OpenAI - Codex Docs Changes 2026-02-19 20:53 UTC → 2026-03-18 12:23 UTC

1# Agent approvals & security

2 

3Codex helps protect your code and data and reduces the risk of misuse.

4 

5This page covers how to operate Codex safely, including sandboxing, approvals,

6 and network access. If you are looking for Codex Security, the product for

7 scanning connected GitHub repositories, see [Codex Security](https://developers.openai.com/codex/security).

8 

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

10 

11For a high-level explanation of how sandboxing works across the Codex app, IDE

12extension, and CLI, see [Sandboxing](https://developers.openai.com/codex/concepts/sandboxing).

13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

14 

15## Sandbox and approvals

16 

17Codex security controls come from two layers that work together:

18 

19- **Sandbox mode**: What Codex can do technically (for example, where it can write and whether it can reach the network) when it executes model-generated commands.

20- **Approval policy**: When Codex must ask you before it executes an action (for example, leaving the sandbox, using the network, or running commands outside a trusted set).

21 

22Codex uses different sandbox modes depending on where you run it:

23 

24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.

25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

26 

27In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.

28 

29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

30 

31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

32 

33## Network access [Elevated Risk](https://help.openai.com/articles/20001061)

34 

35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

36 

37For the Codex app, CLI, or IDE Extension, the default `workspace-write` sandbox mode keeps network access turned off unless you enable it in your configuration:

38 

39```toml

40[sandbox_workspace_write]

41network_access = true

42```

43 

44You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

45 

46```toml

47web_search = "cached" # default

48# web_search = "disabled"

49# web_search = "live" # same as --search

50```

51 

52Use caution when enabling network access or web search in Codex. Prompt injection can cause the agent to fetch and follow untrusted instructions.

53 

54## Defaults and recommendations

55 

56- On launch, Codex detects whether the folder is version-controlled and recommends:

57 - Version-controlled folders: `Auto` (workspace write + on-request approvals)

58 - Non-version-controlled folders: `read-only`

59- Depending on your setup, Codex may also start in `read-only` until you explicitly trust the working directory (for example, via an onboarding prompt or `/permissions`).

60- The workspace includes the current directory and temporary directories like `/tmp`. Use the `/status` command to see which directories are in the workspace.

61- To accept the defaults, run `codex`.

62- You can set these explicitly:

63 - `codex --sandbox workspace-write --ask-for-approval on-request`

64 - `codex --sandbox read-only --ask-for-approval on-request`

65 

66### Protected paths in writable roots

67 

68In the default `workspace-write` sandbox policy, writable roots still include protected paths:

69 

70- `<writable_root>/.git` is protected as read-only whether it appears as a directory or file.

71- If `<writable_root>/.git` is a pointer file (`gitdir: ...`), the resolved Git directory path is also protected as read-only.

72- `<writable_root>/.agents` is protected as read-only when it exists as a directory.

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.

75 

76### Run without approval prompts

77 

78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

79 

80This option works with all `--sandbox` modes, so you still control Codex's level of autonomy. Codex makes a best effort within the constraints you set.

81 

82If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

83 

84For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP elicitations, `request_permissions` prompts, and skill-script approvals.

85 

86### Common sandbox and approval combinations

87 

88| Intent | Flags | Effect |

89| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |

90| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

91| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

92| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |

93| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

94| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |

95 

96`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.

97 

98With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

99 

100#### Configuration in `config.toml`

101 

102For the broader configuration workflow, see [Config basics](https://developers.openai.com/codex/config-basic), [Advanced Config](https://developers.openai.com/codex/config-advanced#approval-policies-and-sandbox-modes), and the [Configuration Reference](https://developers.openai.com/codex/config-reference).

103 

104```toml

105# Always ask for approval mode

106approval_policy = "untrusted"

107sandbox_mode = "read-only"

108allow_login_shell = false # optional hardening: disallow login shells for shell-based tools

109 

110# Optional: Allow network in workspace-write mode

111[sandbox_workspace_write]

112network_access = true

113 

114# Optional: granular approval policy

115# approval_policy = { granular = {

116# sandbox_approval = true,

117# rules = true,

118# mcp_elicitations = true,

119# request_permissions = false,

120# skill_approval = false

121# } }

122```

123 

124You can also save presets as profiles, then select them with `codex --profile <name>`:

125 

126```toml

127[profiles.full_auto]

128approval_policy = "on-request"

129sandbox_mode = "workspace-write"

130 

131[profiles.readonly_quiet]

132approval_policy = "never"

133sandbox_mode = "read-only"

134```

135 

136### Test the sandbox locally

137 

138To see what happens when a command runs under the Codex sandbox, use these Codex CLI commands:

139 

140```bash

141# macOS

142codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...

143# Linux

144codex sandbox linux [--full-auto] [COMMAND]...

145```

146 

147The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

148 

149## OS-level sandbox

150 

151Codex enforces the sandbox differently depending on your OS:

152 

153- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

154- **Linux** uses the bubblewrap pipeline plus `seccomp` by default. `use_legacy_landlock` is available when you need the older path. In managed proxy mode, the default bubblewrap pipeline routes egress through a proxy-only bridge and fails closed if it cannot build valid loopback proxy routes.

155- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux (WSL)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

156 

157If you use the Codex IDE extension on Windows, it supports WSL directly. Set the following in your VS Code settings to keep the agent inside WSL whenever it’s available:

158 

159```json

160{

161 "chatgpt.runCodexInWindowsSubsystemForLinux": true

162}

163```

164 

165This ensures the IDE extension inherits Linux sandbox semantics for commands, approvals, and filesystem access even when the host OS is Windows. Learn more in the [Windows setup guide](https://developers.openai.com/codex/windows).

166 

167When running natively on Windows, configure the native sandbox mode in `config.toml`:

168 

169```toml

170[windows]

171sandbox = "unelevated" # or "elevated"

172# sandbox_private_desktop = true # default; set false only for compatibility

173```

174 

175See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

176 

177When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.

178 

179In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

180 

181## Version control

182 

183Codex works best with a version control workflow:

184 

185- Work on a feature branch and keep `git status` clean before delegating. This keeps Codex patches easier to isolate and revert.

186- Prefer patch-based workflows (for example, `git diff`/`git apply`) over editing tracked files directly. Commit frequently so you can roll back in small increments.

187- Treat Codex suggestions like any other PR: run targeted verification, review diffs, and document decisions in commit messages for auditing.

188 

189## Monitoring and telemetry

190 

191Codex supports opt-in monitoring via OpenTelemetry (OTel) to help teams audit usage, investigate issues, and meet compliance requirements without weakening local security defaults. Telemetry is off by default; enable it explicitly in your configuration.

192 

193### Overview

194 

195- Codex turns off OTel export by default to keep local runs self-contained.

196- When enabled, Codex emits structured log events covering conversations, API requests, SSE/WebSocket stream activity, user prompts (redacted by default), tool approval decisions, and tool results.

197- Codex tags exported events with `service.name` (originator), CLI version, and an environment label to separate dev/staging/prod traffic.

198 

199### Enable OTel (opt-in)

200 

201Add an `[otel]` block to your Codex configuration (typically `~/.codex/config.toml`), choosing an exporter and whether to log prompt text.

202 

203```toml

204[otel]

205environment = "staging" # dev | staging | prod

206exporter = "none" # none | otlp-http | otlp-grpc

207log_user_prompt = false # redact prompt text unless policy allows

208```

209 

210- `exporter = "none"` leaves instrumentation active but doesn't send data anywhere.

211- To send events to your own collector, pick one of:

212 

213```toml

214[otel]

215exporter = { otlp-http = {

216 endpoint = "https://otel.example.com/v1/logs",

217 protocol = "binary",

218 headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }

219}}

220```

221 

222```toml

223[otel]

224exporter = { otlp-grpc = {

225 endpoint = "https://otel.example.com:4317",

226 headers = { "x-otlp-meta" = "abc123" }

227}}

228```

229 

230Codex batches events and flushes them on shutdown. Codex exports only telemetry produced by its OTel module.

