2 2
3## OpenAI authentication3## OpenAI authentication
4 4
5<a id="sign-in-with-chatgpt"></a>
6
7
8
5Codex supports two ways to sign in when using OpenAI models:9Codex supports two ways to sign in when using OpenAI models:
6 10
7- Sign in with ChatGPT for subscription access11- Sign in with ChatGPT for subscription access
8- Sign in with an API key for usage-based access12- Sign in with an API key for usage-based access
9 13
10Codex cloud requires signing in with ChatGPT. The Codex CLI and IDE extension support both sign-in methods.14The ChatGPT desktop app, Codex CLI, and IDE extension support both sign-in
15methods for local work. Codex cloud requires signing in with ChatGPT.
11 16
12Your sign-in method also determines which admin controls and data-handling policies apply.17Your sign-in method also determines which admin controls and data-handling policies apply.
13 18
14- With sign in with ChatGPT, Codex usage follows your ChatGPT workspace permissions, RBAC, and ChatGPT Enterprise retention and residency settings19- When you sign in with ChatGPT, Codex usage follows your ChatGPT workspace
15- With an API key, usage follows your API organization's retention and data-sharing settings instead20 permissions, role-based access control (RBAC), and ChatGPT Enterprise
16 21 retention and residency settings.
17For the CLI, Sign in with ChatGPT is the default authentication path when no valid session is available.22- With an API key, usage follows your API organization's retention and
23 data-sharing settings instead.
24
25For managed workspaces, authentication is only one layer of access. Workspace
26membership and provisioning determine who can sign in, while seats and
27workspace roles determine which product surfaces and features they can use.
28For local work in the ChatGPT desktop app, Codex CLI, or IDE extension,
29permission profiles constrain what the agent can do on the device. See
30[Groups and provisioning](https://learn.chatgpt.com/docs/enterprise/groups-and-provisioning)
31and [Roles and workspace permissions](https://learn.chatgpt.com/docs/enterprise/roles-and-workspace-permissions)
32to plan those controls.
18 33
19### Sign in with ChatGPT34### Sign in with ChatGPT
20 35
21When you sign in with ChatGPT from the Codex app, CLI, or IDE Extension, Codex opens a browser window for you to complete the login flow. After you sign in, the browser returns an access token to the CLI or IDE extension.36When you sign in with ChatGPT from the ChatGPT desktop app, Codex CLI, or IDE extension, the sign-in flow opens a browser window. After you sign in, the browser returns your credentials to Codex.
37
38
39
40
41
42
43
44#### ChatGPT desktop app
45
46On the signed-out screen, select **Continue to sign in**, then complete the
47browser flow.
48
49
50
51
52
53
54
55<a id="sign-in-with-an-api-key"></a>
22 56
23If your environment already provides a ChatGPT access token, the CLI can read
24it from stdin:
25 57
26```shell
27printenv CODEX_ACCESS_TOKEN | codex login --with-access-token
28```
29 58
30### Sign in with an API key59### Sign in with an API key
31 60
32You can also sign in to the Codex app, CLI, or IDE Extension with an API key. Get your API key from the [OpenAI dashboard](https://platform.openai.com/api-keys).61You can also sign in to the ChatGPT desktop app, Codex CLI, or IDE extension with an API key. Get your API key from the [OpenAI dashboard](https://platform.openai.com/api-keys).
62
63
64
65
66
67#### ChatGPT desktop app
68
69On the signed-out screen, select **Sign in another way**, enter your key, then
70select **Continue**.
71
72
73
74
75
76
77
78
33 79
34OpenAI bills API key usage through your OpenAI Platform account at standard API rates. See the [API pricing page](https://openai.com/api/pricing/).80OpenAI bills API key usage through your OpenAI Platform account at standard API rates. See the [API pricing page](https://openai.com/api/pricing/).
35 81
36API key authentication supports local Codex workflows, but some features that82API key authentication supports local Codex workflows, but some features that
37rely on ChatGPT workspace access or cloud services are limited or unavailable.83rely on ChatGPT workspace access or cloud services are limited or unavailable.
38Compare support by plan in84Compare support by plan in
39[Feature availability](https://developers.openai.com/codex/pricing#feature-availability).85[Feature availability](https://learn.chatgpt.com/docs/pricing#feature-availability).
40 86
41When you sign in with an API key, Codex uses standard API pricing instead of87When you sign in with an API key, Codex uses standard API pricing instead of
42included ChatGPT plan credits.88included ChatGPT plan credits.
