OpenAI - Codex Docs Changes 2026-02-19 20:37 UTC → 2026-04-20 06:53 UTC

1# Agent approvals & security

2 

3Codex helps protect your code and data and reduces the risk of misuse.

4 

5This page covers how to operate Codex safely, including sandboxing, approvals,

6 and network access. If you are looking for Codex Security, the product for

7 scanning connected GitHub repositories, see [Codex Security](https://developers.openai.com/codex/security).

8 

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

10 

11For a high-level explanation of how sandboxing works across the Codex app, IDE

12extension, and CLI, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing).

13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

14 

15## Sandbox and approvals

16 

17Codex security controls come from two layers that work together:

18 

19- **Sandbox mode**: What Codex can do technically (for example, where it can write and whether it can reach the network) when it executes model-generated commands.

20- **Approval policy**: When Codex must ask you before it executes an action (for example, leaving the sandbox, using the network, or running commands outside a trusted set).

21 

22Codex uses different sandbox modes depending on where you run it:

23 

24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.

25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

26 

27In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.

28 

29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

30 

31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

32 

33## Network access [Elevated Risk](https://help.openai.com/articles/20001061)

34 

35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

36 

37For the Codex app, CLI, or IDE Extension, the default `workspace-write` sandbox mode keeps network access turned off unless you enable it in your configuration:

38 

39```toml

40[sandbox_workspace_write]

41network_access = true

42```

43 

44You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

45 

46```toml

47web_search = "cached" # default

48# web_search = "disabled"

49# web_search = "live" # same as --search

50```

51 

52Use caution when enabling network access or web search in Codex. Prompt injection can cause the agent to fetch and follow untrusted instructions.

53 

54## Defaults and recommendations

55 

56- On launch, Codex detects whether the folder is version-controlled and recommends:

57 - Version-controlled folders: `Auto` (workspace write + on-request approvals)

58 - Non-version-controlled folders: `read-only`

59- Depending on your setup, Codex may also start in `read-only` until you explicitly trust the working directory (for example, via an onboarding prompt or `/permissions`).

60- The workspace includes the current directory and temporary directories like `/tmp`. Use the `/status` command to see which directories are in the workspace.

61- To accept the defaults, run `codex`.

62- You can set these explicitly:

63 - `codex --sandbox workspace-write --ask-for-approval on-request`

64 - `codex --sandbox read-only --ask-for-approval on-request`

65 

66### Protected paths in writable roots

67 

68In the default `workspace-write` sandbox policy, writable roots still include protected paths:

69 

70- `<writable_root>/.git` is protected as read-only whether it appears as a directory or file.

71- If `<writable_root>/.git` is a pointer file (`gitdir: ...`), the resolved Git directory path is also protected as read-only.

72- `<writable_root>/.agents` is protected as read-only when it exists as a directory.

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.

75 

76### Run without approval prompts

77 

78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

79 

80This option works with all `--sandbox` modes, so you still control Codex's level of autonomy. Codex makes a best effort within the constraints you set.

81 

82If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

83 

84For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

85 

86Set `approvals_reviewer = "guardian_subagent"` to route eligible approval reviews through the Guardian reviewer subagent instead of prompting the user directly. Admin requirements can constrain this with `allowed_approvals_reviewers`.

87 

88### Common sandbox and approval combinations

89 

90| Intent | Flags | Effect |

91| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |

92| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

93| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

94| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |

95| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

96| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |

97 

98`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.

99 

100With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

101 

102#### Configuration in `config.toml`

103 

104For the broader configuration workflow, see [Config basics](https://developers.openai.com/codex/config-basic), [Advanced Config](https://developers.openai.com/codex/config-advanced#approval-policies-and-sandbox-modes), and the [Configuration Reference](https://developers.openai.com/codex/config-reference).

105 

106```toml

107# Always ask for approval mode

108approval_policy = "untrusted"

109sandbox_mode = "read-only"

110allow_login_shell = false # optional hardening: disallow login shells for shell-based tools

111 

112# Optional: Allow network in workspace-write mode

113[sandbox_workspace_write]

114network_access = true

115 

116# Optional: granular approval policy

117# approval_policy = { granular = {

118# sandbox_approval = true,

119# rules = true,

120# mcp_elicitations = true,

121# request_permissions = false,

122# skill_approval = false

123# } }

124```

125 

126You can also save presets as profiles, then select them with `codex --profile <name>`:

127 

128```toml

129[profiles.full_auto]

130approval_policy = "on-request"

131sandbox_mode = "workspace-write"

132 

133[profiles.readonly_quiet]

134approval_policy = "never"

135sandbox_mode = "read-only"

136```

137 

138### Test the sandbox locally

139 

140To see what happens when a command runs under the Codex sandbox, use these Codex CLI commands:

141 

142```bash

143# macOS

144codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...

145# Linux

146codex sandbox linux [--full-auto] [COMMAND]...

147```

148 

149The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

150 

151## OS-level sandbox

152 

153Codex enforces the sandbox differently depending on your OS:

154 

155- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

156- **Linux** uses the `bwrap` pipeline plus `seccomp` by default. `use_legacy_landlock` is available when you need the older path. In managed proxy mode, the default `bwrap` pipeline routes egress through a proxy-only bridge and fails closed if it can’t build valid local proxy routes.

157- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

158 

159If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:

160 

161```json

162{

163 "chatgpt.runCodexInWindowsSubsystemForLinux": true

164}

165```

166 

167This ensures the IDE extension inherits Linux sandbox semantics for commands, approvals, and filesystem access even when the host OS is Windows. Learn more in the [Windows setup guide](https://developers.openai.com/codex/windows).

168 

169When running natively on Windows, configure the native sandbox mode in `config.toml`:

170 

171```toml

172[windows]

173sandbox = "unelevated" # or "elevated"

174# sandbox_private_desktop = true # default; set false only for compatibility

175```

176 

177See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

178 

179When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.

180 

181In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

182 

183## Version control

184 

185Codex works best with a version control workflow:

186 

187- Work on a feature branch and keep `git status` clean before delegating. This keeps Codex patches easier to isolate and revert.

188- Prefer patch-based workflows (for example, `git diff`/`git apply`) over editing tracked files directly. Commit frequently so you can roll back in small increments.

189- Treat Codex suggestions like any other PR: run targeted verification, review diffs, and document decisions in commit messages for auditing.

190 

191## Monitoring and telemetry

192 

193Codex supports opt-in monitoring via OpenTelemetry (OTel) to help teams audit usage, investigate issues, and meet compliance requirements without weakening local security defaults. Telemetry is off by default; enable it explicitly in your configuration.

194 

195### Overview

196 

197- Codex turns off OTel export by default to keep local runs self-contained.

198- When enabled, Codex emits structured log events covering conversations, API requests, SSE/WebSocket stream activity, user prompts (redacted by default), tool approval decisions, and tool results.

199- Codex tags exported events with `service.name` (originator), CLI version, and an environment label to separate dev/staging/prod traffic.

200 

201### Enable OTel (opt-in)

202 

203Add an `[otel]` block to your Codex configuration (typically `~/.codex/config.toml`), choosing an exporter and whether to log prompt text.

204 

205```toml

206[otel]

207environment = "staging" # dev | staging | prod

208exporter = "none" # none | otlp-http | otlp-grpc

209log_user_prompt = false # redact prompt text unless policy allows

210```

211 

212- `exporter = "none"` leaves instrumentation active but doesn't send data anywhere.

213- To send events to your own collector, pick one of:

214 

215```toml

216[otel]

217exporter = { otlp-http = {

218 endpoint = "https://otel.example.com/v1/logs",

219 protocol = "binary",

220 headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }

221}}

222```

223 

224```toml

225[otel]

226exporter = { otlp-grpc = {

227 endpoint = "https://otel.example.com:4317",

228 headers = { "x-otlp-meta" = "abc123" }

229}}

230```

231 

232Codex batches events and flushes them on shutdown. Codex exports only telemetry produced by its OTel module.

