1# Admin Setup1# Admin rollout guide
2 2
3<div class="max-w-1xl mx-auto">3Use this guide to plan a ChatGPT Enterprise rollout across these administration
4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"4boundaries:
5 alt="Codex enterprise admin toggle"5
6 class="block w-full mx-auto rounded-lg"6- Workspace access.
7 />7- Local runtime policy for covered capabilities in the ChatGPT desktop app,
8</div>8 Codex CLI, and IDE extension.
9 9- Codex cloud.
10 10- Platform API access.
11 11- Plugins and apps.
12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12- Permissions in connected systems.
13 13
14Use this page as the step-by-step rollout guide. For detailed policy, configuration, automation, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).14Complete the steps in order for a new rollout, or use the linked pages to change
15 15one boundary.
16## Enterprise-grade security and privacy16
17 17In workspace settings, **Codex Local** is a grouping label for certain local
18Codex supports ChatGPT Enterprise security features, including:18access and access-token controls, not a separate product or client. The current
19 19**Allow members to use Codex Local** control covers local use in the ChatGPT
20- No training on enterprise data20desktop app, Codex CLI, and IDE extension. Managed configuration is a separate
21- Residency and retention that follow ChatGPT Enterprise policies21policy layer that can constrain supported runtime behavior for covered
22- Granular user access controls22capabilities in those clients. This guide names the individual surface when
23- Data encryption at rest (AES-256) and in transit (TLS 1.2+)23behavior or availability differs.
24- Audit logging via the ChatGPT Compliance API24
25 25Start with the canonical map in
26For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.26[Roles and workspace permissions](https://learn.chatgpt.com/docs/enterprise/roles-and-workspace-permissions).
27For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).27Use Help Center guidance for current ChatGPT workspace procedures and the
28 28linked developer documentation for local and hosted runtime behavior.
29## Pre-requisites: Determine owners and rollout strategy29
30 30<a id="enterprise-grade-security-and-privacy"></a>
31During your rollout, team members may support different aspects of integrating Codex into your organization. Ensure you have the following owners:31
32 32For enterprise security, privacy, and runtime protections, see
33- **ChatGPT Enterprise workspace owner:** required to configure Codex settings in your workspace.33[Agent approvals and security](https://learn.chatgpt.com/docs/agent-approvals-security) and the
34- **Security owner:** determines agent permissions settings for Codex.34[Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).
35- **Analytics owner:** integrates analytics and compliance APIs into your data pipelines.35
36 36<a id="pre-requisites-determine-owners-and-rollout-strategy"></a>
37Decide which Codex surfaces you will use:37
38 38## Step 1: Assign owners and choose a rollout
39- **Codex local:** includes the Codex app, CLI, and IDE extension. The agent runs on the developer's computer in a sandbox.39
40- **Codex cloud:** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.40Assign an owner for each part of the rollout:
41- **Both:** use local + cloud together.41
42 42- **Workspace access:** Membership, seats, roles, and supported workspace
43You can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).43 features.
44 44- **Local runtime policy:** Approvals, permission profiles, filesystem and
45## Step 1: Enable Codex in your workspace45 network access, and other requirements for supported local clients.
46 46- **Codex cloud:** Hosted environments, repository connections, and cloud
47You configure access to Codex in ChatGPT Enterprise workspace settings.47 runtime policy.
48 48- **Connected systems:** Provider-side application installation, accounts, and
49Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).49 permissions.
50 50- **Reporting and compliance:** Analytics access, audit exports, and downstream
51### Codex local51 data handling.
52 52
53Codex local is enabled by default for new ChatGPT Enterprise workspaces. If53Decide whether each audience needs covered local capabilities in the ChatGPT
54 you are not a ChatGPT workspace owner, you can test whether you have access by54desktop app, Codex CLI, IDE extension, Codex cloud, or a combination. Treat
55 [installing Codex](https://developers.openai.com/codex/quickstart) and logging in with your work email.55Platform API access as a separate organization and project boundary when a
56 56workflow uses API-key authentication.
