diff --git a/backend/internal/auth/codex_api.go b/backend/internal/auth/codex_api.go
index 71ff5b4..235384a 100644
--- a/backend/internal/auth/codex_api.go
+++ b/backend/internal/auth/codex_api.go
@@ -168,7 +168,11 @@ func (c *CodexAPIAuth) callSentinelReq(flow string) error {
 body, _ := json.Marshal(payload)
 req, _ := http.NewRequest("POST", "https://sentinel.openai.com/backend-api/sentinel/req", bytes.NewReader(body))
 req.Header.Set("Content-Type", "application/json")
- req.Header.Set("Accept", "application/json")
+ req.Header.Set("Accept", "*/*")
+ req.Header.Set("Origin", "https://auth.openai.com")
+ req.Header.Set("Sec-Fetch-Dest", "empty")
+ req.Header.Set("Sec-Fetch-Mode", "cors")
+ req.Header.Set("Sec-Fetch-Site", "cross-site")
 resp, err := c.client.Do(req)
 if err != nil {
@@ -238,6 +242,17 @@ func (c *CodexAPIAuth) logError(step AuthStep, format string, args ...interface{
 }
 }
+// setAPIHeaders 设置 API 请求的通用头 (模拟 XHR 请求而非页面导航)
+func (c *CodexAPIAuth) setAPIHeaders(req *http.Request, referer string) {
+ req.Header.Set("Content-Type", "application/json")
+ req.Header.Set("Accept", "*/*")
+ req.Header.Set("Origin", "https://auth.openai.com")
+ req.Header.Set("Referer", referer)
+ req.Header.Set("Sec-Fetch-Dest", "empty")
+ req.Header.Set("Sec-Fetch-Mode", "cors")
+ req.Header.Set("Sec-Fetch-Site", "same-origin")
+}
+
 // ObtainAuthorizationCode 获取授权码
 func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 c.logStep(StepNavigate, "开始 Codex API 授权流程...")
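Review bot: The five `req.Header.Set` lines added to callSentinelReq hard-code the same origin and fetch-metadata literals that setAPIHeaders, added later in this commit, sets again, so the two lists can drift apart unnoticed. A shared constant such as `const authOrigin = "https://auth.openai.com"` referenced from both places would keep them aligned. A one-line comment should also record why this request carries `cross-site` while the helper uses `same-origin`. callSentinelReq starts and ends outside the hunk.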
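Review bot: setAPIHeaders has no English doc comment, and the existing one does not say that the helper overwrites headers already on the request or that `referer` is written verbatim. I would replace it with `// setAPIHeaders sets Content-Type, Accept, Origin, Referer and the Sec-Fetch-* headers on req to fixed values, replacing any already present; referer is used as given.` The receiver `c` is never used in the body, so this could be a package-level function. Where `referer` comes from is outside the hunk; if it is derived from a server response, it should be parsed with `url.Parse` and its host checked before it is sent.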
@@ -292,10 +307,7 @@ func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 emailBody, _ := json.Marshal(emailPayload)
 req, _ = http.NewRequest("POST", "https://auth.openai.com/api/accounts/authorize/continue", bytes.NewReader(emailBody))
- req.Header.Set("Content-Type", "application/json")
- req.Header.Set("Accept", "application/json")
- req.Header.Set("Origin", "https://auth.openai.com")
- req.Header.Set("Referer", referer)
+ c.setAPIHeaders(req, referer)
 req.Header.Set("OpenAI-Sentinel-Token", c.getSentinelHeader("authorize_continue"))
 resp, err = c.client.Do(req)
@@ -330,10 +342,7 @@ func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 pwdBody, _ := json.Marshal(pwdPayload)
 req, _ = http.NewRequest("POST", "https://auth.openai.com/api/accounts/password/verify", bytes.NewReader(pwdBody))
- req.Header.Set("Content-Type", "application/json")
- req.Header.Set("Accept", "application/json")
- req.Header.Set("Origin", "https://auth.openai.com")
- req.Header.Set("Referer", referer)
+ c.setAPIHeaders(req, referer)
 req.Header.Set("OpenAI-Sentinel-Token", c.getSentinelHeader("password_verify"))
 resp, err = c.client.Do(req)
@@ -362,10 +371,7 @@ func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 wsBody, _ := json.Marshal(wsPayload)
 req, _ = http.NewRequest("POST", "https://auth.openai.com/api/accounts/workspace/select", bytes.NewReader(wsBody))
- req.Header.Set("Content-Type", "application/json")
- req.Header.Set("Accept", "application/json")
- req.Header.Set("Origin", "https://auth.openai.com")
- req.Header.Set("Referer", referer)
+ c.setAPIHeaders(req, referer)
 resp, err = c.client.Do(req)
 if err != nil {
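Review bot: Replacing the four `req.Header.Set` lines with `c.setAPIHeaders(req, referer)` is not a pure refactor: `Accept` changes from `application/json` to `*/*` and three `Sec-Fetch-*` headers are added, here and in the password/verify and workspace/select hunks below. With `*/*` the server is no longer asked for JSON, and the response handling after `c.client.Do(req)` is outside these hunks. If that code decodes the body as JSON unconditionally, it should first check `resp.StatusCode` and that `resp.Header.Get("Content-Type")` starts with `application/json`. The helper also dereferences `req` while the error from `http.NewRequest` on the line above is discarded with `_`; returning that error would avoid a nil dereference if the call ever fails.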