233 

234### Event categories

235 

236Representative event types include:

237 

238- `codex.conversation_starts` (model, reasoning settings, sandbox/approval policy)

239- `codex.api_request` (attempt, status/success, duration, and error details)

240- `codex.sse_event` (stream event kind, success/failure, duration, plus token counts on `response.completed`)

241- `codex.websocket_request` and `codex.websocket_event` (request duration plus per-message kind/success/error)

242- `codex.user_prompt` (length; content redacted unless explicitly enabled)

243- `codex.tool_decision` (approved/denied, source: configuration vs. user)

244- `codex.tool_result` (duration, success, output snippet)

245 

246Associated OTel metrics (counter plus duration histogram pairs) include `codex.api_request`, `codex.sse_event`, `codex.websocket.request`, `codex.websocket.event`, and `codex.tool.call` (with corresponding `.duration_ms` instruments).

247 

248For the full event catalog and configuration reference, see the [Codex configuration documentation on GitHub](https://github.com/openai/codex/blob/main/docs/config.md#otel).

249 

250### Security and privacy guidance

251 

252- Keep `log_user_prompt = false` unless policy explicitly permits storing prompt contents. Prompts can include source code and sensitive data.

253- Route telemetry only to collectors you control; apply retention limits and access controls aligned with your compliance requirements.

254- Treat tool arguments and outputs as sensitive. Favor redaction at the collector or SIEM when possible.

255- Review local data retention settings (for example, `history.persistence` / `history.max_bytes`) if you don't want Codex to save session transcripts under `CODEX_HOME`. See [Advanced Config](https://developers.openai.com/codex/config-advanced#history-persistence) and [Configuration Reference](https://developers.openai.com/codex/config-reference).

256- If you run the CLI with network access turned off, OTel export can't reach your collector. To export, allow network access in `workspace-write` mode for the OTel endpoint, or export from Codex cloud with the collector domain on your approved list.

257- Review events periodically for approval/sandbox changes and unexpected tool executions.

258 

259OTel is optional and designed to complement, not replace, the sandbox and approval protections described above.

260 

261## Managed configuration

262 

263Enterprise admins can configure Codex security settings for their workspace in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration). See that page for setup and policy details.

1# Codex app1# Codex app

2 2 

3Your Codex command center

4 

5The Codex app is a focused desktop experience for working on Codex threads in parallel, with built-in worktree support, automations, and Git functionality.3The Codex app is a focused desktop experience for working on Codex threads in parallel, with built-in worktree support, automations, and Git functionality.

6 4 

7ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).

8 6 

9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp) ![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-dark.webp)7![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)

10 8 

11![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp) ![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-dark.webp)9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)

12 10 

13## Getting started11## Getting started

14 12 

15The Codex app is available on macOS (Apple Silicon).13The Codex app is available on macOS and Windows.

16 14 

171. Download and install the Codex app151. Download and install the Codex app

18 16 

19 The Codex app is currently only available for macOS.17 Download the Codex app for Windows or macOS. Choose the Intel build if you’re using an Intel-based Mac.

18 

19 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)

20 20 

21 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)21 Need a different operating system?

22 22 

23 [Get notified for Windows and Linux](https://openai.com/form/codex-app/)23 [Download for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi)

24 

25 [Get notified for Linux](https://openai.com/form/codex-app/)

242. Open Codex and sign in262. Open Codex and sign in

25 27 

26 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.28 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

38 40 

39 You can ask Codex anything about the project or your computer in general. Here are some examples:41 You can ask Codex anything about the project or your computer in general. Here are some examples:

40 42 

41 ![](https://developers.openai.com/codex/colorcons/brain.png)Tell me about this projectCopied![](https://developers.openai.com/codex/colorcons/gamepad.png)Build a classic Snake game in this repo.Copied![](https://developers.openai.com/codex/colorcons/search.png)Find and fix bugs in my codebase with minimal, high-confidence changes.Copied43- Tell me about this project

44- Build a classic Snake game in this repo.

45- Find and fix bugs in my codebase with minimal, high-confidence changes.

42 46 

43 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).47 If you need more inspiration, explore [Codex use cases](https://developers.openai.com/codex/use-cases).

48 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

44 49 

45---50---

46 51 

48 53 

49[### Multitask across projects54[### Multitask across projects

50 55 

51Run multiple tasks in parallel and switch quickly between them.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Built-in Git tools56Run project threads side by side and switch between them quickly.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Worktrees

52 57 

53Review diffs, comment inline, stage or revert chunks, and commit without leaving the app.](https://developers.openai.com/codex/app/features#built-in-git-tools)[### Worktrees for parallel tasks58Keep parallel code changes isolated with built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Computer use

54 59 

55Isolate changes of multiple Codex threads using built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Skills support60Let Codex use macOS apps for GUI tasks, browser flows, and native app testing.](https://developers.openai.com/codex/app/computer-use)[### Review and ship changes

56 61 

57Give your Codex agent additional capabilities and reuse skills across App, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Automations62Inspect diffs, address PR feedback, stage files, commit, and push.](https://developers.openai.com/codex/app/review)[### Terminal and actions

58 63 

59Pair skills with automations to automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives runs if there’s nothing to report.](https://developers.openai.com/codex/app/automations)[### Built-in terminal64Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser

60 65 

61Open a terminal per thread to test your changes, run dev servers, scripts, and custom commands.](https://developers.openai.com/codex/app/features#integrated-terminal)[### Local environments66Open unauthenticated local or public pages and comment on rendered output.](https://developers.openai.com/codex/app/browser)[### Image generation

62 67 

63Define worktree setup scripts and common project actions for easy access.](https://developers.openai.com/codex/app/local-environments)[### Sync with the IDE extension68Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations

64 69 

65Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)[### MCP support70Schedule recurring tasks, or wake up the same thread for ongoing checks.](https://developers.openai.com/codex/app/automations)[### Skills

66 71 

67Connect your Codex agent to additional services using MCP.](https://developers.openai.com/codex/app/features#mcp-support)72Reuse instructions and workflows across the app, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Sidebar and artifacts

68 73 

74Follow plans, sources, task summaries, and generated file previews.](https://developers.openai.com/codex/app/features#richer-outputs-and-artifacts)[### Plugins

69 75 

70Need help? Visit the [troubleshooting guide](https://developers.openai.com/codex/app/troubleshooting).76Connect apps, skills, and MCP servers to extend what Codex can do.](https://developers.openai.com/codex/plugins)[### IDE Extension sync

77 

78Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)

71 79 

72[Next80---

73 81 

74Features](https://developers.openai.com/codex/app/features)82Need help? Visit the [troubleshooting guide](https://developers.openai.com/codex/app/troubleshooting).

1# Codex App Server1# Codex App Server

2 2 

3Embed Codex into your product with the app-server protocol

4 

5Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.3Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.

6 4 

7If you are automating jobs or running Codex in CI, use the5If you are automating jobs or running Codex in CI, use the

23Requests include `method`, `params`, and `id`:21Requests include `method`, `params`, and `id`:

24 22 

25```json23```json

26{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.1-codex" } }24{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.4" } }

27```25```

28 26 

29Responses echo the `id` with either `result` or `error`:27Responses echo the `id` with either `result` or `error`:

101 },99 },

102});100});

103send({ method: "initialized", params: {} });101send({ method: "initialized", params: {} });

104send({ method: "thread/start", id: 1, params: { model: "gpt-5.1-codex" } });102send({ method: "thread/start", id: 1, params: { model: "gpt-5.4" } });

105```103```

106 104 

107## Core primitives105## Core primitives

118- **Start (or resume) a thread**: Call `thread/start` for a new conversation, `thread/resume` to continue an existing one, or `thread/fork` to branch history into a new thread id.116- **Start (or resume) a thread**: Call `thread/start` for a new conversation, `thread/resume` to continue an existing one, or `thread/fork` to branch history into a new thread id.

119- **Begin a turn**: Call `turn/start` with the target `threadId` and user input. Optional fields override model, personality, `cwd`, sandbox policy, and more.117- **Begin a turn**: Call `turn/start` with the target `threadId` and user input. Optional fields override model, personality, `cwd`, sandbox policy, and more.

120- **Steer an active turn**: Call `turn/steer` to append user input to the currently in-flight turn without creating a new turn.118- **Steer an active turn**: Call `turn/steer` to append user input to the currently in-flight turn without creating a new turn.