57Turn on **Allow members to use Codex Local**.57
58 58## Step 2: Configure workspace access and identity
59This enables use of the Codex app, CLI, and IDE extension for allowed users.59
60 60Use ChatGPT workspace membership, seats, groups, and supported RBAC permissions
61If members need programmatic Codex local workflows, grant **Allow users to create access tokens** in the **Access tokens** section or through a custom role. Workspace owners and admins can use **Access token expiration limit** in the **Codex Local** section to set the longest expiration members can choose for new tokens. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).61to grant the intended audiences supported workspace features. Verify local
62 62client and Codex cloud access against the current workspace guidance rather
63If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”63than assuming that the same role controls every surface. Keep built-in
64 64administration roles limited to the people who administer the workspace.
65#### Enable device code authentication for Codex CLI65
66 66Workspace controls and labels change over time. Use these sources for current
67Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).67procedures:
68 68
69<div class="max-w-1xl mx-auto py-1">69- [Manage members, seat types, roles, and access](https://help.openai.com/en/articles/8266401-managing-members-seat-types-roles-and-access-in-chatgpt-enterprise)
70 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"70- [Configure role-based access control](https://help.openai.com/en/articles/11750701-rbac)
71 alt="Codex local toggle"71- [Manage workspace settings](https://help.openai.com/en/articles/8411955)
72 class="block w-full mx-auto rounded-lg"72- [Groups and provisioning](https://learn.chatgpt.com/docs/enterprise/groups-and-provisioning)
73 />73- [Authentication](https://learn.chatgpt.com/docs/auth)
74</div>74
75 75Test sign-in and feature access with a representative member before expanding
76### Codex cloud76the rollout. Workspace access doesn't grant repository, file, or action access
77 77in a connected service.
78### Prerequisites78
79 79## Step 3: Configure local runtime requirements
80Codex cloud requires **GitHub (cloud-hosted) repositories**. If your codebase is on-premises or not on GitHub, you can use the Codex SDK to build similar workflows on your own infrastructure.80
81 81Local requirements constrain runtime behavior when a user starts a supported
82To set up Codex as an admin, you must have GitHub access to the repositories82local run in the ChatGPT desktop app, Codex CLI, or IDE extension. Deliver
83 commonly used across your organization. If you don't have the necessary83`requirements.toml` through a supported cloud, device, or system channel. Keep
84 access, work with someone on your engineering team who does.84this policy separate from ChatGPT workspace roles and groups.
85 85
86### Enable Codex cloud in workspace settings86Use permission profiles for supported local clients instead of building new
87 87deployments around legacy sandbox-mode restrictions. For example:
88Start by turning on the ChatGPT GitHub Connector in the Codex section of [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).
89
90To enable Codex cloud for your workspace, turn on **Allow members to use Codex cloud**. Once enabled, users can access Codex directly from the left-hand navigation panel in ChatGPT.
91
92Note that it may take up to 10 minutes for Codex to appear in ChatGPT.
93
94#### Enable Codex Slack app to post answers on task completion
95
96Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.
97
98To learn more, see [Codex in Slack](https://developers.openai.com/codex/integrations/slack).
99
100#### Enable Codex agent to access the internet
101
102By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.
103
104This setting lets users use an allowlist for common software dependency domains, add domains and trusted sites, and specify allowed HTTP methods.
105
106For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
107
108<div class="max-w-1xl mx-auto py-1">
109 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"
110 alt="Codex cloud toggle"
111 class="block w-full mx-auto rounded-lg"
112 />
113</div>
114
115## Step 2: Set up custom roles (RBAC)
116
117Use RBAC to control granular permissions for access Codex local and Codex cloud.
118
119<div class="max-w-1xl mx-auto">
120 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"
121 alt="Codex cloud toggle"
122 class="block w-full mx-auto rounded-lg"
123 />
124</div>
125
126### What RBAC lets you do
127
128Workspace Owners can use RBAC in ChatGPT admin settings to:
129
130- Set a default role for users who aren't assigned any custom role
131- Create custom roles with granular permissions
132- Assign one or more custom roles to Groups
133- Automatically sync users into Groups via SCIM
134- Manage roles centrally from the Custom Roles tab
135
136Users can inherit more than one role, and permissions resolve to the most permissive (least restrictive) access across those roles.
137
138### Create a Codex Admin group
139
140Set up a dedicated "Codex Admin" group rather than granting Codex administration to a broad audience.
