diff --git a/.gitignore b/.gitignore
index 317e7b71c5..7978b509f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,6 +41,7 @@ Thumbs.db
 .idea/
 .vscode/
 .claude/
+.ag/
 *.swp
 *.swo
 *~
@@ -48,3 +49,7 @@ Thumbs.db
 
 # Personal deploy scripts
 scripts/deploy-remote.sh
+
+# OpenCode repo-local state
+.ag/logs/
+.beads/
diff --git a/Cargo.lock b/Cargo.lock
index 2ca1a27262..19fbc32bf3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4232,6 +4232,7 @@ dependencies = [
  "openfang-memory",
  "openfang-skills",
  "openfang-types",
+ "rand 0.8.5",
  "regex-lite",
  "reqwest 0.12.28",
  "rmcp",
diff --git a/crates/openfang-api/src/middleware.rs b/crates/openfang-api/src/middleware.rs
index 702a66be4a..fc4ecf4042 100644
--- a/crates/openfang-api/src/middleware.rs
+++ b/crates/openfang-api/src/middleware.rs
@@ -135,6 +135,10 @@ pub async fn auth(
         || path == "/api/logs/stream"  // SSE stream, read-only
         || (path.starts_with("/api/cron/") && is_get)
         || path.starts_with("/api/providers/github-copilot/oauth/")
+        || path.starts_with("/api/providers/openai-codex/oauth/")
+        || path.starts_with("/api/providers/gemini-oauth/oauth/")
+        || path.starts_with("/api/providers/qwen-oauth/oauth/")
+        || path.starts_with("/api/providers/minimax-oauth/oauth/")
         || path == "/api/auth/login"
         || path == "/api/auth/logout"
         || (path == "/api/auth/check" && is_get);
@@ -411,4 +415,48 @@ mod tests {
         let resp = app.oneshot(req).await.unwrap();
         assert_eq!(resp.status(), StatusCode::OK);
     }
+
+    #[test]
+    fn test_public_endpoint_paths() {
+        // Verify key GET endpoints are recognized as public
+        let is_get = true;
+        let public_get_paths = [
+            "/api/health",
+            "/api/health/detail",
+            "/api/status",
+            "/api/version",
+            "/api/agents",
+            "/api/models",
+            "/api/providers",
+            "/api/budget",
+        ];
+        for path in &public_get_paths {
+            let is_public = *path == "/"
+                || *path == "/api/health"
+                || *path == "/api/health/detail"
+                || *path == "/api/status"
+                || *path == "/api/version"
+                || (*path == "/api/agents" && is_get)
+                || (*path == "/api/models" && is_get)
+                || (*path == "/api/providers" && is_get)
+                || (*path == "/api/budget" && is_get);
+            assert!(is_public, "Expected {} to be public", path);
+        }
+    }
+
+    #[test]
+    fn test_oauth_routes_are_public() {
+        // OAuth routes should be public (don't require auth)
+        let copilot_start = "/api/providers/github-copilot/oauth/start";
+        let copilot_poll = "/api/providers/github-copilot/oauth/poll/abc123";
+        let codex_start = "/api/providers/openai-codex/oauth/start";
+        let gemini_start = "/api/providers/gemini-oauth/oauth/start";
+        let qwen_start = "/api/providers/qwen-oauth/oauth/start";
+        let minimax_start = "/api/providers/minimax-oauth/oauth/start";
+
+        let all_oauth = vec![copilot_start, copilot_poll, codex_start, gemini_start, qwen_start, minimax_start];
+        for path in &all_oauth {
+            assert!(path.starts_with("/api/providers/"), "Expected {} to be OAuth route", path);
+        }
+    }
 }
diff --git a/crates/openfang-api/src/routes.rs b/crates/openfang-api/src/routes.rs
index 14a2debfe4..1447a9012c 100644
--- a/crates/openfang-api/src/routes.rs
+++ b/crates/openfang-api/src/routes.rs
@@ -8497,6 +8497,46 @@ fn remove_secret_env(path: &std::path::Path, key: &str) -> Result<(), std::io::E
     Ok(())
 }
 
+// ── OAuth token persistence helpers ────────────────────────────────────
+
+/// Persist a single OAuth secret to vault, secrets.env, and the process env.
+fn persist_oauth_secret(state: &AppState, env_var: &str, value: &str) -> Result<(), String> {
+    state.kernel.store_credential(env_var, value);
+    let secrets_path = state.kernel.config.home_dir.join("secrets.env");
+    write_secret_env(&secrets_path, env_var, value)
+        .map_err(|e| format!("Failed to save {env_var}: {e}"))?;
+    std::env::set_var(env_var, value);
+    Ok(())
+}
+
+/// Persist an `OAuthTokenSet` to multiple env vars (de-duplicated).
+///
+/// * `access_env_vars` — one or more env var names that should receive the access token.
+/// * `refresh_env_var` — optional env var name for the refresh token.
+fn persist_oauth_tokens(
+    state: &AppState,
+    access_env_vars: &[&str],
+    refresh_env_var: Option<&str>,
+    tokens: &openfang_runtime::oauth_providers::OAuthTokenSet,
+) -> Result<(), String> {
+    let mut persisted = std::collections::BTreeSet::new();
+    for env_var in access_env_vars {
+        if persisted.insert(*env_var) {
+            persist_oauth_secret(state, env_var, &tokens.access_token)?;
+        }
+    }
+    if let (Some(env_var), Some(refresh_token)) = (refresh_env_var, tokens.refresh_token.as_deref()) {
+        persist_oauth_secret(state, env_var, refresh_token)?;
+    }
+    state
+        .kernel
+        .model_catalog
+        .write()
+        .unwrap_or_else(|e| e.into_inner())
+        .detect_auth();
+    Ok(())
+}
+
 // ── Config.toml channel management helpers ──────────────────────────
 
 /// Upsert a `[channels.<name>]` section in config.toml with the given non-secret fields.
@@ -11679,6 +11719,472 @@ pub async fn copilot_oauth_poll(
     }
 }
 
+// ---------------------------------------------------------------------------
+// OpenAI Codex OAuth endpoints
+// ---------------------------------------------------------------------------
+
+/// Active Codex OAuth flows, keyed by poll_id.
