My AI Told Me This Feature Was Fake: It Was Wrong
How I cut OpenClaw API costs from $10/day to $0 by arguing with my own AI agent about whether OAuth subscription auth was real.
I run OpenClaw, a multi-agent AI system, on my homelab Kubernetes cluster. Seven agents (an orchestrator, researchers, coders, reviewers), all routing through OpenRouter's API. The bill was running $5-10 per day. That's $150-300 per month in variable API costs. Meanwhile, I'm paying $20/month for ChatGPT Plus, which includes access to the same class of models I was paying per-token for. The math didn't make sense.
This is the second half of a cost optimization story. The first half covered Life Hub, my personal dashboard, where Claude Desktop pre-computes LLM outputs using my Claude Pro subscription instead of making paid Haiku API calls. Together, these two changes took my AI infrastructure from ~$230/month in variable API costs to effectively $0, on top of $40/month in subscriptions I was already paying for.
The Numbers Before
| System | Monthly Cost | How |
|---|---|---|
| OpenClaw (7 agents) | $150-300 | OpenRouter API per-token |
| Life Hub (pre-computable) | $2-5 | Anthropic Haiku API per-token |
| Life Hub (event-driven) | $1-2 | Anthropic Haiku API per-token |
| Total variable | $153-307 |
And I was already paying $20/month for ChatGPT Plus and $20/month for Claude Pro. Fixed costs I'd pay regardless.
The Argument
I asked Henry, OpenClaw's orchestrator agent, to set up OAuth subscription auth so the agents could route through my ChatGPT Plus subscription instead of burning API credits. His response was immediate and confident:
"OAuth via ChatGPT Plus: same story as Gemini. ChatGPT Plus is a consumer subscription; it doesn't expose an OAuth flow that OpenClaw (or any third-party app) can plug into. Full stop."
He was sure. He cited the separation between OpenAI's API and ChatGPT Plus as separate products. He flagged the Reddit posts I'd referenced as "hallucinated features." He pushed back three times. When I sent him a Reddit post about it, he read it and called out the fake parts (correctly identifying that the Gemini OAuth method was fiction) but dismissed the OpenAI Codex OAuth method along with it.
He was wrong about Codex.
I pointed him to the official OpenClaw documentation, which explicitly states: "OpenAI Codex OAuth is explicitly supported for use outside the Codex CLI, including OpenClaw workflows." The docs describe the full PKCE flow, the callback URL, the token storage format, everything.
To Henry's credit, once he read the actual docs, he corrected himself immediately: "You're right. I owe you a correction. OAuth is a real OpenClaw feature, and I was wrong to dismiss it so flatly." No hedging, no saving face. Just a clean reversal.
The meta-lesson: AI agents can be overconfident about what's "fake," especially when the information involves newer capabilities that postdate their training data. A good agent has strong opinions weakly held, and knows when to check the docs instead of arguing from priors. Henry got there, it just took pointing him at the source.
The Kubernetes Problem
Even after Henry conceded the feature was real, we hit a wall. OpenClaw runs in a Kubernetes pod on Talos Linux: an immutable, API-only OS with no SSH, no desktop, no browser. The OAuth flow needs three things that don't exist inside a container:
- An interactive TTY for the onboarding wizard
- A browser to authenticate with OpenAI
- A callback listener on
127.0.0.1:1455to receive the authorization code
The solution bridges the headless pod and the Mac where I have a browser:
# Terminal 1 — Route the OAuth callback into the pod
kubectl port-forward -n openclaw deploy/openclaw 1455:1455
# Terminal 2 — Run the onboard wizard with a TTY
kubectl exec -it -n openclaw deploy/openclaw -c openclaw -- sh -c 'openclaw onboard --auth-choice openai-codex --accept-risk'When the wizard generates the OAuth URL, you copy it and open it in your Mac's browser. After authenticating with your ChatGPT account, the browser redirects to http://127.0.0.1:1455/auth/callback?code=.... The port-forward catches that redirect and routes it into the pod, where the onboard wizard is waiting for it.
