SpyBara

Documentation 2026-06-10 20:00 UTC to 2026-06-11 20:02 UTC

6 files changed +22 −22. View all changes and history on the product overview

auth.md +5 −4

Details

46 46 

47### Use Codex access tokens for enterprise automation47### Use Codex access tokens for enterprise automation

48 48 

49In ChatGPT Enterprise workspaces, admins can allow permitted members to create49In ChatGPT Enterprise workspaces, admins can grant the access token

50Codex access tokens for trusted, non-interactive Codex local workflows. Use an50permission so permitted members can create Codex access tokens for trusted,

51access token when automation needs ChatGPT workspace access, ChatGPT-managed51non-interactive Codex local workflows. Use an access token when automation

52Codex entitlements, or enterprise workspace controls without a browser sign-in.52needs ChatGPT workspace access, ChatGPT-managed Codex entitlements, or

53enterprise workspace controls without a browser sign-in.

53 54 

54Access tokens are intended for trusted scripts, schedulers, and private CI55Access tokens are intended for trusted scripts, schedulers, and private CI

55runners. For general OpenAI API calls, continue to use Platform API keys.56runners. For general OpenAI API calls, continue to use Platform API keys.
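
Review bot: new line 49 still limits this section to ChatGPT Enterprise workspaces, while the access tokens page in this same change set says the tokens are "currently supported for ChatGPT Business and Enterprise workspaces". One of the two needs correcting so admins of Business workspaces know whether this applies to them. The rewritten sentence also introduces "the access token permission" without naming the toggle; using the label from the access tokens page, **Allow users to create access tokens**, would let a reader find it in settings.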

Details

1568 "When `true`, Codex skips user, project, session, and plugin hooks while still allowing managed hooks from `requirements.toml` and other managed config layers.",1568 "When `true`, Codex skips user, project, session, and plugin hooks while still allowing managed hooks from `requirements.toml` and other managed config layers.",

1569 },1569 },

1570 {1570 {

1571 key: "plugin_sharing",1571 key: "features.plugin_sharing",

1572 type: "boolean",1572 type: "boolean",

1573 description:1573 description:

1574 "Set to `false` in cloud-managed `requirements.toml` to disable workspace sharing for locally built plugins.",1574 "Set to `false` in cloud-managed `requirements.toml` to disable workspace sharing for locally built plugins.",
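
Review bot: line 1571 renames the key from `plugin_sharing` to `features.plugin_sharing`, but the description on line 1574 is unchanged and says nothing about the old name. This key exists to restrict sharing, so if a `requirements.toml` that still sets the bare `plugin_sharing = false` is no longer honored, sharing stays enabled with no visible signal to the admin. Suggest the description state whether the old key is still accepted, and if it is not, call out the rename explicitly.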

Details

1# Access tokens1# Access tokens

2 2 

3Codex access tokens let trusted automation run Codex local with a ChatGPT workspace identity. Use them when a script, scheduled job, or CI runner needs repeatable, non-interactive Codex access.3Codex access tokens are ChatGPT access tokens scoped to Codex permissions that let trusted automation run Codex local with a ChatGPT workspace identity. Use them when a script, scheduled job, or CI runner needs repeatable, non-interactive Codex access.

4 4 

5Codex access tokens are currently supported for ChatGPT Business and5Codex access tokens are currently supported for ChatGPT Business and

6 Enterprise workspaces.6 Enterprise workspaces.
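
Review bot: new line 3 says the tokens are "scoped to Codex permissions" but nothing in the visible text says which permissions those are or what the token cannot do. For a credential meant to be stored on CI runners, that boundary is what a reviewer of the automation needs. Suggest splitting the sentence in two (what the token is, then what it is for) and either linking "Codex permissions" to the permission model section or listing the scope inline.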


11 Codex access tokens when the workflow specifically needs ChatGPT workspace11 Codex access tokens when the workflow specifically needs ChatGPT workspace

12 access, ChatGPT-managed Codex entitlements, or enterprise workspace controls.12 access, ChatGPT-managed Codex entitlements, or enterprise workspace controls.

13 13 

14Need to trigger a published ChatGPT workspace agent from your own system? Use

15 a Workspace Agent access token for the Workspace Agents API instead. Codex

16 access tokens authenticate Codex local workflows; they do not authenticate

17 workspace agent trigger calls. See [Authenticate with Workspace Agent access

18 tokens](https://developers.openai.com/workspace-agents/authentication).

19 

14## How access tokens work20## How access tokens work

15 21 

16Use an access token when Codex needs to run without a user completing a browser sign-in. The token represents the ChatGPT workspace user who created it, so runs can use that user's Codex access and appear in workspace governance data.22Use an access token when Codex needs to run without a user completing a browser sign-in. The token represents the ChatGPT workspace user who created it, so runs can use that user's Codex access and appear in workspace governance data.


29- **Untrusted runners:** public CI, forked pull requests, or shared machines can expose tokens to people outside your workspace. Use access tokens only on trusted runners.35- **Untrusted runners:** public CI, forked pull requests, or shared machines can expose tokens to people outside your workspace. Use access tokens only on trusted runners.

30- **Shared identities:** one person's token reused across unrelated teams makes ownership and audit trails harder to interpret. Create tokens for a specific workflow owner.36- **Shared identities:** one person's token reused across unrelated teams makes ownership and audit trails harder to interpret. Create tokens for a specific workflow owner.

31- **Stale credentials:** long-lived tokens can remain active after the workflow changes. Prefer finite expirations and revoke tokens that are no longer used.37- **Stale credentials:** long-lived tokens can remain active after the workflow changes. Prefer finite expirations and revoke tokens that are no longer used.

32- **Wrong credential type:** access tokens are for Codex local workflows. Use Platform API keys for general OpenAI API calls.38- **Wrong credential type:** Codex access tokens are for Codex local workflows. Use Workspace Agent access tokens to trigger published ChatGPT workspace agents, and use Platform API keys for general OpenAI API calls.

33 39 

34## Enable access token creation40## Enable access token creation

35 41 

36Use the Codex Local controls in workspace settings to turn on access token creation for allowed members.42Use the access token permission in workspace settings to turn on access token creation for allowed members.

37 43 

38<CodexScreenshot44<CodexScreenshot

39 alt="Access token access permission in ChatGPT workspace RBAC settings"45 alt="Access token access permission in ChatGPT workspace RBAC settings"


44/>50/>

45 51 

461. Go to [Workspace Settings > Permissions & roles](https://chatgpt.com/admin/settings).521. Go to [Workspace Settings > Permissions & roles](https://chatgpt.com/admin/settings).

472. In the Codex Local section, make sure **Allow members to use Codex Local** is turned on.532. In the **Access tokens** section, turn on **Allow users to create access tokens** if all allowed members should be able to create access tokens.

483. Turn on **Allow members to use Codex access tokens** if all allowed members should be able to create access tokens.543. If members need to use those tokens with the Codex app, CLI, or IDE extension, make sure **Allow members to use Codex Local** is also turned on in the **Codex Local** section.

494. If you use custom roles for a narrower rollout, assign the access token permission only to groups that need to create tokens.

50 55 

51Keep access token creation limited to people or service owners who understand where the token will be stored, which automation will use it, and how it will be rotated.56Keep access token creation limited to people or service owners who understand where the token will be stored, which automation will use it, and how it will be rotated.

52 57 
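
Review bot: dropping old step 4 removes the only instruction in this list for a narrower rollout. New step 2 covers only the case where "all allowed members should be able to create access tokens", yet line 56 directly below still asks admins to keep token creation limited, and the admin setup page in this change set still mentions granting the permission "through a custom role". Suggest keeping the custom-role step, reworded for the new **Access tokens** section, so the least-privilege path stays documented next to the workspace-wide toggle.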


127 132 

128## Permission model133## Permission model

129 134 

130Access token permissions are separate from the general Codex local permission. A member can have access to the Codex app, CLI, or IDE extension without being allowed to create access tokens.135Access token creation is controlled by the workspace's access token permission, which is separate from the general Codex local permission. A member can have access to the Codex app, CLI, or IDE extension without being allowed to create access tokens.

131 136 

132| Capability | Workspace owners and admins | Member with access token permission | Member without access token permission |137| Capability | Workspace owners and admins | Member with access token permission | Member without access token permission |

133| ------------------------------------------------------------- | ---------------------------------------------------- | --------------------------------------------- | -------------------------------------- |138| ------------------------------------------------------------- | ---------------------------------------------------- | --------------------------------------------- | -------------------------------------- |


144 149 

145### The access tokens page returns 404 or forbidden150### The access tokens page returns 404 or forbidden

146 151 

147Ask a workspace owner or admin to confirm that Codex access tokens are enabled and that your role includes the access token permission.152Ask a workspace owner or admin to confirm that your role includes **Allow users to create access tokens** and that **Allow members to use Codex Local** is enabled if you plan to use the token with Codex.

148 153 

149### `codex login --with-access-token` fails154### `codex login --with-access-token` fails

150 155 
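
Review bot: new line 152 folds two different conditions into one sentence under a heading about the access tokens page returning 404 or forbidden. According to setup step 3, **Allow members to use Codex Local** governs using tokens with the Codex app, CLI, or IDE extension, so it is unclear whether that toggle being off can cause the page error at all. Suggest keeping this entry to the **Allow users to create access tokens** check and moving the Codex Local check to the `codex login --with-access-token` troubleshooting entry, or stating plainly that both toggles affect page access if that is the case.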

Details

59 59 

60This enables use of the Codex app, CLI, and IDE extension for allowed users.60This enables use of the Codex app, CLI, and IDE extension for allowed users.

61 61 

62If members need programmatic Codex local workflows, also turn on **Allow members to use Codex access tokens** or grant the access token permission through a custom role. Workspace owners and admins can use **Access token expiration limit** to set the longest expiration members can choose for new tokens. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).62If members need programmatic Codex local workflows, grant **Allow users to create access tokens** in the **Access tokens** section or through a custom role. Workspace owners and admins can use **Access token expiration limit** in the **Codex Local** section to set the longest expiration members can choose for new tokens. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).

63 63 

64If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”64If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”

65 65 
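
Review bot: line 62 now puts the creation toggle in the **Access tokens** section but the **Access token expiration limit** in the **Codex Local** section. If that matches the settings UI, say so in a short clause, because an admin who has just enabled creation will look for the expiration limit beside it. If it does not match, correct the section name. Since the access tokens page recommends finite expirations, it would also help to mention setting the limit in the same step as enabling creation.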

Details

242Codex app.242Codex app.

243 243 

244Workspace admins can disable plugin sharing from cloud-managed requirements by244Workspace admins can disable plugin sharing from cloud-managed requirements by

245adding `plugin_sharing = false` to `requirements.toml`:245adding `features.plugin_sharing = false` to `requirements.toml`:

246 246 

247```toml247```toml

248plugin_sharing = false248features.plugin_sharing = false

249```249```

250 250 

251### Marketplace metadata251### Marketplace metadata
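
Review bot: the example on line 248 uses a dotted key, and TOML resolves a dotted key relative to the table it appears in. An admin who appends `features.plugin_sharing = false` after an existing table header in `requirements.toml` would define the key under that table instead of at the top level, and the restriction would not apply as intended. Suggest adding a sentence that the line must sit at the top level, before any table header, or showing the equivalent table form with `plugin_sharing = false` under a `[features]` header.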

Details

1# Remote connections1# Remote connections

2 2 

3import {

4 Desktop,

5 Storage,

6 Terminal,

7} from "@components/react/oai/platform/ui/Icon.react";

8 

9Remote connections let you use Codex from another device or another machine.3Remote connections let you use Codex from another device or another machine.

10Use Codex in the ChatGPT mobile app to work with Codex on a connected Mac or4Use Codex in the ChatGPT mobile app to work with Codex on a connected Mac or

11Windows device, continue work from another supported Codex App device, or connect5Windows device, continue work from another supported Codex App device, or connect
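
Review bot: old lines 3 to 7 removed the import of `Desktop`, `Storage`, and `Terminal` from `@components/react/oai/platform/ui/Icon.react`, and the visible part of the hunk does not show whether the page body still uses any of those components. Please confirm that no remaining element on this page references them, since an unresolved component would break the page render.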