+static CODEX_FLOWS: LazyLock<DashMap<String, CodexFlowState>> = LazyLock::new(DashMap::new);
+
+struct CodexFlowState {
+    device_code: String,
+    interval: u64,
+    expires_at: Instant,
+}
+
+/// POST /api/providers/openai-codex/oauth/start
+pub async fn openai_codex_oauth_start() -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::openai_codex_start_device_flow;
+
+    // Clean up expired flows first
+    CODEX_FLOWS.retain(|_, state| state.expires_at > Instant::now());
+
+    match openai_codex_start_device_flow().await {
+        Ok(resp) => {
+            let poll_id = uuid::Uuid::new_v4().to_string();
+            let interval = resp.interval.unwrap_or(5);
+
+            CODEX_FLOWS.insert(
+                poll_id.clone(),
+                CodexFlowState {
+                    device_code: resp.device_code,
+                    interval,
+                    expires_at: Instant::now() + std::time::Duration::from_secs(resp.expires_in),
+                },
+            );
+
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({
+                    "user_code": resp.user_code,
+                    "verification_uri": resp.verification_uri,
+                    "poll_id": poll_id,
+                    "expires_in": resp.expires_in,
+                    "interval": interval,
+                })),
+            )
+        }
+        Err(e) => (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(serde_json::json!({ "error": e })),
+        ),
+    }
+}
+
+/// GET /api/providers/openai-codex/oauth/poll/{poll_id}
+pub async fn openai_codex_oauth_poll(
+    State(state): State<Arc<AppState>>,
+    Path(poll_id): Path<String>,
+) -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::{openai_codex_poll_device_flow, DeviceFlowStatus};
+
+    let flow = match CODEX_FLOWS.get(&poll_id) {
+        Some(f) => f,
+        None => {
+            return (
+                StatusCode::NOT_FOUND,
+                Json(serde_json::json!({"status": "not_found", "error": "Unknown poll_id"})),
+            )
+        }
+    };
+
+    if flow.expires_at <= Instant::now() {
+        drop(flow);
+        CODEX_FLOWS.remove(&poll_id);
+        return (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "expired"})),
+        );
+    }
+
+    let device_code = flow.device_code.clone();
+    drop(flow);
+
+    match openai_codex_poll_device_flow(&device_code).await {
+        DeviceFlowStatus::Complete { tokens } => {
+            if let Err(e) = persist_oauth_tokens(
+                &state,
+                &["OPENAI_API_KEY", "OPENAI_CODEX_OAUTH_TOKEN"],
+                Some("OPENAI_CODEX_OAUTH_REFRESH_TOKEN"),
+                &tokens,
+            ) {
+                return (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    Json(serde_json::json!({"status": "error", "error": e})),
+                );
+            }
+
+            CODEX_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "complete"})),
+            )
+        }
+        DeviceFlowStatus::Pending => (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "pending"})),
+        ),
+        DeviceFlowStatus::SlowDown { new_interval } => {
+            if let Some(mut flow) = CODEX_FLOWS.get_mut(&poll_id) {
+                flow.interval = new_interval;
+            }
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "pending", "interval": new_interval})),
+            )
+        }
+        DeviceFlowStatus::Expired => {
+            CODEX_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "expired"})),
+            )
+        }
+        DeviceFlowStatus::AccessDenied => {
+            CODEX_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "denied"})),
+            )
+        }
+        DeviceFlowStatus::Error(e) => (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "error", "error": e})),
+        ),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Gemini OAuth endpoints
+// ---------------------------------------------------------------------------
+
+/// Active Gemini OAuth flows, keyed by poll_id.
+static GEMINI_FLOWS: LazyLock<DashMap<String, GeminiFlowState>> = LazyLock::new(DashMap::new);
+
+struct GeminiFlowState {
+    device_code: String,
+    interval: u64,
+    expires_at: Instant,
+}
+
+/// POST /api/providers/gemini-oauth/oauth/start
+pub async fn gemini_oauth_start() -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::gemini_start_device_flow;
+
+    // Clean up expired flows first
+    GEMINI_FLOWS.retain(|_, state| state.expires_at > Instant::now());
+
+    match gemini_start_device_flow().await {
+        Ok(resp) => {
+            let poll_id = uuid::Uuid::new_v4().to_string();
+            let interval = resp.interval.unwrap_or(5);
+
+        GEMINI_FLOWS.insert(
+            poll_id.clone(),
+            GeminiFlowState {
+                device_code: resp.device_code,
+                interval,
+                expires_at: Instant::now() + std::time::Duration::from_secs(resp.expires_in),
+            },
+        );
+
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({
+                    "user_code": resp.user_code,
+                    "verification_uri": resp.verification_uri,
+                    "poll_id": poll_id,
+                    "expires_in": resp.expires_in,
+                    "interval": interval,
+                })),
+            )
+        }
+        Err(e) => (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(serde_json::json!({ "error": e })),
+        ),
+    }
+}
+
+/// GET /api/providers/gemini-oauth/oauth/poll/{poll_id}
+pub async fn gemini_oauth_poll(
+    State(state): State<Arc<AppState>>,
+    Path(poll_id): Path<String>,
+) -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::{gemini_poll_device_flow, DeviceFlowStatus};
+
+    let flow = match GEMINI_FLOWS.get(&poll_id) {
+        Some(f) => f,
+        None => {
+            return (
+                StatusCode::NOT_FOUND,
+                Json(serde_json::json!({"status": "not_found", "error": "Unknown poll_id"})),
+            )
+        }
+    };
+
+    if flow.expires_at <= Instant::now() {
+        drop(flow);
+        GEMINI_FLOWS.remove(&poll_id);
+        return (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "expired"})),
+        );
+    }
+
+    let device_code = flow.device_code.clone();
+    drop(flow);
+
+    match gemini_poll_device_flow(&device_code).await {
+        DeviceFlowStatus::Complete { tokens } => {
+            if let Err(e) = persist_oauth_tokens(
+                &state,
+                &["GEMINI_API_KEY", "GEMINI_OAUTH_TOKEN"],
+                Some("GEMINI_OAUTH_REFRESH_TOKEN"),
+                &tokens,
+            ) {
+                return (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    Json(serde_json::json!({"status": "error", "error": e})),
+                );
+            }
+
+            GEMINI_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "complete"})),
+            )
+        }
+        DeviceFlowStatus::Pending => (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "pending"})),
+        ),
+            DeviceFlowStatus::SlowDown { new_interval } => {
+                // Update interval server-side like Copilot/Codex
+                if let Some(mut f) = GEMINI_FLOWS.get_mut(&poll_id) {
+                    f.interval = new_interval;
+                }
+                (
+                    StatusCode::OK,
+                    Json(serde_json::json!({"status": "pending", "interval": new_interval})),
+                )
+            }
+        DeviceFlowStatus::Expired => {
+            GEMINI_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "expired"})),
+            )
+        }
+        DeviceFlowStatus::AccessDenied => {
+            GEMINI_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "denied"})),
+            )
+        }
+        DeviceFlowStatus::Error(e) => (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "error", "error": e})),
+        ),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Qwen OAuth endpoints
+// ---------------------------------------------------------------------------
+
+/// Active Qwen OAuth flows, keyed by poll_id.
+static QWEN_FLOWS: LazyLock<DashMap<String, QwenFlowState>> = LazyLock::new(DashMap::new);
+
+struct QwenFlowState {
+    start_time: Instant,
+    expires_in: u64,
+}
+
+/// POST /api/providers/qwen-oauth/oauth/start
+pub async fn qwen_oauth_start() -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::qwen_start_oauth_flow;
+
+    // Clean up expired flows first
+    QWEN_FLOWS.retain(|_, state| {
+        state.start_time + std::time::Duration::from_secs(state.expires_in) > Instant::now()
+    });
+
+    match qwen_start_oauth_flow().await {
+        Ok(_) => {
+            let poll_id = uuid::Uuid::new_v4().to_string();
+            QWEN_FLOWS.insert(
+                poll_id.clone(),
+                QwenFlowState {
+                    start_time: Instant::now(),
+                    expires_in: 300, // 5 minutes for Qwen
+                },
+            );
+
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({
+                    "status": "ready",
+                    "poll_id": poll_id,
+                    "message": "Qwen OAuth credentials loaded from ~/.qwen/oauth_creds.json",
+                })),
+            )
+        }
+        Err(e) => (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(serde_json::json!({ "error": e })),
+        ),
+    }
+}
+
+/// GET /api/providers/qwen-oauth/oauth/poll/{poll_id}
+pub async fn qwen_oauth_poll(
+    State(state): State<Arc<AppState>>,
+    Path(poll_id): Path<String>,
+) -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::qwen_poll_oauth_flow;
+
+    let flow = match QWEN_FLOWS.get(&poll_id) {
+        Some(f) => f,
+        None => {
+            return (
+                StatusCode::NOT_FOUND,
+                Json(serde_json::json!({"status": "not_found", "error": "Unknown poll_id"})),
+            )
+        }
+    };
+
+    if flow.start_time + std::time::Duration::from_secs(flow.expires_in) <= Instant::now() {
+        drop(flow);
+        QWEN_FLOWS.remove(&poll_id);
+        return (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "expired"})),
+        );
+    }
+
+    drop(flow);
+
+    match qwen_poll_oauth_flow().await {
+        Ok(tokens) => {
+            if let Err(e) = persist_oauth_tokens(
+                &state,
+                &["DASHSCOPE_API_KEY", "QWEN_OAUTH_TOKEN"],
+                Some("QWEN_OAUTH_REFRESH_TOKEN"),
+                &tokens,
+            ) {
+                return (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    Json(serde_json::json!({"status": "error", "error": e})),
+                );
+            }
+
+            QWEN_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({"status": "complete"})),
+            )
+        }
+        Err(e) => (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "error", "error": e})),
+        ),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// MiniMax OAuth endpoints
+// ---------------------------------------------------------------------------
+
+/// Active MiniMax OAuth flows, keyed by poll_id.