231 

232### Event categories

233 

234Representative event types include:

235 

236- `codex.conversation_starts` (model, reasoning settings, sandbox/approval policy)

237- `codex.api_request` (attempt, status/success, duration, and error details)

238- `codex.sse_event` (stream event kind, success/failure, duration, plus token counts on `response.completed`)

239- `codex.websocket_request` and `codex.websocket_event` (request duration plus per-message kind/success/error)

240- `codex.user_prompt` (length; content redacted unless explicitly enabled)

241- `codex.tool_decision` (approved/denied, source: configuration vs. user)

242- `codex.tool_result` (duration, success, output snippet)

243 

244Associated OTel metrics (counter plus duration histogram pairs) include `codex.api_request`, `codex.sse_event`, `codex.websocket.request`, `codex.websocket.event`, and `codex.tool.call` (with corresponding `.duration_ms` instruments).

245 

246For the full event catalog and configuration reference, see the [Codex configuration documentation on GitHub](https://github.com/openai/codex/blob/main/docs/config.md#otel).

247 

248### Security and privacy guidance

249 

250- Keep `log_user_prompt = false` unless policy explicitly permits storing prompt contents. Prompts can include source code and sensitive data.

251- Route telemetry only to collectors you control; apply retention limits and access controls aligned with your compliance requirements.

252- Treat tool arguments and outputs as sensitive. Favor redaction at the collector or SIEM when possible.

253- Review local data retention settings (for example, `history.persistence` / `history.max_bytes`) if you don't want Codex to save session transcripts under `CODEX_HOME`. See [Advanced Config](https://developers.openai.com/codex/config-advanced#history-persistence) and [Configuration Reference](https://developers.openai.com/codex/config-reference).

254- If you run the CLI with network access turned off, OTel export can't reach your collector. To export, allow network access in `workspace-write` mode for the OTel endpoint, or export from Codex cloud with the collector domain on your approved list.

255- Review events periodically for approval/sandbox changes and unexpected tool executions.

256 

257OTel is optional and designed to complement, not replace, the sandbox and approval protections described above.

258 

259## Managed configuration

260 

261Enterprise admins can configure Codex security settings for their workspace in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration). See that page for setup and policy details.

4 4 

5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).

6 6 

7![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)

8 

7![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)

8 10 

9## Getting started11## Getting started

12 14 

131. Download and install the Codex app151. Download and install the Codex app

14 16 

15 The Codex app is currently only available for macOS.17 Download the Codex app for Windows or macOS.

16 18 

17 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)19 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)

18 20 

19 [Get notified for Windows and Linux](https://openai.com/form/codex-app/)21 [Get notified for Linux](https://openai.com/form/codex-app/)

202. Open Codex and sign in222. Open Codex and sign in

21 23 

22 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.24 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

39- Find and fix bugs in my codebase with minimal, high-confidence changes.41- Find and fix bugs in my codebase with minimal, high-confidence changes.

40 42 

41 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).43 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).

44 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

42 45 

43---46---

44 47 

21Requests include `method`, `params`, and `id`:21Requests include `method`, `params`, and `id`:

22 22 

23```json23```json

24{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.1-codex" } }24{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.4" } }

25```25```

26 26 

27Responses echo the `id` with either `result` or `error`:27Responses echo the `id` with either `result` or `error`:

99 },99 },

100});100});

101send({ method: "initialized", params: {} });101send({ method: "initialized", params: {} });

102send({ method: "thread/start", id: 1, params: { model: "gpt-5.1-codex" } });102send({ method: "thread/start", id: 1, params: { model: "gpt-5.4" } });

103```103```

104 104 

105## Core primitives105## Core primitives

116- **Start (or resume) a thread**: Call `thread/start` for a new conversation, `thread/resume` to continue an existing one, or `thread/fork` to branch history into a new thread id.116- **Start (or resume) a thread**: Call `thread/start` for a new conversation, `thread/resume` to continue an existing one, or `thread/fork` to branch history into a new thread id.

117- **Begin a turn**: Call `turn/start` with the target `threadId` and user input. Optional fields override model, personality, `cwd`, sandbox policy, and more.117- **Begin a turn**: Call `turn/start` with the target `threadId` and user input. Optional fields override model, personality, `cwd`, sandbox policy, and more.

118- **Steer an active turn**: Call `turn/steer` to append user input to the currently in-flight turn without creating a new turn.118- **Steer an active turn**: Call `turn/steer` to append user input to the currently in-flight turn without creating a new turn.

119- **Stream events**: After `turn/start`, keep reading notifications on stdout: `item/started`, `item/completed`, `item/agentMessage/delta`, tool progress, and other updates.119- **Stream events**: After `turn/start`, keep reading notifications on stdout: `thread/archived`, `thread/unarchived`, `item/started`, `item/completed`, `item/agentMessage/delta`, tool progress, and other updates.

120- **Finish the turn**: The server emits `turn/completed` with final status when the model finishes or after a `turn/interrupt` cancellation.120- **Finish the turn**: The server emits `turn/completed` with final status when the model finishes or after a `turn/interrupt` cancellation.

121 121 

122## Initialization122## Initialization

123 123 

124Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.124Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.

125 125 

126The server returns the user agent string it will present to upstream services. Set `clientInfo` to identify your integration.126The server returns the user agent string it will present to upstream services plus `platformFamily` and `platformOs` values that describe the runtime target. Set `clientInfo` to identify your integration.

127 127 

128`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.128`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.

129 129 

159 },159 },

160 "capabilities": {160 "capabilities": {

161 "experimentalApi": true,161 "experimentalApi": true,

162 "optOutNotificationMethods": [162 "optOutNotificationMethods": ["thread/started", "item/agentMessage/delta"]

163 "codex/event/session_configured",

164 "item/agentMessage/delta"

165 ]

166 }163 }

167 }164 }

168}165}

201- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.198- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.

202- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.199- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

203- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.200- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.

204- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history.201- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

205- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters.202- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.

206- `thread/loaded/list` - list the thread ids currently loaded in memory.203- `thread/loaded/list` - list the thread ids currently loaded in memory.

207- `thread/archive` - move a thread’s log file into the archived directory; returns `{}` on success.204- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

208- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread`.205- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

206- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.

207- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

208- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

209- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.209- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

210- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.210- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

211- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."211- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

213- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.213- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

214- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.214- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

215- `command/exec` - run a single command under the server sandbox without starting a thread/turn.215- `command/exec` - run a single command under the server sandbox without starting a thread/turn.

216- `command/exec/write` - write stdin bytes to a running `command/exec` session or close stdin.

217- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

218- `command/exec/terminate` - terminate a running `command/exec` session.

216- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.219- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

217- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.220- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

218- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).221- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

219- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).222- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

223- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata.

224- `plugin/read` - read one plugin by marketplace path and plugin name, including bundled skills, apps, and MCP server names.

220- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.225- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.

221- `skills/config/write` - enable or disable skills by path.226- `skills/config/write` - enable or disable skills by path.

222- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.227- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.

223- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.228- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.

224- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.229- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

225- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination).230- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination).

226- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id).231- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

232- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

227- `config/read` - fetch the effective configuration on disk after resolving configuration layering.233- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

234- `externalAgentConfig/detect` - detect migratable external-agent artifacts with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

235- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).

228- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.236- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

229- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.237- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

230- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists and residency requirements (or `null` if you haven’t set any up).238- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

239- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, and `fs/copy` - operate on absolute filesystem paths through the app-server v2 filesystem API.

231 240 

232## Models241## Models

233 242 

239{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }248{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }

240{ "id": 6, "result": {249{ "id": 6, "result": {

241 "data": [{250 "data": [{

242 "id": "gpt-5.2-codex",251 "id": "gpt-5.4",

243 "model": "gpt-5.2-codex",252 "model": "gpt-5.4",

244 "upgrade": "gpt-5.3-codex",253 "displayName": "GPT-5.4",

245 "displayName": "GPT-5.2 Codex",

246 "hidden": false,254 "hidden": false,

247 "defaultReasoningEffort": "medium",255 "defaultReasoningEffort": "medium",

248 "reasoningEffort": [{256 "supportedReasoningEfforts": [{

249 "effort": "low",257 "reasoningEffort": "low",

250 "description": "Lower latency"258 "description": "Lower latency"

251 }],259 }],

252 "inputModalities": ["text", "image"],260 "inputModalities": ["text", "image"],

259 267 

260Each model entry can include:268Each model entry can include:

261 269 

262- `reasoningEffort` - supported effort options for the model.270- `supportedReasoningEfforts` - supported effort options for the model.