The Debugging
It wasn't smooth. A few things bit us:
Shell splitting. The kubectl exec command kept getting split across lines by zsh, causing the inner command to be interpreted as a separate shell command. The fix: wrap everything in sh -c '...' with single quotes.
Missing plugin vs built-in flow. We first tried openclaw models auth login --provider openai, which requires a provider plugin. But the OpenAI Codex OAuth flow is built into the onboard wizard, not a plugin. The error ("Unknown provider 'openai'. Loaded providers: ollama, sglang, vllm") sent us down the wrong path before we realized the correct entry point was onboard --auth-choice openai-codex.
OpenAI outage. The first successful OAuth attempt hit OpenAI's consent page and got "Service Unavailable." We waited, retried, and it worked on the second attempt.
Ephemeral config. Henry updated the config inside the pod, but the pod filesystem is ephemeral. The change was wiped on the next restart. The fix: update the Kubernetes ConfigMap in the GitOps repo so the config survives pod restarts. The OAuth token itself lives on a persistent volume, so it was fine.
The Configuration Change
Once authenticated, we switched all seven agents from OpenRouter (paid per-token) to the Codex subscription as primary, with OpenRouter as fallback:
| Agent | Primary | Fallback |
| ----------------------------- | --------------------------- | ----------------------- |
| Henry, Kit | openai-codex/gpt-5.3-codex | Opus → Sonnet (OR) |
| Petra, Thane, Margaux, Callum | openai-codex/gpt-5.3-codex | Sonnet → Haiku (OR) |
| Declan | openai-codex/gpt-5.3-codex | Haiku → Sonnet (OR) |Every agent hits the ChatGPT subscription first. If Codex is unavailable (rate limit, outage, token expired), it falls back to OpenRouter automatically.
Token Management
The access token expires in 10 days, but OpenClaw handles refresh automatically. The refresh token itself lasts 30-90 days. When that expires, you need to redo the browser-based OAuth dance: there's no way to automate the interactive login headlessly. Henry added a heartbeat check that alerts me at 7 days before expiry with the exact kubectl commands to re-auth.
One gotcha the docs warn about: if you authenticate with OpenAI from both OpenClaw and the Codex CLI, one of them may get logged out. OpenAI can invalidate older refresh tokens when new ones are issued. The fix: only authenticate through OpenClaw.
The Full Cost Picture
Combined with the Life Hub pre-computed cache from the same weekend:
| System | Before | After | How |
|---|---|---|---|
| OpenClaw (7 agents) | $150-300/mo | $0 | ChatGPT Plus OAuth |
| Life Hub (pre-computable) | $2-5/mo | ~$0 | Claude Desktop pre-compute |
| Life Hub (event-driven) | $1-2/mo | $1-2/mo | Still Haiku API (Phase 3) |
| Total variable | $153-307/mo | ~$1-2/mo | |
| Subscriptions (fixed) | $40/mo | $40/mo | ChatGPT Plus + Claude Pro |
The remaining $1-2/month is Life Hub's event-driven LLM calls: trigger commentary, thought classification, journal sentiment analysis, advisor chat. These fire in response to user actions and can't be pre-computed. Phase 3 of the roadmap routes these through the Codex OAuth token too, which would bring variable costs to true zero.
The Pattern
Both optimizations exploit the same arbitrage: subscription pricing includes models at fixed cost that are expensive per-token via API.
- Claude Desktop (Claude Pro, $20/mo) → pre-computes Life Hub content with Opus every 2 hours
- ChatGPT Plus ($20/mo) → routes all OpenClaw agent work through Codex OAuth
- API keys → fallback only, fires 5% of the time on rate limits or outages
The fallback is what makes it production-viable. Subscriptions have rate limits, outages, token expiry. The per-token API is always there as a safety net. You get the cost savings 95% of the time and graceful degradation the other 5%.
The tools are here. The subscription model creates an arbitrage opportunity, and the AI agents are learning to exploit it, once you convince them the feature actually exists.