LoginWithChatGPT: Codex Subscription OAuth for Your App

On June 26, 2026, Savio Martin — 19-year-old co-founder and CTO of Result — posted an experiment that hit 186K+ views on X in hours: <LoginWithChatGPT />.

The pitch: embed a "Login with ChatGPT" button on your site. Users authorize with a one-time device code from ChatGPT settings. Your app runs prompts through Codex (demo uses gpt-5.5-codex-fast) — and usage draws from the user's ChatGPT plan, not your OpenAI API bill.

Demo: login-with-chatgpt.vercel.app

People immediately split into two camps: indie builders calling it genius for reviving side projects without API invoices, and compliance-minded developers asking whether it violates OpenAI's terms and triggers account bans — the same debate that already burned the Claude subscription reseller ecosystem.

This post answers what people actually search after seeing the thread — not a hype recap.

TL;DR

What problem does LoginWithChatGPT solve?

Indie SaaS math is brutal in 2026: every user prompt on gpt-5.5 or gpt-5.5-codex-fast at API rates adds up fast — especially agentic flows that burn 10×–100× more tokens than chat.

Subscription plans (ChatGPT Plus, Pro, Go) bundle model access at flat monthly prices tuned for human-shaped usage — not unlimited third-party inference farms, but enough that a single-user demo app can feel "free" to the developer if each visitor pays with their own plan.

LoginWithChatGPT externalizes inference cost exactly like OpenClaw's Codex OAuth path — except aimed at embedded web UX instead of a local terminal harness.

The demo site's copy states it plainly:

Add a Login with ChatGPT button to your site. Let users log in with their personal ChatGPT account and run prompts on it. You never pay OpenAI for usage. Works on any plan: Free, Go, Plus, or Pro.

Sample code from the live demo:

const codex = new Codex();

const res = await codex.responses.create({
  model: "gpt-5.5-codex-fast",
  input: "Write a haiku about the ocean.",
});

Output streams in the browser after the user completes device authorization.

How does the login flow work?

The implementation reverse-engineers OpenAI Codex CLI device authentication — the same family of flow CLI tools use when you codex login — into something web apps can trigger.

User steps (from the demo):

1. Click Login with ChatGPT
2. Browser opens ChatGPT; user enters a one-time code shown in your app
3. First-time setup: enable device code authorization for Codex under ChatGPT Settings → Security & Login
4. App receives authorized session; Codex SDK calls proceed against that user's entitlement

Savio described it on X as building "OAuth inside web/mobile" on top of a flow OpenAI already exposes for CLI and tools like OpenClaw and Hermes — not inventing a new backend API.

Security questions developers raised: token storage, session hijacking, and whether device codes belong in third-party origins at all. Savio has not published a full security model yet — another reason to treat this as experiment-only.

For end users: logging into a random site with your ChatGPT account is the same trust decision as "Sign in with Google" — you are granting a third party ability to spend your model quota. Read what the app requests; revoke device codes in ChatGPT settings if you stop using the app.

Is it against OpenAI's terms of service?

Nobody has a definitive yes/no — including Savio.

On X, developer Eli Abdeen asked the obvious question: "doesn't this violate their terms? if a site is trying to connect gpt models... it should be from the api right?"

Savio's reply (June 26–27, 2026):

OpenAI claims to allow 3rd party apps to access Codex via CLI — ie how OpenClaw/hermes access it. I reverse engineered a way to build this as an OAuth inside web/mobile. not sure how compliant this is to their TOS — Waiting for OpenAI to respond before open sourcing this

explainx.ai read: three layers of risk:

Similar services like usemysub.com already operate in this gray zone. That is not proof of safety — it is proof OpenAI has tolerated some patterns while Anthropic actively did not for Claude.

Do not ship production revenue on "OpenAI hasn't stopped me yet."

Who pays? Subscription vs API economics

This is the same wallet routing debate as Sam Altman's metered-utility vision vs flat subscriptions — except LoginWithChatGPT lets founders externalize metered cost to users' flat plans, which OpenAI may view as arbitrage if usage scales.

Savio confirmed in replies: all usage passes to the user's active subscription, including users on ChatGPT Free — with the obvious caveat that free tiers hit walls quickly on codex-fast workloads.