43 89
44We recommend API key authentication for programmatic Codex CLI workflows, such90Use API key authentication for programmatic Codex CLI workflows, such as CI/CD
45as CI/CD jobs. Don't expose Codex execution in untrusted or public environments.91jobs. Don't expose Codex execution in untrusted or public environments.
92
93
94
95### Check authentication or sign out
96
97
98
99
100
101Open the profile menu to see the active account or API key status. Select
102**Log out** to clear the current credentials.
103
104
105
106
107
108
109
110
46 111
47### Use Codex access tokens for enterprise automation112### Use Codex access tokens for enterprise automation
48 113
56runners. For general OpenAI API calls, continue to use Platform API keys.121runners. For general OpenAI API calls, continue to use Platform API keys.
57 122
58For setup steps, permissions, rotation, and revocation guidance, see123For setup steps, permissions, rotation, and revocation guidance, see
59[Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).124[Access tokens](https://learn.chatgpt.com/docs/enterprise/access-tokens).
125
126
127
128
129
130
60 131
61## Secure your Codex cloud account132## Secure your Codex cloud account
62 133
76 147
77If your account supports more than one login method and one of them is email and password, you must set up MFA before accessing Codex, even if you sign in another way.148If your account supports more than one login method and one of them is email and password, you must set up MFA before accessing Codex, even if you sign in another way.
78 149
150
151
152<a id="login-caching"></a>
153
154
155
79## Login caching156## Login caching
80 157
81When you sign in to the Codex app, CLI, or IDE Extension using either ChatGPT or an API key, Codex caches your login details and reuses them the next time you start the CLI or extension. The CLI and extension share the same cached login details. If you log out from either one, you'll need to sign in again the next time you start the CLI or extension.158When you sign in to the ChatGPT desktop app, Codex CLI, or IDE extension using either ChatGPT or an API key, your login details are cached and reused. The CLI and extension share the same cached login details. If you log out from either one, you'll need to sign in again the next time you start the CLI or extension.
82 159
83Codex caches login details locally in a plaintext file at `~/.codex/auth.json` or in your OS-specific credential store.160Codex caches login details locally in a plaintext file at `~/.codex/auth.json` or in your OS-specific credential store.
84 161
85For sign in with ChatGPT sessions, Codex refreshes tokens automatically during use before they expire, so active sessions usually continue without requiring another browser login.162For sign in with ChatGPT sessions, Codex refreshes tokens automatically during use before they expire, so active sessions usually continue without requiring another browser login.
86 163
164
165
166<a id="credential-storage"></a>
167<a id="enforce-a-login-method-or-workspace"></a>
168
169
170
87## Credential storage171## Credential storage
88 172
89Use `cli_auth_credentials_store` to control where the Codex CLI stores cached credentials:173Use `cli_auth_credentials_store` to control where the Codex CLI stores cached credentials:
97- `keyring` stores credentials in your operating system credential store.181- `keyring` stores credentials in your operating system credential store.
98- `auto` uses the OS credential store when available, otherwise falls back to `auth.json`.182- `auto` uses the OS credential store when available, otherwise falls back to `auth.json`.
99 183
184See the [configuration reference](https://learn.chatgpt.com/docs/config-file/config-reference) for the complete
185`config.toml` schema.
186
100If you use file-based storage, treat `~/.codex/auth.json` like a password: it187If you use file-based storage, treat `~/.codex/auth.json` like a password: it
101 contains access tokens. Don't commit it, paste it into tickets, or share it in188 contains access tokens. Don't commit it, paste it into tickets, or share it in
102 chat.189 chat.
115 202
116If the active credentials don't match the configured restrictions, Codex logs the user out and exits.203If the active credentials don't match the configured restrictions, Codex logs the user out and exits.
117 204
118These settings are commonly applied via managed configuration rather than per-user setup. See [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).205These settings are commonly applied via managed configuration rather than per-user setup. See [Managed configuration](https://learn.chatgpt.com/docs/enterprise/managed-configuration).
119
120## Login diagnostics
121
122Direct `codex login` runs write a dedicated `codex-login.log` file under
123your configured log directory. Use it when you need to debug browser-login or
124device-code failures, or when support asks for login-specific logs.
125 206
126## Custom CA bundles
127
128If your network uses a corporate TLS proxy or private root CA, set
129`CODEX_CA_CERTIFICATE` to a PEM bundle before logging in. When
130`CODEX_CA_CERTIFICATE` is unset, Codex falls back to `SSL_CERT_FILE`. The same
131custom CA settings apply to login, normal HTTPS requests, and secure WebSocket
132connections.
