth == nil {
+		return nil, fmt.Errorf("iflow executor: auth is nil")
+	}
+
+	refreshToken := ""
+	if auth.Metadata != nil {
+		if v, ok := auth.Metadata["refresh_token"].(string); ok {
+			refreshToken = strings.TrimSpace(v)
+		}
+	}
+	if refreshToken == "" {
+		return auth, nil
+	}
+
+	svc := iflowauth.NewIFlowAuth(e.cfg)
+	tokenData, err := svc.RefreshTokens(ctx, refreshToken)
+	if err != nil {
+		return nil, err
+	}
+
+	if auth.Metadata == nil {
+		auth.Metadata = make(map[string]any)
+	}
+	auth.Metadata["access_token"] = tokenData.AccessToken
+	if tokenData.RefreshToken != "" {
+		auth.Metadata["refresh_token"] = tokenData.RefreshToken
+	}
+	if tokenData.APIKey != "" {
+		auth.Metadata["api_key"] = tokenData.APIKey
+	}
+	auth.Metadata["expired"] = tokenData.Expire
+	auth.Metadata["type"] = "iflow"
+	auth.Metadata["last_refresh"] = time.Now().Format(time.RFC3339)
+
+	if auth.Attributes == nil {
+		auth.Attributes = make(map[string]string)
+	}
+	if tokenData.APIKey != "" {
+		auth.Attributes["api_key"] = tokenData.APIKey
+	}
+
+	return auth, nil
+}
+
+func applyIFlowHeaders(r *http.Request, apiKey string, stream bool) {
+	r.Header.Set("Content-Type", "application/json")
+	r.Header.Set("Authorization", "Bearer "+apiKey)
+	r.Header.Set("User-Agent", iflowUserAgent)
+	if stream {
+		r.Header.Set("Accept", "text/event-stream")
+	} else {
+		r.Header.Set("Accept", "application/json")
+	}
+}
+
+func iflowCreds(a *cliproxyauth.Auth) (apiKey, baseURL string) {
+	if a == nil {
+		return "", ""
+	}
+	if a.Attributes != nil {
+		if v := strings.TrimSpace(a.Attributes["api_key"]); v != "" {
+			apiKey = v
+		}
+		if v := strings.TrimSpace(a.Attributes["base_url"]); v != "" {
+			baseURL = v
+		}
+	}
+	if apiKey == "" && a.Metadata != nil {
+		if v, ok := a.Metadata["api_key"].(string); ok {
+			apiKey = strings.TrimSpace(v)
+		}
+	}
+	if baseURL == "" && a.Metadata != nil {
+		if v, ok := a.Metadata["base_url"].(string); ok {
+			baseURL = strings.TrimSpace(v)
+		}
+	}
+	return apiKey, baseURL
+}
+
+func ensureToolsArray(body []byte) []byte {
+	placeholder := `[{"type":"function","function":{"name":"noop","description":"Placeholder tool to stabilise streaming","parameters":{"type":"object"}}}]`
+	updated, err := sjson.SetRawBytes(body, "tools", []byte(placeholder))
+	if err != nil {
+		return body
+	}
+	return updated
+}

internal/runtime/executor/openai_compat_executor.go

@@ -40,8 +40,8 @@ func (e *OpenAICompatExecutor) PrepareRequest(_ *http.Request, _ *cliproxyauth.A
 
 func (e *OpenAICompatExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
 	baseURL, apiKey := e.resolveCredentials(auth)
-	if baseURL == "" || apiKey == "" {
-		return cliproxyexecutor.Response{}, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL or apiKey"}
+	if baseURL == "" {
+		return cliproxyexecutor.Response{}, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL"}
 	}
 	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
 
@@ -60,7 +60,9 @@ func (e *OpenAICompatExecutor) Execute(ctx context.Context, auth *cliproxyauth.A
 		return cliproxyexecutor.Response{}, err
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	if apiKey != "" {
+		httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	}
 	httpReq.Header.Set("User-Agent", "cli-proxy-openai-compat")
 