+static MINIMAX_FLOWS: LazyLock<DashMap<String, MiniMaxFlowState>> = LazyLock::new(DashMap::new);
+
+struct MiniMaxFlowState {
+    start_time: Instant,
+    expires_in: u64,
+}
+
+/// POST /api/providers/minimax-oauth/oauth/start
+pub async fn minimax_oauth_start() -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::minimax_start_oauth_flow;
+
+    // Clean up expired flows first
+    MINIMAX_FLOWS.retain(|_, state| {
+        state.start_time + std::time::Duration::from_secs(state.expires_in) > Instant::now()
+    });
+
+    match minimax_start_oauth_flow().await {
+        Ok(_) => {
+            let poll_id = uuid::Uuid::new_v4().to_string();
+            MINIMAX_FLOWS.insert(
+                poll_id.clone(),
+                MiniMaxFlowState {
+                    start_time: Instant::now(),
+                    expires_in: 300, // 5 minutes for MiniMax
+                },
+            );
+
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({
+                    "status": "ready",
+                    "poll_id": poll_id,
+                    "message": "MiniMax OAuth flow initiated",
+                })),
+            )
+        }
+        Err(e) => (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(serde_json::json!({ "error": e })),
+        ),
+    }
+}
+
+/// GET /api/providers/minimax-oauth/oauth/poll/{poll_id}
+pub async fn minimax_oauth_poll(Path(poll_id): Path<String>) -> impl IntoResponse {
+    use openfang_runtime::oauth_providers::minimax_poll_oauth_flow;
+
+    let flow = match MINIMAX_FLOWS.get(&poll_id) {
+        Some(f) => f,
+        None => {
+            return (
+                StatusCode::NOT_FOUND,
+                Json(serde_json::json!({"status": "not_found", "error": "Unknown poll_id"})),
+            )
+        }
+    };
+
+    if flow.start_time + std::time::Duration::from_secs(flow.expires_in) <= Instant::now() {
+        drop(flow);
+        MINIMAX_FLOWS.remove(&poll_id);
+        return (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "expired"})),
+        );
+    }
+
+    drop(flow);
+
+    match minimax_poll_oauth_flow().await {
+        Ok(tokens) => {
+            MINIMAX_FLOWS.remove(&poll_id);
+            (
+                StatusCode::OK,
+                Json(serde_json::json!({
+                    "status": "complete",
+                    "access_token": tokens.access_token,
+                    "refresh_token": tokens.refresh_token,
+                })),
+            )
+        }
+        Err(e) => (
+            StatusCode::OK,
+            Json(serde_json::json!({"status": "pending", "error": e})),
+        ),
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Agent Communication (Comms) endpoints
 // ---------------------------------------------------------------------------
diff --git a/crates/openfang-api/src/server.rs b/crates/openfang-api/src/server.rs
index ed773fcb7b..72a9757165 100644
--- a/crates/openfang-api/src/server.rs
+++ b/crates/openfang-api/src/server.rs
@@ -596,6 +596,42 @@ pub async fn build_router(
             "/api/providers/github-copilot/oauth/poll/{poll_id}",
             axum::routing::get(routes::copilot_oauth_poll),
         )
+        // OpenAI Codex OAuth
+        .route(
+            "/api/providers/openai-codex/oauth/start",
+            axum::routing::post(routes::openai_codex_oauth_start),
+        )
+        .route(
+            "/api/providers/openai-codex/oauth/poll/{poll_id}",
+            axum::routing::get(routes::openai_codex_oauth_poll),
+        )
+        // Gemini OAuth
+        .route(
+            "/api/providers/gemini-oauth/oauth/start",
+            axum::routing::post(routes::gemini_oauth_start),
+        )
+        .route(
+            "/api/providers/gemini-oauth/oauth/poll/{poll_id}",
+            axum::routing::get(routes::gemini_oauth_poll),
+        )
+        // Qwen OAuth
+        .route(
+            "/api/providers/qwen-oauth/oauth/start",
+            axum::routing::post(routes::qwen_oauth_start),
+        )
+        .route(
+            "/api/providers/qwen-oauth/oauth/poll/{poll_id}",
+            axum::routing::get(routes::qwen_oauth_poll),
+        )
+        // MiniMax OAuth
+        .route(
+            "/api/providers/minimax-oauth/oauth/start",
+            axum::routing::post(routes::minimax_oauth_start),
+        )
+        .route(
+            "/api/providers/minimax-oauth/oauth/poll/{poll_id}",
+            axum::routing::get(routes::minimax_oauth_poll),
+        )
         .route(
             "/api/providers/{name}/key",
             axum::routing::post(routes::set_provider_key).delete(routes::delete_provider_key),
diff --git a/crates/openfang-api/static/index_body.html b/crates/openfang-api/static/index_body.html
index f70d737a7f..f12c920771 100644
--- a/crates/openfang-api/static/index_body.html
+++ b/crates/openfang-api/static/index_body.html
@@ -3605,6 +3605,43 @@ <h4>LLM Providers</h4>
                       </div>
                     </div>
                   </template>
+
+                  <!-- OpenAI Codex OAuth button -->
+                  <template x-if="p.id === 'openai-codex' && p.auth_status !== 'configured'">
+                    <div class="mt-2">
+                      <button class="btn btn-primary btn-sm" @click="startCodexOAuth()" :disabled="codexOAuth.polling" x-show="!codexOAuth.userCode">Login with OpenAI</button>
+                      <div x-show="codexOAuth.userCode" class="mt-2">
+                        <div class="text-sm">Visit <a :href="codexOAuth.verificationUri" target="_blank" x-text="codexOAuth.verificationUri" style="color:var(--accent-light)"></a> and enter:</div>
+                        <div style="font-size:24px;font-weight:bold;letter-spacing:4px;margin:8px 0;color:var(--accent-light)" x-text="codexOAuth.userCode"></div>
+                        <div class="text-xs text-dim"><span class="spinner" style="width:10px;height:10px;border-width:2px;display:inline-block;vertical-align:middle"></span> Waiting for authorization...</div>
+                      </div>
+                    </div>
+                  </template>
+                  <!-- Gemini OAuth button -->
+                  <template x-if="p.id === 'gemini-oauth' && p.auth_status !== 'configured'">
+                    <div class="mt-2">
+                      <button class="btn btn-primary btn-sm" @click="startGeminiOAuth()" :disabled="geminiOAuth.polling" x-show="!geminiOAuth.userCode">Login with Google</button>
+                      <div x-show="geminiOAuth.userCode" class="mt-2">
+                        <div class="text-sm">Visit <a :href="geminiOAuth.verificationUri" target="_blank" x-text="geminiOAuth.verificationUri" style="color:var(--accent-light)"></a> and enter:</div>
+                        <div style="font-size:24px;font-weight:bold;letter-spacing:4px;margin:8px 0;color:var(--accent-light)" x-text="geminiOAuth.userCode"></div>
+                        <div class="text-xs text-dim"><span class="spinner" style="width:10px;height:10px;border-width:2px;display:inline-block;vertical-align:middle"></span> Waiting for authorization...</div>
+                      </div>
+                    </div>
+                  </template>
+                  <!-- Qwen OAuth button -->
