usemysub.com — OpenAI-compatible proxy that routes requests through your Codex subscription credentials.
Existing projects such as ephraimduncan/codex-cursor, Firzus/codex-cursor-proxy, and 0oAstro/codex-openai-proxy are useful prior art for request translation, model aliases, OAuth refresh, and SSE conversion. They are local CLI/server processes, often fronted by tunnels, and read a local ~/.codex/auth.json for one account. This project is greenfield because the target is Cloudflare-native, multi-user, server-side encrypted token storage with per-user Durable Object refresh serialization.
src/index.tsroutes Worker requests.src/openai-compatible.tsimplements/v1/models,/v1/chat/completions, and/v1/responses.src/auth.tsverifies proxy API keys by HMAC hash only.src/auth-broker.tsis a per-user Durable Object that serializes OAuth token refresh and persists rotated refresh tokens to D1.src/crypto.tsuses Web Crypto HMAC-SHA-256 for API key hashes and AES-GCM for encrypted token bundles.src/transform.tsconverts Chat Completions requests to Responses requests and Codex Responses SSE back to Chat Completions SSE.migrations/0001_init.sqlcreatesusers,api_keys, andcodex_tokens.
Install dependencies and generate Worker binding types:
npm install
npm run cf-typesCreate a D1 database and replace the placeholder database_id in wrangler.jsonc:
npx wrangler d1 create codex-proxy-db
npx wrangler d1 migrations apply codex-proxy-db --localSet secrets locally in .dev.vars and remotely with Wrangler. Use random values; do not reuse examples.
cp .dev.vars.example .dev.vars
npx wrangler secret put API_KEY_PEPPER
npx wrangler secret put TOKEN_ENCRYPTION_KEYTOKEN_ENCRYPTION_KEY must decode to exactly 32 bytes. A base64url value or a 64-character hex value is accepted.
Optional secrets and vars:
UPSTREAM_RELAY_TOKEN— shared secret for the upstream relay (X-Relay-Tokenheader). Set on both the Worker and relay container.ENABLE_EXTERNAL_RELAY=true— required to useCODEX_RELAY_URL(external relay hosts must end in.workers.devor.fly.dev).RESEND_API_KEY— Resend API key for magic-link sign-in emails (production).AUTH_FROM_EMAIL— verified sender, e.g.UseMySub <auth@usemysub.com>.PUBLIC_APP_ORIGIN— base URL for links in emails (defaults tohttps://usemysub.comin production).DEV_RETURN_MAGIC_LINK=true— local dev only: return the sign-in URL in the API response instead of sending email.
Each teammate must authenticate their own Codex CLI first so they have a local Codex auth file. Then import that file into D1:
TOKEN_ENCRYPTION_KEY="..." API_KEY_PEPPER="..." \
npm run provision -- \
--email teammate@example.com \
--display-name "Teammate" \
--auth-file ~/.codex/auth.jsonAdd --remote to write to the deployed D1 database. The script prints the proxy API key once; only its HMAC hash is stored.
Users can also sign up at /login with any email — a magic link creates the account on first sign-in. After sign-in, /onboarding walks through ChatGPT OAuth: open the sign-in link, then paste the http://localhost:1455/auth/callback?... redirect URL from your browser.
The CLI provision script remains available for admins who prefer importing ~/.codex/auth.json directly.
Sign in at /login with your email. UseMySub sends a one-time magic link (15 minute expiry). New accounts are created automatically on first sign-in.
Point any OpenAI-compatible client at:
- Base URL:
https://usemysub.com/v1 - API key: a generated
cpk_...proxy key from the dashboard - Model: one listed by
/v1/models, for examplegpt-5.5orgpt-5.5-codex
Codex is the only supported backend for now.
npm test
npm run typecheck
npm run deploy:dry-run
npx wrangler devThe real-account smoke test is disabled by default:
RUN_CODEX_SMOKE=1 CODEX_PROXY_BASE_URL="https://usemysub.com" CODEX_PROXY_API_KEY="cpk_..." npm testProduction is served at https://usemysub.com (HTTPS via Cloudflare Universal SSL on the custom domain routes in wrangler.jsonc).
Apply migrations remotely before first production use:
npx wrangler d1 migrations apply codex-proxy-db --remote
npm run deployThe domain must be on your Cloudflare account. Wrangler attaches usemysub.com and www.usemysub.com as custom domains and provisions DNS + TLS automatically on deploy.
Before team rollout, verify that proxying subscription-backed Codex access for this use case is allowed by the relevant OpenAI/Codex terms. Do not share one user's subscription credentials across the team; each proxy key should map to that user's own Codex account.
The container and Fly relay forward Codex traffic. Do not expose a relay publicly without UPSTREAM_RELAY_TOKEN authentication. The Worker sends X-Relay-Token when the secret is configured.
CODEX_RELAY_URL redirects all upstream Codex traffic to an external URL and is only honored when ENABLE_EXTERNAL_RELAY=true with an allowlisted host suffix.