 	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
@@ -89,8 +91,8 @@ func (e *OpenAICompatExecutor) Execute(ctx context.Context, auth *cliproxyauth.A
 
 func (e *OpenAICompatExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (<-chan cliproxyexecutor.StreamChunk, error) {
 	baseURL, apiKey := e.resolveCredentials(auth)
-	if baseURL == "" || apiKey == "" {
-		return nil, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL or apiKey"}
+	if baseURL == "" {
+		return nil, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL"}
 	}
 	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
 	from := opts.SourceFormat
@@ -107,7 +109,9 @@ func (e *OpenAICompatExecutor) ExecuteStream(ctx context.Context, auth *cliproxy
 		return nil, err
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	if apiKey != "" {
+		httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	}
 	httpReq.Header.Set("User-Agent", "cli-proxy-openai-compat")
 	httpReq.Header.Set("Accept", "text/event-stream")
 	httpReq.Header.Set("Cache-Control", "no-cache")
@@ -129,8 +133,8 @@ func (e *OpenAICompatExecutor) ExecuteStream(ctx context.Context, auth *cliproxy
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
-		scanner.Buffer(buf, 1024*1024)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()
@@ -171,8 +175,8 @@ func (e *OpenAICompatExecutor) resolveCredentials(auth *cliproxyauth.Auth) (base
 		return "", ""
 	}
 	if auth.Attributes != nil {
-		baseURL = auth.Attributes["base_url"]
-		apiKey = auth.Attributes["api_key"]
+		baseURL = strings.TrimSpace(auth.Attributes["base_url"])
+		apiKey = strings.TrimSpace(auth.Attributes["api_key"])
 	}
 	return
 }

internal/runtime/executor/qwen_executor.go

@@ -126,8 +126,8 @@ func (e *QwenExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Aut
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
-		scanner.Buffer(buf, 1024*1024)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/translator/claude/gemini/claude_gemini_response.go

@@ -331,8 +331,8 @@ func ConvertClaudeResponseToGeminiNonStream(_ context.Context, modelName string,
 	streamingEvents := make([][]byte, 0)
 
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
-	scanner.Buffer(buffer, 10240*1024)
+	buffer := make([]byte, 20_971_520)
+	scanner.Buffer(buffer, 20_971_520)
 	for scanner.Scan() {
 		line := scanner.Bytes()
 		// log.Debug(string(line))

internal/translator/claude/openai/responses/claude_openai-responses_response.go

@@ -445,8 +445,8 @@ func ConvertClaudeResponseToOpenAIResponsesNonStream(_ context.Context, _ string
 		// Use a simple scanner to iterate through raw bytes
 		// Note: extremely large responses may require increasing the buffer
 		scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-		buf := make([]byte, 10240*1024)
-		scanner.Buffer(buf, 10240*1024)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
 		for scanner.Scan() {
 			line := scanner.Bytes()
 			if !bytes.HasPrefix(line, dataTag) {

internal/translator/codex/claude/codex_claude_response.go

@@ -181,8 +181,8 @@ func ConvertCodexResponseToClaude(_ context.Context, _ string, originalRequestRa
 //   - string: A Claude Code-compatible JSON response containing all message content and metadata
 func ConvertCodexResponseToClaudeNonStream(_ context.Context, _ string, originalRequestRawJSON, _ []byte, rawJSON []byte, _ *any) string {
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
-	scanner.Buffer(buffer, 10240*1024)
+	buffer := make([]byte, 20_971_520)
+	scanner.Buffer(buffer, 20_971_520)
 	revNames := buildReverseMapFromClaudeOriginalShortToOriginal(originalRequestRawJSON)
 
