failed to start login server: 127.0.0.1:1455 (os error 10013)
Windows itself is blocking the port, not another app. In an admin terminal, run `net stop winnat`, then `codex login`, then `net start winnat` — this reshuffles the reserved port ranges that swallow 1455. For a permanent fix, run `netsh int ipv4 set dynamicport tcp start=49152 num=16384` (repeat for ipv6) and reboot. Or skip the local server: `codex login --device-auth` uses the device-code flow and never binds a port.
On Windows, codex login and the VS Code extension’s ChatGPT sign-in both work by starting a temporary OAuth callback server on 127.0.0.1:1455. When Windows refuses the bind, login dies with os error 10013 — the Winsock code for a socket access attempt forbidden by its permissions — before a browser tab ever opens.
Symptoms
codex loginon Windows fails immediately with this error; the sign-in page never loads.- The VS Code Codex extension’s sign-in fails the same way, sometimes with the Windows message text (“an attempt was made to access a socket in a way forbidden by its access permissions”) in place of the port.
- Port 1455 looks free — no process is listening on it, yet the bind still fails. That rules out the ordinary port-conflict explanation.
If your login server starts fine but the browser then can’t reach localhost:1455/auth/callback, that’s a different failure — see the community thread on the unreachable callback.
Cause
This is a port reservation, not a port conflict. Windows’ NAT service (winnat) auto-reserves blocks of ports for virtual networking — WSL2, Hyper-V, Docker Desktop, VPN clients, Tailscale, Android emulators, and proxy tools all trigger these reservations — and nothing else can bind inside a reserved block. In one documented case the excluded range was 1359–1458, which puts 1455 squarely inside it. Check your own ranges:
netsh interface ipv4 show excludedportrange protocol=tcp
If 1455 falls inside a listed range, you’ve found it.
Fix
-
Temporary (fastest). In an administrator terminal:
net stop winnat, runcodex login, thennet start winnat. Restarting winnat reassigns the excluded ranges, which typically frees 1455. Reservations can drift back over the port later. -
Permanent. Move the dynamic port range to the RFC-standard 49152+ so winnat’s reservations land far from 1455, then reboot:
netsh int ipv4 set dynamicport tcp start=49152 num=16384 netsh int ipv6 set dynamicport tcp start=49152 num=16384 -
Sidestep the port.
codex login --device-authuses the OAuth device-code flow — no local server, no bind. OpenAI’s docs recommend it when networking blocks the localhost callback; you first have to enable device code login in your ChatGPT security settings (workspace admins control it for workspace accounts). -
In the IDE extension, there’s no device-code button yet — that’s an open feature request from February 2026 — so extension users need the winnat route above.
Facts on this page verified July 15, 2026.
- Abolfazl Hosseini (Medium) — Fixing Codex Sign-In Error on Windows: When Dynamic Ports Break OAuth
- logomokona (cnblogs) — VS Code Codex 插件登录失败: os error 10013 的真实原因与修复
- OpenAI Codex docs — Authentication (device code login, SSH port forwarding)
- openai/codex #12263 — Add 'Sign in with Device Code' to handle localhost:1455 OAuth callback issues (open)
- OpenAI community forum — localhost:1455 callback unreachable after sign-in