Documentation 2026-05-18 22:01 UTC to 2026-05-19 18:43 UTC

1# Agent approvals & security1# Agent approvals & security – Codex

2 2 

3Codex helps protect your code and data and reduces the risk of misuse.3Codex helps protect your code and data and reduces the risk of misuse.

4 4 

5This page covers how to operate Codex safely, including sandboxing, approvals,5This page covers how to operate Codex safely, including sandboxing, approvals,

6 and network access. If you are looking for Codex Security, the product for6and network access. If you are looking for Codex Security, the product for

7 scanning connected GitHub repositories, see [Codex Security](https://developers.openai.com/codex/security).7scanning connected GitHub repositories, see [Codex Security](https://developers.openai.com/codex/security).

8 8 

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

10 10 

28 28 

29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

30 30 

31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn’t a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

32 32 

33## Network access <ElevatedRiskBadge class="ml-2" />33## Network access [Elevated Risk](https://help.openai.com/articles/20001061)

34 34 

35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

36 36 

37For the Codex app, CLI, or IDE Extension, the default `workspace-write` sandbox mode keeps network access turned off unless you enable it in your configuration:37For the Codex app, CLI, or IDE Extension, the default `workspace-write` sandbox mode keeps network access turned off unless you enable it in your configuration:

38 38 

39```toml39```

40[sandbox_workspace_write]40[sandbox_workspace_write]

41network_access = true41network_access = true

42```42```

48already enabled, turn on the `network_proxy` feature to constrain that traffic48already enabled, turn on the `network_proxy` feature to constrain that traffic

49to the network policy you configure.49to the network policy you configure.

50 50 

51```toml51```

52[features.network_proxy]52[features.network_proxy]

53enabled = true53enabled = true

54domains = { "api.openai.com" = "allow", "example.com" = "deny" }54domains = { "api.openai.com" = "allow", "example.com" = "deny" }

57For a one-off CLI session, use the boolean shorthand when you only need the57For a one-off CLI session, use the boolean shorthand when you only need the

58toggle, and the table form when you also set policy options:58toggle, and the table form when you also set policy options:

59 59 

60```bash60```

61codex \61codex \

62 -c 'features.network_proxy=true' \62 -c 'features.network_proxy=true' \

63 -c 'sandbox_workspace_write.network_access=true'63 -c 'sandbox_workspace_write.network_access=true'

137`network_proxy` is off by default. When you enable it:137`network_proxy` is off by default. When you enable it:

138 138 

139| Setting | Default | Behavior |139| Setting | Default | Behavior |

140| -------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |140| --- | --- | --- |

141| `enabled` | `false` | Starts sandboxed networking only when command network access is already on. |141| `enabled` | `false` | Starts sandboxed networking only when command network access is already on. |

142| `domains` | unset | Uses allowlist behavior, so no external destinations are allowed until you add `allow` rules. Supports exact hosts, scoped wildcards, and global `*` allow rules; `deny` always wins. |142| `domains` | unset | Uses allowlist behavior, so no external destinations are allowed until you add `allow` rules. Supports exact hosts, scoped wildcards, and global `*` allow rules; `deny` always wins. |

143| `unix_sockets` | unset | No Unix socket destinations are allowed until you add explicit `allow` rules. |143| `unix_sockets` | unset | No Unix socket destinations are allowed until you add explicit `allow` rules. |

150 150 

151You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:151You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

152 152 

153```toml153```

154web_search = "cached" # default154web_search = "cached" # default

155# web_search = "disabled"155# web_search = "disabled"

156# web_search = "live" # same as --search156# web_search = "live" # same as --search

186This is useful when a workspace should stay writable but specific sensitive186This is useful when a workspace should stay writable but specific sensitive

187files, such as local environment files, must stay unreadable:187files, such as local environment files, must stay unreadable:

188 188 

189```toml189```

190default_permissions = "workspace"190default_permissions = "workspace"

191 191 

192[permissions.workspace.filesystem]192[permissions.workspace.filesystem]

194glob_scan_max_depth = 3194glob_scan_max_depth = 3

195```195```

196 196 

197Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy197Use `"none"` for paths or globs that Codex shouldn’t read. The sandbox policy

198evaluates globs for local macOS and Linux command execution. On platforms that198evaluates globs for local macOS and Linux command execution. On platforms that

199pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for199pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for

200unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and200unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and

204 204 

205You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).205You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

206 206 

207This option works with all `--sandbox` modes, so you still control Codex's level of autonomy. Codex makes a best effort within the constraints you set.207This option works with all `--sandbox` modes, so you still control Codex’s level of autonomy. Codex makes a best effort within the constraints you set.

208 208 

209If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.209If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

210 210 

214 214 

215By default, approval requests route to you:215By default, approval requests route to you:

216 216 

217```toml217```

218approvals_reviewer = "user"218approvals_reviewer = "user"

219```219```

220 220 

223`approvals_reviewer = "auto_review"` to route eligible approval requests223`approvals_reviewer = "auto_review"` to route eligible approval requests

224through a reviewer agent before Codex runs the request:224through a reviewer agent before Codex runs the request:

225 225 

226```toml226```

227approval_policy = "on-request"227approval_policy = "on-request"

228approvals_reviewer = "auto_review"228approvals_reviewer = "auto_review"

229```229```

262### Common sandbox and approval combinations262### Common sandbox and approval combinations

263 263 

264| Intent | Flags / config | Effect |264| Intent | Flags / config | Effect |

265| ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |265| --- | --- | --- |

266| Auto (preset) | _no flags needed_ or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |266| Auto (preset) | *no flags needed* or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

267| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |267| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

268| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |268| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |

269| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |269| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

270| Auto-review mode | `--sandbox workspace-write --ask-for-approval on-request -c approvals_reviewer=auto_review` or `approvals_reviewer = "auto_review"` | Same sandbox boundary as standard on-request mode, but eligible approval requests are reviewed by Auto-review instead of surfacing to the user. |270| Auto-review mode | `--sandbox workspace-write --ask-for-approval on-request -c approvals_reviewer=auto_review` or `approvals_reviewer = "auto_review"` | Same sandbox boundary as standard on-request mode, but eligible approval requests are reviewed by Auto-review instead of surfacing to the user. |

271| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | <ElevatedRiskBadge /> No sandbox; no approvals _(not recommended)_ |271| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |

272 272 

273For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.273For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.

274 274 

278 278 

279For the broader configuration workflow, see [Config basics](https://developers.openai.com/codex/config-basic), [Advanced Config](https://developers.openai.com/codex/config-advanced#approval-policies-and-sandbox-modes), and the [Configuration Reference](https://developers.openai.com/codex/config-reference).279For the broader configuration workflow, see [Config basics](https://developers.openai.com/codex/config-basic), [Advanced Config](https://developers.openai.com/codex/config-advanced#approval-policies-and-sandbox-modes), and the [Configuration Reference](https://developers.openai.com/codex/config-reference).

280 280 

281```toml281```

282# Always ask for approval mode282# Always ask for approval mode

283approval_policy = "untrusted"283approval_policy = "untrusted"

284sandbox_mode = "read-only"284sandbox_mode = "read-only"

300 300 

301You can also save presets as profiles, then select them with `codex --profile <name>`:301You can also save presets as profiles, then select them with `codex --profile <name>`:

302 302 

303```toml303```

304[profiles.full_auto]304[profiles.full_auto]

305approval_policy = "on-request"305approval_policy = "on-request"

306sandbox_mode = "workspace-write"306sandbox_mode = "workspace-write"

314 314 

315To see what happens when a command runs under the Codex sandbox, use these Codex CLI commands:315To see what happens when a command runs under the Codex sandbox, use these Codex CLI commands:

316 316 

317```bash317```

318# macOS318# macOS

319codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...319codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...

320# Linux320# Linux

333- **Linux** uses `bwrap` plus `seccomp` by default.333- **Linux** uses `bwrap` plus `seccomp` by default.

334- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.334- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

335 335 

336If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:336If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it’s available:

337 337 

338```json338```

339{339{

340 "chatgpt.runCodexInWindowsSubsystemForLinux": true340 "chatgpt.runCodexInWindowsSubsystemForLinux": true

341}341}

345 345 

346When running natively on Windows, configure the native sandbox mode in `config.toml`:346When running natively on Windows, configure the native sandbox mode in `config.toml`:

347 347 

348```toml348```

349[windows]349[windows]

350sandbox = "unelevated" # or "elevated"350sandbox = "unelevated" # or "elevated"

351# sandbox_private_desktop = true # default; set false only for compatibility351# sandbox_private_desktop = true # default; set false only for compatibility

364Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.364Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.

