OpenAI - Codex Docs Changes 2026-02-20 12:16 UTC → 2026-05-01 18:29 UTC

1# Agent approvals & security

2 

3Codex helps protect your code and data and reduces the risk of misuse.

4 

5This page covers how to operate Codex safely, including sandboxing, approvals,

6 and network access. If you are looking for Codex Security, the product for

7 scanning connected GitHub repositories, see [Codex Security](https://developers.openai.com/codex/security).

8 

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

10 

11For a high-level explanation of how sandboxing works across the Codex app, IDE

12extension, and CLI, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing).

13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

14 

15## Sandbox and approvals

16 

17Codex security controls come from two layers that work together:

18 

19- **Sandbox mode**: What Codex can do technically (for example, where it can write and whether it can reach the network) when it executes model-generated commands.

20- **Approval policy**: When Codex must ask you before it executes an action (for example, leaving the sandbox, using the network, or running commands outside a trusted set).

21 

22Codex uses different sandbox modes depending on where you run it:

23 

24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.

25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

26 

27In the `Auto` preset (for example, `--sandbox workspace-write --ask-for-approval on-request`), Codex can read files, make edits, and run commands in the working directory automatically.

28 

29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

30 

31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

32 

33## Network access [Elevated Risk](https://help.openai.com/articles/20001061)

34 

35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

36 

37For the Codex app, CLI, or IDE Extension, the default `workspace-write` sandbox mode keeps network access turned off unless you enable it in your configuration:

38 

39```toml

40[sandbox_workspace_write]

41network_access = true

42```

43 

44You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

45 

46```toml

47web_search = "cached" # default

48# web_search = "disabled"

49# web_search = "live" # same as --search

50```

51 

52Use caution when enabling network access or web search in Codex. Prompt injection can cause the agent to fetch and follow untrusted instructions.

53 

54## Defaults and recommendations

55 

56- On launch, Codex detects whether the folder is version-controlled and recommends:

57 - Version-controlled folders: `Auto` (workspace write + on-request approvals)

58 - Non-version-controlled folders: `read-only`

59- Depending on your setup, Codex may also start in `read-only` until you explicitly trust the working directory (for example, via an onboarding prompt or `/permissions`).

60- The workspace includes the current directory and temporary directories like `/tmp`. Use the `/status` command to see which directories are in the workspace.

61- To accept the defaults, run `codex`.

62- You can set these explicitly:

63 - `codex --sandbox workspace-write --ask-for-approval on-request`

64 - `codex --sandbox read-only --ask-for-approval on-request`

65 

66### Protected paths in writable roots

67 

68In the default `workspace-write` sandbox policy, writable roots still include protected paths:

69 

70- `<writable_root>/.git` is protected as read-only whether it appears as a directory or file.

71- If `<writable_root>/.git` is a pointer file (`gitdir: ...`), the resolved Git directory path is also protected as read-only.

72- `<writable_root>/.agents` is protected as read-only when it exists as a directory.

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.

75 

76### Deny reads with filesystem profiles

77 

78Named permission profiles can also deny reads for exact paths or glob patterns.

79This is useful when a workspace should stay writable but specific sensitive

80files, such as local environment files, must stay unreadable:

81 

82```toml

83default_permissions = "workspace"

84 

85[permissions.workspace.filesystem]

86":project_roots" = { "." = "write", "**/*.env" = "none" }

87glob_scan_max_depth = 3

88```

89 

90Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy

91evaluates globs for local macOS and Linux command execution. On platforms that

92pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for

93unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and

94`*/*/*.env`.

95 

96### Run without approval prompts

97 

98You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

99 

100This option works with all `--sandbox` modes, so you still control Codex's level of autonomy. Codex makes a best effort within the constraints you set.

101 

102If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

103 

104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

105 

106### Automatic approval reviews

107 

108By default, approval requests route to you:

109 

110```toml

111approvals_reviewer = "user"

112```

113 

114Automatic approval reviews apply when approvals are interactive, such as

115`approval_policy = "on-request"` or a granular approval policy. Set

116`approvals_reviewer = "auto_review"` to route eligible approval requests

117through a reviewer agent before Codex runs the request:

118 

119```toml

120approval_policy = "on-request"

121approvals_reviewer = "auto_review"

122```

123 

124The reviewer evaluates only actions that already need approval, such as sandbox

125escalations, network requests, `request_permissions` prompts, or side-effecting

126app and MCP tool calls. Actions that stay inside the sandbox continue without an

127extra review step.

128 

129The reviewer policy checks for data exfiltration, credential probing, persistent

130security weakening, and destructive actions. Low-risk and medium-risk actions

131can proceed when policy allows them. The policy denies critical-risk actions.

132High-risk actions require enough user authorization and no matching deny rule.

133Timeouts, parse failures, and review errors fail closed.

134 

135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

136is in the open-source Codex repository. Enterprises can replace its

137tenant-specific section with `guardian_policy_config` in managed requirements.

138Local `[auto_review].policy` text is also supported, but managed requirements

139take precedence. For setup details, see

140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

141 

142In the Codex app, these reviews appear as automatic review items with a status such

143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a

144risk level for the reviewed request.

145 

146Automatic review uses extra model calls, so it can add to Codex usage. Admins

147can constrain it with `allowed_approvals_reviewers`.

148 

149### Common sandbox and approval combinations

150 

151| Intent | Flags | Effect |

152| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |

153| Auto (preset) | *no flags needed* or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

154| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

155| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |

156| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

157| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |

158 

159For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.

160 

161With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

162 

163#### Configuration in `config.toml`

164 

165For the broader configuration workflow, see [Config basics](https://developers.openai.com/codex/config-basic), [Advanced Config](https://developers.openai.com/codex/config-advanced#approval-policies-and-sandbox-modes), and the [Configuration Reference](https://developers.openai.com/codex/config-reference).

166 

167```toml

168# Always ask for approval mode

169approval_policy = "untrusted"

170sandbox_mode = "read-only"

171allow_login_shell = false # optional hardening: disallow login shells for shell-based tools

172 

173# Optional: Allow network in workspace-write mode

174[sandbox_workspace_write]

175network_access = true

176 

177# Optional: granular approval policy

178# approval_policy = { granular = {

179# sandbox_approval = true,

180# rules = true,

181# mcp_elicitations = true,

182# request_permissions = false,

183# skill_approval = false

184# } }

185```

186 

187You can also save presets as profiles, then select them with `codex --profile <name>`:

188 

189```toml

190[profiles.full_auto]

191approval_policy = "on-request"

192sandbox_mode = "workspace-write"

193 

194[profiles.readonly_quiet]

195approval_policy = "never"

196sandbox_mode = "read-only"

197```

198 

199### Test the sandbox locally

200 

201To see what happens when a command runs under the Codex sandbox, use these Codex CLI commands:

202 

203```bash

204# macOS

205codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...

206# Linux

207codex sandbox linux [--permissions-profile <name>] [COMMAND]...

208# Windows

209codex sandbox windows [--permissions-profile <name>] [COMMAND]...

210```

211 

212The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

213 

214## OS-level sandbox

215 

216Codex enforces the sandbox differently depending on your OS:

217 

218- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

219- **Linux** uses `bwrap` plus `seccomp` by default.

220- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

221 

222If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:

223 

224```json

225{

226 "chatgpt.runCodexInWindowsSubsystemForLinux": true

227}

228```

229 

230This ensures the IDE extension inherits Linux sandbox semantics for commands, approvals, and filesystem access even when the host OS is Windows. Learn more in the [Windows setup guide](https://developers.openai.com/codex/windows).

231 

232When running natively on Windows, configure the native sandbox mode in `config.toml`:

233 

234```toml

235[windows]

236sandbox = "unelevated" # or "elevated"

237# sandbox_private_desktop = true # default; set false only for compatibility

238```

239 

240See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

241 

242When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration blocks the namespace, setuid `bwrap`, or `seccomp` operations that Codex needs.