+                  <template x-if="p.id === 'qwen-oauth' && p.auth_status !== 'configured'">
+                    <div class="mt-2">
+                      <button class="btn btn-primary btn-sm" @click="startQwenOAuth()" :disabled="qwenOAuth.polling">Load Qwen Credentials</button>
+                      <div x-show="qwenOAuth.message" class="mt-2 text-sm" style="color:var(--accent-light)" x-text="qwenOAuth.message"></div>
+                    </div>
+                  </template>
+                  <!-- MiniMax OAuth button -->
+                  <template x-if="p.id === 'minimax-oauth' && p.auth_status !== 'configured'">
+                    <div class="mt-2">
+                      <button class="btn btn-primary btn-sm" @click="startMiniMaxOAuth()" :disabled="minimaxOAuth.polling">Login with MiniMax</button>
+                      <div x-show="minimaxOAuth.message" class="mt-2 text-sm" style="color:var(--accent-light)" x-text="minimaxOAuth.message"></div>
+                    </div>
+                  </template>
                   <!-- Claude Code install hint -->
                   <template x-if="p.id === 'claude-code' && p.auth_status !== 'configured'">
                     <div class="mt-2 text-xs text-dim">Install: <code style="color:var(--accent-light);background:var(--bg);padding:1px 4px;border-radius:2px">npm install -g @anthropic-ai/claude-code</code></div>
diff --git a/crates/openfang-api/static/js/pages/settings.js b/crates/openfang-api/static/js/pages/settings.js
index 662004c6e2..e184e74b34 100644
--- a/crates/openfang-api/static/js/pages/settings.js
+++ b/crates/openfang-api/static/js/pages/settings.js
@@ -26,6 +26,10 @@ function settingsPage() {
     providerTesting: {},
     providerTestResults: {},
     copilotOAuth: { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 },
+      codexOAuth: { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 },
+      geminiOAuth: { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 },
+      qwenOAuth: { polling: false, status: '', pollId: '', message: '' },
+      minimaxOAuth: { polling: false, status: '', pollId: '', message: '' },
     customProviderName: '',
     customProviderUrl: '',
     customProviderKey: '',
@@ -474,6 +478,193 @@ function settingsPage() {
       }, self.copilotOAuth.interval * 1000);
     },
 
+    // OpenAI Codex OAuth
+    async startCodexOAuth() {
+      this.codexOAuth.polling = true;
+      this.codexOAuth.userCode = '';
+      try {
+        var resp = await OpenFangAPI.post('/api/providers/openai-codex/oauth/start', {});
+        this.codexOAuth.userCode = resp.user_code;
+        this.codexOAuth.verificationUri = resp.verification_uri;
+        this.codexOAuth.pollId = resp.poll_id;
+        this.codexOAuth.interval = resp.interval || 5;
+        window.open(resp.verification_uri, '_blank');
+        this.pollCodexOAuth();
+      } catch(e) {
+        OpenFangToast.error('Failed to start Codex login: ' + e.message);
+        this.codexOAuth.polling = false;
+      }
+    },
+
+    pollCodexOAuth() {
+      var self = this;
+      setTimeout(async function() {
+        if (!self.codexOAuth.pollId) return;
+        try {
+          var resp = await OpenFangAPI.get('/api/providers/openai-codex/oauth/poll/' + self.codexOAuth.pollId);
+          if (resp.status === 'complete') {
+            OpenFangToast.success('OpenAI Codex authenticated successfully!');
+            self.codexOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+            await self.loadProviders();
+            await self.loadModels();
+          } else if (resp.status === 'pending') {
+            if (resp.interval) self.codexOAuth.interval = resp.interval;
+            self.pollCodexOAuth();
+          } else if (resp.status === 'expired') {
+            OpenFangToast.error('Device code expired. Please try again.');
+            self.codexOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+          } else if (resp.status === 'denied') {
+            OpenFangToast.error('Access denied by user.');
+            self.codexOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+          } else {
+            OpenFangToast.error('OAuth error: ' + (resp.error || resp.status));
+            self.codexOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+          }
+        } catch(e) {
+          OpenFangToast.error('Poll error: ' + e.message);
+          self.codexOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+        }
+      }, self.codexOAuth.interval * 1000);
+    },
+
+    // Gemini OAuth
+    async startGeminiOAuth() {
+      this.geminiOAuth.polling = true;
+      this.geminiOAuth.userCode = '';
+      try {
+        var resp = await OpenFangAPI.post('/api/providers/gemini-oauth/oauth/start', {});
+        this.geminiOAuth.userCode = resp.user_code;
+        this.geminiOAuth.verificationUri = resp.verification_uri;
+        this.geminiOAuth.pollId = resp.poll_id;
+        this.geminiOAuth.interval = resp.interval || 5;
+        window.open(resp.verification_uri, '_blank');
+        this.pollGeminiOAuth();
+      } catch(e) {
+        OpenFangToast.error('Failed to start Gemini login: ' + e.message);
+        this.geminiOAuth.polling = false;
+      }
+    },
+
+    pollGeminiOAuth() {
+      var self = this;
+      setTimeout(async function() {
+        if (!self.geminiOAuth.pollId) return;
+        try {
+          var resp = await OpenFangAPI.get('/api/providers/gemini-oauth/oauth/poll/' + self.geminiOAuth.pollId);
+          if (resp.status === 'complete') {
+            OpenFangToast.success('Google Gemini authenticated successfully!');
+            self.geminiOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+            await self.loadProviders();
+            await self.loadModels();
+          } else if (resp.status === 'pending') {
+            if (resp.interval) self.geminiOAuth.interval = resp.interval;
+            self.pollGeminiOAuth();
+          } else if (resp.status === 'expired') {
+            OpenFangToast.error('Device code expired. Please try again.');
+            self.geminiOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+          } else if (resp.status === 'denied') {
+            OpenFangToast.error('Access denied by user.');
+            self.geminiOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+          } else {
+            OpenFangToast.error('OAuth error: ' + (resp.error || resp.status));
+            self.geminiOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+          }
+        } catch(e) {
+          OpenFangToast.error('Poll error: ' + e.message);
+          self.geminiOAuth = { polling: false, userCode: '', verificationUri: '', pollId: '', interval: 5 };
+        }
+      }, self.geminiOAuth.interval * 1000);
+    },
+
+    // Qwen OAuth (file-based)
+    async startQwenOAuth() {
+      this.qwenOAuth.polling = true;
+      this.qwenOAuth.status = 'loading';
+      this.qwenOAuth.message = '';
+      try {
+        var resp = await OpenFangAPI.post('/api/providers/qwen-oauth/oauth/start', {});
+        this.qwenOAuth.pollId = resp.poll_id;
+        this.qwenOAuth.status = 'ready';
+        this.qwenOAuth.message = resp.message || 'Credentials loaded';
+        this.pollQwenOAuth();
+      } catch(e) {