 	for scanner.Scan() {

internal/translator/codex/gemini/codex_gemini_response.go

@@ -153,8 +153,8 @@ func ConvertCodexResponseToGemini(_ context.Context, modelName string, originalR
 //   - string: A Gemini-compatible JSON response containing all message content and metadata
 func ConvertCodexResponseToGeminiNonStream(_ context.Context, modelName string, originalRequestRawJSON, requestRawJSON, rawJSON []byte, _ *any) string {
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
-	scanner.Buffer(buffer, 10240*1024)
+	buffer := make([]byte, 20_971_520)
+	scanner.Buffer(buffer, 20_971_520)
 	for scanner.Scan() {
 		line := scanner.Bytes()
 		// log.Debug(string(line))

internal/translator/codex/openai/responses/codex_openai-responses_request.go

@@ -34,9 +34,17 @@ func ConvertOpenAIResponsesRequestToCodex(modelName string, inputRawJSON []byte,
 	}
 
 	inputResult := gjson.GetBytes(rawJSON, "input")
-	inputResults := []gjson.Result{}
-	if inputResult.Exists() && inputResult.IsArray() {
-		inputResults = inputResult.Array()
+	var inputResults []gjson.Result
+	if inputResult.Exists() {
+		if inputResult.IsArray() {
+			inputResults = inputResult.Array()
+		} else if inputResult.Type == gjson.String {
+			newInput := `[{"type":"message","role":"user","content":[{"type":"input_text","text":""}]}]`
+			newInput, _ = sjson.Set(newInput, "0.content.0.text", inputResult.String())
+			inputResults = gjson.Parse(newInput).Array()
+		}
+	} else {
+		inputResults = []gjson.Result{}
 	}
 
 	extractedSystemInstructions := false

internal/translator/codex/openai/responses/codex_openai-responses_response.go

@@ -30,8 +30,8 @@ func ConvertCodexResponseToOpenAIResponses(ctx context.Context, modelName string
 // from a non-streaming OpenAI Chat Completions response.
 func ConvertCodexResponseToOpenAIResponsesNonStream(_ context.Context, modelName string, originalRequestRawJSON, requestRawJSON, rawJSON []byte, _ *any) string {
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
-	scanner.Buffer(buffer, 10240*1024)
+	buffer := make([]byte, 20_971_520)
+	scanner.Buffer(buffer, 20_971_520)
 	dataTag := []byte("data:")
 	for scanner.Scan() {
 		line := scanner.Bytes()

internal/watcher/watcher.go

@@ -430,8 +430,15 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 		}
 		fmt.Printf("config file changed, reloading: %s\n", w.configPath)
 		if w.reloadConfig() {
+			finalHash := newHash
+			if updatedData, errRead := os.ReadFile(w.configPath); errRead == nil && len(updatedData) > 0 {
+				sumUpdated := sha256.Sum256(updatedData)
+				finalHash = hex.EncodeToString(sumUpdated[:])
+			} else if errRead != nil {
+				log.WithError(errRead).Debug("failed to compute updated config hash after reload")
+			}
 			w.clientsMutex.Lock()
-			w.lastConfigHash = newHash
+			w.lastConfigHash = finalHash
 			w.clientsMutex.Unlock()
 		}
 		return
@@ -532,6 +539,21 @@ func (w *Watcher) reloadConfig() bool {
 		if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
 			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 		}
+		if oldConfig.RemoteManagement.SecretKey != newConfig.RemoteManagement.SecretKey {
+			switch {
+			case oldConfig.RemoteManagement.SecretKey == "" && newConfig.RemoteManagement.SecretKey != "":
+				log.Debug("  remote-management.secret-key: created")
+			case oldConfig.RemoteManagement.SecretKey != "" && newConfig.RemoteManagement.SecretKey == "":
+				log.Debug("  remote-management.secret-key: deleted")
+			default:
+				log.Debug("  remote-management.secret-key: updated")
+			}
+			if newConfig.RemoteManagement.SecretKey == "" {
+				log.Info("management routes will be disabled after secret key removal")
+			} else {
+				log.Info("management routes will be enabled after secret key update")
+			}
+		}
 		if oldConfig.RemoteManagement.DisableControlPanel != newConfig.RemoteManagement.DisableControlPanel {
 			log.Debugf("  remote-management.disable-control-panel: %t -> %t", oldConfig.RemoteManagement.DisableControlPanel, newConfig.RemoteManagement.DisableControlPanel)
 		}
@@ -799,23 +821,23 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 			base := strings.TrimSpace(compat.BaseURL)
 