243 

244In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

245 

246### Run Codex in Dev Containers

247 

248If your host cannot run the Linux sandbox directly, or if your organization already standardizes on containerized development, run Codex with Dev Containers and let Docker provide the outer isolation boundary. This works with Visual Studio Code Dev Containers and compatible tools.

249 

250Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.

251 

252Devcontainers provide substantial protection, but they do not prevent every

253 attack. If you run Codex with `--sandbox danger-full-access` or

254 `--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious

255 project can exfiltrate anything available inside the devcontainer, including

256 Codex credentials. Use this pattern only with trusted repositories, and

257 monitor Codex activity as you would in any other elevated environment.

258 

259The reference implementation includes:

260 

261- an Ubuntu 24.04 base image with Codex and common development tools installed;

262- an allowlist-driven firewall profile for outbound access;

263- VS Code settings and extension recommendations for reopening the workspace in a container;

264- persistent mounts for command history and Codex configuration;

265- `bubblewrap`, so Codex can still use its Linux sandbox when the container grants the needed capabilities.

266 

267To try it:

268 

2691. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).

2702. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.

2713. In VS Code, run **Dev Containers: Open Folder in Container…** and select `.devcontainer/devcontainer.secure.json`.

2724. After the container starts, open a terminal and run `codex`.

273 

274You can also start the container from the CLI:

275 

276```bash

277devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json

278```

279 

280The example has three main pieces:

281 

282- `.devcontainer/devcontainer.secure.json` controls container settings, capabilities, mounts, environment variables, and VS Code extensions.

283- `.devcontainer/Dockerfile.secure` defines the Ubuntu-based image and installed tools.

284- `.devcontainer/init-firewall.sh` applies the outbound network policy.

285 

286The reference firewall is intentionally a starting point. If you depend on domain allowlisting for isolation, implement DNS rebinding and DNS refresh protections that fit your environment, such as TTL-aware refreshes or a DNS-aware firewall.

287 

288Inside the container, choose one of these modes:

289 

290- Keep Codex's Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.

291- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.

292 

293## Version control

294 

295Codex works best with a version control workflow:

296 

297- Work on a feature branch and keep `git status` clean before delegating. This keeps Codex patches easier to isolate and revert.

298- Prefer patch-based workflows (for example, `git diff`/`git apply`) over editing tracked files directly. Commit frequently so you can roll back in small increments.

299- Treat Codex suggestions like any other PR: run targeted verification, review diffs, and document decisions in commit messages for auditing.

300 

301## Monitoring and telemetry

302 

303Codex supports opt-in monitoring via OpenTelemetry (OTel) to help teams audit usage, investigate issues, and meet compliance requirements without weakening local security defaults. Telemetry is off by default; enable it explicitly in your configuration.

304 

305### Overview

306 

307- Codex turns off OTel export by default to keep local runs self-contained.

308- When enabled, Codex emits structured log events covering conversations, API requests, SSE/WebSocket stream activity, user prompts (redacted by default), tool approval decisions, and tool results.

309- Codex tags exported events with `service.name` (originator), CLI version, and an environment label to separate dev/staging/prod traffic.

310 

311### Enable OTel (opt-in)

312 

313Add an `[otel]` block to your Codex configuration (typically `~/.codex/config.toml`), choosing an exporter and whether to log prompt text.

314 

315```toml

316[otel]

317environment = "staging" # dev | staging | prod

318exporter = "none" # none | otlp-http | otlp-grpc

319log_user_prompt = false # redact prompt text unless policy allows

320```

321 

322- `exporter = "none"` leaves instrumentation active but doesn't send data anywhere.

323- To send events to your own collector, pick one of:

324 

325```toml

326[otel]

327exporter = { otlp-http = {

328 endpoint = "https://otel.example.com/v1/logs",

329 protocol = "binary",

330 headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }

331}}

332```

333 

334```toml

335[otel]

336exporter = { otlp-grpc = {

337 endpoint = "https://otel.example.com:4317",

338 headers = { "x-otlp-meta" = "abc123" }

339}}

340```

341 

342Codex batches events and flushes them on shutdown. Codex exports only telemetry produced by its OTel module.

343 

344### Event categories

345 

346Representative event types include:

347 

348- `codex.conversation_starts` (model, reasoning settings, sandbox/approval policy)

349- `codex.api_request` (attempt, status/success, duration, and error details)

350- `codex.sse_event` (stream event kind, success/failure, duration, plus token counts on `response.completed`)

351- `codex.websocket_request` and `codex.websocket_event` (request duration plus per-message kind/success/error)

352- `codex.user_prompt` (length; content redacted unless explicitly enabled)

353- `codex.tool_decision` (approved/denied, source: configuration vs. user)

354- `codex.tool_result` (duration, success, output snippet)

355 

356Associated OTel metrics (counter plus duration histogram pairs) include `codex.api_request`, `codex.sse_event`, `codex.websocket.request`, `codex.websocket.event`, and `codex.tool.call` (with corresponding `.duration_ms` instruments).

357 

358For the full event catalog and configuration reference, see the [Codex configuration documentation on GitHub](https://github.com/openai/codex/blob/main/docs/config.md#otel).

359 

360### Security and privacy guidance

361 

362- Keep `log_user_prompt = false` unless policy explicitly permits storing prompt contents. Prompts can include source code and sensitive data.

363- Route telemetry only to collectors you control; apply retention limits and access controls aligned with your compliance requirements.

364- Treat tool arguments and outputs as sensitive. Favor redaction at the collector or SIEM when possible.

365- Review local data retention settings (for example, `history.persistence` / `history.max_bytes`) if you don't want Codex to save session transcripts under `CODEX_HOME`. See [Advanced Config](https://developers.openai.com/codex/config-advanced#history-persistence) and [Configuration Reference](https://developers.openai.com/codex/config-reference).

366- If you run the CLI with network access turned off, OTel export can't reach your collector. To export, allow network access in `workspace-write` mode for the OTel endpoint, or export from Codex cloud with the collector domain on your approved list.

367- Review events periodically for approval/sandbox changes and unexpected tool executions.

368 

369OTel is optional and designed to complement, not replace, the sandbox and approval protections described above.

370 

371## Managed configuration

372 

373Enterprise admins can configure Codex security settings for their workspace in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration). See that page for setup and policy details.

4 4 

5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).

6 6 

7![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)

8 

7![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)

8 10 

9## Getting started11## Getting started

10 12 

11The Codex app is available on macOS (Apple Silicon).13The Codex app is available on macOS and Windows.

14 

15Most Codex app features are available on both platforms. Platform-specific

16exceptions are noted in the relevant docs.

12 17 

131. Download and install the Codex app181. Download and install the Codex app

14 19 

15 The Codex app is currently only available for macOS.20 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.

21 

22 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)

23 

24 Need a different operating system?

16 25 

17 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)26 [Download for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi)

18 27 

19 [Get notified for Windows and Linux](https://openai.com/form/codex-app/)28 [Get notified for Linux](https://openai.com/form/codex-app/)

202. Open Codex and sign in292. Open Codex and sign in

21 30 

22 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.31 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

38- Build a classic Snake game in this repo.47- Build a classic Snake game in this repo.

39- Find and fix bugs in my codebase with minimal, high-confidence changes.48- Find and fix bugs in my codebase with minimal, high-confidence changes.

40 49 

41 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).50 If you need more inspiration, explore [Codex use cases](https://developers.openai.com/codex/use-cases).