Why hasn't OpenAI shipped this officially?

Peer Richelsen (Cal.com) summarized the product gap: surprised OpenAI has not shipped first-party "Login with ChatGPT for developers" OAuth for embedded apps.

Plausible reasons OpenAI moves slowly:

• Subscription economics — embedding plan quota in arbitrary third-party sites breaks usage forecasting
• Abuse surface — same class of problem as 25,000 fake accounts distilling Claude, but on OpenAI's consumer graph
• GPT-5.6 gating — limited preview with government vetting shows frontier models already under access control; consumer OAuth bridges make that harder to enforce
• ChatGPT Apps / platform play — OpenAI may prefer partners inside a sanctioned store over arbitrary <LoginWithChatGPT /> embeds

Marko Kraemer noted on X that teams like Kortix are already "CODEX SUB MAXXING" — treating ChatGPT/Codex subscriptions as the default inference wallet for agent products, which makes LoginWithChatGPT less a novelty and more an inevitable product shape.

Comparisons developers ask about

vs OpenClaw + Codex OAuth

OpenClaw authenticates locally — user's machine, user's subscription, user's risk. LoginWithChatGPT moves that pattern to multi-tenant web where your users log in through your domain. Higher leverage for SaaS; higher TOS and security scrutiny.

vs usemysub.com and subscription resellers

Reseller APIs pool or route subscription credentials server-side — often opaque to end users. LoginWithChatGPT is transparent BYOS (bring your own subscription): users know they are spending their ChatGPT quota. Regulators and platforms may treat both similarly if scale grows.

vs Pi /login and harness OAuth

Pi documents /login for subscription OAuth providers in a local harness context. Same economic idea — subscription instead of API key — different deployment surface (terminal TUI vs React component).

vs official Codex in Claude Code / Codex CLI

First-party tools are always the safe path. Compare stacks in our Codex vs Claude Code guide if you are choosing a harness anyway.

Should Savio open-source it?

The X thread's most-liked replies say yes — democratize the pattern. Savio's restraint (wait for OpenAI) is the responsible move:

• Legal clarity benefits everyone — users, Result, and OpenAI
• Open-sourcing before TOS read accelerates abuse clones (wrappers, resellers, malware login pages)
• A blessed OpenAI embed would obsolete the hack overnight — or trigger enforcement against forks

If OpenAI blesses CLI-adjacent OAuth for web, expect an official component. If they condemn it, early adopters face retroactive enforcement.

What should builders do today?

Safe paths:

• Production SaaS → OpenAI API keys with clear user billing; see Claude/OpenAI pricing guides for comparison math
• Personal agents → Codex CLI, Claude Code, or OpenClaw on your machine with your subscription
• Cost control → token governance and prompt caching — do not rely on subscription arbitrage at scale

Experiment paths:

• Fork the demo UX locally; do not collect user ChatGPT credentials on shared infra without a security review
• Watch Savio's X and login-with-chatgpt.vercel.app for OSS drop and OpenAI statement
• Assume GPT-5.6 preview gating is the direction — consumer subscription bridges may narrow, not widen

Where this fits the 2026 access-control stack

June 2026 is the month frontier access became political: Fable 5 suspended, Mythos partial restore for critical infrastructure, GPT-5.6 preview vetted by Washington. LoginWithChatGPT is the indie hacker mirror image — routing around developer API bills by piggybacking consumer entitlements.

OpenAI and Anthropic are not symmetric: OpenAI enabled Codex OAuth for OpenClaw; Anthropic closed subscription loops for third parties. LoginWithChatGPT tests how far OpenAI's permissive side stretches into embedded web before someone gets banned.

Related reading

• OpenClaw meets ChatGPT Plus — subscription vs API
• Why AI companies want you using agents — token economics
• AI token black market and Claude resellers
• Is OpenClaw safe? Anthropic subscription boundaries
• Codex vs Claude Code comparison
• Pi harness /login and providers

Primary sources: login-with-chatgpt.vercel.app · Savio Martin's June 26, 2026 X thread on LoginWithChatGPT · OpenAI Codex documentation

Demo behavior, model ids, and TOS posture reflect public posts and the live demo as of June 27, 2026. OpenAI has not issued a public response to LoginWithChatGPT at publish time — verify before production use.