141
142The **Allow members to administer Codex** toggle grants the Codex Admin role. Codex Admins can:
143
144- View Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics)
145- Open the Codex [Policies page](https://chatgpt.com/codex/settings/policies) to manage cloud-managed `requirements.toml` policies
146- Assign those managed policies to user groups or configure a default fallback policy
147- Manage Codex cloud environments, including editing and deleting environments
148
149Use this role for the small set of admins who own Codex rollout, policy management, and governance. It's not required for general Codex users. You don't need Codex cloud to enable this toggle.
150
151Recommended rollout pattern:
152
153- Create a "Codex Users" group for people who should use Codex
154- Create a separate "Codex Admin" group for the smaller set of people who should manage Codex settings and policies
155- Assign the custom role with **Allow members to administer Codex** enabled only to the "Codex Admin" group
156- Keep membership in the "Codex Admin" group limited to workspace owners or designated platform, IT, and governance operators
157- If you use SCIM, back the "Codex Admin" group with your identity provider so membership changes are auditable and centrally managed
158
159This separation makes it easier to roll out Codex while keeping analytics, environment management, and policy deployment limited to trusted admins. For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).
160
161## Step 3: Configure Codex local requirements
162
163Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
164
165Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
166
167<div class="max-w-1xl mx-auto py-1">
168 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
169 alt="Codex policies and configurations page"
170 class="block w-full mx-auto rounded-lg"
171 />
172</div>
173
174Recommended setup:
175
1761. Create a baseline policy for most users, then create stricter or more permissive variants only where needed.
1772. Assign each managed policy to a specific user group, and configure a default fallback policy for everyone else.
1783. Order group rules with care. If a user matches more than one group-specific rule, the first matching rule applies.
1794. Treat each policy as a complete profile for that group. Codex doesn't fill missing fields from later matching group rules.
180
181These cloud-managed policies apply across Codex local surfaces when users sign in with ChatGPT, including the Codex app, CLI, and IDE extension.
182
183### Example requirements.toml policies
184
185Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
186
187For Codex 0.138.0 or later, prefer `allowed_permission_profiles` with managed
188`default_permissions`. Use `allowed_sandbox_modes` only for legacy deployments
189that still configure `sandbox_mode`.
190
191<div class="max-w-1xl mx-auto py-1">
192 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"
193 alt="Example managed requirements policy"
194 class="block w-full mx-auto rounded-lg"
195 />
196</div>
197
198Example: limit web search, sandbox mode, and approvals for a standard local rollout:
199
200```toml
201allowed_web_search_modes = ["disabled", "cached"]
202allowed_sandbox_modes = ["workspace-write"]
203allowed_approval_policies = ["on-request"]
204```
205
206Example: allow the standard permission profiles for an upgraded fleet:
207
208Permission-profile allowlists require Codex 0.138.0 or later. Use this example
209 only after every managed client runs a supporting release.
210 88
211```toml89```toml
212default_permissions = ":workspace"90default_permissions = ":workspace"
216":workspace" = true94":workspace" = true
217```95```
218 96
219Example: constrain Browser Use, the in-app browser, and Computer Use:97To disable Computer Use across the supported browser and desktop feature
98surfaces, constrain each public feature key that participates in the experience:
220 99
221```toml100```toml
222[features]101[features]
223browser_use = false102browser_use = false
224browser_use_full_cdp_access = false103browser_use_full_cdp_access = false
104browser_use_external = false
225in_app_browser = false105in_app_browser = false
226computer_use = false106computer_use = false
227```107```
228 108
229Example: add a restrictive command rule when you want admins to block or gate specific commands:109For the authoritative key list, delivery behavior, precedence, and more
230 110examples, see
231```toml111[Managed configuration](https://learn.chatgpt.com/docs/enterprise/managed-configuration) and the
232[rules]112[`requirements.toml` reference](https://learn.chatgpt.com/docs/config-file/config-reference#requirementstoml).
233prefix_rules = [
234 { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "Require review before mutating remote history." },
235]
236```
237
238You can use any example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
239
240### Checking user policies
241
242Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
243
244<div class="max-w-1xl mx-auto py-1">
245 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"
246 alt="Policy lookup by group or user email"
247 class="block w-full mx-auto rounded-lg"
248 />
249</div>
250
251If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
252
253## Step 4: Standardize local configuration with Team Config
254
255Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.