121- **Stream events**: After `turn/start`, keep reading notifications on stdout: `item/started`, `item/completed`, `item/agentMessage/delta`, tool progress, and other updates.119- **Stream events**: After `turn/start`, keep reading notifications on stdout: `thread/archived`, `thread/unarchived`, `item/started`, `item/completed`, `item/agentMessage/delta`, tool progress, and other updates.

122- **Finish the turn**: The server emits `turn/completed` with final status when the model finishes or after a `turn/interrupt` cancellation.120- **Finish the turn**: The server emits `turn/completed` with final status when the model finishes or after a `turn/interrupt` cancellation.

123 121 

124## Initialization122## Initialization

125 123 

126Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.124Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.

127 125 

128The server returns the user agent string it will present to upstream services. Set `clientInfo` to identify your integration.126The server returns the user agent string it will present to upstream services plus `platformFamily` and `platformOs` values that describe the runtime target. Set `clientInfo` to identify your integration.

129 127 

130`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.128`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.

131 129 

161 },159 },

162 "capabilities": {160 "capabilities": {

163 "experimentalApi": true,161 "experimentalApi": true,

164 "optOutNotificationMethods": [162 "optOutNotificationMethods": ["thread/started", "item/agentMessage/delta"]

165 "codex/event/session_configured",

166 "item/agentMessage/delta"

167 ]

168 }163 }

169 }164 }

170}165}

203- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.198- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.

204- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.199- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

205- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.200- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.

206- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history.201- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

207- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters.202- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.

208- `thread/loaded/list` - list the thread ids currently loaded in memory.203- `thread/loaded/list` - list the thread ids currently loaded in memory.

209- `thread/archive` - move a thread’s log file into the archived directory; returns `{}` on success.204- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

210- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread`.205- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

206- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.

207- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

208- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

211- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.209- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

210- `thread/shellCommand` - run a user-initiated shell command against a thread. This runs outside the sandbox with full access and doesn't inherit the thread sandbox policy.

211- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

212- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.212- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

213- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."213- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

214- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.214- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

215- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.215- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

216- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.216- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

217- `command/exec` - run a single command under the server sandbox without starting a thread/turn.217- `command/exec` - run a single command under the server sandbox without starting a thread/turn.

218- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.

219- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

220- `command/exec/terminate` - stop a running `command/exec` session.

218- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.221- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

219- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.222- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

220- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).223- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

221- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).224- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

225- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace errors, featured plugin ids, and the development-only `forceRemoteSync` option.

226- `plugin/read` - read one plugin by marketplace path and plugin name, including bundled skills, apps, and MCP server names.

227- `plugin/install` - install a plugin from a marketplace path.

228- `plugin/uninstall` - uninstall an installed plugin.

222- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.229- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.

223- `skills/config/write` - enable or disable skills by path.230- `skills/config/write` - enable or disable skills by path.

224- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.231- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.

225- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.232- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.

226- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.233- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

227- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination).234- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

228- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id).235- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

236- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

237- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

229- `config/read` - fetch the effective configuration on disk after resolving configuration layering.238- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

239- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

240- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).

230- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.241- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

231- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.242- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

232- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists and residency requirements (or `null` if you haven’t set any up).243- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

244- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, and `fs/copy` - operate on absolute filesystem paths through the app-server v2 filesystem API.

233 245 

234## Models246## Models

235 247 

241{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }253{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }

242{ "id": 6, "result": {254{ "id": 6, "result": {

243 "data": [{255 "data": [{

244 "id": "gpt-5.2-codex",256 "id": "gpt-5.4",

245 "model": "gpt-5.2-codex",257 "model": "gpt-5.4",

246 "upgrade": "gpt-5.3-codex",258 "displayName": "GPT-5.4",

247 "displayName": "GPT-5.2 Codex",

248 "hidden": false,259 "hidden": false,

249 "defaultReasoningEffort": "medium",260 "defaultReasoningEffort": "medium",

250 "reasoningEffort": [{261 "supportedReasoningEfforts": [{

251 "effort": "low",262 "reasoningEffort": "low",

252 "description": "Lower latency"263 "description": "Lower latency"

253 }],264 }],

254 "inputModalities": ["text", "image"],265 "inputModalities": ["text", "image"],

261 272 

262Each model entry can include:273Each model entry can include:

263 274 

264- `reasoningEffort` - supported effort options for the model.275- `supportedReasoningEfforts` - supported effort options for the model.

265- `defaultReasoningEffort` - suggested default effort for clients.276- `defaultReasoningEffort` - suggested default effort for clients.

266- `upgrade` - optional recommended upgrade model id for migration prompts in clients.277- `upgrade` - optional recommended upgrade model id for migration prompts in clients.

278- `upgradeInfo` - optional upgrade metadata for migration prompts in clients.

267- `hidden` - whether the model is hidden from the default picker list.279- `hidden` - whether the model is hidden from the default picker list.

268- `inputModalities` - supported input types for the model (for example `text`, `image`).280- `inputModalities` - supported input types for the model (for example `text`, `image`).

269- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.281- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.

301- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.313- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.

302- `thread/loaded/list` returns the thread IDs currently in memory.314- `thread/loaded/list` returns the thread IDs currently in memory.

303- `thread/archive` moves the thread's persisted JSONL log into the archived directory.315- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

316- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.

304- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.317- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

305- `thread/compact/start` triggers compaction and returns `{}` immediately.318- `thread/compact/start` triggers compaction and returns `{}` immediately.

306- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.319- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

311 324 

312```json325```json

313{ "method": "thread/start", "id": 10, "params": {326{ "method": "thread/start", "id": 10, "params": {

314 "model": "gpt-5.1-codex",327 "model": "gpt-5.4",

315 "cwd": "/Users/me/project",328 "cwd": "/Users/me/project",

316 "approvalPolicy": "never",329 "approvalPolicy": "never",

317 "sandbox": "workspaceWrite",330 "sandbox": "workspaceWrite",

318 "personality": "friendly"331 "personality": "friendly",

332 "serviceName": "my_app_server_client"

319} }333} }

320{ "id": 10, "result": {334{ "id": 10, "result": {

321 "thread": {335 "thread": {

322 "id": "thr_123",336 "id": "thr_123",

323 "preview": "",337 "preview": "",

338 "ephemeral": false,

324 "modelProvider": "openai",339 "modelProvider": "openai",

325 "createdAt": 1730910000340 "createdAt": 1730910000

326 }341 }

328{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }343{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }

329```344```

330 345 

346`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration's service name.

347 

331To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:348To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:

332 349 

333```json350```json

335 "threadId": "thr_123",352 "threadId": "thr_123",

336 "personality": "friendly"353 "personality": "friendly"

337} }354} }

338{ "id": 11, "result": { "thread": { "id": "thr_123" } } }355{ "id": 11, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false } } }

339```356```

340 357 

341Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.358Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.

354{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }371{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }

355```372```

356 373 

374When a user-facing thread title has been set, app-server hydrates `thread.name` on `thread/list`, `thread/read`, `thread/resume`, `thread/unarchive`, and `thread/rollback` responses. `thread/start` and `thread/fork` may omit `name` (or return `null`) until a title is set later.

375 

357### Read a stored thread (without resuming)376### Read a stored thread (without resuming)

358 377 

359Use `thread/read` when you want stored thread data but don't want to resume the thread or subscribe to its events.378Use `thread/read` when you want stored thread data but don't want to resume the thread or subscribe to its events.

360 379 

361- `includeTurns` - when `true`, the response includes the thread's turns; when `false` or omitted, you get the thread summary only.380- `includeTurns` - when `true`, the response includes the thread's turns; when `false` or omitted, you get the thread summary only.

381- Returned `thread` objects include runtime `status` (`notLoaded`, `idle`, `systemError`, or `active` with `activeFlags`).