263- `defaultReasoningEffort` - suggested default effort for clients.271- `defaultReasoningEffort` - suggested default effort for clients.

264- `upgrade` - optional recommended upgrade model id for migration prompts in clients.272- `upgrade` - optional recommended upgrade model id for migration prompts in clients.

273- `upgradeInfo` - optional upgrade metadata for migration prompts in clients.

265- `hidden` - whether the model is hidden from the default picker list.274- `hidden` - whether the model is hidden from the default picker list.

266- `inputModalities` - supported input types for the model (for example `text`, `image`).275- `inputModalities` - supported input types for the model (for example `text`, `image`).

267- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.276- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.

299- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.308- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.

300- `thread/loaded/list` returns the thread IDs currently in memory.309- `thread/loaded/list` returns the thread IDs currently in memory.

301- `thread/archive` moves the thread's persisted JSONL log into the archived directory.310- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

311- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.

302- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.312- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

303- `thread/compact/start` triggers compaction and returns `{}` immediately.313- `thread/compact/start` triggers compaction and returns `{}` immediately.

304- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.314- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

309 319 

310```json320```json

311{ "method": "thread/start", "id": 10, "params": {321{ "method": "thread/start", "id": 10, "params": {

312 "model": "gpt-5.1-codex",322 "model": "gpt-5.4",

313 "cwd": "/Users/me/project",323 "cwd": "/Users/me/project",

314 "approvalPolicy": "never",324 "approvalPolicy": "never",

315 "sandbox": "workspaceWrite",325 "sandbox": "workspaceWrite",

316 "personality": "friendly"326 "personality": "friendly",

327 "serviceName": "my_app_server_client"

317} }328} }

318{ "id": 10, "result": {329{ "id": 10, "result": {

319 "thread": {330 "thread": {

320 "id": "thr_123",331 "id": "thr_123",

321 "preview": "",332 "preview": "",

333 "ephemeral": false,

322 "modelProvider": "openai",334 "modelProvider": "openai",

323 "createdAt": 1730910000335 "createdAt": 1730910000

324 }336 }

326{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }338{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }

327```339```

328 340 

341`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration's service name.

342 

329To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:343To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:

330 344 

331```json345```json

333 "threadId": "thr_123",347 "threadId": "thr_123",

334 "personality": "friendly"348 "personality": "friendly"

335} }349} }

336{ "id": 11, "result": { "thread": { "id": "thr_123" } } }350{ "id": 11, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false } } }

337```351```

338 352 

339Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.353Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.

352{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }366{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }

353```367```

354 368 

369When a user-facing thread title has been set, app-server hydrates `thread.name` on `thread/list`, `thread/read`, `thread/resume`, `thread/unarchive`, and `thread/rollback` responses. `thread/start` and `thread/fork` may omit `name` (or return `null`) until a title is set later.

370 

355### Read a stored thread (without resuming)371### Read a stored thread (without resuming)

356 372 

357Use `thread/read` when you want stored thread data but don't want to resume the thread or subscribe to its events.373Use `thread/read` when you want stored thread data but don't want to resume the thread or subscribe to its events.

358 374 

359- `includeTurns` - when `true`, the response includes the thread's turns; when `false` or omitted, you get the thread summary only.375- `includeTurns` - when `true`, the response includes the thread's turns; when `false` or omitted, you get the thread summary only.

376- Returned `thread` objects include runtime `status` (`notLoaded`, `idle`, `systemError`, or `active` with `activeFlags`).

360 377 

361```json378```json

362{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }379{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }

363{ "id": 19, "result": { "thread": { "id": "thr_123", "turns": [] } } }380{ "id": 19, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false, "status": { "type": "notLoaded" }, "turns": [] } } }

364```381```

365 382 

366Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.383Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

400} }417} }

401{ "id": 20, "result": {418{ "id": 20, "result": {

402 "data": [419 "data": [

403 { "id": "thr_a", "preview": "Create a TUI", "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111 },420 { "id": "thr_a", "preview": "Create a TUI", "ephemeral": false, "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111, "name": "TUI prototype", "status": { "type": "notLoaded" } },

404 { "id": "thr_b", "preview": "Fix tests", "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000 }421 { "id": "thr_b", "preview": "Fix tests", "ephemeral": true, "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000, "status": { "type": "notLoaded" } }

405 ],422 ],

406 "nextCursor": "opaque-token-or-null"423 "nextCursor": "opaque-token-or-null"

407} }424} }

409 426 

410When `nextCursor` is `null`, you have reached the final page.427When `nextCursor` is `null`, you have reached the final page.

411 428 

429### Track thread status changes

430 

431`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

432 

433```json

434{

435 "method": "thread/status/changed",

436 "params": {

437 "threadId": "thr_123",

438 "status": { "type": "active", "activeFlags": ["waitingOnApproval"] }

439 }

440}

441```

442 

412### List loaded threads443### List loaded threads

413 444 

414`thread/loaded/list` returns thread IDs currently loaded in memory.445`thread/loaded/list` returns thread IDs currently loaded in memory.

418{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }449{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }

419```450```

420 451 

452### Unsubscribe from a loaded thread

453 

454`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:

455 

456- `unsubscribed` when the connection was subscribed and is now removed.

457- `notSubscribed` when the connection was not subscribed to that thread.

458- `notLoaded` when the thread is not loaded.

459 

460If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

461 

462```json

463{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

464{ "id": 22, "result": { "status": "unsubscribed" } }

465{ "method": "thread/status/changed", "params": {

466 "threadId": "thr_123",

467 "status": { "type": "notLoaded" }

468} }

469{ "method": "thread/closed", "params": { "threadId": "thr_123" } }

470```

471 

421### Archive a thread472### Archive a thread

422 473 

423Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.474Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.

425```json476```json

426{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }477{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }

427{ "id": 22, "result": {} }478{ "id": 22, "result": {} }

479{ "method": "thread/archived", "params": { "threadId": "thr_b" } }

428```480```

429 481 

430Archived threads won't appear in future calls to `thread/list` unless you pass `archived: true`.482Archived threads won't appear in future calls to `thread/list` unless you pass `archived: true`.

435 487 

436```json488```json

437{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }489{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }

438{ "id": 24, "result": { "thread": { "id": "thr_b" } } }490{ "id": 24, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes" } } }

491{ "method": "thread/unarchived", "params": { "threadId": "thr_b" } }

439```492```

440 493 

441### Trigger thread compaction494### Trigger thread compaction

449{ "id": 25, "result": {} }502{ "id": 25, "result": {} }

450```503```

451 504 

505### Roll back recent turns

506 

507Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.

508 

509```json

510{ "method": "thread/rollback", "id": 26, "params": { "threadId": "thr_b", "numTurns": 1 } }

511{ "id": 26, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }

512```

513 

452## Turns514## Turns

453 515 

454The `input` field accepts a list of items:516The `input` field accepts a list of items:

478}540}

479```541```

480 542 

543On macOS, `includePlatformDefaults: true` appends a curated platform-default Seatbelt policy for restricted-read sessions. This improves tool compatibility without broadly allowing all of `/System`.

544 

481Examples:545Examples:

482 546 

483```json547```json

510 "writableRoots": ["/Users/me/project"],574 "writableRoots": ["/Users/me/project"],

511 "networkAccess": true575 "networkAccess": true

512 },576 },

513 "model": "gpt-5.1-codex",577 "model": "gpt-5.4",

514 "effort": "medium",578 "effort": "medium",

515 "summary": "concise",579 "summary": "concise",

516 "personality": "friendly",580 "personality": "friendly",

653- The server rejects empty `command` arrays.717- The server rejects empty `command` arrays.

654- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).718- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).

655- When omitted, `timeoutMs` falls back to the server default.719- When omitted, `timeoutMs` falls back to the server default.

720- Set `tty: true` for PTY-backed sessions, and use `processId` when you plan to follow up with `command/exec/write`, `command/exec/resize`, or `command/exec/terminate`.

