Summary
Droid/Factory login appears to fail in CodexBar 0.19.0 with:
Not logged in to Factory. Please log in via the CodexBar menu.
But the actual Factory auth is successful. The failure happens later when CodexBar calls:
POST /api/organization/subscription/usage
with a missing/null userId.
Environment
CodexBar: 0.19.0
macOS: macOS
Browser: Chrome
Factory account is logged in and browser cookies/local storage are present
auth.factory.ai cookies include session, access-token, __recent_auth
Chrome local storage includes workos:refresh-token
What I observed
CodexBar successfully gets a valid bearer token and can call:
GET https://api.factory.ai/api/app/auth/me
That request returns 200.
However, the later usage request fails if userId is missing:
POST https://api.factory.ai/api/organization/subscription/usage
Request body that fails
{"useCache":true}
or
{"useCache":true,"userId":null}
Response
{
"detail": "Must be manager to get usage for other users",
"status": 403,
"title": "Forbidden"
}
Request body that succeeds
{"useCache":true,"userId":"user_..."}
This returns 200 with usage data.
Likely root cause
It looks like CodexBar expects auth/me.userProfile.id, but Factory's current auth/me response no longer includes id
under userProfile.
In my current response shape, top-level keys are:
- featureFlags
- organization
- userProfile
And userProfile contains keys like:
- email
- role
- status
- threads
- droidPreferences
but not id.
Because of that, CodexBar likely derives userId = nil, then sends a usage request without the correct user id, which
Factory treats as "other users" access and rejects with 403.
Suggested fix
For the Factory provider, when building the request body for /api/organization/subscription/usage, fall back to the
bearer JWT sub claim if auth/me.userProfile.id is missing.
That would make the request use the current user id even when the auth/me schema changes.
Why the current error is misleading
The current UI/CLI error says:
Not logged in to Factory. Please log in via the CodexBar menu.
But login is actually successful. The real failure is a schema mismatch causing the usage request body to omit userId.
Summary
Droid/Factory login appears to fail in CodexBar 0.19.0 with:
Not logged in to Factory. Please log in via the CodexBar menu.
But the actual Factory auth is successful. The failure happens later when CodexBar calls:
POST /api/organization/subscription/usage
with a missing/null userId.
Environment
CodexBar: 0.19.0
macOS: macOS
Browser: Chrome
Factory account is logged in and browser cookies/local storage are present
auth.factory.ai cookies include session, access-token, __recent_auth
Chrome local storage includes workos:refresh-token
What I observed
CodexBar successfully gets a valid bearer token and can call:
GET https://api.factory.ai/api/app/auth/me
That request returns 200.
However, the later usage request fails if userId is missing:
POST https://api.factory.ai/api/organization/subscription/usage
Request body that fails
{"useCache":true}
or
{"useCache":true,"userId":null}
Response
{
"detail": "Must be manager to get usage for other users",
"status": 403,
"title": "Forbidden"
}
Request body that succeeds
{"useCache":true,"userId":"user_..."}
This returns 200 with usage data.
Likely root cause
It looks like CodexBar expects auth/me.userProfile.id, but Factory's current auth/me response no longer includes id
under userProfile.
In my current response shape, top-level keys are:
And userProfile contains keys like:
but not id.
Because of that, CodexBar likely derives userId = nil, then sends a usage request without the correct user id, which
Factory treats as "other users" access and rejects with 403.
Suggested fix
For the Factory provider, when building the request body for /api/organization/subscription/usage, fall back to the
bearer JWT sub claim if auth/me.userProfile.id is missing.
That would make the request use the current user id even when the auth/me schema changes.
Why the current error is misleading
The current UI/CLI error says:
But login is actually successful. The real failure is a schema mismatch causing the usage request body to omit userId.