51 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

42 52 

43---53---

44 54 

46 56 

47[### Multitask across projects57[### Multitask across projects

48 58 

49Run multiple tasks in parallel and switch quickly between them.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Built-in Git tools59Run project threads side by side and switch between them quickly.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Worktrees

60 

61Keep parallel code changes isolated with built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Computer use

62 

63Let Codex use macOS apps for GUI tasks, browser flows, and native app testing.](https://developers.openai.com/codex/app/computer-use)[### Review and ship changes

64 

65Inspect diffs, address PR feedback, stage files, commit, and push.](https://developers.openai.com/codex/app/review)[### Terminal and actions

50 66 

51Review diffs, comment inline, stage or revert chunks, and commit without leaving the app.](https://developers.openai.com/codex/app/features#built-in-git-tools)[### Worktrees for parallel tasks67Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser

52 68 

53Isolate changes of multiple Codex threads using built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Skills support69Open rendered pages, leave comments, or let Codex operate local browser flows.](https://developers.openai.com/codex/app/browser)[### Image generation

54 70 

55Give your Codex agent additional capabilities and reuse skills across App, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Automations71Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations

56 72 

57Pair skills with automations to automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives runs if there’s nothing to report.](https://developers.openai.com/codex/app/automations)[### Built-in terminal73Schedule recurring tasks, or wake up the same thread for ongoing checks.](https://developers.openai.com/codex/app/automations)[### Skills

58 74 

59Open a terminal per thread to test your changes, run dev servers, scripts, and custom commands.](https://developers.openai.com/codex/app/features#integrated-terminal)[### Local environments75Reuse instructions and workflows across the app, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Sidebar and artifacts

60 76 

61Define worktree setup scripts and common project actions for easy access.](https://developers.openai.com/codex/app/local-environments)[### Sync with the IDE extension77Follow plans, sources, task summaries, and generated file previews.](https://developers.openai.com/codex/app/features#richer-outputs-and-artifacts)[### Plugins

62 78 

63Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)[### MCP support79Connect apps, skills, and MCP servers to extend what Codex can do.](https://developers.openai.com/codex/plugins)[### IDE Extension sync

64 80 

65Connect your Codex agent to additional services using MCP.](https://developers.openai.com/codex/app/features#mcp-support)81Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)

66 82 

67---83---

68 84 

12Supported transports:12Supported transports:

13 13 

14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).

15- `websocket` (`--listen ws://IP:PORT`, experimental): one JSON-RPC message per WebSocket text frame.15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one JSON-RPC message per WebSocket text frame.

16- `off` (`--listen off`): don't expose a local transport.

17 

18When you run with `--listen ws://IP:PORT`, the same listener also serves basic HTTP health probes:

19 

20- `GET /readyz` returns `200 OK` once the listener accepts new connections.

21- `GET /healthz` returns `200 OK` when the request doesn't include an `Origin` header.

22- Requests with an `Origin` header are rejected with `403 Forbidden`.

23 

24WebSocket transport is experimental and unsupported. Loopback listeners such as `ws://127.0.0.1:PORT` are appropriate for localhost and SSH port-forwarding workflows. Non-loopback WebSocket listeners currently allow unauthenticated connections by default during rollout, so configure WebSocket auth before exposing one remotely.

25 

26Supported WebSocket auth flags:

27 

28- `--ws-auth capability-token --ws-token-file /absolute/path`

29- `--ws-auth capability-token --ws-token-sha256 HEX`

30- `--ws-auth signed-bearer-token --ws-shared-secret-file /absolute/path`

31 

32For signed bearer tokens, you can also set `--ws-issuer`, `--ws-audience`, and `--ws-max-clock-skew-seconds`. Clients present the credential as `Authorization: Bearer <token>` during the WebSocket handshake, and app-server enforces auth before JSON-RPC `initialize`.

33 

34Prefer `--ws-token-file` over passing raw bearer tokens on the command line. Use `--ws-token-sha256` only when the client keeps the raw high-entropy token in a separate local secret store; the hash is only a verifier, and clients still need the original token.

16 35 

17In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.36In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.

18 37 

21Requests include `method`, `params`, and `id`:40Requests include `method`, `params`, and `id`:

22 41 

23```json42```json

24{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.1-codex" } }43{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.4" } }

25```44```

26 45 

27Responses echo the `id` with either `result` or `error`:46Responses echo the `id` with either `result` or `error`:

99 },118 },

100});119});

101send({ method: "initialized", params: {} });120send({ method: "initialized", params: {} });

102send({ method: "thread/start", id: 1, params: { model: "gpt-5.1-codex" } });121send({ method: "thread/start", id: 1, params: { model: "gpt-5.4" } });

103```122```

104 123 

105## Core primitives124## Core primitives

116- **Start (or resume) a thread**: Call `thread/start` for a new conversation, `thread/resume` to continue an existing one, or `thread/fork` to branch history into a new thread id.135- **Start (or resume) a thread**: Call `thread/start` for a new conversation, `thread/resume` to continue an existing one, or `thread/fork` to branch history into a new thread id.

117- **Begin a turn**: Call `turn/start` with the target `threadId` and user input. Optional fields override model, personality, `cwd`, sandbox policy, and more.136- **Begin a turn**: Call `turn/start` with the target `threadId` and user input. Optional fields override model, personality, `cwd`, sandbox policy, and more.

118- **Steer an active turn**: Call `turn/steer` to append user input to the currently in-flight turn without creating a new turn.137- **Steer an active turn**: Call `turn/steer` to append user input to the currently in-flight turn without creating a new turn.

119- **Stream events**: After `turn/start`, keep reading notifications on stdout: `item/started`, `item/completed`, `item/agentMessage/delta`, tool progress, and other updates.138- **Stream events**: After `turn/start`, keep reading notifications on stdout: `thread/archived`, `thread/unarchived`, `item/started`, `item/completed`, `item/agentMessage/delta`, tool progress, and other updates.

120- **Finish the turn**: The server emits `turn/completed` with final status when the model finishes or after a `turn/interrupt` cancellation.139- **Finish the turn**: The server emits `turn/completed` with final status when the model finishes or after a `turn/interrupt` cancellation.

121 140 

122## Initialization141## Initialization

123 142 

124Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.143Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.

125 144 

126The server returns the user agent string it will present to upstream services. Set `clientInfo` to identify your integration.145The server returns the user agent string it will present to upstream services plus `platformFamily` and `platformOs` values that describe the runtime target. Set `clientInfo` to identify your integration.

127 146 

128`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.147`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.

129 148 

159 },178 },

160 "capabilities": {179 "capabilities": {

161 "experimentalApi": true,180 "experimentalApi": true,

162 "optOutNotificationMethods": [181 "optOutNotificationMethods": ["thread/started", "item/agentMessage/delta"]

163 "codex/event/session_configured",

164 "item/agentMessage/delta"

165 ]

166 }182 }

167 }183 }

168}184}

201- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.217- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.

202- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.218- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

203- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.219- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.

204- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history.220- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

205- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters.221- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.

222- `thread/turns/list` - page through a stored thread's turn history without resuming it.

206- `thread/loaded/list` - list the thread ids currently loaded in memory.223- `thread/loaded/list` - list the thread ids currently loaded in memory.

207- `thread/archive` - move a thread’s log file into the archived directory; returns `{}` on success.224- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

208- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread`.225- `thread/goal/set` - set the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/updated`.

226- `thread/goal/get` - read the current goal for a loaded thread (experimental; requires `capabilities.experimentalApi`).

227- `thread/goal/clear` - clear the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/cleared`.

228- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.

229- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

230- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.

231- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

232- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

209- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.233- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

234- `thread/shellCommand` - run a user-initiated shell command against a thread. This runs outside the sandbox with full access and doesn't inherit the thread sandbox policy.

235- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

210- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.236- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

211- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."237- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

238- `thread/inject_items` - append raw Responses API items to a loaded thread's model-visible history without starting a user turn.

212- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.239- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

213- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.240- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

214- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.241- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

215- `command/exec` - run a single command under the server sandbox without starting a thread/turn.242- `command/exec` - run a single command under the server sandbox without starting a thread/turn.

243- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.

244- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

245- `command/exec/terminate` - stop a running `command/exec` session.

246- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.

216- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.247- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

248- `modelProvider/capabilities/read` - read provider capability bounds for model/provider combinations (experimental; requires `capabilities.experimentalApi`).

217- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.249- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

250- `experimentalFeature/enablement/set` - patch in-memory runtime enablement for supported feature keys such as `apps` and `plugins`.

218- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).251- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

219- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).252- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

253- `skills/changed` (notify) - emitted when watched local skill files change.

254- `marketplace/add` - add a remote plugin marketplace and persist it into the user's marketplace config.

255- `marketplace/upgrade` - refresh a configured Git marketplace, or all configured Git marketplaces when you omit the marketplace name.

256- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.

257- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.

258- `plugin/install` - install a plugin from a marketplace path or remote marketplace name.

259- `plugin/uninstall` - uninstall an installed plugin.

220- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.260- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.

221- `skills/config/write` - enable or disable skills by path.261- `skills/config/write` - enable or disable skills by path.

222- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.262- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.

223- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.263- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.

224- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.264- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

225- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination).265- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

226- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id).266- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

267- `mcpServer/tool/call` - call a tool on a thread's configured MCP server.

268- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread.

269- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

270- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

227- `config/read` - fetch the effective configuration on disk after resolving configuration layering.271- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

272- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

273- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home). Supported item types include config, skills, `AGENTS.md`, plugins, MCP server config, subagents, hooks, commands, and sessions; plugin imports emit `externalAgentConfig/import/completed`.

228- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.274- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

229- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.275- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

230- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists and residency requirements (or `null` if you haven’t set any up).276- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

277- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.

278 

279Plugin summaries include a `source` union. Local plugins return

280`{ "type": "local", "path": ... }`, Git-backed marketplace entries return

281`{ "type": "git", "url": ..., "path": ..., "refName": ..., "sha": ... }`,

282and remote catalog entries return `{ "type": "remote" }`. For remote-only

283catalog entries, `PluginMarketplaceEntry.path` can be `null`; pass

284`remoteMarketplaceName` instead of `marketplacePath` when reading or installing

285those plugins.

231 286 

232## Models287## Models

233 288 

239{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }294{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }

240{ "id": 6, "result": {295{ "id": 6, "result": {

241 "data": [{296 "data": [{

242 "id": "gpt-5.2-codex",297 "id": "gpt-5.4",

243 "model": "gpt-5.2-codex",298 "model": "gpt-5.4",

244 "upgrade": "gpt-5.3-codex",299 "displayName": "GPT-5.4",

245 "displayName": "GPT-5.2 Codex",

246 "hidden": false,300 "hidden": false,

247 "defaultReasoningEffort": "medium",301 "defaultReasoningEffort": "medium",

248 "reasoningEffort": [{302 "supportedReasoningEfforts": [{

249 "effort": "low",303 "reasoningEffort": "low",

250 "description": "Lower latency"304 "description": "Lower latency"

251 }],305 }],

252 "inputModalities": ["text", "image"],306 "inputModalities": ["text", "image"],

259 313 

260Each model entry can include:314Each model entry can include:

261 315 

262- `reasoningEffort` - supported effort options for the model.316- `supportedReasoningEfforts` - supported effort options for the model.

263- `defaultReasoningEffort` - suggested default effort for clients.317- `defaultReasoningEffort` - suggested default effort for clients.

264- `upgrade` - optional recommended upgrade model id for migration prompts in clients.318- `upgrade` - optional recommended upgrade model id for migration prompts in clients.

319- `upgradeInfo` - optional upgrade metadata for migration prompts in clients.

265- `hidden` - whether the model is hidden from the default picker list.320- `hidden` - whether the model is hidden from the default picker list.

266- `inputModalities` - supported input types for the model (for example `text`, `image`).321- `inputModalities` - supported input types for the model (for example `text`, `image`).

267- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.322- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.

296## Threads351## Threads

297 352 

298- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.353- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.

299- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.354- `thread/turns/list` pages through a stored thread's turn history without resuming it.

355- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.

300- `thread/loaded/list` returns the thread IDs currently in memory.356- `thread/loaded/list` returns the thread IDs currently in memory.

301- `thread/archive` moves the thread's persisted JSONL log into the archived directory.357- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

358- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.

359- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.

302- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.360- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

303- `thread/compact/start` triggers compaction and returns `{}` immediately.361- `thread/compact/start` triggers compaction and returns `{}` immediately.

304- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.362- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

363- `thread/inject_items` appends raw Responses API items to a loaded thread's model-visible history without starting a user turn.

305 364 

306### Start or resume a thread365### Start or resume a thread

307 366 

309 368 

310```json369```json

311{ "method": "thread/start", "id": 10, "params": {370{ "method": "thread/start", "id": 10, "params": {

312 "model": "gpt-5.1-codex",371 "model": "gpt-5.4",

313 "cwd": "/Users/me/project",372 "cwd": "/Users/me/project",

314 "approvalPolicy": "never",373 "approvalPolicy": "never",

315 "sandbox": "workspaceWrite",374 "sandbox": "workspaceWrite",

316 "personality": "friendly"375 "personality": "friendly",

376 "serviceName": "my_app_server_client"

317} }377} }

318{ "id": 10, "result": {378{ "id": 10, "result": {

319 "thread": {379 "thread": {

320 "id": "thr_123",380 "id": "thr_123",

321 "preview": "",381 "preview": "",

382 "ephemeral": false,

322 "modelProvider": "openai",383 "modelProvider": "openai",

323 "createdAt": 1730910000384 "createdAt": 1730910000

324 }385 }

326{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }387{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }

327```388```

328 389 

390`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration's service name.

391 

329To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:392To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:

330 393 

331```json394```json

333 "threadId": "thr_123",396 "threadId": "thr_123",

334 "personality": "friendly"397 "personality": "friendly"

335} }398} }

336{ "id": 11, "result": { "thread": { "id": "thr_123" } } }399{ "id": 11, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false } } }

337```400```

338 401 

339Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.402Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.

352{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }415{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }

353```416```

354 417 

418When a user-facing thread title has been set, app-server hydrates `thread.name` on `thread/list`, `thread/read`, `thread/resume`, `thread/unarchive`, and `thread/rollback` responses. `thread/start` and `thread/fork` may omit `name` (or return `null`) until a title is set later.

419 

355### Read a stored thread (without resuming)420### Read a stored thread (without resuming)

356 421 

357Use `thread/read` when you want stored thread data but don't want to resume the thread or subscribe to its events.422Use `thread/read` when you want stored thread data but don't want to resume the thread or subscribe to its events.

358 423 

359- `includeTurns` - when `true`, the response includes the thread's turns; when `false` or omitted, you get the thread summary only.424- `includeTurns` - when `true`, the response includes the thread's turns; when `false` or omitted, you get the thread summary only.

425- Returned `thread` objects include runtime `status` (`notLoaded`, `idle`, `systemError`, or `active` with `activeFlags`).

360 426 

361```json427```json

362{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }428{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }

363{ "id": 19, "result": { "thread": { "id": "thr_123", "turns": [] } } }429{ "id": 19, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false, "status": { "type": "notLoaded" }, "turns": [] } } }

364```430```

365 431 

366Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.432Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

367 433 

434### List thread turns

435 

436Use `thread/turns/list` to page a stored thread's turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.

437 

438```json

439{ "method": "thread/turns/list", "id": 20, "params": {

440 "threadId": "thr_123",

441 "limit": 50,

442 "sortDirection": "desc"

443} }

444{ "id": 20, "result": {

445 "data": [],

446 "nextCursor": "older-turns-cursor-or-null",

447 "backwardsCursor": "newer-turns-cursor-or-null"

448} }

449```

450 

368### List threads (with pagination & filters)451### List threads (with pagination & filters)

369 452 

370`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:453`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:

376- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.459- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.

377- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).460- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).

378- `cwd` - restrict results to threads whose session current working directory exactly matches this path.461- `cwd` - restrict results to threads whose session current working directory exactly matches this path.

462- `searchTerm` - search stored thread summaries and metadata before pagination.