721- Set `streamStdoutStderr: true` to receive `command/exec/outputDelta` notifications while the command is running.

722 

723### Read admin requirements (`configRequirements/read`)

724 

725Use `configRequirements/read` to inspect the effective admin requirements loaded from `requirements.toml` and/or MDM.

726 

727```json

728{ "method": "configRequirements/read", "id": 52, "params": {} }

729{ "id": 52, "result": {

730 "requirements": {

731 "allowedApprovalPolicies": ["onRequest", "unlessTrusted"],

732 "allowedSandboxModes": ["readOnly", "workspaceWrite"],

733 "featureRequirements": {

734 "personality": true,

735 "unified_exec": false

736 },

737 "network": {

738 "enabled": true,

739 "allowedDomains": ["api.openai.com"],

740 "allowUnixSockets": ["/tmp/example.sock"],

741 "dangerouslyAllowAllUnixSockets": false

742 }

743 }

744} }

745```

746 

747`result.requirements` is `null` when no requirements are configured. See the docs on [`requirements.toml`](https://developers.openai.com/codex/config-reference#requirementstoml) for details on supported keys and values.

748 

749### Windows sandbox setup (`windowsSandbox/setupStart`)

750 

751Custom Windows clients can trigger sandbox setup asynchronously instead of blocking on startup checks.

752 

753```json

754{ "method": "windowsSandbox/setupStart", "id": 53, "params": { "mode": "elevated" } }

755{ "id": 53, "result": { "started": true } }

756```

757 

758App-server starts setup in the background and later emits a completion notification:

759 

760```json

761{

762 "method": "windowsSandbox/setupCompleted",

763 "params": { "mode": "elevated", "success": true, "error": null }

764}

765```

766 

767Modes:

768 

769- `elevated` - run the elevated Windows sandbox setup path.

770- `unelevated` - run the legacy setup/preflight path.

656 771 

657## Events772## Events

658 773 

659Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `turn/*`, and `item/*` notifications.774Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

660 775 

661### Notification opt-out776### Notification opt-out

662 777 

664 779 

665- Exact-match only: `item/agentMessage/delta` suppresses only that method.780- Exact-match only: `item/agentMessage/delta` suppresses only that method.

666- Unknown method names are ignored.781- Unknown method names are ignored.

667- Applies to both legacy (`codex/event/*`) and v2 (`thread/*`, `turn/*`, `item/*`, etc.) notifications.782- Applies to the current `thread/*`, `turn/*`, `item/*`, and related v2 notifications.

668- Doesn't apply to requests, responses, or errors.783- Doesn't apply to requests, responses, or errors.

669 784 

670### Fuzzy file search events (experimental)785### Fuzzy file search events (experimental)

674- `fuzzyFileSearch/sessionUpdated` - `{ sessionId, query, files }` with the current matches for the active query.789- `fuzzyFileSearch/sessionUpdated` - `{ sessionId, query, files }` with the current matches for the active query.

675- `fuzzyFileSearch/sessionCompleted` - `{ sessionId }` once indexing and matching for that query completes.790- `fuzzyFileSearch/sessionCompleted` - `{ sessionId }` once indexing and matching for that query completes.

676 791 

792### Windows sandbox setup events

793 

794- `windowsSandbox/setupCompleted` - `{ mode, success, error }` emitted after a `windowsSandbox/setupStart` request finishes.

795 

677### Turn events796### Turn events

678 797 

679- `turn/started` - `{ turn }` with the turn id, empty `items`, and `status: "inProgress"`.798- `turn/started` - `{ turn }` with the turn id, empty `items`, and `status: "inProgress"`.

689`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Common item types include:808`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Common item types include:

690 809 

691- `userMessage` - `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).810- `userMessage` - `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).

692- `agentMessage` - `{id, text}` containing the accumulated agent reply.811- `agentMessage` - `{id, text, phase?}` containing the accumulated agent reply. When present, `phase` uses Responses API wire values (`commentary`, `final_answer`).

693- `plan` - `{id, text}` containing proposed plan text in plan mode. Treat the final `plan` item from `item/completed` as authoritative.812- `plan` - `{id, text}` containing proposed plan text in plan mode. Treat the final `plan` item from `item/completed` as authoritative.

694- `reasoning` - `{id, summary, content}` where `summary` holds streamed reasoning summaries and `content` holds raw reasoning blocks.813- `reasoning` - `{id, summary, content}` where `summary` holds streamed reasoning summaries and `content` holds raw reasoning blocks.

695- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.814- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.

696- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.815- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.

697- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.816- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.

817- `dynamicToolCall` - `{id, tool, arguments, status, contentItems?, success?, durationMs?}` for client-executed dynamic tool invocations.

698- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.818- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.

699- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.819- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.

700- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.820- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.

751Order of messages:871Order of messages:

752 872 

7531. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.8731. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.

7542. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, and optional `proposedExecpolicyAmendment`.8742. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, optional `proposedExecpolicyAmendment`, optional `networkApprovalContext`, and optional `availableDecisions`. When `initialize.params.capabilities.experimentalApi = true`, the payload can also include experimental `additionalPermissions` describing requested per-command sandbox access. Any filesystem paths inside `additionalPermissions` are absolute on the wire.

7553. Client responds with one of the command execution approval decisions above.8753. Client responds with one of the command execution approval decisions above.

7564. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.8764. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

8775. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.

878 

879When `networkApprovalContext` is present, the prompt is for managed network access (not a general shell-command approval). The current v2 schema exposes the target `host` and `protocol`; clients should render a network-specific prompt and not rely on `command` being a user-meaningful shell command preview.

880 

881Codex groups concurrent network approval prompts by destination (`host`, protocol, and port). The app-server may therefore send one prompt that unblocks multiple queued requests to the same destination, while different ports on the same host are treated separately.

757 882 

758### File change approvals883### File change approvals

759 884 

7621. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.8871. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.

7632. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.8882. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.

7643. Client responds with one of the file change approval decisions above.8893. Client responds with one of the file change approval decisions above.

7654. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.8904. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

8915. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.

892 

893### `tool/requestUserInput`

894 

895When the client responds to `item/tool/requestUserInput`, app-server emits `serverRequest/resolved` with `{ threadId, requestId }`. If the pending request is cleared by turn start, turn completion, or turn interruption before the client answers, the server emits the same notification for that cleanup.

896 

897### Dynamic tool calls (experimental)

898 

899`dynamicTools` on `thread/start` and the corresponding `item/tool/call` request or response flow are experimental APIs.

900 

901When a dynamic tool is invoked during a turn, app-server emits:

902 

9031. `item/started` with `item.type = "dynamicToolCall"`, `status = "inProgress"`, plus `tool` and `arguments`.

9042. `item/tool/call` as a server request to the client.

9053. The client response payload with returned content items.

9064. `item/completed` with `item.type = "dynamicToolCall"`, the final `status`, and any returned `contentItems` or `success` value.

766 907 

767### MCP tool-call approvals (apps)908### MCP tool-call approvals (apps)

768 909 

769App (connector) tool calls can also require approval. When an app tool call has side effects, the server may elicit approval with `tool/requestUserInput` and options such as **Accept**, **Decline**, and **Cancel**. If the user declines or cancels, the related `mcpToolCall` item completes with an error instead of running the tool.910App (connector) tool calls can also require approval. When an app tool call has side effects, the server may elicit approval with `tool/requestUserInput` and options such as **Accept**, **Decline**, and **Cancel**. Destructive tool annotations always trigger approval even when the tool also advertises less-privileged hints. If the user declines or cancels, the related `mcpToolCall` item completes with an error instead of running the tool.

770 911 

771## Skills912## Skills

772 913 

863 1004 

864## Apps (connectors)1005## Apps (connectors)

865 1006 

866Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state.1007Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state. App entries can also include optional `branding`, `appMetadata`, and `labels` fields.