+        OpenFangToast.error('Failed to load Qwen credentials: ' + e.message);
+        this.qwenOAuth = { polling: false, status: '', pollId: '', message: '' };
+      }
+    },
+
+    pollQwenOAuth() {
+      var self = this;
+      setTimeout(async function() {
+        if (!self.qwenOAuth.pollId) return;
+        try {
+          var resp = await OpenFangAPI.get('/api/providers/qwen-oauth/oauth/poll/' + self.qwenOAuth.pollId);
+          if (resp.status === 'complete') {
+            OpenFangToast.success('Qwen authenticated successfully!');
+            self.qwenOAuth = { polling: false, status: '', pollId: '', message: '' };
+            await self.loadProviders();
+            await self.loadModels();
+          } else if (resp.status === 'expired') {
+            OpenFangToast.error('Qwen OAuth expired. Please try again.');
+            self.qwenOAuth = { polling: false, status: '', pollId: '', message: '' };
+          } else if (resp.status === 'pending') {
+            self.pollQwenOAuth();
+          } else {
+            OpenFangToast.error('OAuth error: ' + (resp.error || resp.status));
+            self.qwenOAuth = { polling: false, status: '', pollId: '', message: '' };
+          }
+        } catch(e) {
+          OpenFangToast.error('Poll error: ' + e.message);
+          self.qwenOAuth = { polling: false, status: '', pollId: '', message: '' };
+        }
+      }, 2000);
+    },
+
+    // MiniMax OAuth
+    async startMiniMaxOAuth() {
+      this.minimaxOAuth.polling = true;
+      this.minimaxOAuth.status = 'loading';
+      this.minimaxOAuth.message = '';
+      try {
+        var resp = await OpenFangAPI.post('/api/providers/minimax-oauth/oauth/start', {});
+        this.minimaxOAuth.pollId = resp.poll_id;
+        this.minimaxOAuth.status = 'ready';
+        this.minimaxOAuth.message = resp.message || 'OAuth initiated';
+        this.pollMiniMaxOAuth();
+      } catch(e) {
+        OpenFangToast.error('Failed to start MiniMax OAuth: ' + e.message);
+        this.minimaxOAuth = { polling: false, status: '', pollId: '', message: '' };
+      }
+    },
+
+    pollMiniMaxOAuth() {
+      var self = this;
+      setTimeout(async function() {
+        if (!self.minimaxOAuth.pollId) return;
+        try {
+          var resp = await OpenFangAPI.get('/api/providers/minimax-oauth/oauth/poll/' + self.minimaxOAuth.pollId);
+          if (resp.status === 'complete') {
+            OpenFangToast.success('MiniMax authenticated successfully!');
+            self.minimaxOAuth = { polling: false, status: '', pollId: '', message: '' };
+            await self.loadProviders();
+            await self.loadModels();
+          } else if (resp.status === 'expired') {
+            OpenFangToast.error('MiniMax OAuth expired. Please try again.');
+            self.minimaxOAuth = { polling: false, status: '', pollId: '', message: '' };
+          } else if (resp.status === 'pending') {
+            self.pollMiniMaxOAuth();
+          } else {
+            OpenFangToast.error('OAuth error: ' + (resp.error || resp.status));
+            self.minimaxOAuth = { polling: false, status: '', pollId: '', message: '' };
+          }
+        } catch(e) {
+          OpenFangToast.error('Poll error: ' + e.message);
+          self.minimaxOAuth = { polling: false, status: '', pollId: '', message: '' };
+        }
+      }, 2000);
+    },
+
+
     async testProvider(provider) {
       this.providerTesting[provider.id] = true;
       this.providerTestResults[provider.id] = null;
diff --git a/crates/openfang-runtime/Cargo.toml b/crates/openfang-runtime/Cargo.toml
index aff9a80291..44fdf4bac2 100644
--- a/crates/openfang-runtime/Cargo.toml
+++ b/crates/openfang-runtime/Cargo.toml
@@ -34,6 +34,7 @@ rmcp = { workspace = true }
 http = "1"
 tokio-tungstenite = "0.24"
 shlex = "1"
+rand = { workspace = true }
 
 [dev-dependencies]
 tokio-test = { workspace = true }
diff --git a/crates/openfang-runtime/src/lib.rs b/crates/openfang-runtime/src/lib.rs
index bde54ab199..21ec9fed46 100644
--- a/crates/openfang-runtime/src/lib.rs
+++ b/crates/openfang-runtime/src/lib.rs
@@ -33,6 +33,7 @@ pub mod llm_errors;
 pub mod loop_guard;
 pub mod mcp;
 pub mod mcp_server;
+pub mod oauth_providers;
 pub mod media_understanding;
 pub mod model_catalog;
 pub mod process_manager;
diff --git a/crates/openfang-runtime/src/oauth_providers.rs b/crates/openfang-runtime/src/oauth_providers.rs
new file mode 100644
index 0000000000..c640133309
--- /dev/null
+++ b/crates/openfang-runtime/src/oauth_providers.rs
@@ -0,0 +1,672 @@
+//! OAuth providers for LLM services — OpenAI Codex, Gemini, Qwen, MiniMax.
+//!
+//! This module implements OAuth2 authentication flows for:
+//! - OpenAI Codex (ChatGPT subscription) — device code flow + PKCE
+//! - Gemini (Google OAuth) — PKCE + device code
+//! - Qwen (Alibaba) — **file-based token import** from ~/.qwen/oauth_creds.json
+//!   (not a true OAuth flow — reads pre-existing tokens from Qwen CLI)
+//! - MiniMax — refresh token based (requires stored refresh token in vault)
+//!
+//! All tokens are stored in the credential vault.
+
+use base64::Engine;
+use chrono::{DateTime, Utc};
+use reqwest::Client;
+use serde::{Deserialize, Serialize};
+use std::time::Duration;
+
+// ─── Constants ───────────────────────────────────────────────────────────────────
+
+// OpenAI Codex OAuth
+pub const OPENAI_CODEX_CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";
+pub const OPENAI_CODEX_AUTH_URL: &str = "https://auth.openai.com/oauth/authorize";
+pub const OPENAI_CODEX_TOKEN_URL: &str = "https://auth.openai.com/oauth/token";
+pub const OPENAI_CODEX_DEVICE_URL: &str = "https://auth.openai.com/oauth/device/code";
+pub const OPENAI_CODEX_CALLBACK_URI: &str = "http://localhost:1455/auth/callback";
+pub const OPENAI_CODEX_RESPONSES_URL: &str = "https://chatgpt.com/backend-api/codex/responses";
+
+// Gemini OAuth (requires GEMINI_OAUTH_CLIENT_ID and GEMINI_OAUTH_CLIENT_SECRET env vars)
+pub const GOOGLE_AUTH_URL: &str = "https://accounts.google.com/o/oauth2/v2/auth";
+pub const GOOGLE_TOKEN_URL: &str = "https://oauth2.googleapis.com/token";
+pub const GOOGLE_DEVICE_URL: &str = "https://oauth2.googleapis.com/device/code";
+pub const GOOGLE_CALLBACK_URI: &str = "http://localhost:1456/auth/callback";
+pub const GEMINI_SCOPES: &str =
+    "openid profile email https://www.googleapis.com/auth/cloud-platform";
+
+// Qwen OAuth
+pub const QWEN_OAUTH_TOKEN_ENDPOINT: &str = "https://chat.qwen.ai/api/v1/oauth2/token";
+pub const QWEN_OAUTH_CREDENTIAL_FILE: &str = ".qwen/oauth_creds.json";
+pub const QWEN_OAUTH_CLIENT_ID: &str = "f0304373b74a44d2b584a3fb70ca9e56";
+
+// MiniMax OAuth
+pub const MINIMAX_OAUTH_TOKEN_ENDPOINT: &str = "https://api.minimax.io/oauth/token";
+pub const MINIMAX_OAUTH_CLIENT_ID: &str = "78257093-7e40-4613-99e0-527b14b39113";
+
+// ─── Token Storage ────────────────────────────────────────────────────────────────
+
+/// OAuth tokens stored in vault.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct OAuthTokenSet {
+    pub access_token: String,
+    pub refresh_token: Option<String>,
+    pub expires_at: Option<DateTime<Utc>>,
+    pub provider: String,
+}
+
+impl OAuthTokenSet {
+    /// Check if token is expired (with 60-second buffer).