 			// Handle new APIKeyEntries format (preferred)
+			createdEntries := 0
 			if len(compat.APIKeyEntries) > 0 {
 				for j := range compat.APIKeyEntries {
 					entry := &compat.APIKeyEntries[j]
 					key := strings.TrimSpace(entry.APIKey)
-					if key == "" {
-						continue
-					}
 					proxyURL := strings.TrimSpace(entry.ProxyURL)
 					idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
 					id, token := idGen.next(idKind, key, base, proxyURL)
 					attrs := map[string]string{
 						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
 						"base_url":     base,
-						"api_key":      key,
 						"compat_name":  compat.Name,
 						"provider_key": providerName,
 					}
+					if key != "" {
+						attrs["api_key"] = key
+					}
 					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
 						attrs["models_hash"] = hash
 					}
@@ -830,6 +852,7 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 						UpdatedAt:  now,
 					}
 					out = append(out, a)
+					createdEntries++
 				}
 			} else {
 				// Handle legacy APIKeys format for backward compatibility
@@ -843,10 +866,10 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 					attrs := map[string]string{
 						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
 						"base_url":     base,
-						"api_key":      key,
 						"compat_name":  compat.Name,
 						"provider_key": providerName,
 					}
+					attrs["api_key"] = key
 					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
 						attrs["models_hash"] = hash
 					}
@@ -860,8 +883,32 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 						UpdatedAt:  now,
 					}
 					out = append(out, a)
+					createdEntries++
 				}
 			}
+			if createdEntries == 0 {
+				idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+				id, token := idGen.next(idKind, base)
+				attrs := map[string]string{
+					"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
+					"base_url":     base,
+					"compat_name":  compat.Name,
+					"provider_key": providerName,
+				}
+				if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
+					attrs["models_hash"] = hash
+				}
+				a := &coreauth.Auth{
+					ID:         id,
+					Provider:   providerName,
+					Label:      compat.Name,
+					Status:     coreauth.StatusActive,
+					Attributes: attrs,
+					CreatedAt:  now,
+					UpdatedAt:  now,
+				}
+				out = append(out, a)
+			}
 		}
 	}
 	// Also synthesize auth entries directly from auth files (for OAuth/file-backed providers)