867 1008 

868```json1009```json

869{ "method": "app/list", "id": 50, "params": {1010{ "method": "app/list", "id": 50, "params": {

879 "name": "Demo App",1020 "name": "Demo App",

880 "description": "Example connector for documentation.",1021 "description": "Example connector for documentation.",

881 "logoUrl": "https://example.com/demo-app.png",1022 "logoUrl": "https://example.com/demo-app.png",

1023 "logoUrlDark": null,

1024 "distributionChannel": null,

1025 "branding": null,

1026 "appMetadata": null,

1027 "labels": null,

882 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",1028 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",

883 "isAccessible": true,1029 "isAccessible": true,

884 "isEnabled": true1030 "isEnabled": true

904 "name": "Demo App",1050 "name": "Demo App",

905 "description": "Example connector for documentation.",1051 "description": "Example connector for documentation.",

906 "logoUrl": "https://example.com/demo-app.png",1052 "logoUrl": "https://example.com/demo-app.png",

1053 "logoUrlDark": null,

1054 "distributionChannel": null,

1055 "branding": null,

1056 "appMetadata": null,

1057 "labels": null,

907 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",1058 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",

908 "isAccessible": true,1059 "isAccessible": true,

909 "isEnabled": true1060 "isEnabled": true

936}1087}

937```1088```

938 1089 

1090### Config RPC examples for app settings

1091 

1092Use `config/read`, `config/value/write`, and `config/batchWrite` to inspect or update app controls in `config.toml`.

1093 

1094Read the effective app config shape (including `_default` and per-tool overrides):

1095 

1096```json

1097{ "method": "config/read", "id": 60, "params": { "includeLayers": false } }

1098{ "id": 60, "result": {

1099 "config": {

1100 "apps": {

1101 "_default": {

1102 "enabled": true,

1103 "destructive_enabled": true,

1104 "open_world_enabled": true

1105 },

1106 "google_drive": {

1107 "enabled": true,

1108 "destructive_enabled": false,

1109 "default_tools_approval_mode": "prompt",

1110 "tools": {

1111 "files/delete": { "enabled": false, "approval_mode": "approve" }

1112 }

1113 }

1114 }

1115 }

1116} }

1117```

1118 

1119Update a single app setting:

1120 

1121```json

1122{

1123 "method": "config/value/write",

1124 "id": 61,

1125 "params": {

1126 "keyPath": "apps.google_drive.default_tools_approval_mode",

1127 "value": "prompt",

1128 "mergeStrategy": "replace"

1129 }

1130}

1131```

1132 

1133Apply multiple app edits atomically:

1134 

1135```json

1136{

1137 "method": "config/batchWrite",

1138 "id": 62,

1139 "params": {

1140 "edits": [

1141 {

1142 "keyPath": "apps._default.destructive_enabled",

1143 "value": false,

1144 "mergeStrategy": "upsert"

1145 },

1146 {

1147 "keyPath": "apps.google_drive.tools.files/delete.approval_mode",

1148 "value": "approve",

1149 "mergeStrategy": "upsert"

1150 }

1151 ]

1152 }

1153}

1154```

1155 

1156### Detect and import external agent config

1157 

1158Use `externalAgentConfig/detect` to discover migratable external-agent artifacts, then pass the selected entries to `externalAgentConfig/import`.

1159 

1160Detection example:

1161 

1162```json

1163{ "method": "externalAgentConfig/detect", "id": 63, "params": {

1164 "includeHome": true,

1165 "cwds": ["/Users/me/project"]

1166} }

1167{ "id": 63, "result": {

1168 "items": [

1169 {

1170 "itemType": "AGENTS_MD",

1171 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1172 "cwd": "/Users/me/project"

1173 },

1174 {

1175 "itemType": "SKILLS",

1176 "description": "Copy skill folders from /Users/me/.claude/skills to /Users/me/.agents/skills.",

1177 "cwd": null

1178 }

1179 ]

1180} }

1181```

1182 

1183Import example:

1184 

1185```json

1186{ "method": "externalAgentConfig/import", "id": 64, "params": {

1187 "migrationItems": [

1188 {

1189 "itemType": "AGENTS_MD",

1190 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1191 "cwd": "/Users/me/project"

1192 }

1193 ]

1194} }

1195{ "id": 64, "result": {} }

1196```

1197 

1198Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, and `MCP_SERVER_CONFIG`. Detection returns only items that still have work to do. For example, AGENTS migration is skipped when `AGENTS.md` already exists and is non-empty, and skill imports do not overwrite existing skill directories.

1199 

939## Auth endpoints1200## Auth endpoints

940 1201 

941The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1202The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.

2 2 

3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.

4 4 

5Automations run locally in the Codex app. The app needs to be running, and the5Automations run in the background in the Codex app. The app needs to be

6selected project needs to be available on disk.6running, and the selected project needs to be available on disk.

7 7 

8In Git repositories, each automation run starts in a new8In Git repositories, you can choose whether an automation runs in your local

9[worktree](https://developers.openai.com/codex/app/worktrees) so it doesn’t interfere with your main9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the

10checkout. In non-version-controlled projects, automations run directly in the10background. Worktrees keep automation changes separate from unfinished local

11work, while running in your local project can modify files you are still

12working on. In non-version-controlled projects, automations run directly in the

11project directory.13project directory.

12 14 

13![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp)15You can also leave the model and reasoning effort on their default settings, or

16choose them explicitly if you want more control over how the automation runs.

17 

18![Automation creation form with schedule and prompt fields](/images/codex/app/codex-automations-light.webp)

14 19 

15## Managing tasks20## Managing tasks

16 21 

18 23 

19The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.

20 25 

21When an automation runs in a Git repository, Codex uses a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). In non-version-controlled projects, automations run directly in the project directory. Consider using Git to enable running on background worktrees. You can have the same automation run on multiple projects.26For Git repositories, each automation can run either in your local project or

27on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use

28worktrees when you want to isolate automation changes from unfinished local

29work. Use local mode when you want the automation to work directly in your main

30checkout, keeping in mind that it can modify files you are actively editing.

31In non-version-controlled projects, automations run directly in the project

32directory. You can have the same automation run on multiple projects.

22 33 

23Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).34Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).

24 35 

30first. This helps you confirm:41first. This helps you confirm:

31 42 

32- The prompt is clear and scoped correctly.43- The prompt is clear and scoped correctly.

33- The selected model and tools behave as expected.44- The selected or default model, reasoning effort, and tools behave as expected.

34- The resulting diff is reviewable.45- The resulting diff is reviewable.

35 46 

36When you start scheduling runs, review the first few outputs closely and adjust47When you start scheduling runs, review the first few outputs closely and adjust

38 49 

39## Worktree cleanup for automations50## Worktree cleanup for automations

40 51 

41For Git repositories, automations run in worktrees. Frequent schedules can52If you choose worktrees for Git repositories, frequent schedules can create

42create many worktrees over time. Archive automation runs you no longer need,53many worktrees over time. Archive automation runs you no longer need, and avoid

43and avoid pinning runs unless you intend to keep their worktrees.54pinning runs unless you intend to keep their worktrees.

44 55 

45## Permissions and security model56## Permissions and security model

46 57 

62 73 

63If you are in a managed environment, admins can restrict these behaviors using74If you are in a managed environment, admins can restrict these behaviors using

64admin-enforced requirements. For example, they can disallow `approval_policy = "never"` or constrain allowed sandbox modes. See75admin-enforced requirements. For example, they can disallow `approval_policy = "never"` or constrain allowed sandbox modes. See

65[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/security#admin-enforced-requirements-requirementstoml).76[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).

66 77 

67Automations use `approval_policy = "never"` when your organization policy78Automations use `approval_policy = "never"` when your organization policy

68allows it. If `approval_policy = "never"` is disallowed by admin requirements,79allows it. If `approval_policy = "never"` is disallowed by admin requirements,

48| `/review` | Start code review mode to review uncommitted changes or compare against a base branch. |48| `/review` | Start code review mode to review uncommitted changes or compare against a base branch. |

49| `/status` | Show the thread ID, context usage, and rate limits. |49| `/status` | Show the thread ID, context usage, and rate limits. |

50 50 

51## Deeplinks

52 

53The Codex app registers the `codex://` URL scheme so links can open specific parts of the app directly.