365 365 

366Devcontainers provide substantial protection, but they do not prevent every366Devcontainers provide substantial protection, but they do not prevent every

367 attack. If you run Codex with `--sandbox danger-full-access` or367attack. If you run Codex with `--sandbox danger-full-access` or

368 `--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious368`--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious

369 project can exfiltrate anything available inside the devcontainer, including369project can exfiltrate anything available inside the devcontainer, including

370 Codex credentials. Use this pattern only with trusted repositories, and370Codex credentials. Use this pattern only with trusted repositories, and

371 monitor Codex activity as you would in any other elevated environment.371monitor Codex activity as you would in any other elevated environment.

372 372 

373The reference implementation includes:373The reference implementation includes:

374 374 

382 382 

3831. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).3831. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).

3842. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.3842. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.

3853. In VS Code, run **Dev Containers: Open Folder in Container...** and select `.devcontainer/devcontainer.secure.json`.3853. In VS Code, run **Dev Containers: Open Folder in Container…** and select `.devcontainer/devcontainer.secure.json`.

3864. After the container starts, open a terminal and run `codex`.3864. After the container starts, open a terminal and run `codex`.

387 387 

388You can also start the container from the CLI:388You can also start the container from the CLI:

389 389 

390```bash390```

391devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json391devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json

392```392```

393 393 

401 401 

402Inside the container, choose one of these modes:402Inside the container, choose one of these modes:

403 403 

404- Keep Codex's Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.404- Keep Codex’s Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.

405- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.405- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.

406 406 

407## Version control407## Version control

426 426 

427Add an `[otel]` block to your Codex configuration (typically `~/.codex/config.toml`), choosing an exporter and whether to log prompt text.427Add an `[otel]` block to your Codex configuration (typically `~/.codex/config.toml`), choosing an exporter and whether to log prompt text.

428 428 

429```toml429```

430[otel]430[otel]

431environment = "staging" # dev | staging | prod431environment = "staging" # dev | staging | prod

432exporter = "none" # none | otlp-http | otlp-grpc432exporter = "none" # none | otlp-http | otlp-grpc

433log_user_prompt = false # redact prompt text unless policy allows433log_user_prompt = false # redact prompt text unless policy allows

434```434```

435 435 

436- `exporter = "none"` leaves instrumentation active but doesn't send data anywhere.436- `exporter = "none"` leaves instrumentation active but doesn’t send data anywhere.

437- To send events to your own collector, pick one of:437- To send events to your own collector, pick one of:

438 438 

439```toml439```

440[otel]440[otel]

441exporter = { otlp-http = {441exporter = { otlp-http = {

442 endpoint = "https://otel.example.com/v1/logs",442 endpoint = "https://otel.example.com/v1/logs",

445}}445}}

446```446```

447 447 

448```toml448```

449[otel]449[otel]

450exporter = { otlp-grpc = {450exporter = { otlp-grpc = {

451 endpoint = "https://otel.example.com:4317",451 endpoint = "https://otel.example.com:4317",

476- Keep `log_user_prompt = false` unless policy explicitly permits storing prompt contents. Prompts can include source code and sensitive data.476- Keep `log_user_prompt = false` unless policy explicitly permits storing prompt contents. Prompts can include source code and sensitive data.

477- Route telemetry only to collectors you control; apply retention limits and access controls aligned with your compliance requirements.477- Route telemetry only to collectors you control; apply retention limits and access controls aligned with your compliance requirements.

478- Treat tool arguments and outputs as sensitive. Favor redaction at the collector or SIEM when possible.478- Treat tool arguments and outputs as sensitive. Favor redaction at the collector or SIEM when possible.

479- Review local data retention settings (for example, `history.persistence` / `history.max_bytes`) if you don't want Codex to save session transcripts under `CODEX_HOME`. See [Advanced Config](https://developers.openai.com/codex/config-advanced#history-persistence) and [Configuration Reference](https://developers.openai.com/codex/config-reference).479- Review local data retention settings (for example, `history.persistence` / `history.max_bytes`) if you don’t want Codex to save session transcripts under `CODEX_HOME`. See [Advanced Config](https://developers.openai.com/codex/config-advanced#history-persistence) and [Configuration Reference](https://developers.openai.com/codex/config-reference).

480- If you run the CLI with network access turned off, OTel export can't reach your collector. To export, allow network access in `workspace-write` mode for the OTel endpoint, or export from Codex cloud with the collector domain on your approved list.480- If you run the CLI with network access turned off, OTel export can’t reach your collector. To export, allow network access in `workspace-write` mode for the OTel endpoint, or export from Codex cloud with the collector domain on your approved list.

481- Review events periodically for approval/sandbox changes and unexpected tool executions.481- Review events periodically for approval/sandbox changes and unexpected tool executions.

482 482 

483OTel is optional and designed to complement, not replace, the sandbox and approval protections described above.483OTel is optional and designed to complement, not replace, the sandbox and approval protections described above.

1# Codex app1# App – Codex

2 2 

3The Codex app is a focused desktop experience for working on Codex threads in parallel, with built-in worktree support, automations, and Git functionality.3The Codex app is a focused desktop experience for working on Codex threads in parallel, with built-in worktree support, automations, and Git functionality.

4 4 

5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what’s included](https://developers.openai.com/codex/pricing).

6 6 

7<PlatformSpecificContent>7![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)

8 <CodexScreenshot8 

9 slot="windows"9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)

10 alt="Codex app for Windows showing a project sidebar, active thread, and review pane"

11 lightSrc="/images/codex/windows/codex-windows-light.webp"

12 darkSrc="/images/codex/windows/codex-windows-dark.webp"

13 variant="no-wallpaper"

14 maxHeight="300px"

15 />

16 <CodexScreenshot

17 alt="Codex app window with a project sidebar, active thread, and review pane"

18 lightSrc="/images/codex/app/app-screenshot-light.webp"

19 darkSrc="/images/codex/app/app-screenshot-dark.webp"

20 variant="no-wallpaper"

21 maxHeight="300px"

22 />

23</PlatformSpecificContent>

24 10 

25## Getting started11## Getting started

26 12 

29Most Codex app features are available on both platforms. Platform-specific15Most Codex app features are available on both platforms. Platform-specific

30exceptions are noted in the relevant docs.16exceptions are noted in the relevant docs.

31 17 

32<WorkflowSteps variant="headings">

331. Download and install the Codex app181. Download and install the Codex app

34 19 

35 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.20 Download the Codex app for macOS or Windows. Choose the Intel build if you’re using an Intel-based Mac.

36 21 

37 <CodexAppDownloadCta client:load className="mb-4" />22 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)

38 23 

39 <div class="text-sm">24 Need a different operating system?

40 [Get notified for Linux](https://openai.com/form/codex-app/)

41 </div>

42 25 

26 [Download for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi)

27 

28 [Get notified for Linux](https://openai.com/form/codex-app/)

432. Open Codex and sign in292. Open Codex and sign in

44 30 

45 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.31 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

50 35 

51 Choose a project folder that you want Codex to work in.36 Choose a project folder that you want Codex to work in.

52 37 

53If you used the Codex app, CLI, or IDE Extension before you'll see past projects that you worked on.38If you used the Codex app, CLI, or IDE Extension before you’ll see past projects that you worked on.

54 39 

554. Send your first message404. Send your first message

56 41 

58 43 

59 You can ask Codex anything about the project or your computer in general. Here are some examples:44 You can ask Codex anything about the project or your computer in general. Here are some examples:

60 45 

61 <ExampleGallery>46- Tell me about this project

62 <ExampleTask47- Build a classic Snake game in this repo.

63 client:load48- Find and fix bugs in my codebase with minimal, high-confidence changes.

64 id="intro"

65 prompt="Tell me about this project"

66 iconName="brain"

67 />

68 <ExampleTask

69 client:load

70 id="snake-game"

71 shortDescription="Build a classic Snake game in this repo."

72 prompt={[

73 "Build a classic Snake game in this repo.",

74 "",

75 "Scope & constraints:",

76 "- Implement ONLY the classic Snake loop: grid movement, growing snake, food spawn, score, game-over, restart.",

77 "- Reuse existing project tooling/frameworks; do NOT add new dependencies unless truly required.",

78 "- Keep UI minimal and consistent with the repo’s existing styles (no new design systems, no extra animations).",

79 "",

80 "Implementation plan:",

81 "1) Inspect the repo to find the right place to add a small interactive game (existing pages/routes/components).",

82 "2) Implement game state (snake positions, direction, food, score, tick timer) with deterministic, testable logic.",

83 "3) Render: simple grid + snake + food; support keyboard controls (arrow keys/WASD) and on-screen controls if mobile is present in the repo.",

84 "4) Add basic tests for the core game logic (movement, collisions, growth, food placement) if the repo has a test runner.",

85 "",

86 "Deliverables:",

87 "- A small set of files/changes with clear names.",

88 "- Short run instructions (how to start dev server + where to navigate).",

89 "- A brief checklist of what to manually verify (controls, pause/restart, boundaries).",

90 ].join("\n")}

91 iconName="gamepad"

92 />

93 <ExampleTask

94 client:load

95 id="fix-bugs"

96 shortDescription="Find and fix bugs in my codebase with minimal, high-confidence changes."