362 382 

363```json383```json

364{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }384{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }

365{ "id": 19, "result": { "thread": { "id": "thr_123", "turns": [] } } }385{ "id": 19, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false, "status": { "type": "notLoaded" }, "turns": [] } } }

366```386```

367 387 

368Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.388Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

402} }422} }

403{ "id": 20, "result": {423{ "id": 20, "result": {

404 "data": [424 "data": [

405 { "id": "thr_a", "preview": "Create a TUI", "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111 },425 { "id": "thr_a", "preview": "Create a TUI", "ephemeral": false, "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111, "name": "TUI prototype", "status": { "type": "notLoaded" } },

406 { "id": "thr_b", "preview": "Fix tests", "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000 }426 { "id": "thr_b", "preview": "Fix tests", "ephemeral": true, "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000, "status": { "type": "notLoaded" } }

407 ],427 ],

408 "nextCursor": "opaque-token-or-null"428 "nextCursor": "opaque-token-or-null"

409} }429} }

411 431 

412When `nextCursor` is `null`, you have reached the final page.432When `nextCursor` is `null`, you have reached the final page.

413 433 

434### Track thread status changes

435 

436`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

437 

438```json

439{

440 "method": "thread/status/changed",

441 "params": {

442 "threadId": "thr_123",

443 "status": { "type": "active", "activeFlags": ["waitingOnApproval"] }

444 }

445}

446```

447 

414### List loaded threads448### List loaded threads

415 449 

416`thread/loaded/list` returns thread IDs currently loaded in memory.450`thread/loaded/list` returns thread IDs currently loaded in memory.

420{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }454{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }

421```455```

422 456 

457### Unsubscribe from a loaded thread

458 

459`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:

460 

461- `unsubscribed` when the connection was subscribed and is now removed.

462- `notSubscribed` when the connection wasn't subscribed to that thread.

463- `notLoaded` when the thread isn't loaded.

464 

465If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

466 

467```json

468{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

469{ "id": 22, "result": { "status": "unsubscribed" } }

470{ "method": "thread/status/changed", "params": {

471 "threadId": "thr_123",

472 "status": { "type": "notLoaded" }

473} }

474{ "method": "thread/closed", "params": { "threadId": "thr_123" } }

475```

476 

423### Archive a thread477### Archive a thread

424 478 

425Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.479Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.

427```json481```json

428{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }482{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }

429{ "id": 22, "result": {} }483{ "id": 22, "result": {} }

484{ "method": "thread/archived", "params": { "threadId": "thr_b" } }

430```485```

431 486 

432Archived threads won't appear in future calls to `thread/list` unless you pass `archived: true`.487Archived threads won't appear in future calls to `thread/list` unless you pass `archived: true`.

437 492 

438```json493```json

439{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }494{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }

440{ "id": 24, "result": { "thread": { "id": "thr_b" } } }495{ "id": 24, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes" } } }

496{ "method": "thread/unarchived", "params": { "threadId": "thr_b" } }

441```497```

442 498 

443### Trigger thread compaction499### Trigger thread compaction

451{ "id": 25, "result": {} }507{ "id": 25, "result": {} }

452```508```

453 509 

510### Run a thread shell command

511 

512Use `thread/shellCommand` for user-initiated shell commands that belong to a thread. The request returns immediately with `{}` while progress streams through standard `turn/*` and `item/*` notifications.

513 

514This API runs outside the sandbox with full access and doesn't inherit the thread sandbox policy. Clients should expose it only for explicit user-initiated commands.

515 

516If the thread already has an active turn, the command runs as an auxiliary action on that turn and its formatted output is injected into the turn's message stream. If the thread is idle, app-server starts a standalone turn for the shell command.

517 

518```json

519{ "method": "thread/shellCommand", "id": 26, "params": { "threadId": "thr_b", "command": "git status --short" } }

520{ "id": 26, "result": {} }

521```

522 

523### Clean background terminals

524 

525Use `thread/backgroundTerminals/clean` to stop all running background terminals associated with a thread. This method is experimental and requires `capabilities.experimentalApi = true`.

526 

527```json

528{ "method": "thread/backgroundTerminals/clean", "id": 27, "params": { "threadId": "thr_b" } }

529{ "id": 27, "result": {} }

530```

531 

532### Roll back recent turns

533 

534Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.

535 

536```json

537{ "method": "thread/rollback", "id": 28, "params": { "threadId": "thr_b", "numTurns": 1 } }

538{ "id": 28, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }

539```

540 

454## Turns541## Turns

455 542 

456The `input` field accepts a list of items:543The `input` field accepts a list of items:

480}567}

481```568```

482 569 

570On macOS, `includePlatformDefaults: true` appends a curated platform-default Seatbelt policy for restricted-read sessions. This improves tool compatibility without broadly allowing all of `/System`.

571 

483Examples:572Examples:

484 573 

485```json574```json

512 "writableRoots": ["/Users/me/project"],601 "writableRoots": ["/Users/me/project"],

513 "networkAccess": true602 "networkAccess": true

514 },603 },

515 "model": "gpt-5.1-codex",604 "model": "gpt-5.4",

516 "effort": "medium",605 "effort": "medium",

517 "summary": "concise",606 "summary": "concise",

518 "personality": "friendly",607 "personality": "friendly",

655- The server rejects empty `command` arrays.744- The server rejects empty `command` arrays.

656- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).745- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).

657- When omitted, `timeoutMs` falls back to the server default.746- When omitted, `timeoutMs` falls back to the server default.

747- Set `tty: true` for PTY-backed sessions, and use `processId` when you plan to follow up with `command/exec/write`, `command/exec/resize`, or `command/exec/terminate`.

748- Set `streamStdoutStderr: true` to receive `command/exec/outputDelta` notifications while the command is running.

749 

750### Read admin requirements (`configRequirements/read`)

751 

752Use `configRequirements/read` to inspect the effective admin requirements loaded from `requirements.toml` and/or MDM.

753 

754```json

755{ "method": "configRequirements/read", "id": 52, "params": {} }

756{ "id": 52, "result": {

757 "requirements": {

758 "allowedApprovalPolicies": ["onRequest", "unlessTrusted"],

759 "allowedSandboxModes": ["readOnly", "workspaceWrite"],

760 "featureRequirements": {

761 "personality": true,

762 "unified_exec": false

763 },

764 "network": {

765 "enabled": true,

766 "allowedDomains": ["api.openai.com"],

767 "allowUnixSockets": ["/tmp/example.sock"],

768 "dangerouslyAllowAllUnixSockets": false

769 }

770 }

771} }

772```

773 

774`result.requirements` is `null` when no requirements are configured. See the docs on [`requirements.toml`](https://developers.openai.com/codex/config-reference#requirementstoml) for details on supported keys and values.

775 

776### Windows sandbox setup (`windowsSandbox/setupStart`)

777 

778Custom Windows clients can trigger sandbox setup asynchronously instead of blocking on startup checks.

779 

780```json

781{ "method": "windowsSandbox/setupStart", "id": 53, "params": { "mode": "elevated" } }

782{ "id": 53, "result": { "started": true } }

783```

784 

785App-server starts setup in the background and later emits a completion notification:

786 

787```json

788{

789 "method": "windowsSandbox/setupCompleted",

790 "params": { "mode": "elevated", "success": true, "error": null }

791}

792```

793 

794Modes:

795 

796- `elevated` - run the elevated Windows sandbox setup path.

797- `unelevated` - run the legacy setup/preflight path.

658 798 

659## Events799## Events

660 800 

661Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `turn/*`, and `item/*` notifications.801Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

662 802 

663### Notification opt-out803### Notification opt-out

664 804 

666 806 

667- Exact-match only: `item/agentMessage/delta` suppresses only that method.807- Exact-match only: `item/agentMessage/delta` suppresses only that method.

668- Unknown method names are ignored.808- Unknown method names are ignored.

669- Applies to both legacy (`codex/event/*`) and v2 (`thread/*`, `turn/*`, `item/*`, etc.) notifications.809- Applies to the current `thread/*`, `turn/*`, `item/*`, and related v2 notifications.

670- Doesn't apply to requests, responses, or errors.810- Doesn't apply to requests, responses, or errors.

671 811 

672### Fuzzy file search events (experimental)812### Fuzzy file search events (experimental)

676- `fuzzyFileSearch/sessionUpdated` - `{ sessionId, query, files }` with the current matches for the active query.816- `fuzzyFileSearch/sessionUpdated` - `{ sessionId, query, files }` with the current matches for the active query.

677- `fuzzyFileSearch/sessionCompleted` - `{ sessionId }` once indexing and matching for that query completes.817- `fuzzyFileSearch/sessionCompleted` - `{ sessionId }` once indexing and matching for that query completes.