256
257You can check Team Config settings into the repository under the `.codex` directory. Codex automatically picks up Team Config settings when a user opens that repository.
258
259Start with Team Config for your highest-traffic repositories so teams get consistent behavior in the places they use Codex most.
260
261| Type | Path | Use it to |
262| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |
263| [Config basics](https://developers.openai.com/codex/config-basic) | `config.toml` | Set defaults for sandbox mode, approvals, model, reasoning effort, and more. |
264| [Rules](https://developers.openai.com/codex/rules) | `rules/` | Control which commands Codex can run outside the sandbox. |
265| [Skills](https://developers.openai.com/codex/skills) | `skills/` | Make shared skills available to your team. |
266
267For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).
268
269## Step 5: Configure Codex cloud usage (if enabled)
270
271This step covers repository and environment setup after you enable the Codex cloud workspace toggle.
272
273### Connect Codex cloud to repositories
274
2751. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**
2762. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT
2773. Install or connect the ChatGPT GitHub Connector
2784. Choose an installation target for the ChatGPT Connector (typically your main organization)
2795. Allow the repositories you want to connect to Codex
280
281For GitHub Enterprise Managed Users (EMU), an organization owner must install
282 the Codex GitHub App for the organization before users can connect
283 repositories in Codex cloud.
284
285For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).
286
287Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.
288
289### Configure IP addresses
290
291If your GitHub organization controls the IP addresses that apps use to connect, make sure to include the [Codex cloud egress IP ranges](https://developers.openai.com/api/docs/guides/ip-addresses).
292
293These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.
294
295### Enable code review with Codex cloud
296
297To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).
298
299You can configure code review at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details are on the [GitHub integration page](https://developers.openai.com/codex/integrations/github).
300
301Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
302
303<div class="max-w-1xl mx-auto py-1">
304 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"
305 alt="Code review settings overview"
306 class="block w-full mx-auto rounded-lg"
307 />
308</div>
309
310<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">
311 <div class="max-w-1xl mx-auto">
312 <p>
313 Use the auto review settings to decide whether Codex should review pull
314 requests automatically for connected repositories.
315 </p>
316 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"
317 alt="Automatic code review settings"
318 class="block w-full mx-auto rounded-lg"
319 />
320 </div>
321 <div class="max-w-1xl mx-auto">
322 <p>
323 Use review triggers to control which pull request events should start a
324 Codex review.
325 </p>
326 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"
327 alt="Code review trigger settings"
328 class="block w-full mx-auto rounded-lg"
329 />
330 </div>
331</div>
332
333### Configure Codex security
334
335Codex Security helps engineering and security teams find, confirm, and remediate likely vulnerabilities in connected GitHub repositories.
336
337At a high level, Codex Security:
338
339- scans connected repositories commit by commit
340- ranks likely findings and confirms them when possible
341- shows structured findings with evidence, criticality, and suggested remediation
342- lets teams refine a repository threat model to improve prioritization and review quality
343
344For setup, scan creation, findings review, and threat model guidance, see [Codex Security setup](https://developers.openai.com/codex/security/setup). For a product overview, see [Codex Security](https://developers.openai.com/codex/security).
345
346Integration docs are also available for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).
347
348## Step 6: Set up governance and observability
349
350Codex gives enterprise teams options for visibility into adoption and impact. Set up governance early so your team can track adoption, investigate issues, and support compliance workflows.
351
352### Codex governance typically uses
353
354- Analytics Dashboard for quick, self-serve visibility
355- Analytics API for programmatic reporting and business intelligence integration
356- Compliance API for audit and investigation workflows
357
358### Recommended baseline setup
359
360- Assign an owner for adoption reporting
361- Assign an owner for audit and compliance review
362- Define a review cadence
363- Decide what success looks like
364
365### Analytics API setup steps
366
367To set up the Analytics API key:
368
3691. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.
3702. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).
3713. Create a new secret key dedicated to Codex Analytics, and give it a descriptive name such as Codex Analytics API.
3724. Select the appropriate project for your organization. If you only have one project, the default project is fine.
3735. Set the key permissions to Read only, since this API only retrieves analytics data.
3746. Copy the key value and store it securely, because you can only view it once.
3757. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
376
377<div class="not-prose max-w-md mx-auto py-1">
378 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"
379 alt="Codex analytics key creation"
380 class="block w-full mx-auto rounded-lg"
381 />
382</div>
383
384To use the Analytics API key:
385
3861. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.