+    pub fn is_expired(&self) -> bool {
+        if let Some(expires_at) = self.expires_at {
+            expires_at < Utc::now() + chrono::Duration::seconds(60)
+        } else {
+            false
+        }
+    }
+
+    /// Create from token response.
+    pub fn from_response(resp: TokenResponse, provider: &str) -> Self {
+        let expires_at = resp
+            .expires_in
+            .map(|secs| Utc::now() + chrono::Duration::seconds(secs));
+        Self {
+            access_token: resp.access_token,
+            refresh_token: resp.refresh_token,
+            expires_at,
+            provider: provider.to_string(),
+        }
+    }
+}
+
+/// Token response from OAuth provider.
+#[derive(Debug, Deserialize)]
+pub struct TokenResponse {
+    pub access_token: String,
+    #[serde(default)]
+    pub refresh_token: Option<String>,
+    #[serde(default)]
+    pub id_token: Option<String>,
+    #[serde(default)]
+    pub expires_in: Option<i64>,
+    #[serde(default)]
+    pub token_type: Option<String>,
+    #[serde(default)]
+    pub scope: Option<String>,
+}
+
+/// Device code start response.
+#[derive(Debug, Deserialize)]
+pub struct DeviceCodeResponse {
+    pub device_code: String,
+    pub user_code: String,
+    pub verification_uri: String,
+    #[serde(default)]
+    pub verification_uri_complete: Option<String>,
+    pub expires_in: u64,
+    #[serde(default)]
+    pub interval: Option<u64>,
+}
+
+/// Device code flow status.
+pub enum DeviceFlowStatus {
+    Pending,
+    Complete { tokens: OAuthTokenSet },
+    SlowDown { new_interval: u64 },
+    Expired,
+    AccessDenied,
+    Error(String),
+}
+
+// ─── OpenAI Codex OAuth ───────────────────────────────────────────────────────
+
+/// Start OpenAI Codex device code flow.
+pub async fn openai_codex_start_device_flow() -> Result<DeviceCodeResponse, String> {
+    let client = Client::builder()
+        .timeout(Duration::from_secs(15))
+        .build()
+        .map_err(|e| format!("HTTP client error: {e}"))?;
+
+    let resp = client
+        .post(OPENAI_CODEX_DEVICE_URL)
+        .header("Accept", "application/json")
+        .form(&[
+            ("client_id", OPENAI_CODEX_CLIENT_ID),
+            ("scope", "openid profile email offline_access"),
+        ])
+        .send()
+        .await
+        .map_err(|e| format!("Device code request failed: {e}"))?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(format!("Device code request returned {status}: {body}"));
+    }
+
+    resp.json::<DeviceCodeResponse>()
+        .await
+        .map_err(|e| format!("Failed to parse device code response: {e}"))
+}
+
+/// Poll OpenAI Codex device flow.
+pub async fn openai_codex_poll_device_flow(device_code: &str) -> DeviceFlowStatus {
+    let client = match Client::builder().timeout(Duration::from_secs(15)).build() {
+        Ok(c) => c,
+        Err(e) => return DeviceFlowStatus::Error(format!("HTTP client error: {e}")),
+    };
+
+    let resp = match client
+        .post(OPENAI_CODEX_TOKEN_URL)
+        .header("Accept", "application/json")
+        .form(&[
+            ("grant_type", "urn:ietf:params:oauth:grant-type:device_code"),
+            ("device_code", device_code),
+            ("client_id", OPENAI_CODEX_CLIENT_ID),
+        ])
+        .send()
+        .await
+    {
+        Ok(r) => r,
+        Err(e) => return DeviceFlowStatus::Error(format!("Token poll failed: {e}")),
+    };
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        if let Ok(err) = serde_json::from_str::<serde_json::Value>(&body) {
+            if let Some(error) = err.get("error").and_then(|v| v.as_str()) {
+                return match error {
+                    "authorization_pending" => DeviceFlowStatus::Pending,
+                    "slow_down" => {
+                        let interval = err.get("interval").and_then(|v| v.as_u64()).unwrap_or(10);
+                        DeviceFlowStatus::SlowDown {
+                            new_interval: interval,
+                        }
+                    }
+                    "expired_token" => DeviceFlowStatus::Expired,
+                    "access_denied" => DeviceFlowStatus::AccessDenied,
+                    _ => DeviceFlowStatus::Error(error.to_string()),
+                };
+            }
+        }
+        return DeviceFlowStatus::Error(format!("HTTP {status}: {body}"));
+    }
+
+    match resp.json::<TokenResponse>().await {
+        Ok(tokens) => DeviceFlowStatus::Complete {
+            tokens: OAuthTokenSet::from_response(tokens, "openai-codex"),
+        },
+        Err(e) => DeviceFlowStatus::Error(format!("Failed to parse token response: {e}")),
+    }
+}
+
+/// Build OpenAI Codex authorization URL for PKCE flow.
+pub fn openai_codex_build_authorize_url(state: &str, code_challenge: &str) -> String {
+    let params = [
+        ("response_type", "code"),
+        ("client_id", OPENAI_CODEX_CLIENT_ID),
+        ("redirect_uri", OPENAI_CODEX_CALLBACK_URI),
+        ("scope", "openid profile email offline_access"),
+        ("code_challenge", code_challenge),
+        ("code_challenge_method", "S256"),
+        ("state", state),
+        ("codex_cli_simplified_flow", "true"),
+        ("id_token_add_organizations", "true"),
+    ];
+
+    let encoded: Vec<String> = params
+        .iter()
+        .map(|(k, v)| format!("{}={}", url_encode(k), url_encode(v)))
+        .collect();
+
+    format!("{}?{}", OPENAI_CODEX_AUTH_URL, encoded.join("&"))
+}
+
+/// Exchange authorization code for tokens.
+pub async fn openai_codex_exchange_code(
+    code: &str,
+    code_verifier: &str,
+) -> Result<OAuthTokenSet, String> {
+    let client = Client::new();
+
+    let form = [
+        ("grant_type", "authorization_code"),
+        ("code", code),
+        ("client_id", OPENAI_CODEX_CLIENT_ID),
+        ("redirect_uri", OPENAI_CODEX_CALLBACK_URI),
+        ("code_verifier", code_verifier),
+    ];
+
+    let resp = client
+        .post(OPENAI_CODEX_TOKEN_URL)
+        .form(&form)
+        .send()
+        .await
+        .map_err(|e| format!("Token exchange failed: {e}"))?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(format!("Token exchange failed ({status}): {body}"));
+    }
+
+    let tokens: TokenResponse = resp
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse token response: {e}"))?;
+
+    Ok(OAuthTokenSet::from_response(tokens, "openai-codex"))
+}
+
+/// Refresh OpenAI Codex access token.