sdk/auth/iflow.go

@@ -0,0 +1,131 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/iflow"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/browser"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+	log "github.com/sirupsen/logrus"
+)
+
+// IFlowAuthenticator implements the OAuth login flow for iFlow accounts.
+type IFlowAuthenticator struct{}
+
+// NewIFlowAuthenticator constructs a new authenticator instance.
+func NewIFlowAuthenticator() *IFlowAuthenticator { return &IFlowAuthenticator{} }
+
+// Provider returns the provider key for the authenticator.
+func (a *IFlowAuthenticator) Provider() string { return "iflow" }
+
+// RefreshLead indicates how soon before expiry a refresh should be attempted.
+func (a *IFlowAuthenticator) RefreshLead() *time.Duration {
+	d := 3 * time.Hour
+	return &d
+}
+
+// Login performs the OAuth code flow using a local callback server.
+func (a *IFlowAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
+	if cfg == nil {
+		return nil, fmt.Errorf("cliproxy auth: configuration is required")
+	}
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	if opts == nil {
+		opts = &LoginOptions{}
+	}
+
+	authSvc := iflow.NewIFlowAuth(cfg)
+
+	oauthServer := iflow.NewOAuthServer(iflow.CallbackPort)
+	if err := oauthServer.Start(); err != nil {
+		if strings.Contains(err.Error(), "already in use") {
+			return nil, fmt.Errorf("iflow authentication server port in use: %w", err)
+		}
+		return nil, fmt.Errorf("iflow authentication server failed: %w", err)
+	}
+	defer func() {
+		stopCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if stopErr := oauthServer.Stop(stopCtx); stopErr != nil {
+			log.Warnf("iflow oauth server stop error: %v", stopErr)
+		}
+	}()
+
+	state, err := misc.GenerateRandomState()
+	if err != nil {
+		return nil, fmt.Errorf("iflow auth: failed to generate state: %w", err)
+	}
+
+	authURL, redirectURI := authSvc.AuthorizationURL(state, iflow.CallbackPort)
+
+	if !opts.NoBrowser {
+		fmt.Println("Opening browser for iFlow authentication")
+		if !browser.IsAvailable() {
+			log.Warn("No browser available; please open the URL manually")
+			util.PrintSSHTunnelInstructions(iflow.CallbackPort)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
+		} else if err = browser.OpenURL(authURL); err != nil {
+			log.Warnf("Failed to open browser automatically: %v", err)
+			util.PrintSSHTunnelInstructions(iflow.CallbackPort)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
+		}
+	} else {
+		util.PrintSSHTunnelInstructions(iflow.CallbackPort)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
+	}
+
+	fmt.Println("Waiting for iFlow authentication callback...")
+
+	result, err := oauthServer.WaitForCallback(5 * time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("iflow auth: callback wait failed: %w", err)
+	}
+	if result.Error != "" {
+		return nil, fmt.Errorf("iflow auth: provider returned error %s", result.Error)
+	}
+	if result.State != state {
+		return nil, fmt.Errorf("iflow auth: state mismatch")
+	}
+
+	tokenData, err := authSvc.ExchangeCodeForTokens(ctx, result.Code, redirectURI)
+	if err != nil {
+		return nil, fmt.Errorf("iflow authentication failed: %w", err)
+	}
+
+	tokenStorage := authSvc.CreateTokenStorage(tokenData)
+
+	email := strings.TrimSpace(tokenStorage.Email)
+	if email == "" {
+		return nil, fmt.Errorf("iflow authentication failed: missing account identifier")
+	}
+
+	fileName := fmt.Sprintf("iflow-%s.json", email)
+	metadata := map[string]any{
+		"email":         email,
+		"api_key":       tokenStorage.APIKey,
+		"access_token":  tokenStorage.AccessToken,
+		"refresh_token": tokenStorage.RefreshToken,
+		"expired":       tokenStorage.Expire,
+	}
+
+	fmt.Println("iFlow authentication successful")
+
+	return &coreauth.Auth{
+		ID:       fileName,
+		Provider: a.Provider(),
+		FileName: fileName,
+		Storage:  tokenStorage,
+		Metadata: metadata,
+		Attributes: map[string]string{
+			"api_key": tokenStorage.APIKey,
+		},
+	}, nil
+}

sdk/auth/refresh_registry.go

@@ -10,6 +10,7 @@ func init() {
 	registerRefreshLead("codex", func() Authenticator { return NewCodexAuthenticator() })
 	registerRefreshLead("claude", func() Authenticator { return NewClaudeAuthenticator() })
 	registerRefreshLead("qwen", func() Authenticator { return NewQwenAuthenticator() })
+	registerRefreshLead("iflow", func() Authenticator { return NewIFlowAuthenticator() })
 	registerRefreshLead("gemini", func() Authenticator { return NewGeminiAuthenticator() })
 	registerRefreshLead("gemini-cli", func() Authenticator { return NewGeminiAuthenticator() })
 	registerRefreshLead("gemini-web", func() Authenticator { return NewGeminiWebAuthenticator() })

sdk/cliproxy/service.go

@@ -232,10 +232,40 @@ func (s *Service) applyCoreAuthRemoval(ctx context.Context, id string) {
 	}
 }
 