3872. Call the Analytics API at `https://api.chatgpt.com/v1/analytics/codex` using your Platform API key, and include your `workspace_id` in the path.
3883. Choose the endpoint you want to query:
389
390- /workspaces/`{workspace_id}`/usage
391- /workspaces/`{workspace_id}`/code_reviews
392- /workspaces/`{workspace_id}`/code_review_responses
393
3944. Set a reporting date range with `start_time` and `end_time` if needed.
3955. Retrieve the next page of results with `next_page` if the response spans more than one page.
396
397Example curl command to retrieve workspace usage:
398
399```bash
400curl -H "Authorization: Bearer YOUR_PLATFORM_API_KEY" \
401 "https://api.chatgpt.com/v1/analytics/codex/workspaces/WORKSPACE_ID/usage"
402```
403
404For more details on the Analytics API, see [Analytics API](https://developers.openai.com/codex/enterprise/governance#analytics-api).
405
406### Compliance API setup steps
407
408To set up the Compliance API key:
409
4101. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.
4112. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).
4123. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
4134. Choose All permissions.
4145. Copy the key value and store it securely, because you can only view it once.
4156. Send an email to support@openai.com with:
416
417- the last 4 digits of the API key
418- the key name
419- the created-by name
420- the scope needed: `read`, `delete`, or both
421
4227. Wait for OpenAI to confirm your API key has Compliance API access.
423
424To use the Compliance API key:
425
4261. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.
4272. Use the Compliance API at `https://api.chatgpt.com/v1/`
4283. Pass your Compliance API key in the Authorization header as a Bearer token.
4294. For Codex-related compliance data, use these endpoints:
430
431- /compliance/workspaces/`{workspace_id}`/logs
432- /compliance/workspaces/`{workspace_id}`/logs/`{log_file_id}`
433- /compliance/workspaces/`{workspace_id}`/codex_tasks
434- /compliance/workspaces/`{workspace_id}`/codex_environments
435
4365. For most Codex compliance integrations, start with the logs endpoint and request Codex event types such as CODEX_LOG or CODEX_SECURITY_LOG.
4376. Use /logs to list available Codex compliance log files, then /logs/`{log_file_id}` to download a specific file.
438
439Example curl command to list compliance log files:
440
441```bash
442curl -L -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \
443 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/logs?event_type=CODEX_LOG&after=2026-03-01T00:00:00Z"
444```
445
446Example curl command to list Codex tasks:
447
448```bash
449curl -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \
450 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/codex_tasks"
451```
452
453For more details on the Compliance API, see [Compliance API](https://developers.openai.com/codex/enterprise/governance#compliance-api).
454
455## Step 7: Confirm and verify setup
456
457### What to verify
458
459- Users can sign in to Codex local (ChatGPT or API key)
460- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)
461- MFA and SSO requirements match your enterprise security policy
462- RBAC and workspace toggles produce the expected access behavior
463- Managed configuration applies for users
464- Governance data is visible for admins
465
466For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).
467 113
468Once your team is confident with setup, you can roll Codex out to more teams and organizations.114<a id="team-config"></a>
115<a id="step-4-standardize-local-configuration-with-team-config"></a>
116
117## Step 4: Standardize repository configuration
118
119Use repository-scoped configuration to share project defaults, rules, and
120skills without duplicating setup for every user. Check configuration into
121`.codex` or `.agents` according to the feature's documented location:
122
123| Type | Source | Use it to |
124| ------------- | ------------------------------------------------ | ---------------------------------------------------------- |
125| Configuration | [Config basics](https://learn.chatgpt.com/docs/config-file/config-basic) | Set repository defaults for supported local clients |
126| Rules | [Rules](https://learn.chatgpt.com/docs/agent-configuration/rules) | Control commands that require approval outside the sandbox |
127| Skills | [Build skills](https://learn.chatgpt.com/docs/build-skills) | Make repository workflows available to supported clients |
128
129Repository configuration can supply defaults and reusable workflows. It can't
130grant workspace, model, Platform API, or connected-system access.