+pub async fn openai_codex_refresh_token(refresh_token: &str) -> Result<OAuthTokenSet, String> {
+    let client = Client::new();
+
+    let form = [
+        ("grant_type", "refresh_token"),
+        ("refresh_token", refresh_token),
+        ("client_id", OPENAI_CODEX_CLIENT_ID),
+    ];
+
+    let resp = client
+        .post(OPENAI_CODEX_TOKEN_URL)
+        .form(&form)
+        .send()
+        .await
+        .map_err(|e| format!("Token refresh failed: {e}"))?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(format!("Token refresh failed ({status}): {body}"));
+    }
+
+    let tokens: TokenResponse = resp
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse token response: {e}"))?;
+
+    Ok(OAuthTokenSet::from_response(tokens, "openai-codex"))
+}
+
+// ─── Gemini OAuth ───────────────────────────────────────────────────────────────
+
+/// Get Gemini OAuth credentials from environment.
+pub fn gemini_oauth_credentials() -> Option<(String, String)> {
+    let client_id = std::env::var("GEMINI_OAUTH_CLIENT_ID").ok()?;
+    let client_secret = std::env::var("GEMINI_OAUTH_CLIENT_SECRET").ok()?;
+    if client_id.is_empty() || client_secret.is_empty() {
+        return None;
+    }
+    Some((client_id, client_secret))
+}
+
+/// Start Gemini device code flow.
+pub async fn gemini_start_device_flow() -> Result<DeviceCodeResponse, String> {
+    let (client_id, _client_secret) = gemini_oauth_credentials()
+        .ok_or("GEMINI_OAUTH_CLIENT_ID and GEMINI_OAUTH_CLIENT_SECRET required")?;
+
+    let client = Client::builder()
+        .timeout(Duration::from_secs(15))
+        .build()
+        .map_err(|e| format!("HTTP client error: {e}"))?;
+
+    let scope_str =
+        "openid profile email https://www.googleapis.com/auth/cloud-platform".to_string();
+    let resp = client
+        .post(GOOGLE_DEVICE_URL)
+        .header("Accept", "application/json")
+        .form(&[("client_id", &client_id), ("scope", &scope_str)])
+        .send()
+        .await
+        .map_err(|e| format!("Device code request failed: {e}"))?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(format!("Device code request returned {status}: {body}"));
+    }
+
+    #[derive(Deserialize)]
+    struct GoogleDeviceResponse {
+        device_code: String,
+        user_code: String,
+        verification_url: String,
+        expires_in: Option<u64>,
+        interval: Option<u64>,
+    }
+
+    let google_resp: GoogleDeviceResponse = resp
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse device code response: {e}"))?;
+
+    Ok(DeviceCodeResponse {
+        device_code: google_resp.device_code,
+        user_code: google_resp.user_code,
+        verification_uri: google_resp.verification_url,
+        verification_uri_complete: None,
+        expires_in: google_resp.expires_in.unwrap_or(300),
+        interval: google_resp.interval,
+    })
+}
+
+/// Poll Gemini device flow.
+pub async fn gemini_poll_device_flow(device_code: &str) -> DeviceFlowStatus {
+    let (client_id, client_secret) = match gemini_oauth_credentials() {
+        Some(c) => c,
+        None => return DeviceFlowStatus::Error("Missing OAuth credentials".to_string()),
+    };
+
+    let client = match Client::builder().timeout(Duration::from_secs(15)).build() {
+        Ok(c) => c,
+        Err(e) => return DeviceFlowStatus::Error(format!("HTTP client error: {e}")),
+    };
+
+    let form = [
+        ("grant_type", "urn:ietf:params:oauth:grant-type:device_code"),
+        ("device_code", device_code),
+        ("client_id", &client_id),
+        ("client_secret", &client_secret),
+    ];
+
+    let resp = match client
+        .post(GOOGLE_TOKEN_URL)
+        .header("Accept", "application/json")
+        .form(&form)
+        .send()
+        .await
+    {
+        Ok(r) => r,
+        Err(e) => return DeviceFlowStatus::Error(format!("Token poll failed: {e}")),
+    };
+
+    if !resp.status().is_success() {
+        let body = resp.text().await.unwrap_or_default();
+        if let Ok(err) = serde_json::from_str::<serde_json::Value>(&body) {
+            if let Some(error) = err.get("error").and_then(|v| v.as_str()) {
+                return match error {
+                    "authorization_pending" => DeviceFlowStatus::Pending,
+                    "slow_down" => {
+                        let interval = err.get("interval").and_then(|v| v.as_u64()).unwrap_or(5);
+                        DeviceFlowStatus::SlowDown {
+                            new_interval: interval,
+                        }
+                    }
+                    "expired_token" => DeviceFlowStatus::Expired,
+                    "access_denied" => DeviceFlowStatus::AccessDenied,
+                    _ => DeviceFlowStatus::Error(error.to_string()),
+                };
+            }
+        }
+        return DeviceFlowStatus::Error(format!("HTTP error: {body}"));
+    }
+
+    match resp.json::<TokenResponse>().await {
+        Ok(tokens) => DeviceFlowStatus::Complete {
+            tokens: OAuthTokenSet::from_response(tokens, "gemini-oauth"),
+        },
+        Err(e) => DeviceFlowStatus::Error(format!("Failed to parse token response: {e}")),
+    }
+}
+
+// ─── Qwen OAuth ────────────────────────────────────────────────────────────────
+
+/// Find Qwen OAuth credentials file.
+pub fn qwen_credentials_path() -> Option<std::path::PathBuf> {
+    let home = home_dir()?;
+    let qwen_path = home.join(QWEN_OAUTH_CREDENTIAL_FILE);
+    if qwen_path.exists() {
+        Some(qwen_path)
+    } else {
+        None
+    }
+}
+
+/// Cross-platform home directory (same as qwen_code.rs).
+fn home_dir() -> Option<std::path::PathBuf> {
+    #[cfg(target_os = "windows")]
+    {
+        std::env::var("USERPROFILE")
+            .ok()
+            .map(std::path::PathBuf::from)
+    }
+    #[cfg(not(target_os = "windows"))]
+    {
+        std::env::var("HOME").ok().map(std::path::PathBuf::from)
+    }
+}
+
+/// Read Qwen OAuth credentials from file.
+pub fn read_qwen_credentials() -> Option<OAuthTokenSet> {
+    let path = qwen_credentials_path()?;
+    let content = std::fs::read_to_string(&path).ok()?;
+
+    #[derive(Deserialize)]
+    struct QwenCredsFile {
+        access_token: String,
+        refresh_token: Option<String>,
+        expires_at: Option<String>,
+    }
+
+    let creds: QwenCredsFile = serde_json::from_str(&content).ok()?;
+
+    let expires_at = creds.expires_at.and_then(|s| {
+        DateTime::parse_from_rfc3339(&s)
+            .ok()
+            .map(|dt| dt.with_timezone(&Utc))
+    });
+
+    Some(OAuthTokenSet {
+        access_token: creds.access_token,
+        refresh_token: creds.refresh_token,
+        expires_at,
+        provider: "qwen-oauth".to_string(),
+    })
+}
+
+/// Start Qwen "OAuth" flow — reads tokens from ~/.qwen/oauth_creds.json.
+///
+/// **Note**: This is NOT a true OAuth flow. Qwen tokens must first be obtained
+/// via the Qwen CLI (`qwen login`), which creates the credential file.
+/// This function merely imports those pre-existing tokens into OpenFang's vault.
+pub async fn qwen_start_oauth_flow() -> Result<(), String> {
+    // Qwen OAuth is file-based, just verify we can read the credentials
+    read_qwen_credentials().ok_or_else(|| {
+        "Failed to read Qwen credentials from ~/.qwen/oauth_creds.json. Run 'qwen login' first."
