Files
codex-oauth-plus-onboarding…/skill/codex-oauth-plus-onboarding/references/openai-phone-long-run-335-and-workspace-pitfalls-2026-05-11.md
T

4.4 KiB
Raw Blame History

OpenAI phone verification long-run + post-phone OAuth pitfalls (2026-05-11)

Session-specific notes from a long Codex/CPA onboarding run using ClawEmail + 5sim + visible Chrome/CDP.

Outcome

  • Account: chickliu.efxudmrg@claw.163.com.
  • Phone verification finally received SMS on activation 1007069622.
  • Successful country: indonesia (+62).
  • Total real 5sim activations used before SMS success: 335.
  • no free phones was not counted; only bought activation ids counted.

Long-run runner lessons

  1. For “run until it works”, persist counters in a state file on every bought activation:
    • current_activation_id
    • new_numbers
    • total_numbers
    • country
  2. Add a large but explicit safety cap, e.g. MAX_NEW_NUMBERS=300, so runaway spend is bounded while still honoring “run until success”.
  3. Always write the latest activation id to /tmp/current_fivesim_activation_id.txt so an interrupted runner can check/cancel/finish the order.
  4. CDP WebSocketTimeoutException during submit/verification should be treated as automation failure, not proof of phone failure. Immediately inspect:
    • runner tail
    • state file
    • current activation id
    • 5sim /user/check/<activation_id>
  5. If logs show sms_received before the crash, do not buy more numbers. Resume code submission against the existing RECEIVED activation.

SMS code extraction pitfall

The first generic regex (?<!\d)(\d{4,8})(?!\d) selected a 4-digit substring from the SMS/order text while OpenAIs page required exactly 6 characters.

Preferred extraction:

cands = re.findall(r'(?<!\d)(\d{6})(?!\d)', text)
if not cands:
    cands = re.findall(r'(?<!\d)(\d{4,8})(?!\d)', text)
code = cands[-1] if cands else ''

Check the OpenAI page text for “验证码应正好包含 6 个字符” / “code should contain exactly 6 characters” and prefer 6-digit candidates when present.

5sim finish ordering pitfall

If an incorrect/truncated code was submitted but the correct SMS was already retrieved, the order may have been FINISHED prematurely. This does not necessarily prevent submitting the correct code to OpenAI if the code is already known, but future runners should only call /user/finish/<activation_id> after OpenAI leaves phone-verification.

About-you form pitfall

OpenAI about-you had visible required fields:

input[name=name]
input[name=age]
input[name=birthday] hidden

A naive loop that wrote Boss into all visible inputs left validation errors. Use native React-compatible setters by name:

function setVal(sel, val) {
  const el = document.querySelector(sel);
  const proto = HTMLInputElement.prototype;
  Object.getOwnPropertyDescriptor(proto, 'value').set.call(el, val);
  el.dispatchEvent(new Event('input', {bubbles:true}));
  el.dispatchEvent(new Event('change', {bubbles:true}));
}
setVal('input[name=name]', 'Boss');
setVal('input[name=age]', '35');
setVal('input[name=birthday]', '1991-01-01');

After phone + about-you success, Codex OAuth consent can fail with:

hydra_api_accept_login_request_error
Workspaces not found in client auth session

Observed state:

  • auth.openai.com/sign-in-with-chatgpt/codex/consent showed the account email and a Continue button.
  • Clicking Continue produced “Workspaces not found in client auth session”.
  • Opening https://chatgpt.com/ in the same profile showed not logged in (“登录 / 免费注册”), so ChatGPT workspace/session was not initialized despite OpenAI auth phone completion.

Recommended recovery:

  1. Do not buy more phone numbers; phone verification is done.
  2. Initialize/login ChatGPT in the same visible Chrome profile first.
  3. Then generate a fresh CPA OAuth URL and redo Codex consent.
  4. If password login fails for the freshly created account, avoid stale OAuth states; use a fresh CPA URL and the visible ChatGPT/OpenAI login path. OTP links on stale password pages can return invalid_state.

CDP navigation pitfall

Runtime.evaluate(... awaitPromise=True) around a click that navigates may fail with:

Inspected target navigated or closed

For navigation clicks, prefer:

  1. Inspect current DOM.
  2. Execute a non-awaited click (awaitPromise=False) or dispatch input/click and close the websocket.
  3. Sleep briefly.
  4. Reattach to the current tab via /json/list and inspect the new URL.

This avoids treating a normal navigation as a fatal browser failure.