379 463 

380`sourceKinds` accepts the following values:464`sourceKinds` accepts the following values:

381 465 

400} }484} }

401{ "id": 20, "result": {485{ "id": 20, "result": {

402 "data": [486 "data": [

403 { "id": "thr_a", "preview": "Create a TUI", "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111 },487 { "id": "thr_a", "preview": "Create a TUI", "ephemeral": false, "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111, "name": "TUI prototype", "status": { "type": "notLoaded" } },

404 { "id": "thr_b", "preview": "Fix tests", "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000 }488 { "id": "thr_b", "preview": "Fix tests", "ephemeral": true, "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000, "status": { "type": "notLoaded" } }

405 ],489 ],

406 "nextCursor": "opaque-token-or-null"490 "nextCursor": "opaque-token-or-null"

407} }491} }

409 493 

410When `nextCursor` is `null`, you have reached the final page.494When `nextCursor` is `null`, you have reached the final page.

411 495 

496### Update stored thread metadata

497 

498Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.

499 

500```json

501{ "method": "thread/metadata/update", "id": 21, "params": {

502 "threadId": "thr_123",

503 "gitInfo": { "branch": "feature/sidebar-pr" }

504} }

505{ "id": 21, "result": {

506 "thread": {

507 "id": "thr_123",

508 "gitInfo": { "sha": null, "branch": "feature/sidebar-pr", "originUrl": null }

509 }

510} }

511```

512 

513### Track thread status changes

514 

515`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

516 

517```json

518{

519 "method": "thread/status/changed",

520 "params": {

521 "threadId": "thr_123",

522 "status": { "type": "active", "activeFlags": ["waitingOnApproval"] }

523 }

524}

525```

526 

412### List loaded threads527### List loaded threads

413 528 

414`thread/loaded/list` returns thread IDs currently loaded in memory.529`thread/loaded/list` returns thread IDs currently loaded in memory.

418{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }533{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }

419```534```

420 535 

536### Unsubscribe from a loaded thread

537 

538`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:

539 

540- `unsubscribed` when the connection was subscribed and is now removed.

541- `notSubscribed` when the connection wasn't subscribed to that thread.

542- `notLoaded` when the thread isn't loaded.

543 

544If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

545 

546```json

547{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

548{ "id": 22, "result": { "status": "unsubscribed" } }

549```

550 

551If the thread later expires:

552 

553```json

554{ "method": "thread/status/changed", "params": {

555 "threadId": "thr_123",

556 "status": { "type": "notLoaded" }

557} }

558{ "method": "thread/closed", "params": { "threadId": "thr_123" } }

559```

560 

421### Archive a thread561### Archive a thread

422 562 

423Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.563Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.

425```json565```json

426{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }566{ "method": "thread/archive", "id": 22, "params": { "threadId": "thr_b" } }

427{ "id": 22, "result": {} }567{ "id": 22, "result": {} }

568{ "method": "thread/archived", "params": { "threadId": "thr_b" } }

428```569```

429 570 

430Archived threads won't appear in future calls to `thread/list` unless you pass `archived: true`.571Archived threads won't appear in future calls to `thread/list` unless you pass `archived: true`.

435 576 

436```json577```json

437{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }578{ "method": "thread/unarchive", "id": 24, "params": { "threadId": "thr_b" } }

438{ "id": 24, "result": { "thread": { "id": "thr_b" } } }579{ "id": 24, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes" } } }

580{ "method": "thread/unarchived", "params": { "threadId": "thr_b" } }

439```581```

440 582 

441### Trigger thread compaction583### Trigger thread compaction

449{ "id": 25, "result": {} }591{ "id": 25, "result": {} }

450```592```

451 593 

594### Run a thread shell command

595 

596Use `thread/shellCommand` for user-initiated shell commands that belong to a thread. The request returns immediately with `{}` while progress streams through standard `turn/*` and `item/*` notifications.

597 

598This API runs outside the sandbox with full access and doesn't inherit the thread sandbox policy. Clients should expose it only for explicit user-initiated commands.

599 

600If the thread already has an active turn, the command runs as an auxiliary action on that turn and its formatted output is injected into the turn's message stream. If the thread is idle, app-server starts a standalone turn for the shell command.

601 

602```json

603{ "method": "thread/shellCommand", "id": 26, "params": { "threadId": "thr_b", "command": "git status --short" } }

604{ "id": 26, "result": {} }

605```

606 

607### Clean background terminals

608 

609Use `thread/backgroundTerminals/clean` to stop all running background terminals associated with a thread. This method is experimental and requires `capabilities.experimentalApi = true`.

610 

611```json

612{ "method": "thread/backgroundTerminals/clean", "id": 27, "params": { "threadId": "thr_b" } }

613{ "id": 27, "result": {} }

614```

615 

616### Roll back recent turns

617 

618Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.

619 

620```json

621{ "method": "thread/rollback", "id": 28, "params": { "threadId": "thr_b", "numTurns": 1 } }

622{ "id": 28, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }

623```

624 

452## Turns625## Turns

453 626 

454The `input` field accepts a list of items:627The `input` field accepts a list of items:

478}651}

479```652```

480 653 

654On macOS, `includePlatformDefaults: true` appends a curated platform-default Seatbelt policy for restricted-read sessions. This improves tool compatibility without broadly allowing all of `/System`.

655 

481Examples:656Examples:

482 657 

483```json658```json

510 "writableRoots": ["/Users/me/project"],685 "writableRoots": ["/Users/me/project"],

511 "networkAccess": true686 "networkAccess": true

512 },687 },

513 "model": "gpt-5.1-codex",688 "model": "gpt-5.4",

514 "effort": "medium",689 "effort": "medium",

515 "summary": "concise",690 "summary": "concise",

516 "personality": "friendly",691 "personality": "friendly",

524{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }699{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }

525```700```

526 701 

702### Inject items into a thread

703 

704Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread's prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.

705 

706```json

707{ "method": "thread/inject_items", "id": 31, "params": {

708 "threadId": "thr_123",

709 "items": [

710 {

711 "type": "message",

712 "role": "assistant",

713 "content": [{ "type": "output_text", "text": "Previously computed context." }]

714 }

715 ]

716} }

717{ "id": 31, "result": {} }

718```

719 

527### Steer an active turn720### Steer an active turn

528 721 

529Use `turn/steer` to append more user input to the active in-flight turn.722Use `turn/steer` to append more user input to the active in-flight turn.

653- The server rejects empty `command` arrays.846- The server rejects empty `command` arrays.

654- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).847- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).

655- When omitted, `timeoutMs` falls back to the server default.848- When omitted, `timeoutMs` falls back to the server default.

849- Set `tty: true` for PTY-backed sessions, and use `processId` when you plan to follow up with `command/exec/write`, `command/exec/resize`, or `command/exec/terminate`.

850- Set `streamStdoutStderr: true` to receive `command/exec/outputDelta` notifications while the command is running.

851 

852### Read admin requirements (`configRequirements/read`)

853 

854Use `configRequirements/read` to inspect the effective admin requirements loaded from `requirements.toml` and/or MDM.

855 

856```json

857{ "method": "configRequirements/read", "id": 52, "params": {} }

858{ "id": 52, "result": {

859 "requirements": {

860 "allowedApprovalPolicies": ["onRequest", "unlessTrusted"],

861 "allowedSandboxModes": ["readOnly", "workspaceWrite"],

862 "featureRequirements": {

863 "personality": true,

864 "unified_exec": false

865 },

866 "network": {

867 "enabled": true,

868 "allowedDomains": ["api.openai.com"],

869 "allowUnixSockets": ["/tmp/example.sock"],

870 "dangerouslyAllowAllUnixSockets": false

871 }

872 }

873} }

874```

875 

876`result.requirements` is `null` when no requirements are configured. See the docs on [`requirements.toml`](https://developers.openai.com/codex/config-reference#requirementstoml) for details on supported keys and values.

877 

878### Windows sandbox setup (`windowsSandbox/setupStart`)

879 

880Custom Windows clients can trigger sandbox setup asynchronously instead of blocking on startup checks.

