Skip to content

Codex Remote Control Setup Not Working? Check Localhost Cookies

If Codex remote control setup is not working and the local callback fails with HTTP ERROR 431, the problem may not be Codex, OAuth, Chrome, or your callback handler.

It may be old cookies from unrelated local apps.

http://localhost:1455/auth/callback?code=REDACTED&state=REDACTED

Instead of completing the flow, Chrome shows something like:

HTTP ERROR 431

That error means the request headers are too large. In local dev, the oversized header is often Cookie.

The root cause

Cookies are scoped by host/domain, not by port. Cookies set on bare localhost can be sent to all of these:

localhost:3000
localhost:5173
localhost:1455

Those are different ports, but the same host.

So an app on localhost:3000, another app on localhost:5173, and a Codex callback on localhost:1455 can accidentally share the same cookie jar. Enough auth/session/analytics cookies pile up, the callback request gets too large, and setup fails with 431.

The same pattern can happen on bare 127.0.0.1.

How to check

Don't paste full callback URLs, Cookie headers, auth tokens, or browser storage dumps into chat tools or tickets. You only need names, hosts, and approximate sizes.

  1. Open the failed callback in Chrome.
  2. Open DevTools -> Network.
  3. Click the failed callback request.
  4. Look for a huge Cookie request header.
  5. Open DevTools -> Application -> Cookies.
  6. Check http://localhost and http://127.0.0.1.

Immediate fix

Clear stale cookies for the bloated local host, then retry Codex remote control setup.

In Chrome, go to DevTools -> Application -> Cookies, select http://localhost, and delete old cookies you do not need. Repeat for http://127.0.0.1 if you use it.

Prevention pattern

Use project-specific local hosts instead of bare localhost:

http://app-a.localhost:3000
http://app-b.localhost:5173
http://oauth-test.localhost:1455

Cookies from app-a.localhost will not be sent to app-b.localhost. If your tooling does not resolve those names automatically, add host entries:

127.0.0.1 app-a.localhost
127.0.0.1 app-b.localhost
127.0.0.1 oauth-test.localhost

Then configure each app's allowed callback URLs, CORS origins, auth redirect URLs, and cookie settings to use its project-specific host.

Checklist

- [ ] If Codex remote control setup fails with HTTP 431, inspect localhost cookies before changing OAuth code.
- [ ] Use a project-specific host such as `app-a.localhost`, not bare `localhost`.
- [ ] Keep each app's OAuth redirect URLs on that same project-specific host.
- [ ] Avoid sharing `127.0.0.1` across unrelated browser apps.
- [ ] Never paste full `Cookie` headers, auth callback URLs, or token-like values into logs or support threads.

The practical rule: ports separate servers, not cookies.