97 prompt={[

98 "Find and fix bugs in my codebase with minimal, high-confidence changes.",

99 "",

100 "Method (grounded + disciplined):",

101 "1) Reproduce: run tests/lint/build (or follow the existing repo scripts). If I provided an error, reproduce that exact failure.",

102 "2) Localize: identify the smallest set of files/lines involved (stack traces, failing tests, logs).",

103 "3) Fix: implement the minimal change that resolves the issue without refactors or unrelated cleanup.",

104 "4) Prove: add/update a focused test (or a tight repro) that fails before and passes after.",

105 "",

106 "Constraints:",

107 "- Do NOT invent errors or pretend to run commands you cannot run.",

108 "- No scope drift: no new features, no UI embellishments, no style overhauls.",

109 "- If information is missing, state what you can confirm from the repo and what remains unknown.",

110 "",

111 "Output:",

112 "- Summary (3–6 sentences max): what was broken, why, and the fix.",

113 "- Then ≤5 bullets: What changed, Where (paths), Evidence (tests/logs), Risks, Next steps.",

114 ].join("\n")}

115 iconName="search"

116 />

117 </ExampleGallery>

118 49 

119 If you need more inspiration, explore [Codex use cases](https://developers.openai.com/codex/use-cases).50 If you need more inspiration, explore [Codex use cases](https://developers.openai.com/codex/use-cases).

120 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).51 If you’re new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

121 

122</WorkflowSteps>

123 52 

124---53---

125 54 

126## Work with the Codex app55## Work with the Codex app

127 56 

128<BentoContainer class="mt-6">57[### Multitask across projects

129 <BentoContent href="/codex/app/features#multitask-across-projects">

130 

131### Multitask across projects

132 

133Run project threads side by side and switch between them quickly.

134 58 

135 </BentoContent>59Run project threads side by side and switch between them quickly.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Worktrees

136 <BentoContent href="/codex/app/worktrees">

137 60 

138### Worktrees61Keep parallel code changes isolated with built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Remote connections

139 

140Keep parallel code changes isolated with built-in Git worktree support.

141 

142 </BentoContent>

143 <BentoContent href="/codex/remote-connections">

144 

145### Remote connections

146 62 

147Use the ChatGPT mobile app to start, steer, approve, and review Codex work on a63Use the ChatGPT mobile app to start, steer, approve, and review Codex work on a

148connected host.64connected host.](https://developers.openai.com/codex/remote-connections)[### Computer use

149 

150 </BentoContent>

151 <BentoContent href="/codex/app/computer-use">

152 

153### Computer use

154 

155Let Codex use macOS apps for GUI tasks, browser flows, and native app testing.

156 

157 </BentoContent>

158 <BentoContent href="/codex/app/review">

159 

160### Review and ship changes

161 

162Inspect diffs, address PR feedback, stage files, commit, and push.

163 65 

164 </BentoContent>66Let Codex use macOS apps for GUI tasks, browser flows, and native app testing.](https://developers.openai.com/codex/app/computer-use)[### Review and ship changes

165 <BentoContent href="/codex/app/features#integrated-terminal">

166 67 

167### Terminal and actions68Inspect diffs, address PR feedback, stage files, commit, and push.](https://developers.openai.com/codex/app/review)[### Terminal and actions

168 69 

169Run commands in each thread and launch repeatable project actions.70Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser

170 71 

171 </BentoContent>72Open rendered pages, leave comments, or let Codex operate local browser flows.](https://developers.openai.com/codex/app/browser)[### Chrome extension

172 <BentoContent href="/codex/app/browser">

173 73 

174### In-app browser74Add the Chrome plugin so Codex can use Chrome for signed-in browser tasks while you manage website approvals.](https://developers.openai.com/codex/app/chrome-extension)[### Image generation

175 75 

176Open rendered pages, leave comments, or let Codex operate local browser flows.76Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations

177 77 

178 </BentoContent>78Schedule recurring tasks, or wake up the same thread for ongoing checks.](https://developers.openai.com/codex/app/automations)[### Skills

179 <BentoContent href="/codex/app/chrome-extension">

180 79 

181### Chrome extension80Reuse instructions and workflows across the app, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Sidebar and artifacts

182 81 

183Add the Chrome plugin so Codex can use Chrome for signed-in browser tasks while you manage website approvals.82Follow plans, sources, task summaries, and generated file previews.](https://developers.openai.com/codex/app/features#richer-outputs-and-artifacts)[### Plugins

184 83 

185 </BentoContent>84Connect apps, skills, and MCP servers to extend what Codex can do.](https://developers.openai.com/codex/plugins)[### IDE Extension sync

186 <BentoContent href="/codex/app/features#image-generation">

187 85 

188### Image generation86Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)

189 

190Generate or edit images in a thread while you work on the surrounding code and assets.

191 

192 </BentoContent>

193 <BentoContent href="/codex/app/automations">

194 

195### Automations

196 

197Schedule recurring tasks, or wake up the same thread for ongoing checks.

198 

199 </BentoContent>

200 <BentoContent href="/codex/app/features#skills-support">

201 

202### Skills

203 

204Reuse instructions and workflows across the app, CLI, and IDE Extension.

205 

206 </BentoContent>

207 <BentoContent href="/codex/app/features#richer-outputs-and-artifacts">

208 

209### Sidebar and artifacts

210 

211Follow plans, sources, task summaries, and generated file previews.

212 

213 </BentoContent>

214 <BentoContent href="/codex/plugins">

215 

216### Plugins

217 

218Connect apps, skills, and MCP servers to extend what Codex can do.

219 

220 </BentoContent>

221 <BentoContent href="/codex/app/features#sync-with-the-ide-extension">

222 

223### IDE Extension sync

224 

225Share Auto Context and active threads across app and IDE sessions.

226 

227 </BentoContent>

228</BentoContainer>

229 87 

230---88---

231 89 

1# Codex App Server1# App Server – Codex

2 2 

3Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.3Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.

4 4 

5If you are automating jobs or running Codex in CI, use the5If you are automating jobs or running Codex in CI, use the

6 <a href="/codex/sdk">Codex SDK</a> instead.6[Codex SDK](https://developers.openai.com/codex/sdk) instead.

7 7 

8## Protocol8## Protocol

9 9 

15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one

16 JSON-RPC message per WebSocket text frame.16 JSON-RPC message per WebSocket text frame.

17- Unix socket (`--listen unix://` or `--listen unix://PATH`): WebSocket17- Unix socket (`--listen unix://` or `--listen unix://PATH`): WebSocket

18 connections over Codex's default app-server control socket or a custom Unix18 connections over Codex’s default app-server control socket or a custom Unix

19 socket path, using the standard HTTP Upgrade handshake.19 socket path, using the standard HTTP Upgrade handshake.

20- `off` (`--listen off`): don't expose a local transport.20- `off` (`--listen off`): don’t expose a local transport.

21 21 

22When you run with `--listen ws://IP:PORT`, the same listener also serves basic22When you run with `--listen ws://IP:PORT`, the same listener also serves basic

23HTTP health probes:23HTTP health probes:

24 24 

25- `GET /readyz` returns `200 OK` once the listener accepts new connections.25- `GET /readyz` returns `200 OK` once the listener accepts new connections.

26- `GET /healthz` returns `200 OK` when the request doesn't include an `Origin`26- `GET /healthz` returns `200 OK` when the request doesn’t include an `Origin`

27 header.27 header.

28- Requests with an `Origin` header are rejected with `403 Forbidden`.28- Requests with an `Origin` header are rejected with `403 Forbidden`.