881 

882```json

883{ "method": "windowsSandbox/setupStart", "id": 53, "params": { "mode": "elevated" } }

884{ "id": 53, "result": { "started": true } }

885```

886 

887App-server starts setup in the background and later emits a completion notification:

888 

889```json

890{

891 "method": "windowsSandbox/setupCompleted",

892 "params": { "mode": "elevated", "success": true, "error": null }

893}

894```

895 

896Modes:

897 

898- `elevated` - run the elevated Windows sandbox setup path.

899- `unelevated` - run the legacy setup/preflight path.

900 

901## Filesystem

902 

903The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.

904 

905```json

906{ "method": "fs/watch", "id": 54, "params": {

907 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

908 "path": "/Users/me/project/.git/HEAD"

909} }

910{ "id": 54, "result": { "path": "/Users/me/project/.git/HEAD" } }

911{ "method": "fs/changed", "params": {

912 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

913 "changedPaths": ["/Users/me/project/.git/HEAD"]

914} }

915{ "method": "fs/unwatch", "id": 55, "params": {

916 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1"

917} }

918{ "id": 55, "result": {} }

919```

920 

921Watching a file emits `fs/changed` for that file path, including updates delivered by replace or rename operations.

656 922 

657## Events923## Events

658 924 

659Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `turn/*`, and `item/*` notifications.925Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

660 926 

661### Notification opt-out927### Notification opt-out

662 928 

664 930 

665- Exact-match only: `item/agentMessage/delta` suppresses only that method.931- Exact-match only: `item/agentMessage/delta` suppresses only that method.

666- Unknown method names are ignored.932- Unknown method names are ignored.

667- Applies to both legacy (`codex/event/*`) and v2 (`thread/*`, `turn/*`, `item/*`, etc.) notifications.933- Applies to the current `thread/*`, `turn/*`, `item/*`, and related v2 notifications.

668- Doesn't apply to requests, responses, or errors.934- Doesn't apply to requests, responses, or errors.

669 935 

670### Fuzzy file search events (experimental)936### Fuzzy file search events (experimental)

674- `fuzzyFileSearch/sessionUpdated` - `{ sessionId, query, files }` with the current matches for the active query.940- `fuzzyFileSearch/sessionUpdated` - `{ sessionId, query, files }` with the current matches for the active query.

675- `fuzzyFileSearch/sessionCompleted` - `{ sessionId }` once indexing and matching for that query completes.941- `fuzzyFileSearch/sessionCompleted` - `{ sessionId }` once indexing and matching for that query completes.

676 942 

943### Windows sandbox setup events

944 

945- `windowsSandbox/setupCompleted` - `{ mode, success, error }` emitted after a `windowsSandbox/setupStart` request finishes.

946 

677### Turn events947### Turn events

678 948 

679- `turn/started` - `{ turn }` with the turn id, empty `items`, and `status: "inProgress"`.949- `turn/started` - `{ turn }` with the turn id, empty `items`, and `status: "inProgress"`.

689`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Common item types include:959`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Common item types include:

690 960 

691- `userMessage` - `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).961- `userMessage` - `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).

692- `agentMessage` - `{id, text}` containing the accumulated agent reply.962- `agentMessage` - `{id, text, phase?}` containing the accumulated agent reply. When present, `phase` uses Responses API wire values (`commentary`, `final_answer`).

693- `plan` - `{id, text}` containing proposed plan text in plan mode. Treat the final `plan` item from `item/completed` as authoritative.963- `plan` - `{id, text}` containing proposed plan text in plan mode. Treat the final `plan` item from `item/completed` as authoritative.

694- `reasoning` - `{id, summary, content}` where `summary` holds streamed reasoning summaries and `content` holds raw reasoning blocks.964- `reasoning` - `{id, summary, content}` where `summary` holds streamed reasoning summaries and `content` holds raw reasoning blocks.

695- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.965- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.

696- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.966- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.

697- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.967- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.

968- `dynamicToolCall` - `{id, tool, arguments, status, contentItems?, success?, durationMs?}` for client-executed dynamic tool invocations.

698- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.969- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.

699- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.970- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.

700- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.971- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.

751Order of messages:1022Order of messages:

752 1023 

7531. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.10241. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.

7542. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, and optional `proposedExecpolicyAmendment`.10252. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, optional `proposedExecpolicyAmendment`, optional `networkApprovalContext`, and optional `availableDecisions`. When `initialize.params.capabilities.experimentalApi = true`, the payload can also include experimental `additionalPermissions` describing requested per-command sandbox access. Any filesystem paths inside `additionalPermissions` are absolute on the wire.

7553. Client responds with one of the command execution approval decisions above.10263. Client responds with one of the command execution approval decisions above.

7564. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.10274. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

10285. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.

1029 

1030When `networkApprovalContext` is present, the prompt is for managed network access (not a general shell-command approval). The current v2 schema exposes the target `host` and `protocol`; clients should render a network-specific prompt and not rely on `command` being a user-meaningful shell command preview.

1031 

1032Codex groups concurrent network approval prompts by destination (`host`, protocol, and port). The app-server may therefore send one prompt that unblocks multiple queued requests to the same destination, while different ports on the same host are treated separately.

757 1033 

758### File change approvals1034### File change approvals

759 1035 

7621. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.10381. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.

7632. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.10392. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.

7643. Client responds with one of the file change approval decisions above.10403. Client responds with one of the file change approval decisions above.

7654. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.10414. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

10425. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.

1043 

1044### `tool/requestUserInput`

1045 

1046When the client responds to `item/tool/requestUserInput`, app-server emits `serverRequest/resolved` with `{ threadId, requestId }`. If the pending request is cleared by turn start, turn completion, or turn interruption before the client answers, the server emits the same notification for that cleanup.

1047 

1048### Dynamic tool calls (experimental)

1049 

1050`dynamicTools` on `thread/start` and the corresponding `item/tool/call` request or response flow are experimental APIs.

1051 

1052When a dynamic tool is invoked during a turn, app-server emits:

1053 

10541. `item/started` with `item.type = "dynamicToolCall"`, `status = "inProgress"`, plus `tool` and `arguments`.

10552. `item/tool/call` as a server request to the client.

10563. The client response payload with returned content items.

10574. `item/completed` with `item.type = "dynamicToolCall"`, the final `status`, and any returned `contentItems` or `success` value.

766 1058 

767### MCP tool-call approvals (apps)1059### MCP tool-call approvals (apps)

768 1060 

769App (connector) tool calls can also require approval. When an app tool call has side effects, the server may elicit approval with `tool/requestUserInput` and options such as **Accept**, **Decline**, and **Cancel**. If the user declines or cancels, the related `mcpToolCall` item completes with an error instead of running the tool.1061App (connector) tool calls can also require approval. When an app tool call has side effects, the server may elicit approval with `tool/requestUserInput` and options such as **Accept**, **Decline**, and **Cancel**. Destructive tool annotations always trigger approval even when the tool also advertises less-privileged hints. If the user declines or cancels, the related `mcpToolCall` item completes with an error instead of running the tool.

770 1062 

771## Skills1063## Skills

772 1064 

848} }1140} }

849```1141```

850 1142 

1143The server also emits `skills/changed` notifications when watched local skill files change. Treat this as an invalidation signal and rerun `skills/list` with your current params when needed.

1144 

851To enable or disable a skill by path:1145To enable or disable a skill by path:

852 1146 

853```json1147```json

863 1157 

864## Apps (connectors)1158## Apps (connectors)

865 1159 

866Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state.1160Use `app/list` to fetch available apps. In the CLI/TUI, `/apps` is the user-facing picker; in custom clients, call `app/list` directly. Each entry includes both `isAccessible` (available to the user) and `isEnabled` (enabled in `config.toml`) so clients can distinguish install/access from local enabled state. App entries can also include optional `branding`, `appMetadata`, and `labels` fields.