+func openAICompatInfoFromAuth(a *coreauth.Auth) (providerKey string, compatName string, ok bool) {
+	if a == nil {
+		return "", "", false
+	}
+	if len(a.Attributes) > 0 {
+		providerKey = strings.TrimSpace(a.Attributes["provider_key"])
+		compatName = strings.TrimSpace(a.Attributes["compat_name"])
+		if providerKey != "" || compatName != "" {
+			if providerKey == "" {
+				providerKey = compatName
+			}
+			return strings.ToLower(providerKey), compatName, true
+		}
+	}
+	if strings.EqualFold(strings.TrimSpace(a.Provider), "openai-compatibility") {
+		return "openai-compatibility", strings.TrimSpace(a.Label), true
+	}
+	return "", "", false
+}
+
 func (s *Service) ensureExecutorsForAuth(a *coreauth.Auth) {
 	if s == nil || a == nil {
 		return
 	}
+	if compatProviderKey, _, isCompat := openAICompatInfoFromAuth(a); isCompat {
+		if compatProviderKey == "" {
+			compatProviderKey = strings.ToLower(strings.TrimSpace(a.Provider))
+		}
+		if compatProviderKey == "" {
+			compatProviderKey = "openai-compatibility"
+		}
+		s.coreManager.RegisterExecutor(executor.NewOpenAICompatExecutor(compatProviderKey, s.cfg))
+		return
+	}
 	switch strings.ToLower(a.Provider) {
 	case "gemini":
 		s.coreManager.RegisterExecutor(executor.NewGeminiExecutor(s.cfg))
@@ -250,6 +280,8 @@ func (s *Service) ensureExecutorsForAuth(a *coreauth.Auth) {
 		s.coreManager.RegisterExecutor(executor.NewCodexExecutor(s.cfg))
 	case "qwen":
 		s.coreManager.RegisterExecutor(executor.NewQwenExecutor(s.cfg))
+	case "iflow":
+		s.coreManager.RegisterExecutor(executor.NewIFlowExecutor(s.cfg))
 	default:
 		providerKey := strings.ToLower(strings.TrimSpace(a.Provider))
 		if providerKey == "" {
@@ -482,6 +514,10 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 		}
 	}
 	provider := strings.ToLower(strings.TrimSpace(a.Provider))
+	compatProviderKey, compatDisplayName, compatDetected := openAICompatInfoFromAuth(a)
+	if compatDetected {
+		provider = "openai-compatibility"
+	}
 	var models []*ModelInfo
 	switch provider {
 	case "gemini":
@@ -496,12 +532,23 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 		models = registry.GetOpenAIModels()
 	case "qwen":
 		models = registry.GetQwenModels()
+	case "iflow":
+		models = registry.GetIFlowModels()
 	default:
 		// Handle OpenAI-compatibility providers by name using config
 		if s.cfg != nil {
 			providerKey := provider
 			compatName := strings.TrimSpace(a.Provider)
 			isCompatAuth := false
+			if compatDetected {
+				if compatProviderKey != "" {
+					providerKey = compatProviderKey
+				}
+				if compatDisplayName != "" {
+					compatName = compatDisplayName
+				}
+				isCompatAuth = true
+			}
 			if strings.EqualFold(providerKey, "openai-compatibility") {
 				isCompatAuth = true
 				if a.Attributes != nil {
@@ -534,8 +581,13 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 					ms := make([]*ModelInfo, 0, len(compat.Models))
 					for j := range compat.Models {
 						m := compat.Models[j]
+						// Use alias as model ID, fallback to name if alias is empty
+						modelID := m.Alias
+						if modelID == "" {
+							modelID = m.Name
+						}
 						ms = append(ms, &ModelInfo{
-							ID:          m.Alias,
+							ID:          modelID,
 							Object:      "model",
 							Created:     time.Now().Unix(),
 							OwnedBy:     compat.Name,