133
134```shell
135export CODEX_CA_CERTIFICATE=/path/to/corporate-root-ca.pem
136codex login
137```
138 207
139## Login on headless devices
140 208
141If you are signing in to ChatGPT with the Codex CLI, there are some situations where the browser-based login UI may not work:
142 209
143- You're running the CLI in a remote or headless environment.
144- Your local networking configuration blocks the localhost callback Codex uses to return the OAuth token to the CLI after you sign in.
145 210
146In these situations, prefer device code authentication (beta). In the interactive login UI, choose **Sign in with Device Code**, or run `codex login --device-auth` directly. If device code authentication doesn't work in your environment, use one of the fallback methods.
147
148### Preferred: Device code authentication (beta)
149
1501. Enable device code login in your ChatGPT security settings (personal account) or ChatGPT workspace permissions (workspace admin).
1512. In the terminal where you're running Codex, choose one of these options:
152 - In the interactive login UI, select **Sign in with Device Code**.
153 - Run `codex login --device-auth`.
1543. Open the link in your browser, sign in, then enter the one-time code.
155
156If device code login isn't enabled by the server, Codex falls back to the standard browser-based login flow.
157
158### Fallback: Authenticate locally and copy your auth cache
159
160If you can complete the login flow on a machine with a browser, you can copy your cached credentials to the headless machine.
161
1621. On a machine where you can use the browser-based login flow, run `codex login`.
1632. Confirm the login cache exists at `~/.codex/auth.json`.
1643. Copy `~/.codex/auth.json` to `~/.codex/auth.json` on the headless machine.
165
166Treat `~/.codex/auth.json` like a password: it contains access tokens. Don't commit it, paste it into tickets, or share it in chat.
167
168If your OS stores credentials in a credential store instead of `~/.codex/auth.json`, this method may not apply. See
169[Credential storage](#credential-storage) for how to configure file-based storage.
170
171Copy to a remote machine over SSH:
172
173```shell
174ssh user@remote 'mkdir -p ~/.codex'
175scp ~/.codex/auth.json user@remote:~/.codex/auth.json
176```
177
178Or use a one-liner that avoids `scp`:
179
180```shell
181ssh user@remote 'mkdir -p ~/.codex && cat > ~/.codex/auth.json' < ~/.codex/auth.json
182```
183
184Copy into a Docker container:
185
186```shell
187# Replace MY_CONTAINER with the name or ID of your container.
188CONTAINER_HOME=$(docker exec MY_CONTAINER printenv HOME)
189docker exec MY_CONTAINER mkdir -p "$CONTAINER_HOME/.codex"
190docker cp ~/.codex/auth.json MY_CONTAINER:"$CONTAINER_HOME/.codex/auth.json"
191```
192
193For a more advanced version of this same pattern on trusted CI/CD runners, see
194[Maintain Codex account auth in CI/CD (advanced)](https://developers.openai.com/codex/auth/ci-cd-auth).
195That guide explains how to let Codex refresh `auth.json` during normal runs and
196then keep the updated file for the next job. API keys are still the recommended
197default for automation.
198
199### Fallback: Forward the localhost callback over SSH
200
201If you can forward ports between your local machine and the remote host, you can use the standard browser-based flow by tunneling Codex's local callback server (default `localhost:1455`).
202
2031. From your local machine, start port forwarding:
204
205```shell
206ssh -L 1455:localhost:1455 user@remote
207```
208 211
2092. In that SSH session, run `codex login` and follow the printed address on your local machine.
210 212
211## Alternative model providers213## Alternative model providers
212 214
213When you define a [custom model provider](https://developers.openai.com/codex/config-advanced#custom-model-providers) in your configuration file, you can choose one of these authentication methods:215When you define a [custom model provider](https://learn.chatgpt.com/docs/config-file/config-advanced#custom-model-providers) in your configuration file, you can choose one of these authentication methods:
214 216
215- **OpenAI authentication**: Set `requires_openai_auth = true` to use OpenAI authentication. You can then sign in with ChatGPT or an API key. This is useful when you access OpenAI models through an LLM proxy server. When `requires_openai_auth = true`, Codex ignores `env_key`.217- **OpenAI authentication**: Set `requires_openai_auth = true` to use OpenAI authentication. You can then sign in with ChatGPT or an API key. This is useful when you access OpenAI models through an LLM proxy server. When `requires_openai_auth = true`, Codex ignores `env_key`.
216- **Environment variable authentication**: Set `env_key = "<ENV_VARIABLE_NAME>"` to use a provider-specific API key from the local environment variable named `<ENV_VARIABLE_NAME>`.218- **Environment variable authentication**: Set `env_key = "<ENV_VARIABLE_NAME>"` to use a provider-specific API key from the local environment variable named `<ENV_VARIABLE_NAME>`.