867 1161 

868```json1162```json

869{ "method": "app/list", "id": 50, "params": {1163{ "method": "app/list", "id": 50, "params": {

879 "name": "Demo App",1173 "name": "Demo App",

880 "description": "Example connector for documentation.",1174 "description": "Example connector for documentation.",

881 "logoUrl": "https://example.com/demo-app.png",1175 "logoUrl": "https://example.com/demo-app.png",

1176 "logoUrlDark": null,

1177 "distributionChannel": null,

1178 "branding": null,

1179 "appMetadata": null,

1180 "labels": null,

882 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",1181 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",

883 "isAccessible": true,1182 "isAccessible": true,

884 "isEnabled": true1183 "isEnabled": true

904 "name": "Demo App",1203 "name": "Demo App",

905 "description": "Example connector for documentation.",1204 "description": "Example connector for documentation.",

906 "logoUrl": "https://example.com/demo-app.png",1205 "logoUrl": "https://example.com/demo-app.png",

1206 "logoUrlDark": null,

1207 "distributionChannel": null,

1208 "branding": null,

1209 "appMetadata": null,

1210 "labels": null,

907 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",1211 "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",

908 "isAccessible": true,1212 "isAccessible": true,

909 "isEnabled": true1213 "isEnabled": true

936}1240}

937```1241```

938 1242 

1243### Config RPC examples for app settings

1244 

1245Use `config/read`, `config/value/write`, and `config/batchWrite` to inspect or update app controls in `config.toml`.

1246 

1247Read the effective app config shape (including `_default` and per-tool overrides):

1248 

1249```json

1250{ "method": "config/read", "id": 60, "params": { "includeLayers": false } }

1251{ "id": 60, "result": {

1252 "config": {

1253 "apps": {

1254 "_default": {

1255 "enabled": true,

1256 "destructive_enabled": true,

1257 "open_world_enabled": true

1258 },

1259 "google_drive": {

1260 "enabled": true,

1261 "destructive_enabled": false,

1262 "default_tools_approval_mode": "prompt",

1263 "tools": {

1264 "files/delete": { "enabled": false, "approval_mode": "approve" }

1265 }

1266 }

1267 }

1268 }

1269} }

1270```

1271 

1272Update a single app setting:

1273 

1274```json

1275{

1276 "method": "config/value/write",

1277 "id": 61,

1278 "params": {

1279 "keyPath": "apps.google_drive.default_tools_approval_mode",

1280 "value": "prompt",

1281 "mergeStrategy": "replace"

1282 }

1283}

1284```

1285 

1286Apply multiple app edits atomically:

1287 

1288```json

1289{

1290 "method": "config/batchWrite",

1291 "id": 62,

1292 "params": {

1293 "edits": [

1294 {

1295 "keyPath": "apps._default.destructive_enabled",

1296 "value": false,

1297 "mergeStrategy": "upsert"

1298 },

1299 {

1300 "keyPath": "apps.google_drive.tools.files/delete.approval_mode",

1301 "value": "approve",

1302 "mergeStrategy": "upsert"

1303 }

1304 ]

1305 }

1306}

1307```

1308 

1309### Detect and import external agent config

1310 

1311Use `externalAgentConfig/detect` to discover external-agent artifacts that can be migrated, then pass the selected entries to `externalAgentConfig/import`.

1312 

1313Detection example:

1314 

1315```json

1316{ "method": "externalAgentConfig/detect", "id": 63, "params": {

1317 "includeHome": true,

1318 "cwds": ["/Users/me/project"]

1319} }

1320{ "id": 63, "result": {

1321 "items": [

1322 {

1323 "itemType": "AGENTS_MD",

1324 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1325 "cwd": "/Users/me/project"

1326 },

1327 {

1328 "itemType": "SKILLS",

1329 "description": "Copy skill folders from /Users/me/.claude/skills to /Users/me/.agents/skills.",

1330 "cwd": null

1331 }

1332 ]

1333} }

1334```

1335 

1336Import example:

1337 

1338```json

1339{ "method": "externalAgentConfig/import", "id": 64, "params": {

1340 "migrationItems": [

1341 {

1342 "itemType": "AGENTS_MD",

1343 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1344 "cwd": "/Users/me/project"

1345 }

1346 ]

1347} }

1348{ "id": 64, "result": {} }

1349```

1350 

1351When a request includes plugin imports, the server emits `externalAgentConfig/import/completed` after the import finishes. This notification may arrive immediately after the response or after background remote imports complete.

1352 

1353Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, `PLUGINS`,

1354and `MCP_SERVER_CONFIG`. For `PLUGINS` items, `details.plugins` lists each

1355`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection

1356returns only items that still have work to do. For example, Codex skips AGENTS

1357migration when `AGENTS.md` already exists and is non-empty, and skill imports

1358don't overwrite existing skill directories.

1359 

1360When detecting plugins from `.claude/settings.json`, Codex reads configured

1361marketplace sources from `extraKnownMarketplaces`. If `enabledPlugins` contains

1362plugins from `claude-plugins-official` but the marketplace source is missing,

1363Codex infers `anthropics/claude-plugins-official` as the source.

1364 

939## Auth endpoints1365## Auth endpoints

940 1366 

941The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1367The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, inspect ChatGPT rate limits, and notify workspace owners about depleted credits or usage limits.

942 1368 

943### Authentication modes1369### Authentication modes

944 1370 

945Codex supports three authentication modes. `account/updated.authMode` shows the active mode, and `account/read` also reports it.1371Codex supports these authentication modes. `account/updated.authMode` shows the active mode and includes the current ChatGPT `planType` when available. `account/read` also reports account and plan details.

946 1372 

947- **API key (`apikey`)** - the caller supplies an OpenAI API key and Codex stores it for API requests.1373- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.

948- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically.1374- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.

949- **ChatGPT external tokens (`chatgptAuthTokens`)** - a host app supplies `idToken` and `accessToken` directly. Codex stores these tokens in memory, and the host app must refresh them when asked.1375- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user's ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.

950 1376 

951### API overview1377### API overview

952 1378 

953- `account/read` - fetch current account info; optionally refresh tokens.1379- `account/read` - fetch current account info; optionally refresh tokens.

954- `account/login/start` - begin login (`apiKey`, `chatgpt`, or `chatgptAuthTokens`).1380- `account/login/start` - begin login (`apiKey`, `chatgpt`, `chatgptDeviceCode`, or experimental `chatgptAuthTokens`).

955- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).1381- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).

956- `account/login/cancel` - cancel a pending ChatGPT login by `loginId`.1382- `account/login/cancel` - cancel a pending managed ChatGPT login by `loginId`.

957- `account/logout` - sign out; triggers `account/updated`.1383- `account/logout` - sign out; triggers `account/updated`.

958- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`).1384- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.

959- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.1385- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.

960- `account/rateLimits/read` - fetch ChatGPT rate limits.1386- `account/rateLimits/read` - fetch ChatGPT rate limits.

961- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.1387- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.

1388- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.

962- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.1389- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.

1390- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread; payload includes `{ name, status, error }`.

963 1391 

964### 1) Check auth state1392### 1) Check auth state

965 1393 

1031 ```1459 ```

1032 1460 

1033 ```json1461 ```json

1034 { "method": "account/updated", "params": { "authMode": "apikey" } }1462 {

1463 "method": "account/updated",

1464 "params": { "authMode": "apikey", "planType": null }

1465 }

1035 ```1466 ```

1036 1467 

1037### 3) Log in with ChatGPT (browser flow)1468### 3) Log in with ChatGPT (browser flow)

1063 ```1494 ```

1064 1495 

1065 ```json1496 ```json

1066 { "method": "account/updated", "params": { "authMode": "chatgpt" } }1497 {

1498 "method": "account/updated",

1499 "params": { "authMode": "chatgpt", "planType": "plus" }

1500 }

1501 ```

1502 

1503### 3b) Log in with ChatGPT (device-code flow)

1504 

1505Use this flow when your client owns the sign-in ceremony or when a browser callback is brittle.

1506 

15071. Start:

1508 

1509 ```json

1510 {

1511 "method": "account/login/start",

1512 "id": 4,

1513 "params": { "type": "chatgptDeviceCode" }

1514 }

1515 ```

1516 

1517 ```json

1518 {

1519 "id": 4,

1520 "result": {

1521 "type": "chatgptDeviceCode",

1522 "loginId": "<uuid>",

1523 "verificationUrl": "https://auth.openai.com/codex/device",

1524 "userCode": "ABCD-1234"

1525 }

1526 }

1527 ```

15282. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.

15293. Wait for notifications:

1530 

1531 ```json

1532 {

1533 "method": "account/login/completed",

1534 "params": { "loginId": "<uuid>", "success": true, "error": null }

1535 }

1536 ```

1537 

1538 ```json

1539 {

1540 "method": "account/updated",

1541 "params": { "authMode": "chatgpt", "planType": "plus" }

1542 }

1067 ```1543 ```

1068 1544 

1069### 3b) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)1545### 3c) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)

1070 1546 

1071Use this mode when a host application owns the user’s ChatGPT auth lifecycle and supplies tokens directly.1547Use this experimental mode only when a host application owns the user's ChatGPT auth lifecycle and supplies tokens directly. Clients must set `capabilities.experimentalApi = true` during `initialize` before using this login type.

1072 1548 

10731. Send:15491. Send:

1074 1550 

1078 "id": 7,1554 "id": 7,

1079 "params": {1555 "params": {

1080 "type": "chatgptAuthTokens",1556 "type": "chatgptAuthTokens",

1081 "idToken": "<jwt>",1557 "accessToken": "<jwt>",

1082 "accessToken": "<jwt>"1558 "chatgptAccountId": "org-123",

1559 "chatgptPlanType": "business"

1083 }1560 }

1084 }1561 }

1085 ```1562 ```

1100 ```json1577 ```json

1101 {1578 {

1102 "method": "account/updated",1579 "method": "account/updated",

1103 "params": { "authMode": "chatgptAuthTokens" }1580 "params": { "authMode": "chatgptAuthTokens", "planType": "business" }

1104 }1581 }

1105 ```1582 ```

1106 1583 

1112 "id": 8,1589 "id": 8,

1113 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }1590 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }

1114}1591}

1115{ "id": 8, "result": { "idToken": "<jwt>", "accessToken": "<jwt>" } }1592{ "id": 8, "result": { "accessToken": "<jwt>", "chatgptAccountId": "org-123", "chatgptPlanType": "business" } }

1116```1593```

1117 1594 

1118The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.1595The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.

1129```json1606```json

1130{ "method": "account/logout", "id": 5 }1607{ "method": "account/logout", "id": 5 }

1131{ "id": 5, "result": {} }1608{ "id": 5, "result": {} }

1132{ "method": "account/updated", "params": { "authMode": null } }1609{ "method": "account/updated", "params": { "authMode": null, "planType": null } }

1133```1610```

1134 1611 

1135### 6) Rate limits (ChatGPT)1612### 6) Rate limits (ChatGPT)

1141 "limitId": "codex",1618 "limitId": "codex",

1142 "limitName": null,1619 "limitName": null,

1143 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1620 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1144 "secondary": null1621 "secondary": null,

1622 "rateLimitReachedType": null

1145 },1623 },

1146 "rateLimitsByLimitId": {1624 "rateLimitsByLimitId": {

1147 "codex": {1625 "codex": {

1148 "limitId": "codex",1626 "limitId": "codex",

1149 "limitName": null,1627 "limitName": null,

1150 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1628 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1151 "secondary": null1629 "secondary": null,

1630 "rateLimitReachedType": null

1152 },1631 },

1153 "codex_other": {1632 "codex_other": {

1154 "limitId": "codex_other",1633 "limitId": "codex_other",

1155 "limitName": "codex_other",1634 "limitName": "codex_other",

1156 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },1635 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },

1157 "secondary": null1636 "secondary": null,

1637 "rateLimitReachedType": null

1158 }1638 }

1159 }1639 }

1160} }1640} }

1175- `usedPercent` is current usage within the quota window.1655- `usedPercent` is current usage within the quota window.

1176- `windowDurationMins` is the quota window length.1656- `windowDurationMins` is the quota window length.

1177- `resetsAt` is a Unix timestamp (seconds) for the next reset.1657- `resetsAt` is a Unix timestamp (seconds) for the next reset.

1658- `planType` is included when the backend returns the ChatGPT plan associated with a bucket.

1659- `credits` is included when the backend returns remaining workspace credit details.

1660- `rateLimitReachedType` identifies the backend-classified limit state when one has been reached.

1661 

1662### 7) Notify a workspace owner about a limit

1663 

1664Use `account/sendAddCreditsNudgeEmail` to ask ChatGPT to email a workspace owner when credits are depleted or a usage limit has been reached.

1665 

1666```json

1667{ "method": "account/sendAddCreditsNudgeEmail", "id": 7, "params": { "creditType": "credits" } }

1668{ "id": 7, "result": { "status": "sent" } }

1669```

1670 

1671Use `creditType: "credits"` when workspace credits are depleted, or `creditType: "usage_limit"` when the workspace usage limit has been reached. If the owner was already notified recently, the response status is `cooldown_active`.

2 2 

3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.

4 4 

5Automations run locally in the Codex app. The app needs to be running, and the5For project-scoped automations, the app needs to be running, and the selected

6selected project needs to be available on disk.6project needs to be available on disk.

7 7 

8In Git repositories, each automation run starts in a new8In Git repositories, you can choose whether an automation runs in your local

9[worktree](https://developers.openai.com/codex/app/worktrees) so it doesn’t interfere with your main9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the

10checkout. In non-version-controlled projects, automations run directly in the10background. Worktrees keep automation changes separate from unfinished local

11work, while running in your local project can modify files you are still

12working on. In non-version-controlled projects, automations run directly in the

11project directory.13project directory.

12 14 

13![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp)15You can also leave the model and reasoning effort on their default settings, or

16choose them explicitly if you want more control over how the automation runs.

17 

18![Automation creation form with schedule and prompt fields](/images/codex/app/codex-automations-light.webp)

14 19 

15## Managing tasks20## Managing tasks

16 21 

17All automations and their runs can be found in the automations pane inside your Codex app sidebar.22Find all automations and their runs in the automations pane inside your Codex app sidebar.

18 23 

19The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.

20 25 

21When an automation runs in a Git repository, Codex uses a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). In non-version-controlled projects, automations run directly in the project directory. Consider using Git to enable running on background worktrees. You can have the same automation run on multiple projects.26Standalone automations start fresh runs on a schedule and report results in

27Triage. Use them when each run should be independent or when one automation

28should run across one or more projects. If you need a custom cadence, choose a

29custom schedule and enter cron syntax.

30 

31For Git repositories, each automation can run either in your local project or

32on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use

33worktrees when you want to isolate automation changes from unfinished local

34work. Use local mode when you want the automation to work directly in your main

35checkout, keeping in mind that it can change files you are actively editing.

36In non-version-controlled projects, automations run directly in the project

37directory. You can have the same automation run on more than one project.

22 38 

23Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).39Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).

24 40 

25To keep automations maintainable and shareable across teams, you can use [skills](https://developers.openai.com/codex/skills) to define the action and provide tools and context to Codex. You can explicitly trigger a skill as part of an automation by using `$skill-name` inside your automation.41Automations can use the same plugins and skills available to Codex. To keep

42automations maintainable and shareable across teams, use [skills](https://developers.openai.com/codex/skills)

43to define the action and provide tools and context. You can explicitly trigger a

44skill as part of an automation by using `$skill-name` inside your automation.

45 

46## Ask Codex to create or update automations

47 

48You can create and update automations from a regular Codex thread. Describe the

49task, the schedule, and whether the automation should stay attached to the

50current thread or start fresh runs. Codex can draft the automation prompt, choose

51the right automation type, and update it when the scope or cadence changes.

52 

53For example, ask Codex to remind you in this thread while a deployment finishes,

54or ask it to create a standalone automation that checks a project on a recurring

55schedule.

56