29 29 

58 58 

59Requests include `method`, `params`, and `id`:59Requests include `method`, `params`, and `id`:

60 60 

61```json61```

62{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.4" } }62{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.4" } }

63```63```

64 64 

65Responses echo the `id` with either `result` or `error`:65Responses echo the `id` with either `result` or `error`:

66 66 

67```json67```

68{ "id": 10, "result": { "thread": { "id": "thr_123" } } }68{ "id": 10, "result": { "thread": { "id": "thr_123" } } }

69```69```

70 70 

71```json71```

72{ "id": 10, "error": { "code": 123, "message": "Something went wrong" } }72{ "id": 10, "error": { "code": 123, "message": "Something went wrong" } }

73```73```

74 74 

75Notifications omit `id` and use only `method` and `params`:75Notifications omit `id` and use only `method` and `params`:

76 76 

77```json77```

78{ "method": "turn/started", "params": { "turn": { "id": "turn_456" } } }78{ "method": "turn/started", "params": { "turn": { "id": "turn_456" } } }

79```79```

80 80 

81You can generate a TypeScript schema or a JSON Schema bundle from the CLI. Each output is specific to the Codex version you ran, so the generated artifacts match that version exactly:81You can generate a TypeScript schema or a JSON Schema bundle from the CLI. Each output is specific to the Codex version you ran, so the generated artifacts match that version exactly:

82 82 

83```bash83```

84codex app-server generate-ts --out ./schemas84codex app-server generate-ts --out ./schemas

85codex app-server generate-json-schema --out ./schemas85codex app-server generate-json-schema --out ./schemas

86```86```

95 95 

96Example (Node.js / TypeScript):96Example (Node.js / TypeScript):

97 97 

98```ts98```

99 99import { spawn } from "node:child_process";

100 100import readline from "node:readline";

101 101 

102const proc = spawn("codex", ["app-server"], {102const proc = spawn("codex", ["app-server"], {

103 stdio: ["pipe", "pipe", "inherit"],103 stdio: ["pipe", "pipe", "inherit"],

171 171 

172Example (from the Codex VS Code extension):172Example (from the Codex VS Code extension):

173 173 

174```json174```

175{175{

176 "method": "initialize",176 "method": "initialize",

177 "id": 0,177 "id": 0,

187 187 

188Example with notification opt-out:188Example with notification opt-out:

189 189 

190```json190```

191{191{

192 "method": "initialize",192 "method": "initialize",

193 "id": 1,193 "id": 1,

212- Omit `capabilities` (or set `experimentalApi` to `false`) to stay on the stable API surface, and the server rejects experimental methods/fields.212- Omit `capabilities` (or set `experimentalApi` to `false`) to stay on the stable API surface, and the server rejects experimental methods/fields.

213- Set `capabilities.experimentalApi` to `true` to enable experimental methods and fields.213- Set `capabilities.experimentalApi` to `true` to enable experimental methods and fields.

214 214 

215```json215```

216{216{

217 "method": "initialize",217 "method": "initialize",

218 "id": 1,218 "id": 1,

240- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread. Returned threads include `forkedFromId` when available.240- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread. Returned threads include `forkedFromId` when available.

241- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.241- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

242- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.242- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.

243- `thread/turns/list` - page through a stored thread's turn history without resuming it. `itemsView` controls whether turn items are omitted, summarized, or fully loaded.243- `thread/turns/list` - page through a stored thread’s turn history without resuming it. `itemsView` controls whether turn items are omitted, summarized, or fully loaded.

244- `thread/turns/items/list` - reserved for paged turn-item loading; currently returns unsupported.244- `thread/turns/items/list` - reserved for paged turn-item loading; currently returns unsupported.

245- `thread/loaded/list` - list the thread ids currently loaded in memory.245- `thread/loaded/list` - list the thread ids currently loaded in memory.

246- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.246- `thread/name/set` - set or update a thread’s user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

247- `thread/goal/set` - set the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/updated`.247- `thread/goal/set` - set the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/updated`.

248- `thread/goal/get` - read the current goal for a loaded thread (experimental; requires `capabilities.experimentalApi`).248- `thread/goal/get` - read the current goal for a loaded thread (experimental; requires `capabilities.experimentalApi`).

249- `thread/goal/clear` - clear the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/cleared`.249- `thread/goal/clear` - clear the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/cleared`.

250- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.250- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.

251- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.251- `thread/archive` - move a thread’s log file into the archived directory; returns `{}` on success and emits `thread/archived`.

252- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.252- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.

253- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.253- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

254- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.254- `thread/status/changed` - notification emitted when a loaded thread’s runtime `status` changes.

255- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.255- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

256- `thread/shellCommand` - run a user-initiated shell command against a thread. This runs outside the sandbox with full access and doesn't inherit the thread sandbox policy.256- `thread/shellCommand` - run a user-initiated shell command against a thread. This runs outside the sandbox with full access and doesn’t inherit the thread sandbox policy.

257- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).257- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

258- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.258- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

259- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."259- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means “use built-in instructions for the selected mode.”

260- `thread/inject_items` - append raw Responses API items to a loaded thread's model-visible history without starting a user turn.260- `thread/inject_items` - append raw Responses API items to a loaded thread’s model-visible history without starting a user turn.

261- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.261- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

262- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.262- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

263- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.263- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

266- `command/exec/resize` - resize a running PTY-backed `command/exec` session.266- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

267- `command/exec/terminate` - stop a running `command/exec` session.267- `command/exec/terminate` - stop a running `command/exec` session.

268- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.268- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.

269- `process/spawn` - start an explicit process session outside Codex's sandbox (experimental; requires `capabilities.experimentalApi`).269- `process/spawn` - start an explicit process session outside Codex’s sandbox (experimental; requires `capabilities.experimentalApi`).

270- `process/writeStdin` - write stdin bytes to a running `process/spawn` session or close stdin (experimental).270- `process/writeStdin` - write stdin bytes to a running `process/spawn` session or close stdin (experimental).

271- `process/resizePty` - resize a running PTY-backed process session (experimental).271- `process/resizePty` - resize a running PTY-backed process session (experimental).

272- `process/kill` - terminate a running process session (experimental).272- `process/kill` - terminate a running process session (experimental).

278- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).278- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

279- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).279- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

280- `skills/changed` (notify) - emitted when watched local skill files change.280- `skills/changed` (notify) - emitted when watched local skill files change.

281- `marketplace/add` - add a remote plugin marketplace and persist it into the user's marketplace config.281- `marketplace/add` - add a remote plugin marketplace and persist it into the user’s marketplace config.

282- `marketplace/upgrade` - refresh a configured Git marketplace, or all configured Git marketplaces when you omit the marketplace name.282- `marketplace/upgrade` - refresh a configured Git marketplace, or all configured Git marketplaces when you omit the marketplace name.

283- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.283- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.

284- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.284- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.

291- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.291- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

292- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.292- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

293- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.293- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

294- `mcpServer/tool/call` - call a tool on a thread's configured MCP server.294- `mcpServer/tool/call` - call a tool on a thread’s configured MCP server.

295- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread.295- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server’s startup status changes for a loaded thread.

296- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.296- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

297- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).297- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

298- `config/read` - fetch the effective configuration on disk after resolving configuration layering.298- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

299- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).299- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

300- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home). Supported item types include config, skills, `AGENTS.md`, plugins, MCP server config, subagents, hooks, commands, and sessions; plugin imports emit `externalAgentConfig/import/completed`.300- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home). Supported item types include config, skills, `AGENTS.md`, plugins, MCP server config, subagents, hooks, commands, and sessions; plugin imports emit `externalAgentConfig/import/completed`.

301- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.301- `config/value/write` - write a single configuration key/value to the user’s `config.toml` on disk.

302- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.302- `config/batchWrite` - apply configuration edits atomically to the user’s `config.toml` on disk.

303- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).303- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven’t set any up).

304- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.304- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.

305 305 

306Plugin summaries include a `source` union. Local plugins return306Plugin summaries include a `source` union. Local plugins return

317 317 

318Call `model/list` to discover available models and their capabilities before rendering model or personality selectors.318Call `model/list` to discover available models and their capabilities before rendering model or personality selectors.

319 319 

320```json320```

321{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }321{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }

322{ "id": 6, "result": {322{ "id": 6, "result": {

323 "data": [{323 "data": [{

357 357 

358Use this endpoint to discover feature flags with metadata and lifecycle stage:358Use this endpoint to discover feature flags with metadata and lifecycle stage:

359 359 

360```json360```

361{ "method": "experimentalFeature/list", "id": 7, "params": { "limit": 20 } }361{ "method": "experimentalFeature/list", "id": 7, "params": { "limit": 20 } }

362{ "id": 7, "result": {362{ "id": 7, "result": {

363 "data": [{363 "data": [{

378## Threads378## Threads

379 379 

380- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.380- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.

381- `thread/turns/list` pages through a stored thread's turn history without381- `thread/turns/list` pages through a stored thread’s turn history without

382 resuming it. Use `itemsView` to choose whether turn items are omitted,382 resuming it. Use `itemsView` to choose whether turn items are omitted,

383 summarized, or fully loaded.383 summarized, or fully loaded.

384- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.384- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.

385- `thread/loaded/list` returns the thread IDs currently in memory.385- `thread/loaded/list` returns the thread IDs currently in memory.

386- `thread/archive` moves the thread's persisted JSONL log into the archived directory.386- `thread/archive` moves the thread’s persisted JSONL log into the archived directory.

387- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.387- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.

388- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.388- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.

389- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.389- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

390- `thread/compact/start` triggers compaction and returns `{}` immediately.390- `thread/compact/start` triggers compaction and returns `{}` immediately.

391- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.391- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread’s persisted JSONL log.

392- `thread/inject_items` appends raw Responses API items to a loaded thread's model-visible history without starting a user turn.392- `thread/inject_items` appends raw Responses API items to a loaded thread’s model-visible history without starting a user turn.

393 393 

394### Start or resume a thread394### Start or resume a thread

395 395 

396Start a fresh thread when you need a new Codex conversation.396Start a fresh thread when you need a new Codex conversation.

397 397 

398```json398```

399{ "method": "thread/start", "id": 10, "params": {399{ "method": "thread/start", "id": 10, "params": {

400 "model": "gpt-5.4",400 "model": "gpt-5.4",

401 "cwd": "/Users/me/project",401 "cwd": "/Users/me/project",

417{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }417{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }

418```418```

419 419 

420`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration's service name.420`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration’s service name.

421 421 

422`thread.sessionId` identifies the current live session tree root. Root threads422`thread.sessionId` identifies the current live session tree root. Root threads

423use their own thread id as the session id; forked threads keep the session id423use their own thread id as the session id; forked threads keep the session id

426 426 

427To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:427To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:

428 428 

429```json429```

430{ "method": "thread/resume", "id": 11, "params": {430{ "method": "thread/resume", "id": 11, "params": {

431 "threadId": "thr_123",431 "threadId": "thr_123",

432 "personality": "friendly"432 "personality": "friendly"

434{ "id": 11, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false } } }434{ "id": 11, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false } } }

435```435```

436 436 

437Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.437Resuming a thread doesn’t update `thread.updatedAt` (or the rollout file’s modified time) by itself. The timestamp updates when you start a turn.

438 438 

439If you mark an enabled MCP server as `required` in config and that server fails to initialize, `thread/start` and `thread/resume` fail instead of continuing without it.439If you mark an enabled MCP server as `required` in config and that server fails to initialize, `thread/start` and `thread/resume` fail instead of continuing without it.

440 440 

441`dynamicTools` on `thread/start` is an experimental field (requires `capabilities.experimentalApi = true`). Codex persists these dynamic tools in the thread rollout metadata and restores them on `thread/resume` when you don't supply new dynamic tools.441`dynamicTools` on `thread/start` is an experimental field (requires `capabilities.experimentalApi = true`). Codex persists these dynamic tools in the thread rollout metadata and restores them on `thread/resume` when you don’t supply new dynamic tools.

442 442 

443If you resume with a different model than the one recorded in the rollout, Codex emits a warning and applies a one-time model-switch instruction on the next turn.443If you resume with a different model than the one recorded in the rollout, Codex emits a warning and applies a one-time model-switch instruction on the next turn.

444 444 

448and require `capabilities.experimentalApi = true` plus the `goals` feature. Use448and require `capabilities.experimentalApi = true` plus the `goals` feature. Use

449them for the same persisted goal state surfaced by `/goal` in the TUI.449them for the same persisted goal state surfaced by `/goal` in the TUI.

450 450 

451```json451```

452{ "method": "thread/goal/set", "id": 13, "params": {452{ "method": "thread/goal/set", "id": 13, "params": {

453 "threadId": "thr_123",453 "threadId": "thr_123",

454 "objective": "Finish the migration and keep tests green",454 "objective": "Finish the migration and keep tests green",

483 483 

484To branch from a stored session, call `thread/fork` with the `thread.id`. This creates a new thread id and emits a `thread/started` notification for it:484To branch from a stored session, call `thread/fork` with the `thread.id`. This creates a new thread id and emits a `thread/started` notification for it:

485 485 

486```json486```

487{ "method": "thread/fork", "id": 12, "params": { "threadId": "thr_123" } }487{ "method": "thread/fork", "id": 12, "params": { "threadId": "thr_123" } }

488{ "id": 12, "result": { "thread": { "id": "thr_456", "sessionId": "thr_123", "forkedFromId": "thr_123" } } }488{ "id": 12, "result": { "thread": { "id": "thr_456", "sessionId": "thr_123", "forkedFromId": "thr_123" } } }

489{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }489{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }

493 493 

494### Read a stored thread (without resuming)494### Read a stored thread (without resuming)

495 495 

496Use `thread/read` when you want stored thread data but don't want to resume the thread or subscribe to its events.496Use `thread/read` when you want stored thread data but don’t want to resume the thread or subscribe to its events.

497 497 

498- `includeTurns` - when `true`, the response includes the thread's turns; when `false` or omitted, you get the thread summary only.498- `includeTurns` - when `true`, the response includes the thread’s turns; when `false` or omitted, you get the thread summary only.

499- Returned `thread` objects include runtime `status` (`notLoaded`, `idle`, `systemError`, or `active` with `activeFlags`).499- Returned `thread` objects include runtime `status` (`notLoaded`, `idle`, `systemError`, or `active` with `activeFlags`).

500 500 

501```json501```

502{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }502{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }

503{ "id": 19, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false, "status": { "type": "notLoaded" }, "turns": [] } } }503{ "id": 19, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false, "status": { "type": "notLoaded" }, "turns": [] } } }

504```504```

505 505 

506Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.506Unlike `thread/resume`, `thread/read` doesn’t load the thread into memory or emit `thread/started`.

507 507 

508### List thread turns508### List thread turns

509 509 

510Use `thread/turns/list` to page a stored thread's turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.510Use `thread/turns/list` to page a stored thread’s turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.

511 511 

512`itemsView` controls how much turn-item data the response includes:512`itemsView` controls how much turn-item data the response includes:

513 513 

515- `summary` returns summarized item data and is the default when omitted.515- `summary` returns summarized item data and is the default when omitted.

516- `full` returns full item data.516- `full` returns full item data.

517 517 

518```json518```

519{ "method": "thread/turns/list", "id": 20, "params": {519{ "method": "thread/turns/list", "id": 20, "params": {

520 "threadId": "thr_123",520 "threadId": "thr_123",

521 "limit": 50,521 "limit": 50,

560 560 

561Example:561Example:

562 562 

563```json563```

564{ "method": "thread/list", "id": 20, "params": {564{ "method": "thread/list", "id": 20, "params": {

565 "cursor": null,565 "cursor": null,

566 "limit": 25,566 "limit": 25,

581 581 

582Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.582Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.

583 583 

584```json584```

585{ "method": "thread/metadata/update", "id": 21, "params": {585{ "method": "thread/metadata/update", "id": 21, "params": {

586 "threadId": "thr_123",586 "threadId": "thr_123",

587 "gitInfo": { "branch": "feature/sidebar-pr" }587 "gitInfo": { "branch": "feature/sidebar-pr" }

596 596 

597### Track thread status changes597### Track thread status changes

598 598 

599`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.599`thread/status/changed` is emitted whenever a loaded thread’s runtime status changes. The payload includes `threadId` and the new `status`.

600 600 

601```json601```

602{602{

603 "method": "thread/status/changed",603 "method": "thread/status/changed",

604 "params": {604 "params": {

612 612 

613`thread/loaded/list` returns thread IDs currently loaded in memory.613`thread/loaded/list` returns thread IDs currently loaded in memory.

614 614 

615```json615```

616{ "method": "thread/loaded/list", "id": 21 }616{ "method": "thread/loaded/list", "id": 21 }

617{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }617{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }

618```618```

619 619 

620### Unsubscribe from a loaded thread620### Unsubscribe from a loaded thread

621 621 

622`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:622`thread/unsubscribe` removes the current connection’s subscription to a thread. The response status is one of:

623 623 

624- `unsubscribed` when the connection was subscribed and is now removed.624- `unsubscribed` when the connection was subscribed and is now removed.

625- `notSubscribed` when the connection wasn't subscribed to that thread.625- `notSubscribed` when the connection wasn’t subscribed to that thread.

626- `notLoaded` when the thread isn't loaded.626- `notLoaded` when the thread isn’t loaded.

627 627 

628If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.628If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

629 629 

630```json630```

631{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }631{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

632{ "id": 22, "result": { "status": "unsubscribed" } }632{ "id": 22, "result": { "status": "unsubscribed" } }

633```633```

634 634 

635If the thread later expires:635If the thread later expires:

636 636 

637```json637```

638{ "method": "thread/status/changed", "params": {638{ "method": "thread/status/changed", "params": {

639 "threadId": "thr_123",639 "threadId": "thr_123",

640 "status": { "type": "notLoaded" }640 "status": { "type": "notLoaded" }

646 646 

647Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.647Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.