54 

55| Deeplink | Opens | Supported query parameters |

56| --- | --- | --- |

57| `codex://settings` | Settings. | None. |

58| `codex://skills` | Skills. | None. |

59| `codex://automations` | Inbox in automation create mode. | None. |

60| `codex://threads/<thread-id>` | A local thread. `<thread-id>` must be a UUID. | None. |

61| `codex://new` | A new thread. | Optional: `prompt`, `originUrl`, `path`. |

62 

63For new-thread deeplinks:

64 

65- `prompt` prefills the composer.

66- `path` must be an absolute path to a local directory and, when valid, makes that directory the active workspace for the new thread.

67- `originUrl` tries to match one of your current workspace roots by Git remote URL. If both `path` and `originUrl` are present, Codex resolves `path` first.

68 

51## See also69## See also

52 70 

53- [Features](https://developers.openai.com/codex/app/features)71- [Features](https://developers.openai.com/codex/app/features)

14session in a specific directory.14session in a specific directory.

15 15 

16If you work in a single repository with two or more apps or packages, split16If you work in a single repository with two or more apps or packages, split

17distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/security)17distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/agent-approvals-security)

18only includes the files for that project.18only includes the files for that project.

19 19 

20![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp)20![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp)

85pressing <kbd>Cmd</kbd>+<kbd>J</kbd>.85pressing <kbd>Cmd</kbd>+<kbd>J</kbd>.

86 86 

87Use the terminal to validate changes, run scripts, and perform Git operations87Use the terminal to validate changes, run scripts, and perform Git operations

88without leaving the app.88without leaving the app. Codex can also read the current terminal output, so

89it can check the status of a running development server or refer back to a

90failed build while it works with you.

89 91 

90Common tasks include:92Common tasks include:

91 93 

101 103 

102![Integrated terminal drawer open beneath a Codex thread](/images/codex/app/integrated-terminal-light.webp)104![Integrated terminal drawer open beneath a Codex thread](/images/codex/app/integrated-terminal-light.webp)

103 105 

106## Native Windows sandbox

107 

108On Windows, Codex can run natively in PowerShell with a native Windows sandbox

109instead of requiring WSL or a virtual machine. This lets you stay in

110Windows-native workflows while keeping bounded permissions in place.

111 

112[Learn more about Windows setup and sandboxing](https://developers.openai.com/codex/app/windows).

113 

114![Codex app Windows sandbox setup prompt above the message composer](/images/codex/windows/windows-sandbox-setup.webp)

115 

104## Voice dictation116## Voice dictation

105 117 

106Use your voice to prompt Codex. Hold <kbd>Ctrl</kbd>+<kbd>M</kbd> while the composer is visible and start talking. Your voice will be transcribed. Edit the transcribed prompt or hit send to have Codex start work.118Use your voice to prompt Codex. Hold <kbd>Ctrl</kbd>+<kbd>M</kbd> while the composer is visible and start talking. Your voice will be transcribed. Edit the transcribed prompt or hit send to have Codex start work.

152opening separate projects or using worktrees rather than asking Codex to roam164opening separate projects or using worktrees rather than asking Codex to roam

153outside the project root.165outside the project root.

154 166 

155For details on how Codex handles sandboxing, check out the [security documentation](https://developers.openai.com/codex/security).167For a high-level overview, see [Sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For

168configuration details, see the

169[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).

156 170 

157## MCP support171## MCP support

158 172 

165 179 

166Codex ships with a first-party web search tool. For local tasks in the Codex IDE Extension, Codex180Codex ships with a first-party web search tool. For local tasks in the Codex IDE Extension, Codex

167enables web search by default and serves results from a web search cache. If you configure your181enables web search by default and serves results from a web search cache. If you configure your

168sandbox for [full access](https://developers.openai.com/codex/security), web search defaults to live results. See182sandbox for [full access](https://developers.openai.com/codex/agent-approvals-security), web search defaults to live results. See

169[Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the183[Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the

170most recent data.184most recent data.

171 185 

10require <kbd>Cmd</kbd>+<kbd>Enter</kbd> for multiline prompts or prevent sleep while a10require <kbd>Cmd</kbd>+<kbd>Enter</kbd> for multiline prompts or prevent sleep while a

11thread runs.11thread runs.

12 12 

13## Appearance

14 

15Pick a theme, decide whether the window is solid, and adjust UI or code fonts. Font

16choices apply across the app, including the diff review panel and terminal.

17 

18## Notifications13## Notifications

19 14 

20Choose when turn completion notifications appear, and whether the app should prompt for15Choose when turn completion notifications appear, and whether the app should prompt for

24 19 

25Codex agents in the app inherit the same configuration as the IDE and CLI extension.20Codex agents in the app inherit the same configuration as the IDE and CLI extension.

26Use the in-app controls for common settings, or edit `config.toml` for advanced21Use the in-app controls for common settings, or edit `config.toml` for advanced

27options. See [Codex security](https://developers.openai.com/codex/security) and22options. See [Codex security](https://developers.openai.com/codex/agent-approvals-security) and

28[config basics](https://developers.openai.com/codex/config-basic) for more detail.23[config basics](https://developers.openai.com/codex/config-basic) for more detail.

29 24 

25## Appearance

26 

27In **Settings**, you can change the Codex app appearance by choosing a base theme,

28adjusting accent, background, and foreground colors, and changing the UI and code

29fonts. You can also share your custom theme with friends.

30 

31![Codex app Appearance settings showing theme selection, color controls, and font options](/images/codex/app/theme-selection-light.webp)

32 

30## Git33## Git

31 34 

32Use Git settings to standardize branch naming and choose whether Codex uses force35Use Git settings to standardize branch naming and choose whether Codex uses force

32### Only some threads appear in the sidebar32### Only some threads appear in the sidebar

33 33 

34The sidebar allows filtering of threads depending on the state of a project. If34The sidebar allows filtering of threads depending on the state of a project. If

35you’re missing threads, check whether you have any filters applied by clicking35you're missing threads, click the filter icon next to the **Threads** label and

36the filter icon next to the **Threads** label.36switch to Chronological. If you still don't see the thread, open

37[Settings](codex://settings) and check the archived chats or archived threads

38section.

37 39 

38### Code doesn't run on a worktree40### Code doesn't run on a worktree

39 41 

1# Windows

2 

3The [Codex app for Windows](https://apps.microsoft.com/detail/9plm9xgg6vks?hl=en-US&gl=US) gives you one interface for

4working across projects, running parallel agent threads, and reviewing results.

5It runs natively on Windows using PowerShell and the

6[Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox), or you can configure it to

7run in [Windows Subsystem for Linux (WSL)](#windows-subsystem-for-linux-wsl).

8 

9![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)

10 

11## Download and update the Codex app

12 

13Download the Codex app from the

14[Microsoft Store](https://apps.microsoft.com/detail/9plm9xgg6vks?hl=en-US&gl=US).

15 

16Then follow the [quickstart](https://developers.openai.com/codex/quickstart?setup=app) to get started.

17 

18To update the app, open the Microsoft Store, go to **Downloads**, and click

19**Check for updates**. The Store installs the latest version afterward.

20 

21For enterprises, administrators can deploy the app with Microsoft Store app

22distribution through enterprise management tools.

23 

24If you prefer a command-line install path, or need an alternative to opening

25the Microsoft Store UI, run:

26 

27```powershell

28winget install Codex -s msstore

29```

30 

31## Native sandbox

32 

33The Codex app on Windows supports a native [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) when the agent runs in PowerShell, and uses Linux sandboxing when you run the agent in [Windows Subsystem for Linux (WSL)](#windows-subsystem-for-linux-wsl). To apply sandbox protections in either mode, set sandbox permissions to **Default permissions** in the Composer before sending messages to Codex.

34 

35Running Codex in full access mode means Codex is not limited to your project

36 directory and might perform unintentional destructive actions that can lead to

37 data loss. Keep sandbox boundaries in place and use [rules](https://developers.openai.com/codex/rules) for

38 targeted exceptions, or set your [approval policy to

39 never](https://developers.openai.com/codex/agent-approvals-security#run-without-approval-prompts) to have

40 Codex attempt to solve problems without asking for escalated permissions,

41 based on your [approval and security setup](https://developers.openai.com/codex/agent-approvals-security).