678 818 

819### Windows sandbox setup events

820 

821- `windowsSandbox/setupCompleted` - `{ mode, success, error }` emitted after a `windowsSandbox/setupStart` request finishes.

822 

679### Turn events823### Turn events

680 824 

681- `turn/started` - `{ turn }` with the turn id, empty `items`, and `status: "inProgress"`.825- `turn/started` - `{ turn }` with the turn id, empty `items`, and `status: "inProgress"`.

691`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Common item types include:835`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Common item types include:

692 836 

693- `userMessage` - `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).837- `userMessage` - `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).

694- `agentMessage` - `{id, text}` containing the accumulated agent reply.838- `agentMessage` - `{id, text, phase?}` containing the accumulated agent reply. When present, `phase` uses Responses API wire values (`commentary`, `final_answer`).

695- `plan` - `{id, text}` containing proposed plan text in plan mode. Treat the final `plan` item from `item/completed` as authoritative.839- `plan` - `{id, text}` containing proposed plan text in plan mode. Treat the final `plan` item from `item/completed` as authoritative.

696- `reasoning` - `{id, summary, content}` where `summary` holds streamed reasoning summaries and `content` holds raw reasoning blocks.840- `reasoning` - `{id, summary, content}` where `summary` holds streamed reasoning summaries and `content` holds raw reasoning blocks.

697- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.841- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.

698- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.842- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.

699- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.843- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.

844- `dynamicToolCall` - `{id, tool, arguments, status, contentItems?, success?, durationMs?}` for client-executed dynamic tool invocations.

700- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.845- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.

701- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.846- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.

702- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.847- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.

753Order of messages:898Order of messages:

754 899 

7551. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.9001. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.

7562. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, and optional `proposedExecpolicyAmendment`.9012. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, optional `proposedExecpolicyAmendment`, optional `networkApprovalContext`, and optional `availableDecisions`. When `initialize.params.capabilities.experimentalApi = true`, the payload can also include experimental `additionalPermissions` describing requested per-command sandbox access. Any filesystem paths inside `additionalPermissions` are absolute on the wire.

7573. Client responds with one of the command execution approval decisions above.9023. Client responds with one of the command execution approval decisions above.

7584. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.9034. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

9045. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.

905 

906When `networkApprovalContext` is present, the prompt is for managed network access (not a general shell-command approval). The current v2 schema exposes the target `host` and `protocol`; clients should render a network-specific prompt and not rely on `command` being a user-meaningful shell command preview.

907 

908Codex groups concurrent network approval prompts by destination (`host`, protocol, and port). The app-server may therefore send one prompt that unblocks multiple queued requests to the same destination, while different ports on the same host are treated separately.

759 909 

760### File change approvals910### File change approvals

761 911 

7641. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.9141. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.

7652. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.9152. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.

7663. Client responds with one of the file change approval decisions above.9163. Client responds with one of the file change approval decisions above.

7674. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.9174. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

9185. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.

919 

920### `tool/requestUserInput`

921 

922When the client responds to `item/tool/requestUserInput`, app-server emits `serverRequest/resolved` with `{ threadId, requestId }`. If the pending request is cleared by turn start, turn completion, or turn interruption before the client answers, the server emits the same notification for that cleanup.

923 

924### Dynamic tool calls (experimental)

925 

926`dynamicTools` on `thread/start` and the corresponding `item/tool/call` request or response flow are experimental APIs.

927 

928When a dynamic tool is invoked during a turn, app-server emits:

929 

9301. `item/started` with `item.type = "dynamicToolCall"`, `status = "inProgress"`, plus `tool` and `arguments`.

9312. `item/tool/call` as a server request to the client.

9323. The client response payload with returned content items.

9334. `item/completed` with `item.type = "dynamicToolCall"`, the final `status`, and any returned `contentItems` or `success` value.

768 934 

769### MCP tool-call approvals (apps)935### MCP tool-call approvals (apps)

770 936 

771App (connector) tool calls can also require approval. When an app tool call has side effects, the server may elicit approval with `tool/requestUserInput` and options such as **Accept**, **Decline**, and **Cancel**. If the user declines or cancels, the related `mcpToolCall` item completes with an error instead of running the tool.937App (connector) tool calls can also require approval. When an app tool call has side effects, the server may elicit approval with `tool/requestUserInput` and options such as **Accept**, **Decline**, and **Cancel**. Destructive tool annotations always trigger approval even when the tool also advertises less-privileged hints. If the user declines or cancels, the related `mcpToolCall` item completes with an error instead of running the tool.

772 938 

773## Skills939## Skills

774 940 

865 1031 

866## Apps (connectors)1032## Apps (connectors)

867 1033 

868Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state.1034Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state. App entries can also include optional `branding`, `appMetadata`, and `labels` fields.

869 1035 

870```json1036```json

871{ "method": "app/list", "id": 50, "params": {1037{ "method": "app/list", "id": 50, "params": {

881 "name": "Demo App",1047 "name": "Demo App",

882 "description": "Example connector for documentation.",1048 "description": "Example connector for documentation.",

883 "logoUrl": "https://example.com/demo-app.png",1049 "logoUrl": "https://example.com/demo-app.png",

1050 "logoUrlDark": null,

1051 "distributionChannel": null,

1052 "branding": null,

1053 "appMetadata": null,

1054 "labels": null,

884 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",1055 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",

885 "isAccessible": true,1056 "isAccessible": true,

886 "isEnabled": true1057 "isEnabled": true

906 "name": "Demo App",1077 "name": "Demo App",

907 "description": "Example connector for documentation.",1078 "description": "Example connector for documentation.",

908 "logoUrl": "https://example.com/demo-app.png",1079 "logoUrl": "https://example.com/demo-app.png",

1080 "logoUrlDark": null,

1081 "distributionChannel": null,

1082 "branding": null,

1083 "appMetadata": null,

1084 "labels": null,

909 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",1085 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",

910 "isAccessible": true,1086 "isAccessible": true,

911 "isEnabled": true1087 "isEnabled": true

938}1114}

939```1115```

940 1116 

1117### Config RPC examples for app settings

1118 

1119Use `config/read`, `config/value/write`, and `config/batchWrite` to inspect or update app controls in `config.toml`.

1120 

1121Read the effective app config shape (including `_default` and per-tool overrides):

1122 

1123```json

1124{ "method": "config/read", "id": 60, "params": { "includeLayers": false } }

1125{ "id": 60, "result": {

1126 "config": {

1127 "apps": {

1128 "_default": {

1129 "enabled": true,

1130 "destructive_enabled": true,

1131 "open_world_enabled": true

1132 },

1133 "google_drive": {

1134 "enabled": true,

1135 "destructive_enabled": false,

1136 "default_tools_approval_mode": "prompt",

1137 "tools": {

1138 "files/delete": { "enabled": false, "approval_mode": "approve" }

1139 }

1140 }

1141 }

1142 }

1143} }

1144```

1145 

1146Update a single app setting:

1147 

1148```json

1149{

1150 "method": "config/value/write",

1151 "id": 61,

1152 "params": {

1153 "keyPath": "apps.google_drive.default_tools_approval_mode",

1154 "value": "prompt",

1155 "mergeStrategy": "replace"

1156 }

1157}

1158```

1159 

1160Apply multiple app edits atomically:

1161 

1162```json

1163{

1164 "method": "config/batchWrite",

1165 "id": 62,

1166 "params": {

1167 "edits": [

1168 {

1169 "keyPath": "apps._default.destructive_enabled",

1170 "value": false,

1171 "mergeStrategy": "upsert"

1172 },

1173 {

1174 "keyPath": "apps.google_drive.tools.files/delete.approval_mode",

1175 "value": "approve",

1176 "mergeStrategy": "upsert"

1177 }

1178 ]

1179 }

1180}

1181```

1182 

1183### Detect and import external agent config

1184 

1185Use `externalAgentConfig/detect` to discover external-agent artifacts that can be migrated, then pass the selected entries to `externalAgentConfig/import`.