648 648 

649```json649```

650{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }650{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }

651{ "id": 22, "result": {} }651{ "id": 22, "result": {} }

652{ "method": "thread/archived", "params": { "threadId": "thr_b" } }652{ "method": "thread/archived", "params": { "threadId": "thr_b" } }

653```653```

654 654 

655Archived threads won't appear in future calls to `thread/list` unless you pass `archived: true`.655Archived threads won’t appear in future calls to `thread/list` unless you pass `archived: true`.

656 656 

657### Unarchive a thread657### Unarchive a thread

658 658 

659Use `thread/unarchive` to move an archived thread rollout back into the active sessions directory.659Use `thread/unarchive` to move an archived thread rollout back into the active sessions directory.

660 660 

661```json661```

662{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }662{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }

663{ "id": 24, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes" } } }663{ "id": 24, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes" } } }

664{ "method": "thread/unarchived", "params": { "threadId": "thr_b" } }664{ "method": "thread/unarchived", "params": { "threadId": "thr_b" } }

670 670 

671App-server emits progress as standard `turn/*` and `item/*` notifications on the same `threadId`, including a `contextCompaction` item lifecycle (`item/started` then `item/completed`).671App-server emits progress as standard `turn/*` and `item/*` notifications on the same `threadId`, including a `contextCompaction` item lifecycle (`item/started` then `item/completed`).

672 672 

673```json673```

674{ "method": "thread/compact/start", "id": 25, "params": { "threadId": "thr_b" } }674{ "method": "thread/compact/start", "id": 25, "params": { "threadId": "thr_b" } }

675{ "id": 25, "result": {} }675{ "id": 25, "result": {} }

676```676```

679 679 

680Use `thread/shellCommand` for user-initiated shell commands that belong to a thread. The request returns immediately with `{}` while progress streams through standard `turn/*` and `item/*` notifications.680Use `thread/shellCommand` for user-initiated shell commands that belong to a thread. The request returns immediately with `{}` while progress streams through standard `turn/*` and `item/*` notifications.

681 681 

682This API runs outside the sandbox with full access and doesn't inherit the thread sandbox policy. Clients should expose it only for explicit user-initiated commands.682This API runs outside the sandbox with full access and doesn’t inherit the thread sandbox policy. Clients should expose it only for explicit user-initiated commands.

683 683 

684If the thread already has an active turn, the command runs as an auxiliary action on that turn and its formatted output is injected into the turn's message stream. If the thread is idle, app-server starts a standalone turn for the shell command.684If the thread already has an active turn, the command runs as an auxiliary action on that turn and its formatted output is injected into the turn’s message stream. If the thread is idle, app-server starts a standalone turn for the shell command.

685 685 

686```json686```

687{ "method": "thread/shellCommand", "id": 26, "params": { "threadId": "thr_b", "command": "git status --short" } }687{ "method": "thread/shellCommand", "id": 26, "params": { "threadId": "thr_b", "command": "git status --short" } }

688{ "id": 26, "result": {} }688{ "id": 26, "result": {} }

689```689```

692 692 

693Use `thread/backgroundTerminals/clean` to stop all running background terminals associated with a thread. This method is experimental and requires `capabilities.experimentalApi = true`.693Use `thread/backgroundTerminals/clean` to stop all running background terminals associated with a thread. This method is experimental and requires `capabilities.experimentalApi = true`.

694 694 

695```json695```

696{ "method": "thread/backgroundTerminals/clean", "id": 27, "params": { "threadId": "thr_b" } }696{ "method": "thread/backgroundTerminals/clean", "id": 27, "params": { "threadId": "thr_b" } }

697{ "id": 27, "result": {} }697{ "id": 27, "result": {} }

698```698```

701 701 

702Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.702Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.

703 703 

704```json704```

705{ "method": "thread/rollback", "id": 28, "params": { "threadId": "thr_b", "numTurns": 1 } }705{ "method": "thread/rollback", "id": 28, "params": { "threadId": "thr_b", "numTurns": 1 } }

706{ "id": 28, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }706{ "id": 28, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }

707```707```

716 716 

717You can override configuration settings per turn (model, effort, personality, `cwd`, sandbox policy, summary). When specified, these settings become the defaults for later turns on the same thread. `outputSchema` applies only to the current turn. For `sandboxPolicy.type = "externalSandbox"`, set `networkAccess` to `restricted` or `enabled`; for `workspaceWrite`, `networkAccess` remains a boolean.717You can override configuration settings per turn (model, effort, personality, `cwd`, sandbox policy, summary). When specified, these settings become the defaults for later turns on the same thread. `outputSchema` applies only to the current turn. For `sandboxPolicy.type = "externalSandbox"`, set `networkAccess` to `restricted` or `enabled`; for `workspaceWrite`, `networkAccess` remains a boolean.

718 718 

719For `turn/start.collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode" rather than clearing mode instructions.719For `turn/start.collaborationMode`, `settings.developer_instructions: null` means “use built-in instructions for the selected mode” rather than clearing mode instructions.

720 720 

721### Sandbox read access (`ReadOnlyAccess`)721### Sandbox read access (`ReadOnlyAccess`)

722 722 

727 727 

728Restricted read access shape:728Restricted read access shape:

729 729 

730```json730```

731{731{

732 "type": "restricted",732 "type": "restricted",

733 "includePlatformDefaults": true,733 "includePlatformDefaults": true,

739 739 

740Examples:740Examples:

741 741 

742```json742```

743{ "type": "readOnly", "access": { "type": "fullAccess" } }743{ "type": "readOnly", "access": { "type": "fullAccess" } }

744```744```

745 745 

746```json746```

747{747{

748 "type": "workspaceWrite",748 "type": "workspaceWrite",

749 "writableRoots": ["/Users/me/project"],749 "writableRoots": ["/Users/me/project"],

758 758 

759### Start a turn759### Start a turn

760 760 

761```json761```

762{ "method": "turn/start", "id": 30, "params": {762{ "method": "turn/start", "id": 30, "params": {

763 "threadId": "thr_123",763 "threadId": "thr_123",

764 "input": [ { "type": "text", "text": "Run tests" } ],764 "input": [ { "type": "text", "text": "Run tests" } ],

785 785 

786### Inject items into a thread786### Inject items into a thread

787 787 

788Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread's prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.788Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread’s prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.

789 789 

790```json790```

791{ "method": "thread/inject_items", "id": 31, "params": {791{ "method": "thread/inject_items", "id": 31, "params": {

792 "threadId": "thr_123",792 "threadId": "thr_123",

793 "items": [793 "items": [

807 807 

808- Include `expectedTurnId`; it must match the active turn id.808- Include `expectedTurnId`; it must match the active turn id.

809- The request fails if there is no active turn on the thread.809- The request fails if there is no active turn on the thread.

810- `turn/steer` doesn't emit a new `turn/started` notification.810- `turn/steer` doesn’t emit a new `turn/started` notification.

811- `turn/steer` doesn't accept turn-level overrides (`model`, `cwd`, `sandboxPolicy`, or `outputSchema`).811- `turn/steer` doesn’t accept turn-level overrides (`model`, `cwd`, `sandboxPolicy`, or `outputSchema`).

812 812 

813```json813```

814{ "method": "turn/steer", "id": 32, "params": {814{ "method": "turn/steer", "id": 32, "params": {

815 "threadId": "thr_123",815 "threadId": "thr_123",

816 "input": [ { "type": "text", "text": "Actually focus on failing tests first." } ],816 "input": [ { "type": "text", "text": "Actually focus on failing tests first." } ],

823 823 

824Invoke a skill explicitly by including `$<skill-name>` in the text input and adding a `skill` input item alongside it.824Invoke a skill explicitly by including `$<skill-name>` in the text input and adding a `skill` input item alongside it.

825 825 

826```json826```

827{ "method": "turn/start", "id": 33, "params": {827{ "method": "turn/start", "id": 33, "params": {

828 "threadId": "thr_123",828 "threadId": "thr_123",

829 "input": [829 "input": [

836 836 

837### Interrupt a turn837### Interrupt a turn

838 838 

839```json839```

840{ "method": "turn/interrupt", "id": 31, "params": { "threadId": "thr_123", "turnId": "turn_456" } }840{ "method": "turn/interrupt", "id": 31, "params": { "threadId": "thr_123", "turnId": "turn_456" } }

841{ "id": 31, "result": {} }841{ "id": 31, "result": {} }

842```842```

856 856 

857Example request/response:857Example request/response:

858 858 

859```json859```

860{ "method": "review/start", "id": 40, "params": {860{ "method": "review/start", "id": 40, "params": {

861 "threadId": "thr_123",861 "threadId": "thr_123",

862 "delivery": "inline",862 "delivery": "inline",

879 879 

880Codex streams the usual `turn/started` notification followed by an `item/started` with an `enteredReviewMode` item:880Codex streams the usual `turn/started` notification followed by an `item/started` with an `enteredReviewMode` item:

881 881 

882```json882```

883{883{

884 "method": "item/started",884 "method": "item/started",

885 "params": {885 "params": {

894 894 

895When the reviewer finishes, the server emits `item/started` and `item/completed` containing an `exitedReviewMode` item with the final review text:895When the reviewer finishes, the server emits `item/started` and `item/completed` containing an `exitedReviewMode` item with the final review text:

896 896 

897```json897```

898{898{

899 "method": "item/completed",899 "method": "item/completed",

900 "params": {900 "params": {

912## Process execution912## Process execution

913 913 

914`process/*` is an experimental, explicit process-control API. It requires914`process/*` is an experimental, explicit process-control API. It requires

915`capabilities.experimentalApi = true` and runs outside Codex's sandbox. Use it915`capabilities.experimentalApi = true` and runs outside Codex’s sandbox. Use it

916only when your client intentionally exposes local process control without a916only when your client intentionally exposes local process control without a

917sandbox.917sandbox.