42 

43## Customize for your dev setup

44 

45### Preferred editor

46 

47Choose a default app for **Open**, such as Visual Studio, VS Code, or another

48editor. You can override that choice per project. If you already picked a

49different app from the **Open** menu for a project, that project-specific

50choice takes precedence.

51 

52![Codex app settings showing the default Open In app on Windows](/images/codex/windows/open-in-windows-light.webp)

53 

54### Integrated terminal

55 

56You can also choose the default integrated terminal. Depending on what you have

57installed, options include:

58 

59- PowerShell

60- Command Prompt

61- Git Bash

62- WSL

63 

64This change applies only to new terminal sessions. If you already have an

65integrated terminal open, restart the app or start a new thread before

66expecting the new default terminal to appear.

67 

68![Codex app settings showing the integrated terminal selection on Windows](/images/codex/windows/integrated-shell-light.webp)

69 

70## Windows Subsystem for Linux (WSL)

71 

72By default, the Codex app uses the Windows-native agent. That means the agent

73runs commands in PowerShell. The app can still work with projects that live in

74Windows Subsystem for Linux (WSL) by using the `wsl` CLI when needed.

75 

76If you want to add a project from the WSL filesystem, click **Add new project**

77or press <kbd>Ctrl</kbd>+<kbd>O</kbd>, then type `\\wsl$\` into the File

78Explorer window. From there, choose your Linux distribution and the folder you

79want to open.

80 

81If you plan to keep using the Windows-native agent, prefer storing projects on

82your Windows filesystem and accessing them from WSL through

83`/mnt/<drive>/...`. This setup is more reliable than opening projects

84directly from the WSL filesystem.

85 

86If you want the agent itself to run in WSL, open **[Settings](codex://settings)**,

87switch the agent from Windows native to WSL, and **restart the app**. The

88change doesn't take effect until you restart. Your projects should remain in

89place after restart.

90 

91![Codex app settings showing the agent selector with Windows native and WSL options](/images/codex/windows/wsl-select-light.webp)

92 

93You configure the integrated terminal independently from the agent. See

94[Customize for your dev setup](#customize-for-your-dev-setup) for the

95terminal options. You can keep the agent in WSL and still use PowerShell in the

96terminal, or use WSL for both, depending on your workflow.

97 

98## Useful developer tools

99 

100Codex works best when a few common developer tools are already installed:

101 

102- **Git**: Powers the review panel in the Codex app and lets you inspect or

103 revert changes.

104- **Node.js**: A common tool that the agent uses to perform tasks more

105 efficiently.

106- **Python**: A common tool that the agent uses to perform tasks more

107 efficiently.

108- **.NET SDK**: Useful when you want to build native Windows apps.

109- **GitHub CLI**: Powers GitHub-specific functionality in the Codex app.

110 

111Install them with the default Windows package manager `winget` by pasting this

112into the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or

113asking Codex to install them:

114 

115```powershell

116winget install --id Git.Git

117winget install --id OpenJS.NodeJS.LTS

118winget install --id Python.Python.3.14

119winget install --id Microsoft.DotNet.SDK.10

120winget install --id GitHub.cli

121```

122 

123After installing GitHub CLI, run `gh auth login` to enable GitHub features in

124the app.

125 

126If you need a different Python or .NET version, change the package IDs to the

127version you want.

128 

129## Troubleshooting and FAQ

130 

131### Run commands with elevated permissions

132 

133If you need Codex to run commands with elevated permissions, start the Codex app

134itself as an administrator. After installation, open the Start menu, find

135Codex, and choose Run as administrator. The Codex agent inherits that

136permission level.

137 

138### PowerShell execution policy blocks commands

139 

140If you have never used tools such as Node.js or `npm` in PowerShell before, the

141Codex agent or integrated terminal may hit execution policy errors.

142 

143This can also happen if Codex creates PowerShell scripts for you. In that case,

144you may need a less restrictive execution policy before PowerShell will run

145them.

146 

147An error may look something like this:

148 

149```text

150npm.ps1 cannot be loaded because running scripts is disabled on this system.

151```

152 

153A common fix is to set the execution policy to `RemoteSigned`:

154 

155```powershell

156Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

157```

158 

159For details and other options, check Microsoft's

160[execution policy guide](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies)

161before changing the policy.

162 

163### Local environment scripts on Windows

164 

165If your [local environment](https://developers.openai.com/codex/app/local-environments) uses cross-platform

166commands such as `npm` scripts, you can keep one shared setup script or

167set of actions for every platform.

168 

169If you need Windows-specific behavior, create Windows-specific setup scripts or

170Windows-specific actions.

171 

172Actions run in the environment used by your integrated terminal. See

173[Customize for your dev setup](#customize-for-your-dev-setup).

174 

175Local setup scripts run in the agent environment: WSL if the agent uses WSL,

176and PowerShell otherwise.

177 

178### Share config, auth, and sessions with WSL

179 

180The Windows app uses the same Codex home directory as native Codex on Windows:

181`%USERPROFILE%\.codex`.

182 

183If you also run the Codex CLI inside WSL, the CLI uses the Linux home

184directory by default, so it does not automatically share configuration, cached

185auth, or session history with the Windows app.

186 

187To share them, use one of these approaches:

188 

189- Sync WSL `~/.codex` with `%USERPROFILE%\.codex` on your file system.

190- Point WSL at the Windows Codex home directory by setting `CODEX_HOME`:

191 

192```bash

193export CODEX_HOME=/mnt/c/Users/<windows-user>/.codex

194```

195 

196If you want that setting in every shell, add it to your WSL shell profile, such

197as `~/.bashrc` or `~/.zshrc`.

198 

199### Git features are unavailable

200 

201If you don't have Git installed natively on Windows, the app can't use some

202features. Install it with `winget install Git.Git` from PowerShell or `cmd.exe`.

203 

204### Git isn't detected for projects opened from `\\wsl$`

205 

206For now, if you want to use the Windows-native agent with a project that is

207also accessible from WSL, the most reliable workaround is to store the project

208on the native Windows drive and access it in WSL through `/mnt/<drive>/...`.

209 

210### Cmder is not listed in the open dialog

211 

212If Cmder is installed but doesn’t show in Codex’s open dialog, add it to the

213Windows Start Menu: right-click Cmder and choose **Add to Start**, then restart

214Codex or reboot.

1# Worktrees1# Worktrees

2 2 

3In the Codex app, worktrees let Codex run multiple independent tasks in the same project without interfering with each other. For Git repositories, [automations](https://developers.openai.com/codex/app/automations) run on dedicated background worktrees so they don’t conflict with your ongoing work. In non-version-controlled projects, automations run directly in the project directory. You can also start threads on a worktree manually.3In the Codex app, worktrees let Codex run multiple independent tasks in the same project without interfering with each other. For Git repositories, [automations](https://developers.openai.com/codex/app/automations) run on dedicated background worktrees so they don't conflict with your ongoing work. In non-version-controlled projects, automations run directly in the project directory. You can also start threads on a worktree manually, and use Handoff to move a thread between Local and Worktree.

4 4 

5## What's a worktree5## What's a worktree

6 6 

10 10 

11- **Local checkout**: The repository that you created. Sometimes just referred to as **Local** in the Codex app.11- **Local checkout**: The repository that you created. Sometimes just referred to as **Local** in the Codex app.

12- **Worktree**: A [Git worktree](https://git-scm.com/docs/git-worktree) that was created from your local checkout in the Codex app.12- **Worktree**: A [Git worktree](https://git-scm.com/docs/git-worktree) that was created from your local checkout in the Codex app.

13- **Handoff**: The flow that moves a thread between Local and Worktree. Codex handles the Git operations required to move your work safely between them.

13 14 

14## Why use a worktree15## Why use a worktree

15 16 

161. Work in parallel with Codex without breaking each other as you work.171. Work in parallel with Codex without disturbing your current Local setup.

172. Start a thread unrelated to your current work182. Queue up background work while you stay focused on the foreground.

18 - Staging area to queue up work you want Codex to start but aren’t ready to test yet.193. Move a thread into Local later when you're ready to inspect, test, or collaborate more directly.