1186 

1187Detection example:

1188 

1189```json

1190{ "method": "externalAgentConfig/detect", "id": 63, "params": {

1191 "includeHome": true,

1192 "cwds": ["/Users/me/project"]

1193} }

1194{ "id": 63, "result": {

1195 "items": [

1196 {

1197 "itemType": "AGENTS_MD",

1198 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1199 "cwd": "/Users/me/project"

1200 },

1201 {

1202 "itemType": "SKILLS",

1203 "description": "Copy skill folders from /Users/me/.claude/skills to /Users/me/.agents/skills.",

1204 "cwd": null

1205 }

1206 ]

1207} }

1208```

1209 

1210Import example:

1211 

1212```json

1213{ "method": "externalAgentConfig/import", "id": 64, "params": {

1214 "migrationItems": [

1215 {

1216 "itemType": "AGENTS_MD",

1217 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1218 "cwd": "/Users/me/project"

1219 }

1220 ]

1221} }

1222{ "id": 64, "result": {} }

1223```

1224 

1225Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, and `MCP_SERVER_CONFIG`. Detection returns only items that still have work to do. For example, AGENTS migration is skipped when `AGENTS.md` already exists and is non-empty, and skill imports don’t overwrite existing skill directories.

1226 

941## Auth endpoints1227## Auth endpoints

942 1228 

943The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1229The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.

1# Automations1# Automations

2 2 

3Schedule recurring Codex tasks

4 

5Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.

6 4 

7Automations run locally in the Codex app. The app needs to be running, and the5For project-scoped automations, the app needs to be running, and the selected

8selected project needs to be available on disk.6project needs to be available on disk.

9 7 

10In Git repositories, each automation run starts in a new8In Git repositories, you can choose whether an automation runs in your local

11[worktree](https://developers.openai.com/codex/app/worktrees) so it doesn’t interfere with your main9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the

12checkout. In non-version-controlled projects, automations run directly in the10background. Worktrees keep automation changes separate from unfinished local

11work, while running in your local project can modify files you are still

12working on. In non-version-controlled projects, automations run directly in the

13project directory.13project directory.

14 14 

15![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp) ![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-dark.webp)15You can also leave the model and reasoning effort on their default settings, or

16choose them explicitly if you want more control over how the automation runs.

16 17 

17![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp) ![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-dark.webp)18![Automation creation form with schedule and prompt fields](/images/codex/app/codex-automations-light.webp)

18 19 

19## Managing tasks20## Managing tasks

20 21 

21All automations and their runs can be found in the automations pane inside your Codex app sidebar.22Find all automations and their runs in the automations pane inside your Codex app sidebar.

22 23 

23The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.

24 25 

25When an automation runs in a Git repository, Codex uses a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). In non-version-controlled projects, automations run directly in the project directory. Consider using Git to enable running on background worktrees. You can have the same automation run on multiple projects.26Standalone automations start fresh runs on a schedule and report results in

27Triage. Use them when each run should be independent or when one automation

28should run across one or more projects. If you need a custom cadence, choose a

29custom schedule and enter cron syntax.

30 

31For Git repositories, each automation can run either in your local project or

32on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use

33worktrees when you want to isolate automation changes from unfinished local

34work. Use local mode when you want the automation to work directly in your main

35checkout, keeping in mind that it can change files you are actively editing.

36In non-version-controlled projects, automations run directly in the project

37directory. You can have the same automation run on more than one project.

26 38 

27Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).39Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).

28 40 

29To keep automations maintainable and shareable across teams, you can use [skills](https://developers.openai.com/codex/skills) to define the action and provide tools and context to Codex. You can explicitly trigger a skill as part of an automation by using `$skill-name` inside your automation.41Automations can use the same plugins and skills available to Codex. To keep

42automations maintainable and shareable across teams, use [skills](https://developers.openai.com/codex/skills)

43to define the action and provide tools and context. You can explicitly trigger a

44skill as part of an automation by using `$skill-name` inside your automation.

45 

46## Ask Codex to create or update automations

47 

48You can create and update automations from a regular Codex thread. Describe the

49task, the schedule, and whether the automation should stay attached to the

50current thread or start fresh runs. Codex can draft the automation prompt, choose

51the right automation type, and update it when the scope or cadence changes.

52 

53For example, ask Codex to remind you in this thread while a deployment finishes,

54or ask it to create a standalone automation that checks a project on a recurring

55schedule.

56 

57Skills can also create or update automations. For example, a skill for

58babysitting a pull request could set up a recurring automation that checks the

59PR status with the GitHub plugin and fixes new review feedback.

60 

61## Thread automations

62 

63Thread automations are heartbeat-style recurring wake-up calls attached to the

64current thread. Use them when you want Codex to keep returning to the same

65conversation on a schedule.

66 

67Use a thread automation when the scheduled work should preserve the thread's

68context instead of starting from a new prompt each time.

30 69 

31## Testing automations safely70Thread automations can use minute-based intervals for active follow-up loops,

71or daily and weekly schedules when you need a check-in at a specific time.

72 

73Thread automations are useful for:

74 

75- checking a long-running command until it finishes

76- polling Slack, GitHub, or another connected source when the results should

77 stay in the same thread

78- reminding Codex to continue a review loop at a fixed cadence

79- running a skill-driven workflow that uses plugins, such as checking PR status

80 and addressing new feedback

81- keeping a chat focused on an ongoing research or triage task

82 

83Use a standalone or project automation when each run should be independent,

84when it should run across more than one project, or when findings should appear

85as separate automation runs in Triage.

86 

87When you create a thread automation, make the prompt durable. It should

88describe what Codex should do each time the thread wakes up, how to decide

89whether there is anything important to report, and when to stop or ask you for

90input.

91 

92## Test automations

32 93 

33Before you schedule an automation, test the prompt manually in a regular thread94Before you schedule an automation, test the prompt manually in a regular thread

34first. This helps you confirm:95first. This helps you confirm:

35 96 

36- The prompt is clear and scoped correctly.97- The prompt is clear and scoped correctly.

37- The selected model and tools behave as expected.98- The selected or default model, reasoning effort, and tools behave as expected.

38- The resulting diff is reviewable.99- The resulting diff is reviewable.

39 100 

40When you start scheduling runs, review the first few outputs closely and adjust101When you start scheduling runs, review the first few outputs and adjust the

41the prompt or cadence as needed.102prompt or cadence as needed.

42 103 

43## Worktree cleanup for automations104## Worktree cleanup for automations

44 105 

45For Git repositories, automations run in worktrees. Frequent schedules can106If you choose worktrees for Git repositories, frequent schedules can create

46create many worktrees over time. Archive automation runs you no longer need,107many worktrees over time. Archive automation runs you no longer need, and avoid

47and avoid pinning runs unless you intend to keep their worktrees.108pinning runs unless you intend to keep their worktrees.

48 109 

49## Permissions and security model110## Permissions and security model

50 111 

51Automations are designed to run unattended and use your default sandbox112Automations run unattended and use your default sandbox settings.

52settings.

53 113 

54- If your sandbox mode is **read-only**, tool calls fail if they require114- If your sandbox mode is **read-only**, tool calls fail if they require

55 modifying files, accessing network, or working with apps on your computer.115 modifying files, accessing network, or working with apps on your computer.

59 on your computer. You can selectively allowlist commands to run outside the119 on your computer. You can selectively allowlist commands to run outside the

60 sandbox using [rules](https://developers.openai.com/codex/rules).120 sandbox using [rules](https://developers.openai.com/codex/rules).

61- If your sandbox mode is **full access**, background automations carry121- If your sandbox mode is **full access**, background automations carry

62 elevated risk, as Codex may modify files, run commands, and access network122 elevated risk, as Codex may change files, run commands, and access network

63 without asking. Consider updating sandbox settings to workspace write, and123 without asking. Consider updating sandbox settings to workspace write, and

64 using [rules](https://developers.openai.com/codex/rules) to selectively define which commands the agent124 using [rules](https://developers.openai.com/codex/rules) to selectively define which commands the agent

65 can run with full access.125 can run with full access.

66 126 

67If you are in a managed environment, admins can restrict these behaviors using127If you are in a managed environment, admins can restrict these behaviors using

68admin-enforced requirements. For example, they can disallow `approval_policy = "never"` or constrain allowed sandbox modes. See128admin-enforced requirements. For example, they can disallow `approval_policy = "never"` or constrain allowed sandbox modes. See

69[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/security#admin-enforced-requirements-requirementstoml).129[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).

70 130 

71Automations use `approval_policy = "never"` when your organization policy131Automations use `approval_policy = "never"` when your organization policy

72allows it. If `approval_policy = "never"` is disallowed by admin requirements,132allows it. If admin requirements disallow `approval_policy = "never"`,

73automations fall back to the approval behavior of your selected mode.133automations fall back to the approval behavior of your selected mode.

74 134 

75## Examples135## Examples

174```markdown234```markdown

175Check my commits from the last 24h and submit a $recent-code-bugfix.235Check my commits from the last 24h and submit a $recent-code-bugfix.

176```236```

177 

178[Previous

179 

180Review](https://developers.openai.com/codex/app/review)[Next

181 

182Worktrees](https://developers.openai.com/codex/app/worktrees)

1# In-app browser

2 

3The in-app browser gives you and Codex a shared view of rendered web pages

4inside a thread. Use it when you're building or debugging a web app and want to

5preview pages and attach visual comments.

6 

7Use it for local development servers, file-backed previews, and public pages

8that don't require sign-in. For anything that depends on login state or browser

9extensions, use your regular browser.

10 

11Open the in-app browser from the toolbar, by clicking a URL, by navigating

12manually in the browser, or by pressing <kbd>Cmd</kbd>+<kbd>Shift</kbd>+<kbd>B</kbd>

13(<kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>B</kbd> on Windows).

14 

15The in-app browser does not support authentication flows, signed-in pages,

16 your regular browser profile, cookies, extensions, or existing tabs. Use it

17 for pages Codex can open without logging in.

18 

19Treat page content as untrusted context. Don't paste secrets into browser flows.

20 

21![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)

22 

23## Preview a page

24 

251. Start your app's development server in the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or with a [local environment action](https://developers.openai.com/codex/app/local-environments#actions).

262. Open an unauthenticated local route, file-backed page, or public page by

27 clicking a URL or navigating manually in the browser.

283. Review the rendered state alongside the code diff.

294. Leave browser comments on the elements or areas that need changes.

305. Ask Codex to address the comments and keep the scope narrow.

31 

32Example feedback:

33 

34```text

35I left comments on the pricing page in the in-app browser. Address the mobile

36layout issues and keep the card structure unchanged.

37```

38 

39## Comment on the page

40 

41When a bug is visible only in the rendered page, use browser comments to give

42Codex precise feedback on the page.

43 

44- Turn on comment mode, select an element or area, and submit a comment.

45- In comment mode, hold <kbd>Shift</kbd> and click to select an area.

46- Hold <kbd>Cmd</kbd> while clicking to send a comment immediately.

47 

48After you leave comments, send a message in the thread asking Codex to address

49them. Comments are most useful when Codex needs to make a precise visual change.

50 

51Good feedback is specific:

52 

53```text

54This button overflows on mobile. Keep the label on one line if it fits,

55otherwise wrap it without changing the card height.

56```

57 

58```text

59This tooltip covers the data point under the cursor. Reposition the tooltip so

60it stays inside the chart bounds.

61```

62 

63## Keep browser tasks scoped

64 

65The in-app browser is for review and iteration. Keep each browser task small

66enough to review in one pass.

67 

68- Name the page, route, or local URL.

69- Name the visual state you care about, such as loading, empty, error, or

70 success.

71- Leave comments on the exact elements or areas that need changes.

72- Review the updated route after Codex changes the code.

73- Ask Codex to start or check the dev server before it uses the browser.

74 

75For repository changes, use the [review pane](https://developers.openai.com/codex/app/review) to inspect the

76changes and leave comments.

1# Codex app commands1# Codex app commands

2 2 

3Reference for Codex app commands and keyboard shortcuts

4 

5Use these commands and keyboard shortcuts to navigate the Codex app.3Use these commands and keyboard shortcuts to navigate the Codex app.

6 4 

7## Keyboard shortcuts5## Keyboard shortcuts

38 36 

39You can also explicitly invoke skills by typing `$` in the thread composer. See [Skills](https://developers.openai.com/codex/skills).37You can also explicitly invoke skills by typing `$` in the thread composer. See [Skills](https://developers.openai.com/codex/skills).

40 38 

41Enabled skills also appear in the slash command list (for example, `/imagegen`).39Enabled skills also appear in the slash command list.

42 40 

43### Available slash commands41### Available slash commands

44 42 

50| `/review` | Start code review mode to review uncommitted changes or compare against a base branch. |48| `/review` | Start code review mode to review uncommitted changes or compare against a base branch. |

51| `/status` | Show the thread ID, context usage, and rate limits. |49| `/status` | Show the thread ID, context usage, and rate limits. |

52 50 

53## See also51## Deeplinks

54 52 

55- [Features](https://developers.openai.com/codex/app/features)53The Codex app registers the `codex://` URL scheme so links can open specific parts of the app directly.

56- [Settings](https://developers.openai.com/codex/app/settings)54 

55| Deeplink | Opens | Supported query parameters |

56| --- | --- | --- |

57| `codex://settings` | Settings. | None. |

58| `codex://skills` | Skills. | None. |

59| `codex://automations` | Inbox in automation create mode. | None. |

60| `codex://threads/<thread-id>` | A local thread. `<thread-id>` must be a UUID. | None. |

61| `codex://new` | A new thread. | Optional: `prompt`, `originUrl`, `path`. |

62 

63For new-thread deeplinks:

57 64 

58[Previous65- `prompt` sets the initial composer text.

66- `path` must be an absolute path to a local directory and, when valid, makes that directory the active workspace for the new thread.

67- `originUrl` tries to match one of your current workspace roots by Git remote URL. If both `path` and `originUrl` are present, Codex resolves `path` first.

59 68 

60Local Environments](https://developers.openai.com/codex/app/local-environments)[Next69## See also

61 70 

62Troubleshooting](https://developers.openai.com/codex/app/troubleshooting)71- [Features](https://developers.openai.com/codex/app/features)

72- [Settings](https://developers.openai.com/codex/app/settings)

1# Computer Use

2 

3In the Codex app, computer use is currently available on macOS, except in the

4 European Economic Area, the United Kingdom, and Switzerland at launch. Install

5 the Computer Use plugin, then grant Screen Recording and Accessibility

6 permissions when macOS prompts you.

7 

8With computer use, Codex can see and operate graphical user interfaces on macOS.

9Use it for tasks where command-line tools or structured integrations aren't

10enough, such as checking a desktop app, using a browser, changing app settings,

11working with a data source that isn't available as a plugin, or reproducing a

12bug that only happens in a graphical user interface.

13 

14Because computer use can affect app and system state outside your project

15workspace, use it for scoped tasks and review permission prompts before

16continuing.

17 

18## Set up computer use

19 

20In Codex settings, open **Computer Use** and click **Install** to install the

21Computer Use plugin before you ask Codex to operate desktop apps. When macOS

22prompts for access, grant Screen Recording and Accessibility permissions if you

23want Codex to see and interact with the target app.

24 

25To use computer use, grant:

26 

27- **Screen Recording** permission so Codex can see the target app.

28- **Accessibility** permission so Codex can click, type, and navigate.

29 

30## When to use computer use

31 

32Choose computer use when the task depends on a graphical user interface that's

33hard to verify through files or command output alone.

34 

35Good fits include:

36 

37- Testing a macOS app, an iOS simulator flow, or another desktop app that Codex

38 is building.

39- Performing a task that requires your web browser.

40- Reproducing a bug that only appears in a graphical interface.

41- Changing app settings that require clicking through a UI.

42- Inspecting information in an app or data source that isn't available through a

43 plugin.

44- Running a scoped task in the background while you keep working elsewhere.

45- Executing a workflow that spans more than one app.

46 

47For web apps you are building locally, use the

48[in-app browser](https://developers.openai.com/codex/app/browser) first.

49 

50## Start a computer use task

51 

52Mention `@Computer Use` or `@AppName` in your prompt, or ask Codex to use

53computer use. Describe the exact app, window, or flow Codex should operate.

54 

55```text

56Open the app with computer use, reproduce the onboarding bug, and fix the

57smallest code path that causes it. After each change, run the same UI flow

58again.

59```

60 

61```text

62Open @Chrome and verify the checkout page still works after the latest changes.

63```

64 

65If the target app exposes a dedicated plugin or MCP server, prefer that

66structured integration for data access and repeatable operations. Choose

67computer use when Codex needs to inspect or operate the app visually.

68 

69## Permissions and approvals

70 

71The macOS system permissions for computer use are separate from app approvals in

72Codex. The macOS permissions let Codex see and operate apps. App approvals

73determine which apps you allow Codex to use. File reads, file edits, and shell

74commands still follow the sandbox and approval settings for the thread.

75 

76With computer use, Codex can see and take action only in the apps you allow.

77During a task, Codex asks for your permission before it can use an app on your

78computer. You can choose **Always allow** so Codex can use that app in the future

79without asking again. You can remove apps from the **Always allow** list in the

80**Computer Use** section of Codex settings.

81 

82![Codex app asking for permission to use Calculator with computer use](/images/codex/app/computer-use-approval-light.webp)

83 

84Codex may also ask for permission before taking sensitive or disruptive actions.

85 

86If Codex can't see or control an app, open **System Settings > Privacy &

87Security** and check **Screen Recording** and **Accessibility** for the Codex

88app.

89 

90## Safety guidance

91 

92With computer use, Codex can view screen content, take screenshots, and interact

93with windows, menus, keyboard input, and clipboard state in the target app.

94Treat visible app content, browser pages, screenshots, and files opened in the

95target app as context Codex may process while the task runs.

96 

97Keep tasks narrow and stay present for sensitive flows:

98 

99- Give Codex one clear target app or flow at a time.

100- You can stop the task or take over your computer at any time.

101- Keep sensitive apps closed unless they're required for the task.

102- Avoid tasks that require secrets unless you're present and can approve each

103 step.

104- Review app permission prompts before allowing Codex to use an app.

105- Use **Always allow** only for apps you trust Codex to use automatically in

106 future tasks.

107- Stay present for account, security, privacy, network, payment, or

108 credential-related settings.

109- Cancel the task if Codex starts interacting with the wrong window.

110 

111If Codex uses your browser, it can interact with pages where you're already

112signed in. Review website actions as if you were taking them yourself: web pages

113can contain malicious or misleading content, and sites may treat approved clicks,

114form submissions, and signed-in actions as coming from your account. To keep

115using your browser while Codex works, ask Codex to use a different browser.

116 

117The feature can't automate terminal apps or Codex itself, since automating them

118could bypass Codex security policies. It also can't authenticate as an

119administrator or approve security and privacy permission prompts on your

120computer.

121 

122File edits and shell commands still follow Codex approval and sandbox settings

123where applicable. Changes made through desktop apps may not appear in the review

124pane until they're saved to disk and tracked by the project. Your ChatGPT data

125controls apply to content processed through Codex, including screenshots taken

126by computer use.

1# Codex app features1# Codex app features

2 2 

3What you can do with the Codex app

4 

5The Codex app is a focused desktop experience for working on Codex threads in parallel,3The Codex app is a focused desktop experience for working on Codex threads in parallel,

6with built-in worktree support, automations, and Git functionality.4with built-in worktree support, automations, and Git functionality.

7 5 

16session in a specific directory.14session in a specific directory.

17 15 

18If you work in a single repository with two or more apps or packages, split16If you work in a single repository with two or more apps or packages, split

19distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/security)17distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/agent-approvals-security)

20only includes the files for that project.18only includes the files for that project.

21 19 

22![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp) ![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-dark.webp)20![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp)

23 

24![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp) ![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-dark.webp)

25 21 

26## Skills support22## Skills support

27 23 

29IDE Extension. You can also view and explore new skills that your team has25IDE Extension. You can also view and explore new skills that your team has

30created across your different projects by clicking Skills in the sidebar.26created across your different projects by clicking Skills in the sidebar.

31 27 

32![Skills picker showing available skills in the Codex app](/images/codex/app/skill-selector-light.webp) ![Skills picker showing available skills in the Codex app](/images/codex/app/skill-selector-dark.webp)28![Skills picker showing available skills in the Codex app](/images/codex/app/skill-selector-light.webp)

33 

34![Skills picker showing available skills in the Codex app](/images/codex/app/skill-selector-light.webp) ![Skills picker showing available skills in the Codex app](/images/codex/app/skill-selector-dark.webp)

35 29 

36## Automations30## Automations

37 31 

38You can also combine skills with [automations](https://developers.openai.com/codex/app/automations) to perform routine tasks32You can also combine skills with [automations](https://developers.openai.com/codex/app/automations) to perform routine tasks

39such as evaluating errors in your telemetry and submitting fixes or creating reports on recent33such as evaluating errors in your telemetry and submitting fixes or creating reports on recent

40codebase changes.34codebase changes. For ongoing work that should stay in one thread, use a

35[thread automation](https://developers.openai.com/codex/app/automations#thread-automations).

41 36 

42![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp) ![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-dark.webp)37![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp)

43 

44![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp) ![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-dark.webp)

45 38 

46## Modes39## Modes

47 40 

55 48 

56For the full glossary and concepts, explore the [concepts section](https://developers.openai.com/codex/prompting).49For the full glossary and concepts, explore the [concepts section](https://developers.openai.com/codex/prompting).

57 50 

58![New thread composer with Local, Worktree, and Cloud mode options](/images/codex/app/modes-light.webp) ![New thread composer with Local, Worktree, and Cloud mode options](/images/codex/app/modes-dark.webp)51![New thread composer with Local, Worktree, and Cloud mode options](/images/codex/app/modes-light.webp)

59 

60![New thread composer with Local, Worktree, and Cloud mode options](/images/codex/app/modes-light.webp) ![New thread composer with Local, Worktree, and Cloud mode options](/images/codex/app/modes-dark.webp)

61 52 

62## Built-in Git tools53## Built-in Git tools

63 54 

71 62 

72For more advanced Git tasks, use the [integrated terminal](#integrated-terminal).63For more advanced Git tasks, use the [integrated terminal](#integrated-terminal).

73 64 

74![Git diff and commit panel with a commit message field](/images/codex/app/git-commit-light.webp) ![Git diff and commit panel with a commit message field](/images/codex/app/git-commit-dark.webp)65![Git diff and commit panel with a commit message field](/images/codex/app/git-commit-light.webp)

75 

76![Git diff and commit panel with a commit message field](/images/codex/app/git-commit-light.webp) ![Git diff and commit panel with a commit message field](/images/codex/app/git-commit-dark.webp)

77 66 

78## Worktree support67## Worktree support

79 68 

88 77 

89[Learn more about using worktrees in the Codex app.](https://developers.openai.com/codex/app/worktrees)78[Learn more about using worktrees in the Codex app.](https://developers.openai.com/codex/app/worktrees)

90 79 

91![Worktree thread view showing branch actions and worktree details](/images/codex/app/worktree-light.webp) ![Worktree thread view showing branch actions and worktree details](/images/codex/app/worktree-dark.webp)80![Worktree thread view showing branch actions and worktree details](/images/codex/app/worktree-light.webp)

92 

93![Worktree thread view showing branch actions and worktree details](/images/codex/app/worktree-light.webp) ![Worktree thread view showing branch actions and worktree details](/images/codex/app/worktree-dark.webp)

94 81 

95## Integrated terminal82## Integrated terminal

96 83 

99pressing <kbd>Cmd</kbd>+<kbd>J</kbd>.86pressing <kbd>Cmd</kbd>+<kbd>J</kbd>.

100 87 

101Use the terminal to validate changes, run scripts, and perform Git operations88Use the terminal to validate changes, run scripts, and perform Git operations

102without leaving the app.89without leaving the app. Codex can also read the current terminal output, so

90it can check the status of a running development server or refer back to a

91failed build while it works with you.

103 92 

104Common tasks include:93Common tasks include:

105 94 

113Note that <kbd>Cmd</kbd>+<kbd>K</kbd> opens the command palette in the Codex102Note that <kbd>Cmd</kbd>+<kbd>K</kbd> opens the command palette in the Codex