918 918 

921`process/outputDelta` notifications and completion streams through921`process/outputDelta` notifications and completion streams through

922`process/exited`.922`process/exited`.

923 923 

924```json924```

925{ "method": "process/spawn", "id": 48, "params": {925{ "method": "process/spawn", "id": 48, "params": {

926 "command": ["python3", "-m", "pytest", "-q"],926 "command": ["python3", "-m", "pytest", "-q"],

927 "processHandle": "pytest-1",927 "processHandle": "pytest-1",

948 948 

949`command/exec` runs a single command (`argv` array) under the server sandbox without creating a thread.949`command/exec` runs a single command (`argv` array) under the server sandbox without creating a thread.

950 950 

951```json951```

952{ "method": "command/exec", "id": 50, "params": {952{ "method": "command/exec", "id": 50, "params": {

953 "command": ["ls", "-la"],953 "command": ["ls", "-la"],

954 "cwd": "/Users/me/project",954 "cwd": "/Users/me/project",

972 972 

973Use `configRequirements/read` to inspect the effective admin requirements loaded from `requirements.toml` and/or MDM.973Use `configRequirements/read` to inspect the effective admin requirements loaded from `requirements.toml` and/or MDM.

974 974 

975```json975```

976{ "method": "configRequirements/read", "id": 52, "params": {} }976{ "method": "configRequirements/read", "id": 52, "params": {} }

977{ "id": 52, "result": {977{ "id": 52, "result": {

978 "requirements": {978 "requirements": {

998 998 

999Custom Windows clients can trigger sandbox setup asynchronously instead of blocking on startup checks.999Custom Windows clients can trigger sandbox setup asynchronously instead of blocking on startup checks.

1000 1000 

1001```json1001```

1002{ "method": "windowsSandbox/setupStart", "id": 53, "params": { "mode": "elevated" } }1002{ "method": "windowsSandbox/setupStart", "id": 53, "params": { "mode": "elevated" } }

1003{ "id": 53, "result": { "started": true } }1003{ "id": 53, "result": { "started": true } }

1004```1004```

1005 1005 

1006App-server starts setup in the background and later emits a completion notification:1006App-server starts setup in the background and later emits a completion notification:

1007 1007 

1008```json1008```

1009{1009{

1010 "method": "windowsSandbox/setupCompleted",1010 "method": "windowsSandbox/setupCompleted",

1011 "params": { "mode": "elevated", "success": true, "error": null }1011 "params": { "mode": "elevated", "success": true, "error": null }

1021 1021 

1022The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.1022The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.

1023 1023 

1024```json1024```

1025{ "method": "fs/watch", "id": 54, "params": {1025{ "method": "fs/watch", "id": 54, "params": {

1026 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",1026 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

1027 "path": "/Users/me/project/.git/HEAD"1027 "path": "/Users/me/project/.git/HEAD"

1050- Exact-match only: `item/agentMessage/delta` suppresses only that method.1050- Exact-match only: `item/agentMessage/delta` suppresses only that method.

1051- Unknown method names are ignored.1051- Unknown method names are ignored.

1052- Applies to the current `thread/*`, `turn/*`, `item/*`, and related v2 notifications.1052- Applies to the current `thread/*`, `turn/*`, `item/*`, and related v2 notifications.

1053- Doesn't apply to requests, responses, or errors.1053- Doesn’t apply to requests, responses, or errors.

1054 1054 

1055### Fuzzy file search events (experimental)1055### Fuzzy file search events (experimental)

1056 1056 

1129 1129 

1130## Approvals1130## Approvals

1131 1131 

1132Depending on a user's Codex settings, command execution and file changes may require approval. The app-server sends a server-initiated JSON-RPC request to the client, and the client responds with a decision payload.1132Depending on a user’s Codex settings, command execution and file changes may require approval. The app-server sends a server-initiated JSON-RPC request to the client, and the client responds with a decision payload.

1133 1133 

1134- Command execution decisions: `accept`, `acceptForSession`, `decline`, `cancel`, or `{ "acceptWithExecpolicyAmendment": { "execpolicy_amendment": ["cmd", "..."] } }`.1134- Command execution decisions: `accept`, `acceptForSession`, `decline`, `cancel`, or `{ "acceptWithExecpolicyAmendment": { "execpolicy_amendment": ["cmd", "..."] } }`.

1135- File change decisions: `accept`, `acceptForSession`, `decline`, `cancel`.1135- File change decisions: `accept`, `acceptForSession`, `decline`, `cancel`.

1187 1186 

1188Invoke a skill by including `$<skill-name>` in the user text input. Add a `skill` input item (recommended) so the server injects full skill instructions instead of relying on the model to resolve the name.1187Invoke a skill by including `$<skill-name>` in the user text input. Add a `skill` input item (recommended) so the server injects full skill instructions instead of relying on the model to resolve the name.

1189 1188 

1190```json1189```

1191{1190{

1192 "method": "turn/start",1191 "method": "turn/start",

1193 "id": 101,1192 "id": 101,

1216$skill-creator Add a new skill for triaging flaky CI and include step-by-step usage.1215$skill-creator Add a new skill for triaging flaky CI and include step-by-step usage.

1217```1216```

1218 1217 

1219Use `skills/list` to fetch available skills (optionally scoped by `cwds`, with `forceReload`). You can also include `perCwdExtraUserRoots` to scan extra absolute paths as `user` scope for specific `cwd` values. App-server ignores entries whose `cwd` isn't present in `cwds`. `skills/list` may reuse a cached result per `cwd`; set `forceReload: true` to refresh from disk. When present, the server reads `interface` and `dependencies` from `SKILL.json`.1218Use `skills/list` to fetch available skills (optionally scoped by `cwds`, with `forceReload`). You can also include `perCwdExtraUserRoots` to scan extra absolute paths as `user` scope for specific `cwd` values. App-server ignores entries whose `cwd` isn’t present in `cwds`. `skills/list` may reuse a cached result per `cwd`; set `forceReload: true` to refresh from disk. When present, the server reads `interface` and `dependencies` from `SKILL.json`.

1220 1219 

1221```json1220```

1222{ "method": "skills/list", "id": 25, "params": {1221{ "method": "skills/list", "id": 25, "params": {

1223 "cwds": ["/Users/me/project", "/Users/me/other-project"],1222 "cwds": ["/Users/me/project", "/Users/me/other-project"],

1224 "forceReload": true,1223 "forceReload": true,

1267 1266 

1268To enable or disable a skill by path:1267To enable or disable a skill by path:

1269 1268 

1270```json1269```

1271{1270{

1272 "method": "skills/config/write",1271 "method": "skills/config/write",

1273 "id": 26,1272 "id": 26,

1282 1281 

1283Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state. App entries can also include optional `branding`, `appMetadata`, and `labels` fields.1282Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state. App entries can also include optional `branding`, `appMetadata`, and `labels` fields.

1284 1283 

1285```json1284```

1286{ "method": "app/list", "id": 50, "params": {1285{ "method": "app/list", "id": 50, "params": {

1287 "cursor": null,1286 "cursor": null,

1288 "limit": 50,1287 "limit": 50,

1310} }1309} }

1311```1310```

1312 1311 

1313If you provide `threadId`, app feature gating (`features.apps`) uses that thread's config snapshot. When omitted, app-server uses the latest global config.1312If you provide `threadId`, app feature gating (`features.apps`) uses that thread’s config snapshot. When omitted, app-server uses the latest global config.

1314 1313 

1315`app/list` returns after both accessible apps and directory apps load. Set `forceRefetch: true` to bypass app caches and fetch fresh data. Cache entries are only replaced when refreshes succeed.1314`app/list` returns after both accessible apps and directory apps load. Set `forceRefetch: true` to bypass app caches and fetch fresh data. Cache entries are only replaced when refreshes succeed.

1316 1315 

1317The server also emits `app/list/updated` notifications whenever either source (accessible apps or directory apps) finishes loading. Each notification includes the latest merged app list.1316The server also emits `app/list/updated` notifications whenever either source (accessible apps or directory apps) finishes loading. Each notification includes the latest merged app list.

1318 1317 

1319```json1318```

1320{1319{

1321 "method": "app/list/updated",1320 "method": "app/list/updated",

1322 "params": {1321 "params": {

1342 1341 

1343Invoke an app by inserting `$<app-slug>` in the text input and adding a `mention` input item with the `app://<id>` path (recommended).1342Invoke an app by inserting `$<app-slug>` in the text input and adding a `mention` input item with the `app://<id>` path (recommended).

1344 1343 

1345```json1344```

1346{1345{

1347 "method": "turn/start",1346 "method": "turn/start",

1348 "id": 51,1347 "id": 51,

1369 1368 

1370Read the effective app config shape (including `_default` and per-tool overrides):1369Read the effective app config shape (including `_default` and per-tool overrides):

1371 1370 

1372```json1371```

1373{ "method": "config/read", "id": 60, "params": { "includeLayers": false } }1372{ "method": "config/read", "id": 60, "params": { "includeLayers": false } }

1374{ "id": 60, "result": {1373{ "id": 60, "result": {

1375 "config": {1374 "config": {

1394 1393 

1395Update a single app setting:1394Update a single app setting:

1396 1395 

1397```json1396```

1398{1397{

1399 "method": "config/value/write",1398 "method": "config/value/write",

1400 "id": 61,1399 "id": 61,

1408 1407 

1409Apply multiple app edits atomically:1408Apply multiple app edits atomically:

1410 1409 

1411```json1410```

1412{1411{

1413 "method": "config/batchWrite",1412 "method": "config/batchWrite",

1414 "id": 62,1413 "id": 62,

1435 1434 

1436Detection example:1435Detection example:

1437 1436 

1438```json1437```

1439{ "method": "externalAgentConfig/detect", "id": 63, "params": {1438{ "method": "externalAgentConfig/detect", "id": 63, "params": {

1440 "includeHome": true,1439 "includeHome": true,

1441 "cwds": ["/Users/me/project"]1440 "cwds": ["/Users/me/project"]

1458 1457 

1459Import example:1458Import example:

1460 1459 

1461```json1460```

1462{ "method": "externalAgentConfig/import", "id": 64, "params": {1461{ "method": "externalAgentConfig/import", "id": 64, "params": {

1463 "migrationItems": [1462 "migrationItems": [

1464 {1463 {

1478`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection1477`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection

1479returns only items that still have work to do. For example, Codex skips AGENTS1478returns only items that still have work to do. For example, Codex skips AGENTS

1480migration when `AGENTS.md` already exists and is non-empty, and skill imports1479migration when `AGENTS.md` already exists and is non-empty, and skill imports

1481don't overwrite existing skill directories.1480don’t overwrite existing skill directories.

1482 1481 

1483When detecting plugins from `.claude/settings.json`, Codex reads configured1482When detecting plugins from `.claude/settings.json`, Codex reads configured

1484marketplace sources from `extraKnownMarketplaces`. If `enabledPlugins` contains1483marketplace sources from `extraKnownMarketplaces`. If `enabledPlugins` contains

1495 1494 

1496- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.1495- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.

1497- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.1496- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.

1498- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user's ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.1497- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user’s ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.

1499 1498 

1500### API overview1499### API overview

1501 1500 

1507- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.1506- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.

1508- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.1507- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.

1509- `account/rateLimits/read` - fetch ChatGPT rate limits.1508- `account/rateLimits/read` - fetch ChatGPT rate limits.

1510- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.1509- `account/rateLimits/updated` (notify) - emitted whenever a user’s ChatGPT rate limits change.

1511- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.1510- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.

1512- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.1511- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.

1513- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread; payload includes `{ name, status, error }`.1512- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server’s startup status changes for a loaded thread; payload includes `{ name, status, error }`.

1514 1513 

1515### 1) Check auth state1514### 1) Check auth state

1516 1515 

1517Request:1516Request:

1518 1517 

1519```json1518```

1520{ "method": "account/read", "id": 1, "params": { "refreshToken": false } }1519{ "method": "account/read", "id": 1, "params": { "refreshToken": false } }

1521```1520```

1522 1521 

1523Response examples:1522Response examples:

1524 1523 

1525```json1524```

1526{ "id": 1, "result": { "account": null, "requiresOpenaiAuth": false } }1525{ "id": 1, "result": { "account": null, "requiresOpenaiAuth": false } }

1527```1526```

1528 1527 

1529```json1528```

1530{ "id": 1, "result": { "account": null, "requiresOpenaiAuth": true } }1529{ "id": 1, "result": { "account": null, "requiresOpenaiAuth": true } }

1531```1530```

1532 1531 

1533```json1532```

1534{1533{

1535 "id": 1,1534 "id": 1,

1536 "result": { "account": { "type": "apiKey" }, "requiresOpenaiAuth": true }1535 "result": { "account": { "type": "apiKey" }, "requiresOpenaiAuth": true }

1537}1536}

1538```1537```

1539 1538 

1540```json1539```

1541{1540{

1542 "id": 1,1541 "id": 1,

1543 "result": {1542 "result": {

1560 1559 

15611. Send:15601. Send:

1562 1561 

1563 ```json1562 ```

1564 {1563 {

1565 "method": "account/login/start",1564 "method": "account/login/start",

1566 "id": 2,1565 "id": 2,

1567 "params": { "type": "apiKey", "apiKey": "sk-..." }1566 "params": { "type": "apiKey", "apiKey": "sk-..." }

1568 }1567 }

1569 ```1568 ```

1570 

15712. Expect:15692. Expect:

1572 1570 

1573 ```json1571 ```

1574 { "id": 2, "result": { "type": "apiKey" } }1572 { "id": 2, "result": { "type": "apiKey" } }

1575 ```1573 ```

1576 

15773. Notifications:15743. Notifications:

1578 1575 

1579 ```json1576 ```

1580 {1577 {

1581 "method": "account/login/completed",1578 "method": "account/login/completed",

1582 "params": { "loginId": null, "success": true, "error": null }1579 "params": { "loginId": null, "success": true, "error": null }

1583 }1580 }

1584 ```1581 ```

1585 1582 

1586 ```json1583 ```

1587 {1584 {

1588 "method": "account/updated",1585 "method": "account/updated",

1589 "params": { "authMode": "apikey", "planType": null }1586 "params": { "authMode": "apikey", "planType": null }

1594 1591 

15951. Start:15921. Start:

1596 1593 

1597 ```json1594 ```

1598 { "method": "account/login/start", "id": 3, "params": { "type": "chatgpt" } }1595 { "method": "account/login/start", "id": 3, "params": { "type": "chatgpt" } }

1599 ```1596 ```

1600 1597 

1601 ```json1598 ```

1602 {1599 {

1603 "id": 3,1600 "id": 3,

1604 "result": {1601 "result": {

16122. Open `authUrl` in a browser; the app-server hosts the local callback.16082. Open `authUrl` in a browser; the app-server hosts the local callback.

16133. Wait for notifications:16093. Wait for notifications:

1614 1610 

1615 ```json1611 ```

1616 {1612 {

1617 "method": "account/login/completed",1613 "method": "account/login/completed",

1618 "params": { "loginId": "<uuid>", "success": true, "error": null }1614 "params": { "loginId": "<uuid>", "success": true, "error": null }

1619 }1615 }

1620 ```1616 ```

1621 1617 

1622 ```json1618 ```

1623 {1619 {

1624 "method": "account/updated",1620 "method": "account/updated",

1625 "params": { "authMode": "chatgpt", "planType": "plus" }1621 "params": { "authMode": "chatgpt", "planType": "plus" }

1632 1628 

16331. Start:16291. Start:

1634 1630 

1635 ```json1631 ```

1636 {1632 {

1637 "method": "account/login/start",1633 "method": "account/login/start",

1638 "id": 4,1634 "id": 4,

1640 }1636 }

1641 ```1637 ```

1642 1638 

1643 ```json1639 ```

1644 {1640 {

1645 "id": 4,1641 "id": 4,

1646 "result": {1642 "result": {

16552. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.16502. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.

16563. Wait for notifications:16513. Wait for notifications:

1657 1652 

1658 ```json1653 ```

1659 {1654 {

1660 "method": "account/login/completed",1655 "method": "account/login/completed",

1661 "params": { "loginId": "<uuid>", "success": true, "error": null }1656 "params": { "loginId": "<uuid>", "success": true, "error": null }