+            .to_string()
+    })?;
+    Ok(())
+}
+
+/// Poll Qwen "OAuth" flow — returns tokens from the credential file.
+///
+/// **Note**: This is a file import, not a polling mechanism.
+/// The tokens are read directly from ~/.qwen/oauth_creds.json.
+pub async fn qwen_poll_oauth_flow() -> Result<OAuthTokenSet, String> {
+    read_qwen_credentials()
+        .ok_or_else(|| "Failed to read Qwen credentials. Run 'qwen login' first.".to_string())
+}
+
+/// Refresh Qwen OAuth token.
+pub async fn refresh_qwen_token(refresh_token: &str) -> Result<OAuthTokenSet, String> {
+    let client = Client::new();
+
+    let form = [
+        ("grant_type", "refresh_token"),
+        ("refresh_token", refresh_token),
+        ("client_id", QWEN_OAUTH_CLIENT_ID),
+    ];
+
+    let resp = client
+        .post(QWEN_OAUTH_TOKEN_ENDPOINT)
+        .header("Accept", "application/json")
+        .form(&form)
+        .send()
+        .await
+        .map_err(|e| format!("Token refresh failed: {e}"))?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(format!("Token refresh failed ({status}): {body}"));
+    }
+
+    let tokens: TokenResponse = resp
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse token response: {e}"))?;
+
+    Ok(OAuthTokenSet::from_response(tokens, "qwen-oauth"))
+}
+
+// ─── MiniMax OAuth ───────────────────────────────────────────────────────────
+
+/// Refresh MiniMax OAuth token.
+pub async fn refresh_minimax_token(
+    refresh_token: &str,
+    region: &str,
+) -> Result<OAuthTokenSet, String> {
+    let endpoint = match region {
+        "cn" => "https://api.minimaxi.com/oauth/token",
+        _ => MINIMAX_OAUTH_TOKEN_ENDPOINT,
+    };
+
+    let client = Client::new();
+
+    let form = [
+        ("grant_type", "refresh_token"),
+        ("refresh_token", refresh_token),
+        ("client_id", MINIMAX_OAUTH_CLIENT_ID),
+    ];
+
+    let resp = client
+        .post(endpoint)
+        .header("Accept", "application/json")
+        .form(&form)
+        .send()
+        .await
+        .map_err(|e| format!("Token refresh failed: {e}"))?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(format!("Token refresh failed ({status}): {body}"));
+    }
+
+    let tokens: TokenResponse = resp
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse token response: {e}"))?;
+
+    Ok(OAuthTokenSet::from_response(tokens, "minimax-oauth"))
+}
+
+/// Start MiniMax OAuth flow — requires a stored refresh token.
+///
+/// MiniMax does not support device code or authorization code flow;
+/// authentication must be initiated externally (e.g. via their console)
+/// and the resulting refresh token stored in the vault before calling
+/// [`refresh_minimax_token`].
+pub async fn minimax_start_oauth_flow() -> Result<(), String> {
+    Err("MiniMax does not support browser-based OAuth. Store a refresh token in the vault first, then use the refresh endpoint.".to_string())
+}
+
+/// Check whether a MiniMax refresh token is available in the vault.
+///
+/// Returns `Ok(())` if a refresh token exists for MiniMax, `Err` otherwise.
+/// This is not a traditional OAuth poll — MiniMax has no device code flow.
+pub async fn minimax_poll_oauth_flow() -> Result<OAuthTokenSet, String> {
+    Err("MiniMax has no device code flow. Store a refresh token in the vault first.".to_string())
+}
+
+// ─── Utility Functions ────────────────────────────────────────────────────────
+
+/// URL-encode a string.
+fn url_encode(input: &str) -> String {
+    input
+        .bytes()
+        .map(|b| match b {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
+                (b as char).to_string()
+            }
+            _ => format!("%{:02X}", b),
+        })
+        .collect::<String>()
+}
+
+/// Generate PKCE code verifier and challenge using a cryptographically secure RNG.
+///
+/// Uses `OsRng` as the entropy source per RFC 7636 §4.1 requirements.
+/// The verifier is 32 bytes (256 bits) of CSPRNG output, base64url-encoded.
+/// The challenge is the SHA-256 hash of the verifier, base64url-encoded.
+pub fn generate_pkce() -> (String, String) {
+    use rand::RngCore;
+    let mut bytes = [0u8; 32];
+    rand::rngs::OsRng.fill_bytes(&mut bytes);
+    let verifier = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes);
+
+    use sha2::{Digest, Sha256};
+    let digest = Sha256::digest(verifier.as_bytes());
+    let challenge = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(digest);
+
+    (verifier, challenge)
+}
+
+/// Generate a cryptographically random OAuth state parameter (128 bits from OsRng).
+///
+/// Per RFC 6749 §10.12, the state parameter must be unguessable to prevent CSRF.
+pub fn generate_state() -> String {
+    use rand::RngCore;
+    let mut bytes = [0u8; 16];
+    rand::rngs::OsRng.fill_bytes(&mut bytes);
+    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+}
+
+// ─── Tests ───────────────────────────────────────────────────────────────────
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_openai_constants() {
+        assert!(OPENAI_CODEX_AUTH_URL.starts_with("https://"));
+        assert!(OPENAI_CODEX_TOKEN_URL.starts_with("https://"));
+    }
+
+    #[test]
+    fn test_pkce_generation() {
+        let (verifier, challenge) = generate_pkce();
+        assert!(!verifier.is_empty());
+        assert!(!challenge.is_empty());
+        assert_ne!(verifier, challenge);
+        // Verifier should be 43 chars (32 bytes base64url no-pad)
+        assert_eq!(
+            verifier.len(),
+            43,
+            "PKCE verifier must be 43 chars (256-bit base64url)"
+        );
+    }
+
+    #[test]
+    fn test_pkce_uniqueness() {
+        // Two consecutive calls must produce different verifiers (CSPRNG)
+        let (v1, _) = generate_pkce();
+        let (v2, _) = generate_pkce();
+        assert_ne!(v1, v2, "CSPRNG must produce unique verifiers");
+    }
+
+    #[test]
+    fn test_state_uniqueness() {
+        let s1 = generate_state();
+        let s2 = generate_state();
+        assert_ne!(s1, s2, "CSPRNG must produce unique state values");
+    }
+
+    #[test]
+    fn test_url_encode() {
+        assert_eq!(url_encode("hello"), "hello");
+        assert_eq!(url_encode("hello world"), "hello%20world");
+        assert_eq!(url_encode("a=b"), "a%3Db");
+    }
+}
diff --git a/crates/openfang-types/src/config.rs b/crates/openfang-types/src/config.rs
index 698e5f3bc0..0e5ce66e65 100644
--- a/crates/openfang-types/src/config.rs
+++ b/crates/openfang-types/src/config.rs
@@ -1213,6 +1213,11 @@ pub struct AuthConfig {
     pub password_hash: String,
     /// Session token lifetime in hours (default: 168 = 7 days).
     pub session_ttl_hours: u64,
+    /// Allow unauthenticated access when no API key is configured.
+    /// When true (default), matches legacy behavior: no key = open access.
+/// When false, requires auth even if no API key is set (fail-close).
+    #[serde(default = "default_true")]
+    pub allow_no_auth: bool,
 }
 
 impl Default for AuthConfig {
@@ -1222,6 +1227,7 @@ impl Default for AuthConfig {
             username: "admin".to_string(),
             password_hash: String::new(),
             session_ttl_hours: 168,
+            allow_no_auth: true,
         }
     }
 }