131
132## Step 5: Configure Codex cloud
133
134Codex cloud uses hosted environments and connected source repositories. Plan
135each boundary:
136
1371. Grant the intended audience Codex cloud access through supported workspace
138 controls.
1392. Install and configure the supported source-system integration.
1403. Limit repository access in the source system to the repositories each
141 audience needs.
1424. Configure cloud environments, secrets, and internet access for those
143 repositories.
1445. Configure optional hosted workflows such as code review.
1456. Test with a representative user who has the intended workspace and
146 repository permissions.
147
148Codex cloud respects the repository permissions and protections exposed by the
149connected source system. Workspace access doesn't bypass those controls. See
150[Cloud environments](https://learn.chatgpt.com/docs/environments/cloud-environment),
151[GitHub integration](https://learn.chatgpt.com/docs/third-party/github), and
152[Agent approvals and security](https://learn.chatgpt.com/docs/agent-approvals-security) for Codex cloud
153setup and runtime guidance.
154
155## Step 6: Configure plugins and connected capabilities
156
157Review plugin installation, bundled skills, app-backed capabilities, app
158actions, and source-system authorization as separate decisions. Disabling an
159app-backed capability doesn't necessarily uninstall the plugin or its bundled
160skills.
161
162Before including a plugin or skill in the rollout:
163
1641. Confirm its source, accountable owner, intended audience, and review date.
1652. Review bundled skills, apps, MCP servers, hooks, and the data and actions
166 each capability requires.
1673. Test it with non-sensitive data and the least access it needs.
1684. Record who owns re-review and retirement.
169
170Plugins are available in ChatGPT Work on the web, in ChatGPT Work and Codex in
171the ChatGPT desktop app, and through the Codex CLI plugin browser. They aren't
172available in Chat, the IDE extension, or mobile.
173
174See [Plugin controls](https://learn.chatgpt.com/docs/enterprise/apps-and-connectors) and
175[Skill controls](https://learn.chatgpt.com/docs/enterprise/skills) for the complete model.
176
177## Step 7: Set up governance and observability
178
179Choose the reporting surface that matches the question:
180
181<a id="analytics-api-setup-steps"></a>
182<a id="compliance-api-setup-steps"></a>
183
184- Use [Workspace analytics](https://learn.chatgpt.com/docs/enterprise/workspace-analytics) for
185 interactive ChatGPT workspace analytics and Codex analytics.
186- Use the [Analytics API](https://learn.chatgpt.com/docs/enterprise/analytics-api) for programmatic,
187 aggregated reporting through the Codex Analytics API.
188- Use the [Compliance API](https://learn.chatgpt.com/docs/enterprise/compliance-api) for audit and
189 investigation records.
190- Use [ChatGPT usage limits and spend controls](https://learn.chatgpt.com/docs/enterprise/usage-limits)
191 when plan-dependent Codex activity consumes eligible ChatGPT workspace
192 credits.
193
194Use the authenticated API references for current access requirements, schemas,
195fields, retention, and request behavior. Don't build an integration from a
196copied contract in this guide.
197
198Protect the integration boundary:
199
200- Store API keys and other integration credentials in the organization's
201 secret-management system.
202- Limit access to downstream systems and retained data to the approved
203 audience.
204- Protect exported Compliance API records according to their sensitivity and
205 the organization's retention policy, and test collection and deletion
206 workflows against the current contract.
207
208## Step 8: Verify and maintain the rollout
209
210Verify every applicable boundary with representative identities:
211
212- ChatGPT workspace membership, seat, and supported role permissions.
213- Covered local capabilities in the ChatGPT desktop app, Codex CLI, and IDE
214 extension, including sign-in and effective runtime requirements.
215- Codex cloud access, environment configuration, and repository permissions.
216- Platform API organization and project access for API-key workflows.
217- Plugin installation, bundled skills, app access, and supported actions.
218- Connected-system authorization and data access.
219- Analytics and compliance access for the responsible administrators.
220
221Record the owner and current procedural source for each control. This record
222lets administrators update procedures when UI or policy changes without
223changing the administration model.
224
225After the initial rollout, review access, connected capabilities, credit use,
226support feedback, and the workflows teams actually use. Adjust the rollout
227scope and administrator guidance when those signals change.