19 20 

20## Getting started21## Getting started

21 22 

313. Submit your prompt323. Submit your prompt

32 33 

33 Submit your task and Codex will create a Git worktree based on the branch you selected. By default, Codex works in a ["detached HEAD"](https://git-scm.com/docs/git-checkout#_detached_head).34 Submit your task and Codex will create a Git worktree based on the branch you selected. By default, Codex works in a ["detached HEAD"](https://git-scm.com/docs/git-checkout#_detached_head).

344. Verify your changes354. Choose where to keep working

35 36 

36 When you’re ready, follow one of the paths [below](#verifying-and-pushing-workflow-changes)37 When you’re ready, you can either keep working directly on the worktree or hand the thread off to your local checkout. Handing off to or from local will move your thread *and* code so you can continue in the other checkout.

37 based on your project and flow.

38 38 

39## Verifying and pushing workflow changes39## Working between Local and Worktree

40 40 

41Worktrees look and feel much like your local checkout. But **Git only allows a branch to be checked out in one place at a time**. If you check out a branch on a worktree, you **can’t** check it out in your local checkout at the same time, and vice versa.41Worktrees look and feel much like your local checkout. The difference is where they fit into your flow. You can think of Local as the foreground and Worktree as the background. Handoff lets you move a thread between them.

42 42 

43Because of this, choose how you want to verify and commit changes Codex made on a worktree:43Under the hood, Handoff handles the Git operations required to move work between two checkouts safely. This matters because **Git only allows a branch to be checked out in one place at a time**. If you check out a branch on a worktree, you **can't** check it out in your local checkout at the same time, and vice versa.

44 

45In practice, there are two common paths:

44 46 

451. [Work exclusively on the worktree](#option-1-working-on-the-worktree). This path works best when you can verify changes directly on the worktree, for example because you have dependencies and tools installed using a [local environment setup script](https://developers.openai.com/codex/app/local-environments).471. [Work exclusively on the worktree](#option-1-working-on-the-worktree). This path works best when you can verify changes directly on the worktree, for example because you have dependencies and tools installed using a [local environment setup script](https://developers.openai.com/codex/app/local-environments).

462. [Work in your local checkout](#option-2-working-in-your-local-checkout). Use this when you need to bring changes back into your main checkout, for example because you can run only one instance of your app.482. [Hand the thread off to Local](#option-2-handing-a-thread-off-to-local). Use this when you want to bring the thread into the foreground, for example because you want to inspect changes in your usual IDE or can run only one instance of your app.

47 49 

48### Option 1: Working on the worktree50### Option 1: Working on the worktree

49 51 

57 59 

58Remember, if you create a branch on a worktree, you can't check it out in any other worktree, including your local checkout.60Remember, if you create a branch on a worktree, you can't check it out in any other worktree, including your local checkout.

59 61 

60If you plan to keep working on this branch, you can [add it to the sidebar](#adding-a-worktree-to-the-sidebar). Otherwise, archive the thread after you’re done so the worktree can be deleted.62### Option 2: Handing a thread off to Local

61 

62### Option 2: Working in your local checkout

63 63 

64If you don’t want to verify your changes directly on the worktree and instead check them out on your local checkout, click **Sync with local** in the header of your thread.64If you want to bring a thread into the foreground, click **Hand off** in the header of your thread and move it to **Local**.

65 65 

66You will be presented with the option of creating a new branch or syncing to an existing branch.66This path works well when you want to read the changes in your usual IDE window, run your existing development server, or validate the work in the same environment you already use day to day.

67 67 

68You can sync with local at any point. To do so, click **Sync with local** in the header again. From here, you can choose which direction to sync (to local or from local) and a sync method:68Codex handles the Git steps required to move the thread safely between the worktree and your local checkout.

69 69 

70- **Overwrite**: Makes the destination checkout match the source checkout’s files and commit history.70Each thread keeps the same associated worktree over time. If you hand the thread back to a worktree later, Codex returns it to that same background environment so you can pick up where you left off.

71- **Apply**: Calculates the source changes since the nearest shared commit and applies that patch onto the destination checkout, preserving destination commit history while bringing over source code changes (not source commits).

72 71 

73![Sync worktree dialog with options to apply or pull changes](/images/codex/app/sync-worktree-light.webp)72![Handoff dialog moving a thread from a worktree to Local](/images/codex/app/handoff-light.webp)

74 73 

75You can create multiple worktrees and sync them to the same feature branch to split up your work into parallel threads.74You can also go the other direction. If you're already working in Local and want to free up the foreground, use **Hand off** to move the thread to a worktree. This is useful when you want Codex to keep working in the background while you switch your attention back to something else locally.

76 75 

77In some cases, changes on your worktree might conflict with changes on your local checkout, for example from testing a previous worktree. In those cases, you can use the **Overwrite local** option to reset the previous changes and cleanly apply your worktree changes.76Since Handoff uses Git operations, any files that are part of your `.gitignore` file won't move with the thread.

78 77 

79Since this process uses Git operations, any files that are part of the `.gitignore` file won’t be transferred during the sync process.78## Advanced details

80 79 

81## Adding a worktree to the sidebar80### Codex-managed and permanent worktrees

82 81 

83If you choose option one above (work on the worktree), once you have created a branch on the worktree, an option appears in the header to add the worktree to your sidebar. This promotes the worktree to a permanent home. When you do this, it will never be automatically deleted, and you can even kick off new threads from the same worktree.82By default, threads use a Codex-managed worktree. These are meant to feel lightweight and disposable. A Codex-managed worktree is typically dedicated to one thread, and Codex returns that thread to the same worktree if you hand it back there later.

84 83 

85## Advanced details84If you want a long-lived environment, create a permanent worktree from the three-dot menu on a project in the sidebar. This creates a new permanent worktree as its own project. Permanent worktrees are not automatically deleted, and you can start multiple threads from the same worktree.

86 85 

87### How Codex manages worktrees for you86### How Codex manages worktrees for you

88 87 

89Codex will create a worktree in `$CODEX_HOME/worktrees`. The starting commit will be the `HEAD` commit of the branch selected when you start your thread. If you chose a branch with local changes, the uncommitted changes will be applied to the worktree as well. The worktree will *not* be checked out as a branch. It will be in a [detached HEAD](https://git-scm.com/docs/git-checkout#_detached_head) state. This means you can create several worktrees without polluting your branches.88Codex creates worktrees in `$CODEX_HOME/worktrees`. The starting commit will be the `HEAD` commit of the branch selected when you start your thread. If you chose a branch with local changes, the uncommitted changes will be applied to the worktree as well. The worktree will *not* be checked out as a branch. It will be in a [detached HEAD](https://git-scm.com/docs/git-checkout#_detached_head) state. This lets Codex create several worktrees without polluting your branches.

90 89 

91### Branch limitations90### Branch limitations

92 91 

98 97 

99To resolve this, you would need to check out another branch instead of `feature/a` on the worktree.98To resolve this, you would need to check out another branch instead of `feature/a` on the worktree.

100 99 

101If you plan on checking out the branch locally, try Workflow 2 ([sync with local](#option-2-working-in-your-local-checkout)).100If you plan on checking out the branch locally, use Handoff to move the thread into Local instead of trying to keep the same branch checked out in both places at once.

102 101 

103Why this limitation exists102Why this limitation exists

104 103 

112 111 

113Worktrees can take up a lot of disk space. Each one has its own set of repository files, dependencies, build caches, etc. As a result, the Codex app tries to keep the number of worktrees to a reasonable limit.112Worktrees can take up a lot of disk space. Each one has its own set of repository files, dependencies, build caches, etc. As a result, the Codex app tries to keep the number of worktrees to a reasonable limit.

114 113 

115Worktrees will never be cleaned up if:114By default, Codex keeps your most recent 15 Codex-managed worktrees. You can change this limit or turn off automatic deletion in settings if you prefer to manage disk usage yourself.

116 115 

117- A pinned conversation is tied to it116Codex tries to avoid deleting worktrees that are still important. Codex-managed worktrees won't be deleted automatically if:

118- The worktree was added to the sidebar (see above)

119 117 

120Worktrees are eligible for cleanup when:118- A pinned conversation is tied to it

119- The thread is still in progress

120- The worktree is a permanent worktree

121 121 

122- It’s more than 4 days old122Codex-managed worktrees are deleted automatically when: