OpenAI - Codex Docs Changes

agent-approvals-security.md +254 −0 added

Details

1# Agent approvals & security

3Codex helps protect your code and data and reduces the risk of misuse.

5This page covers how to operate Codex safely, including sandboxing, approvals,

6 and network access. If you are looking for Codex Security, the product for

7 scanning connected GitHub repositories, see [Codex Security](https://developers.openai.com/codex/security).

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

11For a high-level explanation of how sandboxing works across the Codex app, IDE

12extension, and CLI, see [Sandboxing](https://developers.openai.com/codex/concepts/sandboxing).

13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

15## Sandbox and approvals

17Codex security controls come from two layers that work together:

19- **Sandbox mode**: What Codex can do technically (for example, where it can write and whether it can reach the network) when it executes model-generated commands.

20- **Approval policy**: When Codex must ask you before it executes an action (for example, leaving the sandbox, using the network, or running commands outside a trusted set).

22Codex uses different sandbox modes depending on where you run it:

24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.

25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

27In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.

29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

33## Network access [Elevated Risk](https://help.openai.com/articles/20001061)

35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

37For the Codex app, CLI, or IDE Extension, the default `workspace-write` sandbox mode keeps network access turned off unless you enable it in your configuration:

39```toml

40[sandbox_workspace_write]

41network_access = true

42```

44You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

46```toml

47web_search = "cached" # default

48# web_search = "disabled"

49# web_search = "live" # same as --search

50```

52Use caution when enabling network access or web search in Codex. Prompt injection can cause the agent to fetch and follow untrusted instructions.

54## Defaults and recommendations

56- On launch, Codex detects whether the folder is version-controlled and recommends:

57 - Version-controlled folders: `Auto` (workspace write + on-request approvals)

58 - Non-version-controlled folders: `read-only`

59- Depending on your setup, Codex may also start in `read-only` until you explicitly trust the working directory (for example, via an onboarding prompt or `/permissions`).

60- The workspace includes the current directory and temporary directories like `/tmp`. Use the `/status` command to see which directories are in the workspace.

61- To accept the defaults, run `codex`.

62- You can set these explicitly:

63 - `codex --sandbox workspace-write --ask-for-approval on-request`

64 - `codex --sandbox read-only --ask-for-approval on-request`

66### Protected paths in writable roots

68In the default `workspace-write` sandbox policy, writable roots still include protected paths:

70- `<writable_root>/.git` is protected as read-only whether it appears as a directory or file.

71- If `<writable_root>/.git` is a pointer file (`gitdir: ...`), the resolved Git directory path is also protected as read-only.

72- `<writable_root>/.agents` is protected as read-only when it exists as a directory.

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.

76### Run without approval prompts

78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

80This option works with all `--sandbox` modes, so you still control Codex's level of autonomy. Codex makes a best effort within the constraints you set.

82If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

84For a middle ground, `approval_policy = { reject = { ... } }` lets you auto-reject specific approval prompt categories (sandbox escalation, execpolicy-rule prompts, or MCP elicitations) while keeping other prompts interactive.

86### Common sandbox and approval combinations

88| Intent | Flags | Effect |

89| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |

90| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

91| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

92| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |

93| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

94| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |

96`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.

98With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

100#### Configuration in `config.toml`

101

102For the broader configuration workflow, see [Config basics](https://developers.openai.com/codex/config-basic), [Advanced Config](https://developers.openai.com/codex/config-advanced#approval-policies-and-sandbox-modes), and the [Configuration Reference](https://developers.openai.com/codex/config-reference).

103

104```toml

105# Always ask for approval mode

106approval_policy = "untrusted"

107sandbox_mode = "read-only"

108allow_login_shell = false # optional hardening: disallow login shells for shell-based tools

109

110# Optional: Allow network in workspace-write mode

111[sandbox_workspace_write]

112network_access = true

113

114# Optional: granular approval prompt auto-rejection

115# approval_policy = { reject = { sandbox_approval = true, rules = false, mcp_elicitations = false } }

116```

117

118You can also save presets as profiles, then select them with `codex --profile <name>`:

119

120```toml

121[profiles.full_auto]

122approval_policy = "on-request"

123sandbox_mode = "workspace-write"

124

125[profiles.readonly_quiet]

126approval_policy = "never"

127sandbox_mode = "read-only"

128```

129

130### Test the sandbox locally

131

132To see what happens when a command runs under the Codex sandbox, use these Codex CLI commands:

133

134```bash

135# macOS

136codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...

137# Linux

138codex sandbox linux [--full-auto] [COMMAND]...

139```

140

141The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

142

143## OS-level sandbox

144

145Codex enforces the sandbox differently depending on your OS:

146

147- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

148- **Linux** uses `Landlock` plus `seccomp` by default. You can opt into the alternative Linux sandbox pipeline with `features.use_linux_sandbox_bwrap = true` (or `-c use_linux_sandbox_bwrap=true`). In managed proxy mode, the bwrap pipeline routes egress through a proxy-only bridge and fails closed if it cannot build valid loopback proxy routes; landlock-only flows do not use that bridge behavior.

149- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux (WSL)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

150

151If you use the Codex IDE extension on Windows, it supports WSL directly. Set the following in your VS Code settings to keep the agent inside WSL whenever it’s available:

152

153```json

154{

155 "chatgpt.runCodexInWindowsSubsystemForLinux": true

156}

157```

158

159This ensures the IDE extension inherits Linux sandbox semantics for commands, approvals, and filesystem access even when the host OS is Windows. Learn more in the [Windows setup guide](https://developers.openai.com/codex/windows).

160

161When running natively on Windows, configure the native sandbox mode in `config.toml`:

162

163```toml

164[windows]

165sandbox = "unelevated" # or "elevated"

166```

167

168See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

169

170When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.

171

172In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

173

174## Version control

175

176Codex works best with a version control workflow:

177

178- Work on a feature branch and keep `git status` clean before delegating. This keeps Codex patches easier to isolate and revert.

179- Prefer patch-based workflows (for example, `git diff`/`git apply`) over editing tracked files directly. Commit frequently so you can roll back in small increments.

180- Treat Codex suggestions like any other PR: run targeted verification, review diffs, and document decisions in commit messages for auditing.

181

182## Monitoring and telemetry

183

184Codex supports opt-in monitoring via OpenTelemetry (OTel) to help teams audit usage, investigate issues, and meet compliance requirements without weakening local security defaults. Telemetry is off by default; enable it explicitly in your configuration.

185

186### Overview

187

188- Codex turns off OTel export by default to keep local runs self-contained.

189- When enabled, Codex emits structured log events covering conversations, API requests, SSE/WebSocket stream activity, user prompts (redacted by default), tool approval decisions, and tool results.

190- Codex tags exported events with `service.name` (originator), CLI version, and an environment label to separate dev/staging/prod traffic.

191

192### Enable OTel (opt-in)

193

194Add an `[otel]` block to your Codex configuration (typically `~/.codex/config.toml`), choosing an exporter and whether to log prompt text.

195

196```toml

197[otel]

198environment = "staging" # dev | staging | prod

199exporter = "none" # none | otlp-http | otlp-grpc

200log_user_prompt = false # redact prompt text unless policy allows

201```

202

203- `exporter = "none"` leaves instrumentation active but doesn't send data anywhere.

204- To send events to your own collector, pick one of:

205

206```toml

207[otel]

208exporter = { otlp-http = {

209 endpoint = "https://otel.example.com/v1/logs",

210 protocol = "binary",

211 headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }

212}}

213```

214

215```toml

216[otel]

217exporter = { otlp-grpc = {

218 endpoint = "https://otel.example.com:4317",

219 headers = { "x-otlp-meta" = "abc123" }

220}}

221```

222

223Codex batches events and flushes them on shutdown. Codex exports only telemetry produced by its OTel module.

224

225### Event categories

226

227Representative event types include:

228

229- `codex.conversation_starts` (model, reasoning settings, sandbox/approval policy)

230- `codex.api_request` (attempt, status/success, duration, and error details)

231- `codex.sse_event` (stream event kind, success/failure, duration, plus token counts on `response.completed`)

232- `codex.websocket_request` and `codex.websocket_event` (request duration plus per-message kind/success/error)

233- `codex.user_prompt` (length; content redacted unless explicitly enabled)

234- `codex.tool_decision` (approved/denied, source: configuration vs. user)

235- `codex.tool_result` (duration, success, output snippet)

236

237Associated OTel metrics (counter plus duration histogram pairs) include `codex.api_request`, `codex.sse_event`, `codex.websocket.request`, `codex.websocket.event`, and `codex.tool.call` (with corresponding `.duration_ms` instruments).

238

239For the full event catalog and configuration reference, see the [Codex configuration documentation on GitHub](https://github.com/openai/codex/blob/main/docs/config.md#otel).

240

241### Security and privacy guidance

242

243- Keep `log_user_prompt = false` unless policy explicitly permits storing prompt contents. Prompts can include source code and sensitive data.

244- Route telemetry only to collectors you control; apply retention limits and access controls aligned with your compliance requirements.

245- Treat tool arguments and outputs as sensitive. Favor redaction at the collector or SIEM when possible.

246- Review local data retention settings (for example, `history.persistence` / `history.max_bytes`) if you don't want Codex to save session transcripts under `CODEX_HOME`. See [Advanced Config](https://developers.openai.com/codex/config-advanced#history-persistence) and [Configuration Reference](https://developers.openai.com/codex/config-reference).

247- If you run the CLI with network access turned off, OTel export can't reach your collector. To export, allow network access in `workspace-write` mode for the OTel endpoint, or export from Codex cloud with the collector domain on your approved list.

248- Review events periodically for approval/sandbox changes and unexpected tool executions.

249

250OTel is optional and designed to complement, not replace, the sandbox and approval protections described above.

251

252## Managed configuration

253

254Enterprise admins can configure Codex security settings for their workspace in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration). See that page for setup and policy details.

app.md +5 −2

Details

4 4

5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).

6 6

7![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)

7![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)

8 10

9## Getting started11## Getting started

12 14

131. Download and install the Codex app151. Download and install the Codex app

14 16

~~15 The Codex app is currently only available for macOS.~~17 Download the Codex app for Windows or macOS.

16 18

17 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)19 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)

18 20

~~19 [Get notified for Windows and Linux](https://openai.com/form/codex-app/)~~21 [Get notified for Linux](https://openai.com/form/codex-app/)

202. Open Codex and sign in222. Open Codex and sign in

21 23

22 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.24 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

39- Find and fix bugs in my codebase with minimal, high-confidence changes.41- Find and fix bugs in my codebase with minimal, high-confidence changes.

40 42

41 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).43 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).

44 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

42 45

43---46---

44 47

app-server.md +122 −19

Details

205- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.205- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.

206- `thread/loaded/list` - list the thread ids currently loaded in memory.206- `thread/loaded/list` - list the thread ids currently loaded in memory.

207- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.207- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

208- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.

208- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.209- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

209- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.210- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

210- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.211- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

227- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.228- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

228- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).229- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

229- `config/read` - fetch the effective configuration on disk after resolving configuration layering.230- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

231- `externalAgentConfig/detect` - detect migratable external-agent artifacts with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

232- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).

230- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.233- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

231- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.234- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

232- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists and residency requirements (or `null` if you haven’t set any up).235- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

233 236

234## Models237## Models

235 238

241{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }244{ "method": "model/list", "id": 6, "params": { "limit": 20, "includeHidden": false } }

242{ "id": 6, "result": {245{ "id": 6, "result": {

243 "data": [{246 "data": [{

244 "id": "gpt-5.2-codex",247 "id": "gpt-5.4",

245 "model": "gpt-5.2-codex",248 "model": "gpt-5.4",

246 "upgrade": "gpt-5.3-codex",249 "displayName": "GPT-5.4",

247 "displayName": "GPT-5.2 Codex",

248 "hidden": false,250 "hidden": false,

249 "defaultReasoningEffort": "medium",251 "defaultReasoningEffort": "medium",

250 "reasoningEffort": [{252 "supportedReasoningEfforts": [{

251 "effort": "low",253 "reasoningEffort": "low",

252 "description": "Lower latency"254 "description": "Lower latency"

253 }],255 }],

254 "inputModalities": ["text", "image"],256 "inputModalities": ["text", "image"],

261 263

262Each model entry can include:264Each model entry can include:

263 265

264- `reasoningEffort` - supported effort options for the model.266- `supportedReasoningEfforts` - supported effort options for the model.

265- `defaultReasoningEffort` - suggested default effort for clients.267- `defaultReasoningEffort` - suggested default effort for clients.

266- `upgrade` - optional recommended upgrade model id for migration prompts in clients.268- `upgrade` - optional recommended upgrade model id for migration prompts in clients.

269- `upgradeInfo` - optional upgrade metadata for migration prompts in clients.

267- `hidden` - whether the model is hidden from the default picker list.270- `hidden` - whether the model is hidden from the default picker list.

268- `inputModalities` - supported input types for the model (for example `text`, `image`).271- `inputModalities` - supported input types for the model (for example `text`, `image`).

269- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.272- `supportsPersonality` - whether the model supports personality-specific instructions such as `/personality`.

301- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.304- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.

302- `thread/loaded/list` returns the thread IDs currently in memory.305- `thread/loaded/list` returns the thread IDs currently in memory.

303- `thread/archive` moves the thread's persisted JSONL log into the archived directory.306- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

307- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.

304- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.308- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

305- `thread/compact/start` triggers compaction and returns `{}` immediately.309- `thread/compact/start` triggers compaction and returns `{}` immediately.

306- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.310- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

315 "cwd": "/Users/me/project",319 "cwd": "/Users/me/project",

316 "approvalPolicy": "never",320 "approvalPolicy": "never",

317 "sandbox": "workspaceWrite",321 "sandbox": "workspaceWrite",

318 "personality": "friendly"322 "personality": "friendly",

323 "serviceName": "my_app_server_client"

319} }324} }

320{ "id": 10, "result": {325{ "id": 10, "result": {

321 "thread": {326 "thread": {

322 "id": "thr_123",327 "id": "thr_123",

323 "preview": "",328 "preview": "",

329 "ephemeral": false,

324 "modelProvider": "openai",330 "modelProvider": "openai",

325 "createdAt": 1730910000331 "createdAt": 1730910000

326 }332 }

328{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }334{ "method": "thread/started", "params": { "thread": { "id": "thr_123" } } }

329```335```

330 336

337`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration's service name.

338

331To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:339To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:

332 340

333```json341```json

335 "threadId": "thr_123",343 "threadId": "thr_123",

336 "personality": "friendly"344 "personality": "friendly"

337} }345} }

338{ "id": 11, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes" } } }346{ "id": 11, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false } } }

339```347```

340 348

341Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.349Resuming a thread doesn't update `thread.updatedAt` (or the rollout file's modified time) by itself. The timestamp updates when you start a turn.

365 373

366```json374```json

367{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }375{ "method": "thread/read", "id": 19, "params": { "threadId": "thr_123", "includeTurns": true } }

368{ "id": 19, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "status": { "type": "notLoaded" }, "turns": [] } } }376{ "id": 19, "result": { "thread": { "id": "thr_123", "name": "Bug bash notes", "ephemeral": false, "status": { "type": "notLoaded" }, "turns": [] } } }

369```377```

370 378

371Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.379Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

405} }413} }

406{ "id": 20, "result": {414{ "id": 20, "result": {

407 "data": [415 "data": [

408 { "id": "thr_a", "preview": "Create a TUI", "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111, "name": "TUI prototype", "status": { "type": "notLoaded" } },416 { "id": "thr_a", "preview": "Create a TUI", "ephemeral": false, "modelProvider": "openai", "createdAt": 1730831111, "updatedAt": 1730831111, "name": "TUI prototype", "status": { "type": "notLoaded" } },

409 { "id": "thr_b", "preview": "Fix tests", "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000, "status": { "type": "notLoaded" } }417 { "id": "thr_b", "preview": "Fix tests", "ephemeral": true, "modelProvider": "openai", "createdAt": 1730750000, "updatedAt": 1730750000, "status": { "type": "notLoaded" } }

410 ],418 ],

411 "nextCursor": "opaque-token-or-null"419 "nextCursor": "opaque-token-or-null"

412} }420} }

437{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }445{ "id": 21, "result": { "data": ["thr_123", "thr_456"] } }

438```446```

439 447

448### Unsubscribe from a loaded thread

449

450`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:

451

452- `unsubscribed` when the connection was subscribed and is now removed.

453- `notSubscribed` when the connection was not subscribed to that thread.

454- `notLoaded` when the thread is not loaded.

455

456If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

457

458```json

459{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

460{ "id": 22, "result": { "status": "unsubscribed" } }

461{ "method": "thread/status/changed", "params": {

462 "threadId": "thr_123",

463 "status": { "type": "notLoaded" }

464} }

465{ "method": "thread/closed", "params": { "threadId": "thr_123" } }

466```

467

440### Archive a thread468### Archive a thread

441 469

442Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.470Use `thread/archive` to move the persisted thread log (stored as a JSONL file on disk) into the archived sessions directory.

470{ "id": 25, "result": {} }498{ "id": 25, "result": {} }

471```499```

472 500

501### Roll back recent turns

502

503Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.

504

505```json

506{ "method": "thread/rollback", "id": 26, "params": { "threadId": "thr_b", "numTurns": 1 } }

507{ "id": 26, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }

508```

509

473## Turns510## Turns

474 511

475The `input` field accepts a list of items:512The `input` field accepts a list of items:

687 "requirements": {724 "requirements": {

688 "allowedApprovalPolicies": ["onRequest", "unlessTrusted"],725 "allowedApprovalPolicies": ["onRequest", "unlessTrusted"],

689 "allowedSandboxModes": ["readOnly", "workspaceWrite"],726 "allowedSandboxModes": ["readOnly", "workspaceWrite"],

727 "featureRequirements": {

728 "personality": true,

729 "unified_exec": false

730 },

690 "network": {731 "network": {

691 "enabled": true,732 "enabled": true,

692 "allowedDomains": ["api.openai.com"],733 "allowedDomains": ["api.openai.com"],

697} }738} }

698```739```

699 740

700`result.requirements` is `null` when no requirements are configured. When present, the optional `network` object carries managed proxy constraints (domain rules, proxy settings, and unix-socket policy).741`result.requirements` is `null` when no requirements are configured. See the docs on [`requirements.toml`](https://developers.openai.com/codex/config-reference#requirementstoml) for details on supported keys and values.

701 742

702### Windows sandbox setup (`windowsSandbox/setupStart`)743### Windows sandbox setup (`windowsSandbox/setupStart`)

703 744

724 765

725## Events766## Events

726 767

727Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/status/changed`, `turn/*`, and `item/*` notifications.768Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

728 769

729### Notification opt-out770### Notification opt-out

730 771

767- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.808- `commandExecution` - `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}`.

768- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.809- `fileChange` - `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}`.

769- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.810- `mcpToolCall` - `{id, server, tool, status, arguments, result?, error?}`.

811- `dynamicToolCall` - `{id, tool, arguments, status, contentItems?, success?, durationMs?}` for client-executed dynamic tool invocations.

770- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.812- `collabToolCall` - `{id, tool, status, senderThreadId, receiverThreadId?, newThreadId?, prompt?, agentStatus?}`.

771- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.813- `webSearch` - `{id, query, action?}` for web search requests issued by the agent.

772- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.814- `imageView` - `{id, path}` emitted when the agent invokes the image viewer tool.

823Order of messages:865Order of messages:

824 866

8251. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.8671. `item/started` shows the pending `commandExecution` item with `command`, `cwd`, and other fields.

8262. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, optional `proposedExecpolicyAmendment`, and optional `networkApprovalContext`.8682. `item/commandExecution/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, optional `command`, optional `cwd`, optional `commandActions`, optional `proposedExecpolicyAmendment`, optional `networkApprovalContext`, and optional `availableDecisions`. When `initialize.params.capabilities.experimentalApi = true`, the payload can also include experimental `additionalPermissions` describing requested per-command sandbox access. Any filesystem paths inside `additionalPermissions` are absolute on the wire.

8273. Client responds with one of the command execution approval decisions above.8693. Client responds with one of the command execution approval decisions above.

8284. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.8704. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

8715. `item/completed` returns the final `commandExecution` item with `status: completed | failed | declined`.

829 872

830When `networkApprovalContext` is present, the prompt is for managed network access (not a general shell-command approval). The current v2 schema exposes the target `host` and `protocol`; clients should render a network-specific prompt and not rely on `command` being a user-meaningful shell command preview.873When `networkApprovalContext` is present, the prompt is for managed network access (not a general shell-command approval). The current v2 schema exposes the target `host` and `protocol`; clients should render a network-specific prompt and not rely on `command` being a user-meaningful shell command preview.

831 874

832Codex deduplicates concurrent network approval prompts by destination (`host`, protocol, and port). The app-server may therefore send one prompt that unblocks multiple queued requests to the same destination, while different ports on the same host are treated separately.875Codex groups concurrent network approval prompts by destination (`host`, protocol, and port). The app-server may therefore send one prompt that unblocks multiple queued requests to the same destination, while different ports on the same host are treated separately.

833 876

834### File change approvals877### File change approvals

835 878

8381. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.8811. `item/started` emits a `fileChange` item with proposed `changes` and `status: "inProgress"`.

8392. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.8822. `item/fileChange/requestApproval` includes `itemId`, `threadId`, `turnId`, optional `reason`, and optional `grantRoot`.

8403. Client responds with one of the file change approval decisions above.8833. Client responds with one of the file change approval decisions above.

8414. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.8844. `serverRequest/resolved` confirms that the pending request has been answered or cleared.

8855. `item/completed` returns the final `fileChange` item with `status: completed | failed | declined`.

886

887### `tool/requestUserInput`

888

889When the client responds to `item/tool/requestUserInput`, app-server emits `serverRequest/resolved` with `{ threadId, requestId }`. If the pending request is cleared by turn start, turn completion, or turn interruption before the client answers, the server emits the same notification for that cleanup.

890

891### Dynamic tool calls (experimental)

892

893`dynamicTools` on `thread/start` and the corresponding `item/tool/call` request or response flow are experimental APIs.

894

895When a dynamic tool is invoked during a turn, app-server emits:

896

8971. `item/started` with `item.type = "dynamicToolCall"`, `status = "inProgress"`, plus `tool` and `arguments`.

8982. `item/tool/call` as a server request to the client.

8993. The client response payload with returned content items.

9004. `item/completed` with `item.type = "dynamicToolCall"`, the final `status`, and any returned `contentItems` or `success` value.

842 901

843### MCP tool-call approvals (apps)902### MCP tool-call approvals (apps)

844 903

1088}1147}

1089```1148```

1090 1149

1150### Detect and import external agent config

1151

1152Use `externalAgentConfig/detect` to discover migratable external-agent artifacts, then pass the selected entries to `externalAgentConfig/import`.

1153

1154Detection example:

1155

1156```json

1157{ "method": "externalAgentConfig/detect", "id": 63, "params": {

1158 "includeHome": true,

1159 "cwds": ["/Users/me/project"]

1160} }

1161{ "id": 63, "result": {

1162 "items": [

1163 {

1164 "itemType": "AGENTS_MD",

1165 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1166 "cwd": "/Users/me/project"

1167 },

1168 {

1169 "itemType": "SKILLS",

1170 "description": "Copy skill folders from /Users/me/.claude/skills to /Users/me/.agents/skills.",

1171 "cwd": null

1172 }

1173 ]

1174} }

1175```

1176

1177Import example:

1178

1179```json

1180{ "method": "externalAgentConfig/import", "id": 64, "params": {

1181 "migrationItems": [

1182 {

1183 "itemType": "AGENTS_MD",

1184 "description": "Import /Users/me/project/CLAUDE.md to /Users/me/project/AGENTS.md.",

1185 "cwd": "/Users/me/project"

1186 }

1187 ]

1188} }

1189{ "id": 64, "result": {} }

1190```

1191

1192Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, and `MCP_SERVER_CONFIG`. Detection returns only items that still have work to do. For example, AGENTS migration is skipped when `AGENTS.md` already exists and is non-empty, and skill imports do not overwrite existing skill directories.

1193

1091## Auth endpoints1194## Auth endpoints

1092 1195

1093The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1196The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.

app/automations.md +23 −12

Details

2 2

3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.

4 4

~~5Automations run locally in the Codex app. The app needs to be running, and the~~5Automations run in the background in the Codex app. The app needs to be

~~6selected project needs to be available on disk.~~6running, and the selected project needs to be available on disk.

7 7

~~8In Git repositories, each automation run starts in a new~~8In Git repositories, you can choose whether an automation runs in your local

~~9[worktree](https://developers.openai.com/codex/app/worktrees) so it doesn’t interfere with your main~~9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the

~~10checkout. In non-version-controlled projects, automations run directly in the~~10background. Worktrees keep automation changes separate from unfinished local

11work, while running in your local project can modify files you are still

12working on. In non-version-controlled projects, automations run directly in the

11project directory.13project directory.

12 14

~~13![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp)~~15You can also leave the model and reasoning effort on their default settings, or

16choose them explicitly if you want more control over how the automation runs.

18![Automation creation form with schedule and prompt fields](/images/codex/app/codex-automations-light.webp)

14 19

15## Managing tasks20## Managing tasks

16 21

18 23

19The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.

20 25

21When an automation runs in a Git repository, Codex uses a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). In non-version-controlled projects, automations run directly in the project directory. Consider using Git to enable running on background worktrees. You can have the same automation run on multiple projects.26For Git repositories, each automation can run either in your local project or

27on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use

28worktrees when you want to isolate automation changes from unfinished local

29work. Use local mode when you want the automation to work directly in your main

30checkout, keeping in mind that it can modify files you are actively editing.

31In non-version-controlled projects, automations run directly in the project

32directory. You can have the same automation run on multiple projects.

22 33

23Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).34Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).

24 35

30first. This helps you confirm:41first. This helps you confirm:

31 42

32- The prompt is clear and scoped correctly.43- The prompt is clear and scoped correctly.

~~33- The selected model and tools behave as expected.~~44- The selected or default model, reasoning effort, and tools behave as expected.

34- The resulting diff is reviewable.45- The resulting diff is reviewable.

35 46

36When you start scheduling runs, review the first few outputs closely and adjust47When you start scheduling runs, review the first few outputs closely and adjust

38 49

39## Worktree cleanup for automations50## Worktree cleanup for automations

40 51

~~41For Git repositories, automations run in worktrees. Frequent schedules can~~52If you choose worktrees for Git repositories, frequent schedules can create

~~42create many worktrees over time. Archive automation runs you no longer need,~~53many worktrees over time. Archive automation runs you no longer need, and avoid

~~43and avoid pinning runs unless you intend to keep their worktrees.~~54pinning runs unless you intend to keep their worktrees.

44 55

45## Permissions and security model56## Permissions and security model

46 57

app/commands.md +18 −0

Details

48| `/review` | Start code review mode to review uncommitted changes or compare against a base branch. |48| `/review` | Start code review mode to review uncommitted changes or compare against a base branch. |

49| `/status` | Show the thread ID, context usage, and rate limits. |49| `/status` | Show the thread ID, context usage, and rate limits. |

50 50

51## Deeplinks

53The Codex app registers the `codex://` URL scheme so links can open specific parts of the app directly.

55| Deeplink | Opens | Supported query parameters |

56| --- | --- | --- |

57| `codex://settings` | Settings. | None. |

58| `codex://skills` | Skills. | None. |

59| `codex://automations` | Inbox in automation create mode. | None. |

60| `codex://threads/<thread-id>` | A local thread. `<thread-id>` must be a UUID. | None. |

61| `codex://new` | A new thread. | Optional: `prompt`, `originUrl`, `path`. |

63For new-thread deeplinks:

65- `prompt` prefills the composer.

66- `path` must be an absolute path to a local directory and, when valid, makes that directory the active workspace for the new thread.

67- `originUrl` tries to match one of your current workspace roots by Git remote URL. If both `path` and `originUrl` are present, Codex resolves `path` first.

51## See also69## See also

52 70

53- [Features](https://developers.openai.com/codex/app/features)71- [Features](https://developers.openai.com/codex/app/features)

app/features.md +18 −4

Details

14session in a specific directory.14session in a specific directory.

15 15

16If you work in a single repository with two or more apps or packages, split16If you work in a single repository with two or more apps or packages, split

~~17distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/security)~~17distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/agent-approvals-security)

18only includes the files for that project.18only includes the files for that project.

19 19

20![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp)20![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp)

85pressing <kbd>Cmd</kbd>+<kbd>J</kbd>.85pressing <kbd>Cmd</kbd>+<kbd>J</kbd>.

86 86

87Use the terminal to validate changes, run scripts, and perform Git operations87Use the terminal to validate changes, run scripts, and perform Git operations

~~88without leaving the app.~~88without leaving the app. Codex can also read the current terminal output, so

89it can check the status of a running development server or refer back to a

90failed build while it works with you.

89 91

90Common tasks include:92Common tasks include:

91 93

101 103

102![Integrated terminal drawer open beneath a Codex thread](/images/codex/app/integrated-terminal-light.webp)104![Integrated terminal drawer open beneath a Codex thread](/images/codex/app/integrated-terminal-light.webp)

103 105

106## Native Windows sandbox

107

108On Windows, Codex can run natively in PowerShell with a native Windows sandbox

109instead of requiring WSL or a virtual machine. This lets you stay in

110Windows-native workflows while keeping bounded permissions in place.

111

112[Learn more about Windows setup and sandboxing](https://developers.openai.com/codex/app/windows).

113

114![Codex app Windows sandbox setup prompt above the message composer](/images/codex/windows/windows-sandbox-setup.webp)

115

104## Voice dictation116## Voice dictation

105 117

106Use your voice to prompt Codex. Hold <kbd>Ctrl</kbd>+<kbd>M</kbd> while the composer is visible and start talking. Your voice will be transcribed. Edit the transcribed prompt or hit send to have Codex start work.118Use your voice to prompt Codex. Hold <kbd>Ctrl</kbd>+<kbd>M</kbd> while the composer is visible and start talking. Your voice will be transcribed. Edit the transcribed prompt or hit send to have Codex start work.

152opening separate projects or using worktrees rather than asking Codex to roam164opening separate projects or using worktrees rather than asking Codex to roam

153outside the project root.165outside the project root.

154 166

155For details on how Codex handles sandboxing, check out the [security documentation](https://developers.openai.com/codex/security).167For a high-level overview, see [Sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For

168configuration details, see the

169[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).

156 170

157## MCP support171## MCP support

158 172

165 179

166Codex ships with a first-party web search tool. For local tasks in the Codex IDE Extension, Codex180Codex ships with a first-party web search tool. For local tasks in the Codex IDE Extension, Codex

167enables web search by default and serves results from a web search cache. If you configure your181enables web search by default and serves results from a web search cache. If you configure your

168sandbox for [full access](https://developers.openai.com/codex/security), web search defaults to live results. See182sandbox for [full access](https://developers.openai.com/codex/agent-approvals-security), web search defaults to live results. See

169[Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the183[Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the

170most recent data.184most recent data.

171 185

app/settings.md +9 −6

Details

10require <kbd>Cmd</kbd>+<kbd>Enter</kbd> for multiline prompts or prevent sleep while a10require <kbd>Cmd</kbd>+<kbd>Enter</kbd> for multiline prompts or prevent sleep while a

11thread runs.11thread runs.

12 12

~~13## Appearance~~

~~15Pick a theme, decide whether the window is solid, and adjust UI or code fonts. Font~~

~~16choices apply across the app, including the diff review panel and terminal.~~

18## Notifications13## Notifications

19 14

20Choose when turn completion notifications appear, and whether the app should prompt for15Choose when turn completion notifications appear, and whether the app should prompt for

24 19

25Codex agents in the app inherit the same configuration as the IDE and CLI extension.20Codex agents in the app inherit the same configuration as the IDE and CLI extension.

26Use the in-app controls for common settings, or edit `config.toml` for advanced21Use the in-app controls for common settings, or edit `config.toml` for advanced

~~27options. See [Codex security](https://developers.openai.com/codex/security) and~~22options. See [Codex security](https://developers.openai.com/codex/agent-approvals-security) and

28[config basics](https://developers.openai.com/codex/config-basic) for more detail.23[config basics](https://developers.openai.com/codex/config-basic) for more detail.

29 24

25## Appearance

27In **Settings**, you can change the Codex app appearance by choosing a base theme,

28adjusting accent, background, and foreground colors, and changing the UI and code

29fonts. You can also share your custom theme with friends.

31![Codex app Appearance settings showing theme selection, color controls, and font options](/images/codex/app/theme-selection-light.webp)

30## Git33## Git

31 34

32Use Git settings to standardize branch naming and choose whether Codex uses force35Use Git settings to standardize branch naming and choose whether Codex uses force

app/troubleshooting.md +4 −2

Details

32### Only some threads appear in the sidebar32### Only some threads appear in the sidebar

33 33

34The sidebar allows filtering of threads depending on the state of a project. If34The sidebar allows filtering of threads depending on the state of a project. If

~~35you’re missing threads, check whether you have any filters applied by clicking~~35you're missing threads, click the filter icon next to the **Threads** label and

~~36the filter icon next to the **Threads** label.~~36switch to Chronological. If you still don't see the thread, open

37[Settings](codex://settings) and check the archived chats or archived threads

38section.

37 39

38### Code doesn't run on a worktree40### Code doesn't run on a worktree

39 41

app/windows.md +214 −0 added

Details

1# Windows

3The [Codex app for Windows](https://apps.microsoft.com/detail/9plm9xgg6vks?hl=en-US&gl=US) gives you one interface for

4working across projects, running parallel agent threads, and reviewing results.

5It runs natively on Windows using PowerShell and the

6[Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox), or you can configure it to

7run in [Windows Subsystem for Linux (WSL)](#windows-subsystem-for-linux-wsl).

9![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)

11## Download and update the Codex app

13Download the Codex app from the

14[Microsoft Store](https://apps.microsoft.com/detail/9plm9xgg6vks?hl=en-US&gl=US).

16Then follow the [quickstart](https://developers.openai.com/codex/quickstart?setup=app) to get started.

18To update the app, open the Microsoft Store, go to **Downloads**, and click

19**Check for updates**. The Store installs the latest version afterward.

21For enterprises, administrators can deploy the app with Microsoft Store app

22distribution through enterprise management tools.

24If you prefer a command-line install path, or need an alternative to opening

25the Microsoft Store UI, run:

27```powershell

28winget install Codex -s msstore

29```

31## Native sandbox

33The Codex app on Windows supports a native [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) when the agent runs in PowerShell, and uses Linux sandboxing when you run the agent in [Windows Subsystem for Linux (WSL)](#windows-subsystem-for-linux-wsl). To apply sandbox protections in either mode, set sandbox permissions to **Default permissions** in the Composer before sending messages to Codex.

35Running Codex in full access mode means Codex is not limited to your project

36 directory and might perform unintentional destructive actions that can lead to

37 data loss. Keep sandbox boundaries in place and use [rules](https://developers.openai.com/codex/rules) for

38 targeted exceptions, or set your [approval policy to

39 never](https://developers.openai.com/codex/agent-approvals-security#run-without-approval-prompts) to have

40 Codex attempt to solve problems without asking for escalated permissions,

41 based on your [approval and security setup](https://developers.openai.com/codex/agent-approvals-security).

43## Customize for your dev setup

45### Preferred editor

47Choose a default app for **Open**, such as Visual Studio, VS Code, or another

48editor. You can override that choice per project. If you already picked a

49different app from the **Open** menu for a project, that project-specific

50choice takes precedence.

52![Codex app settings showing the default Open In app on Windows](/images/codex/windows/open-in-windows-light.webp)

54### Integrated terminal

56You can also choose the default integrated terminal. Depending on what you have

57installed, options include:

59- PowerShell

60- Command Prompt

61- Git Bash

62- WSL

64This change applies only to new terminal sessions. If you already have an

65integrated terminal open, restart the app or start a new thread before

66expecting the new default terminal to appear.

68![Codex app settings showing the integrated terminal selection on Windows](/images/codex/windows/integrated-shell-light.webp)

70## Windows Subsystem for Linux (WSL)

72By default, the Codex app uses the Windows-native agent. That means the agent

73runs commands in PowerShell. The app can still work with projects that live in

74Windows Subsystem for Linux (WSL) by using the `wsl` CLI when needed.

76If you want to add a project from the WSL filesystem, click **Add new project**

77or press <kbd>Ctrl</kbd>+<kbd>O</kbd>, then type `\\wsl$\` into the File

78Explorer window. From there, choose your Linux distribution and the folder you

79want to open.

81If you plan to keep using the Windows-native agent, prefer storing projects on

82your Windows filesystem and accessing them from WSL through

83`/mnt/<drive>/...`. This setup is more reliable than opening projects

84directly from the WSL filesystem.

86If you want the agent itself to run in WSL, open **[Settings](codex://settings)**,

87switch the agent from Windows native to WSL, and **restart the app**. The

88change doesn't take effect until you restart. Your projects should remain in

89place after restart.

91![Codex app settings showing the agent selector with Windows native and WSL options](/images/codex/windows/wsl-select-light.webp)

93You configure the integrated terminal independently from the agent. See

94[Customize for your dev setup](#customize-for-your-dev-setup) for the

95terminal options. You can keep the agent in WSL and still use PowerShell in the

96terminal, or use WSL for both, depending on your workflow.

98## Useful developer tools

100Codex works best when a few common developer tools are already installed:

101

102- **Git**: Powers the review panel in the Codex app and lets you inspect or

103 revert changes.

104- **Node.js**: A common tool that the agent uses to perform tasks more

105 efficiently.

106- **Python**: A common tool that the agent uses to perform tasks more

107 efficiently.

108- **.NET SDK**: Useful when you want to build native Windows apps.

109- **GitHub CLI**: Powers GitHub-specific functionality in the Codex app.

110

111Install them with the default Windows package manager `winget` by pasting this

112into the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or

113asking Codex to install them:

114

115```powershell

116winget install --id Git.Git

117winget install --id OpenJS.NodeJS.LTS

118winget install --id Python.Python.3.14

119winget install --id Microsoft.DotNet.SDK.10

120winget install --id GitHub.cli

121```

122

123After installing GitHub CLI, run `gh auth login` to enable GitHub features in

124the app.

125

126If you need a different Python or .NET version, change the package IDs to the

127version you want.

128

129## Troubleshooting and FAQ

130

131### Run commands with elevated permissions

132

133If you need Codex to run commands with elevated permissions, start the Codex app

134itself as an administrator. After installation, open the Start menu, find

135Codex, and choose Run as administrator. The Codex agent inherits that

136permission level.

137

138### PowerShell execution policy blocks commands

139

140If you have never used tools such as Node.js or `npm` in PowerShell before, the

141Codex agent or integrated terminal may hit execution policy errors.

142

143This can also happen if Codex creates PowerShell scripts for you. In that case,

144you may need a less restrictive execution policy before PowerShell will run

145them.

146

147An error may look something like this:

148

149```text

150npm.ps1 cannot be loaded because running scripts is disabled on this system.

151```

152

153A common fix is to set the execution policy to `RemoteSigned`:

154

155```powershell

156Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

157```

158

159For details and other options, check Microsoft's

160[execution policy guide](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies)

161before changing the policy.

162

163### Local environment scripts on Windows

164

165If your [local environment](https://developers.openai.com/codex/app/local-environments) uses cross-platform

166commands such as `npm` scripts, you can keep one shared setup script or

167set of actions for every platform.

168

169If you need Windows-specific behavior, create Windows-specific setup scripts or

170Windows-specific actions.

171

172Actions run in the environment used by your integrated terminal. See

173[Customize for your dev setup](#customize-for-your-dev-setup).

174

175Local setup scripts run in the agent environment: WSL if the agent uses WSL,

176and PowerShell otherwise.

177

178### Share config, auth, and sessions with WSL

179

180The Windows app uses the same Codex home directory as native Codex on Windows:

181`%USERPROFILE%\.codex`.

182

183If you also run the Codex CLI inside WSL, the CLI uses the Linux home

184directory by default, so it does not automatically share configuration, cached

185auth, or session history with the Windows app.

186

187To share them, use one of these approaches:

188

189- Sync WSL `~/.codex` with `%USERPROFILE%\.codex` on your file system.

190- Point WSL at the Windows Codex home directory by setting `CODEX_HOME`:

191

192```bash

193export CODEX_HOME=/mnt/c/Users/<windows-user>/.codex

194```

195

196If you want that setting in every shell, add it to your WSL shell profile, such

197as `~/.bashrc` or `~/.zshrc`.

198

199### Git features are unavailable

200

201If you don't have Git installed natively on Windows, the app can't use some

202features. Install it with `winget install Git.Git` from PowerShell or `cmd.exe`.

203

204### Git isn't detected for projects opened from `\\wsl$`

205

206For now, if you want to use the Windows-native agent with a project that is

207also accessible from WSL, the most reliable workaround is to store the project

208on the native Windows drive and access it in WSL through `/mnt/<drive>/...`.

209

210### Cmder is not listed in the open dialog

211

212If Cmder is installed but doesn’t show in Codex’s open dialog, add it to the

213Windows Start Menu: right-click Cmder and choose **Add to Start**, then restart

214Codex or reboot.

app/worktrees.md +45 −43

Details

1# Worktrees1# Worktrees

2 2

3In the Codex app, worktrees let Codex run multiple independent tasks in the same project without interfering with each other. For Git repositories, [automations](https://developers.openai.com/codex/app/automations) run on dedicated background worktrees so they don’t conflict with your ongoing work. In non-version-controlled projects, automations run directly in the project directory. You can also start threads on a worktree manually.3In the Codex app, worktrees let Codex run multiple independent tasks in the same project without interfering with each other. For Git repositories, [automations](https://developers.openai.com/codex/app/automations) run on dedicated background worktrees so they don't conflict with your ongoing work. In non-version-controlled projects, automations run directly in the project directory. You can also start threads on a worktree manually, and use Handoff to move a thread between Local and Worktree.

4 4

5## What's a worktree5## What's a worktree

6 6

10 10

11- **Local checkout**: The repository that you created. Sometimes just referred to as **Local** in the Codex app.11- **Local checkout**: The repository that you created. Sometimes just referred to as **Local** in the Codex app.

12- **Worktree**: A [Git worktree](https://git-scm.com/docs/git-worktree) that was created from your local checkout in the Codex app.12- **Worktree**: A [Git worktree](https://git-scm.com/docs/git-worktree) that was created from your local checkout in the Codex app.

13- **Handoff**: The flow that moves a thread between Local and Worktree. Codex handles the Git operations required to move your work safely between them.

13 14

14## Why use a worktree15## Why use a worktree

15 16

~~161. Work in parallel with Codex without breaking each other as you work.~~171. Work in parallel with Codex without disturbing your current Local setup.

~~172. Start a thread unrelated to your current work~~182. Queue up background work while you stay focused on the foreground.

~~18 - Staging area to queue up work you want Codex to start but aren’t ready to test yet.~~193. Move a thread into Local later when you're ready to inspect, test, or collaborate more directly.

19 20

20## Getting started21## Getting started

21 22

313. Submit your prompt323. Submit your prompt

32 33

33 Submit your task and Codex will create a Git worktree based on the branch you selected. By default, Codex works in a ["detached HEAD"](https://git-scm.com/docs/git-checkout#_detached_head).34 Submit your task and Codex will create a Git worktree based on the branch you selected. By default, Codex works in a ["detached HEAD"](https://git-scm.com/docs/git-checkout#_detached_head).

~~344. Verify your changes~~354. Choose where to keep working

35 36

~~36 When you’re ready, follow one of the paths [below](#verifying-and-pushing-workflow-changes)~~37 When you’re ready, you can either keep working directly on the worktree or hand the thread off to your local checkout. Handing off to or from local will move your thread *and* code so you can continue in the other checkout.

~~37 based on your project and flow.~~

38 38

~~39## Verifying and pushing workflow changes~~39## Working between Local and Worktree

40 40

41Worktrees look and feel much like your local checkout. But **Git only allows a branch to be checked out in one place at a time**. If you check out a branch on a worktree, you **can’t** check it out in your local checkout at the same time, and vice versa.41Worktrees look and feel much like your local checkout. The difference is where they fit into your flow. You can think of Local as the foreground and Worktree as the background. Handoff lets you move a thread between them.

42 42

~~43Because of this, choose how you want to verify and commit changes Codex made on a worktree:~~43Under the hood, Handoff handles the Git operations required to move work between two checkouts safely. This matters because **Git only allows a branch to be checked out in one place at a time**. If you check out a branch on a worktree, you **can't** check it out in your local checkout at the same time, and vice versa.

45In practice, there are two common paths:

44 46

451. [Work exclusively on the worktree](#option-1-working-on-the-worktree). This path works best when you can verify changes directly on the worktree, for example because you have dependencies and tools installed using a [local environment setup script](https://developers.openai.com/codex/app/local-environments).471. [Work exclusively on the worktree](#option-1-working-on-the-worktree). This path works best when you can verify changes directly on the worktree, for example because you have dependencies and tools installed using a [local environment setup script](https://developers.openai.com/codex/app/local-environments).

462. [Work in your local checkout](#option-2-working-in-your-local-checkout). Use this when you need to bring changes back into your main checkout, for example because you can run only one instance of your app.482. [Hand the thread off to Local](#option-2-handing-a-thread-off-to-local). Use this when you want to bring the thread into the foreground, for example because you want to inspect changes in your usual IDE or can run only one instance of your app.

47 49

48### Option 1: Working on the worktree50### Option 1: Working on the worktree

49 51

57 59

58Remember, if you create a branch on a worktree, you can't check it out in any other worktree, including your local checkout.60Remember, if you create a branch on a worktree, you can't check it out in any other worktree, including your local checkout.

59 61

~~60If you plan to keep working on this branch, you can [add it to the sidebar](#adding-a-worktree-to-the-sidebar). Otherwise, archive the thread after you’re done so the worktree can be deleted.~~62### Option 2: Handing a thread off to Local

~~62### Option 2: Working in your local checkout~~

63 63

~~64If you don’t want to verify your changes directly on the worktree and instead check them out on your local checkout, click **Sync with local** in the header of your thread.~~64If you want to bring a thread into the foreground, click **Hand off** in the header of your thread and move it to **Local**.

65 65

~~66You will be presented with the option of creating a new branch or syncing to an existing branch.~~66This path works well when you want to read the changes in your usual IDE window, run your existing development server, or validate the work in the same environment you already use day to day.

67 67

~~68You can sync with local at any point. To do so, click **Sync with local** in the header again. From here, you can choose which direction to sync (to local or from local) and a sync method:~~68Codex handles the Git steps required to move the thread safely between the worktree and your local checkout.

69 69

~~70- **Overwrite**: Makes the destination checkout match the source checkout’s files and commit history.~~70Each thread keeps the same associated worktree over time. If you hand the thread back to a worktree later, Codex returns it to that same background environment so you can pick up where you left off.

71- **Apply**: Calculates the source changes since the nearest shared commit and applies that patch onto the destination checkout, preserving destination commit history while bringing over source code changes (not source commits).

72 71

~~73![Sync worktree dialog with options to apply or pull changes](/images/codex/app/sync-worktree-light.webp)~~72![Handoff dialog moving a thread from a worktree to Local](/images/codex/app/handoff-light.webp)

74 73

~~75You can create multiple worktrees and sync them to the same feature branch to split up your work into parallel threads.~~74You can also go the other direction. If you're already working in Local and want to free up the foreground, use **Hand off** to move the thread to a worktree. This is useful when you want Codex to keep working in the background while you switch your attention back to something else locally.

76 75

77In some cases, changes on your worktree might conflict with changes on your local checkout, for example from testing a previous worktree. In those cases, you can use the **Overwrite local** option to reset the previous changes and cleanly apply your worktree changes.76Since Handoff uses Git operations, any files that are part of your `.gitignore` file won't move with the thread.

78 77

~~79Since this process uses Git operations, any files that are part of the `.gitignore` file won’t be transferred during the sync process.~~78## Advanced details

80 79

~~81## Adding a worktree to the sidebar~~80### Codex-managed and permanent worktrees

82 81

83If you choose option one above (work on the worktree), once you have created a branch on the worktree, an option appears in the header to add the worktree to your sidebar. This promotes the worktree to a permanent home. When you do this, it will never be automatically deleted, and you can even kick off new threads from the same worktree.82By default, threads use a Codex-managed worktree. These are meant to feel lightweight and disposable. A Codex-managed worktree is typically dedicated to one thread, and Codex returns that thread to the same worktree if you hand it back there later.

84 83

~~85## Advanced details~~84If you want a long-lived environment, create a permanent worktree from the three-dot menu on a project in the sidebar. This creates a new permanent worktree as its own project. Permanent worktrees are not automatically deleted, and you can start multiple threads from the same worktree.

86 85

87### How Codex manages worktrees for you86### How Codex manages worktrees for you

88 87

89Codex will create a worktree in `$CODEX_HOME/worktrees`. The starting commit will be the `HEAD` commit of the branch selected when you start your thread. If you chose a branch with local changes, the uncommitted changes will be applied to the worktree as well. The worktree will *not* be checked out as a branch. It will be in a [detached HEAD](https://git-scm.com/docs/git-checkout#_detached_head) state. This means you can create several worktrees without polluting your branches.88Codex creates worktrees in `$CODEX_HOME/worktrees`. The starting commit will be the `HEAD` commit of the branch selected when you start your thread. If you chose a branch with local changes, the uncommitted changes will be applied to the worktree as well. The worktree will *not* be checked out as a branch. It will be in a [detached HEAD](https://git-scm.com/docs/git-checkout#_detached_head) state. This lets Codex create several worktrees without polluting your branches.

90 89

91### Branch limitations90### Branch limitations

92 91

98 97

99To resolve this, you would need to check out another branch instead of `feature/a` on the worktree.98To resolve this, you would need to check out another branch instead of `feature/a` on the worktree.

100 99

101If you plan on checking out the branch locally, try Workflow 2 ([sync with local](#option-2-working-in-your-local-checkout)).100If you plan on checking out the branch locally, use Handoff to move the thread into Local instead of trying to keep the same branch checked out in both places at once.

102 101

103Why this limitation exists102Why this limitation exists

104 103

112 111

113Worktrees can take up a lot of disk space. Each one has its own set of repository files, dependencies, build caches, etc. As a result, the Codex app tries to keep the number of worktrees to a reasonable limit.112Worktrees can take up a lot of disk space. Each one has its own set of repository files, dependencies, build caches, etc. As a result, the Codex app tries to keep the number of worktrees to a reasonable limit.

114 113

115Worktrees will never be cleaned up if:114By default, Codex keeps your most recent 15 Codex-managed worktrees. You can change this limit or turn off automatic deletion in settings if you prefer to manage disk usage yourself.

116 115

117- A pinned conversation is tied to it116Codex tries to avoid deleting worktrees that are still important. Codex-managed worktrees won't be deleted automatically if:

118- The worktree was added to the sidebar (see above)

119 117

120Worktrees are eligible for cleanup when:118- A pinned conversation is tied to it

119- The thread is still in progress

120- The worktree is a permanent worktree

121 121

122- It’s more than 4 days old122Codex-managed worktrees are deleted automatically when:

123- You have more than 10 worktrees

124 123

125When either of those conditions are met, Codex automatically cleans up a worktree when you archive a thread, or on app startup if it finds a worktree with no associated threads.124- You archive the associated thread

125- Codex needs to delete older worktrees to stay within your configured limit

126 126

127Before cleaning up a worktree, Codex will save a snapshot of the work on it that you can restore at any point in a new worktree. If you open a conversation after its worktree was cleaned up, you’ll see the option to restore it.127Before deleting a Codex-managed worktree, Codex saves a snapshot of the work on it. If you open a conversation after its worktree was deleted, you'll see the option to restore it.

128 128

129## Frequently asked questions129## Frequently asked questions

130 130

133 Not today. Codex creates worktrees under `$CODEX_HOME/worktrees` so it can133 Not today. Codex creates worktrees under `$CODEX_HOME/worktrees` so it can

134 manage them consistently.134 manage them consistently.

135 135

136Can I move a session between worktrees?136Can I move a thread between Local and Worktree?

137 137

138Not yet. If you need to change environments, you have to start a new thread in138 Yes. Use **Hand off** in the thread header to move a thread between your local

139the target environment and restate the prompt. You can use the up arrow keys139 checkout and a worktree. Codex handles the Git operations needed to move the

140in the composer to try to recover your prompt.140 thread safely between environments. If you hand a thread back to a worktree

141 later, Codex returns it to the same associated worktree.

141 142

142What happens to threads if a worktree is deleted?143What happens to threads if a worktree is deleted?

143 144

144 Threads can remain in your history even if the underlying worktree directory145 Threads can remain in your history even if the underlying worktree directory

145is cleaned up. However, Codex saves a snapshot of the worktree prior to146 is deleted. For Codex-managed worktrees, Codex saves a snapshot before

146cleaning it up and offers to restore it if you reopen the thread associated147 deleting the worktree and offers to restore it if you reopen the associated

147with it.148 thread. Permanent worktrees are not automatically deleted when you archive

149 their threads.

auth.md +12 −2

Details

26 26

27OpenAI bills API key usage through your OpenAI Platform account at standard API rates. See the [API pricing page](https://openai.com/api/pricing/).27OpenAI bills API key usage through your OpenAI Platform account at standard API rates. See the [API pricing page](https://openai.com/api/pricing/).

28 28

~~29Recommendation is to use API key authentication for programmatic Codex CLI workflows (for example CI/CD jobs). Do not expose Codex execution in untrusted or publicly triggerable environments.~~29Features that rely on ChatGPT credits, such as [fast mode](https://developers.openai.com/codex/speed), are

30available only when you sign in with ChatGPT. If you sign in with an API key,

31Codex uses standard API pricing instead.

33Recommendation is to use API key authentication for programmatic Codex CLI workflows (for example CI/CD jobs). Don't expose Codex execution in untrusted or public environments.

30 34

31## Secure your Codex cloud account35## Secure your Codex cloud account

32 36

85 89

86If the active credentials don't match the configured restrictions, Codex logs the user out and exits.90If the active credentials don't match the configured restrictions, Codex logs the user out and exits.

87 91

~~88These settings are commonly applied via managed configuration rather than per-user setup. See [Managed configuration](https://developers.openai.com/codex/security#managed-configuration).~~92These settings are commonly applied via managed configuration rather than per-user setup. See [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).

89 93

90## Login on headless devices94## Login on headless devices

91 95

141docker cp ~/.codex/auth.json MY_CONTAINER:"$CONTAINER_HOME/.codex/auth.json"145docker cp ~/.codex/auth.json MY_CONTAINER:"$CONTAINER_HOME/.codex/auth.json"

142```146```

143 147

148For a more advanced version of this same pattern on trusted CI/CD runners, see

149[Maintain Codex account auth in CI/CD (advanced)](https://developers.openai.com/codex/auth/ci-cd-auth).

150That guide explains how to let Codex refresh `auth.json` during normal runs and

151then keep the updated file for the next job. API keys are still the recommended

152default for automation.

153

144### Fallback: Forward the localhost callback over SSH154### Fallback: Forward the localhost callback over SSH

145 155

146If you can forward ports between your local machine and the remote host, you can use the standard browser-based flow by tunneling Codex's local callback server (default `localhost:1455`).156If you can forward ports between your local machine and the remote host, you can use the standard browser-based flow by tunneling Codex's local callback server (default `localhost:1455`).

auth/ci-cd-auth.md +277 −0 added

Details

1# Maintain Codex account auth in CI/CD (advanced)

3This guide shows how to keep ChatGPT-managed Codex auth working on a trusted

4CI/CD runner without calling the OAuth token endpoint yourself.

6The right way to authenticate automation is with an API key. Use this guide

7only if you specifically need to run the workflow as your Codex account.

9The pattern is:

111. Create `auth.json` once on a trusted machine with `codex login`.

122. Put that file on the runner.

133. Run Codex normally.

144. Let Codex refresh the session when it becomes stale.

155. Keep the refreshed `auth.json` for the next run.

17This is an advanced workflow for enterprise and other trusted private

18automation. API keys are still the recommended option for most CI/CD jobs.

20Treat `~/.codex/auth.json` like a password: it contains access tokens. Don't

21 commit it, paste it into tickets, or share it in chat. Do not use this

22 workflow for public or open-source repositories.

24## Why this works

26Codex already knows how to refresh a ChatGPT-managed session.

28As of the current open-source client:

30- Codex loads the local auth cache from `auth.json`

31- if `last_refresh` is older than about 8 days, Codex refreshes the token

32 bundle before the run continues

33- after a successful refresh, Codex writes the new tokens and a new

34 `last_refresh` back to `auth.json`

35- if a request gets a `401`, Codex also has a built-in refresh-and-retry path

37That means the supported CI/CD strategy is not "call the refresh API yourself."

38It is "run Codex and persist the updated `auth.json`."

40## When to use this

42Use this guide only when all of the following are true:

44- you need ChatGPT-managed Codex auth rather than an API key

45- `codex login` cannot run on the remote runner

46- the runner is trusted private infrastructure

47- you can preserve the refreshed `auth.json` between runs

48- only one machine or serialized job stream will use a given `auth.json` copy

50This guide applies to Codex-managed ChatGPT auth (`auth_mode: "chatgpt"`).

52It does not apply to:

54- API key auth

55- external-token host integrations (`auth_mode: "chatgptAuthTokens"`)

56- generic OAuth clients outside Codex

58If your credentials are stored in the OS keyring, switch to file-backed storage

59first. See [Credential storage](https://developers.openai.com/codex/auth#credential-storage).

61## Seed `auth.json` once

63On a trusted machine where browser login is possible:

651. Configure Codex to store credentials in a file:

67```toml

68cli_auth_credentials_store = "file"

69```

712. Run:

73```bash

74codex login

75```

773. Verify the file looks like managed ChatGPT auth:

79```bash

80AUTH_FILE="${CODEX_HOME:-$HOME/.codex}/auth.json"

82jq '{

83 auth_mode,

84 has_tokens: (.tokens != null),

85 has_refresh_token: ((.tokens.refresh_token // "") != ""),

86 last_refresh

87}' "$AUTH_FILE"

88```

90Continue only if:

92- `auth_mode` is `"chatgpt"`

93- `has_refresh_token` is `true`

95Then place the contents of `auth.json` into your CI/CD secret manager or copy

96it to a trusted persistent runner.

98## Recommended pattern: GitHub Actions on a self-hosted runner

100The simplest fully automated setup is a self-hosted GitHub Actions runner with a

101persistent `CODEX_HOME`.

102

103Why this pattern works well:

104

105- the runner can keep `auth.json` on disk between jobs

106- Codex can refresh the file in place

107- later jobs automatically pick up the refreshed tokens

108- you only need the original secret for bootstrap or reseeding

109

110The critical detail is to seed `auth.json` only if it is missing. If you

111rewrite the file from the original secret on every run, you throw away the

112refreshed tokens that Codex just wrote.

113

114Example scheduled workflow:

115

116```yaml

117name: Keep Codex auth fresh

118

119on:

120 schedule:

121 - cron: "0 9 * * 1"

122 workflow_dispatch:

123

124jobs:

125 keep-codex-auth-fresh:

126 runs-on: self-hosted

127 steps:

128 - name: Bootstrap auth.json if needed

129 shell: bash

130 env:

131 CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_JSON }}

132 run: |

133 export CODEX_HOME="${CODEX_HOME:-$HOME/.codex}"

134 mkdir -p "$CODEX_HOME"

135 chmod 700 "$CODEX_HOME"

136

137 if [ ! -f "$CODEX_HOME/auth.json" ]; then

138 printf '%s' "$CODEX_AUTH_JSON" > "$CODEX_HOME/auth.json"

139 chmod 600 "$CODEX_HOME/auth.json"

140 fi

141

142 - name: Run Codex

143 shell: bash

144 run: |

145 codex exec --json "Reply with the single word OK." >/dev/null

146```

147

148What this does:

149

150- the first run seeds `auth.json`

151- later runs reuse the same file

152- once the cached session is old enough, Codex refreshes it during the normal

153 `codex exec` step

154- the refreshed file remains on disk for the next workflow run

155

156A weekly schedule is usually enough because Codex treats the session as stale

157after roughly 8 days in the current open-source client.

158

159## Ephemeral runners: restore, run Codex, persist the updated file

160

161If you use GitHub-hosted runners, GitLab shared runners, or any other ephemeral

162environment, the runner filesystem disappears after each job. In that setup,

163you need a round-trip:

164

1651. restore the current `auth.json` from secure storage

1662. run Codex

1673. write the updated `auth.json` back to secure storage

168

169Generic GitHub Actions shape:

170

171```yaml

172name: Run Codex with managed auth

173

174on:

175 workflow_dispatch:

176

177jobs:

178 codex-job:

179 runs-on: ubuntu-latest

180 steps:

181 - name: Restore auth.json

182 shell: bash

183 run: |

184 export CODEX_HOME="${CODEX_HOME:-$HOME/.codex}"

185 mkdir -p "$CODEX_HOME"

186 chmod 700 "$CODEX_HOME"

187

188 # Replace this with your secret manager or secure storage command.

189 my-secret-cli read codex-auth-json > "$CODEX_HOME/auth.json"

190 chmod 600 "$CODEX_HOME/auth.json"

191

192 - name: Run Codex

193 shell: bash

194 run: |

195 codex exec --json "summarize the failing tests"

196

197 - name: Persist refreshed auth.json

198 if: always()

199 shell: bash

200 run: |

201 # Replace this with your secret manager or secure storage command.

202 my-secret-cli write codex-auth-json < "$CODEX_HOME/auth.json"

203```

204

205The key requirement is that the write-back step stores the refreshed file that

206Codex produced during the run, not the original seed.

207

208## You do not need a separate refresh command

209

210Any normal Codex run can refresh the session.

211

212That means you have two good options:

213

214- let your existing CI/CD Codex job refresh the file naturally

215- add a lightweight scheduled maintenance job, like the GitHub Actions example

216 above, if your real jobs do not run often enough

217

218The first Codex run after the session becomes stale is the one that refreshes

219`auth.json`.

220

221## Operational rules that matter

222

223- Use one `auth.json` per runner or per serialized workflow stream.

224- Do not share the same file across concurrent jobs or multiple machines.

225- Do not overwrite a persistent runner's refreshed file from the original seed

226 on every run.

227- Do not store `auth.json` in the repository, logs, or public artifact storage.

228- Reseed from a trusted machine if built-in refresh stops working.

229

230## What to do when refresh stops working

231

232This flow reduces manual work, but it does not guarantee the same session lasts

233forever.

234

235Reseed the runner with a fresh `auth.json` if:

236

237- Codex starts returning `401` and the runner can no longer refresh

238- the refresh token was revoked or expired

239- another machine or concurrent job rotated the token first

240- your secure-storage round trip failed and an old file was restored

241

242To reseed:

243

2441. Run `codex login` on a trusted machine.

2452. Replace the stored CI/CD copy of `auth.json`.

2463. Let the next runner job continue using Codex's built-in refresh flow.

247

248## Verify that the runner is maintaining the session

249

250Check that the runner still has managed auth tokens and that `last_refresh`

251exists:

252

253```bash

254AUTH_FILE="${CODEX_HOME:-$HOME/.codex}/auth.json"

255

256jq '{

257 auth_mode,

258 last_refresh,

259 has_access_token: ((.tokens.access_token // "") != ""),

260 has_id_token: ((.tokens.id_token // "") != ""),

261 has_refresh_token: ((.tokens.refresh_token // "") != "")

262}' "$AUTH_FILE"

263```

264

265If your runner is persistent, you should see the same file continue to exist

266between runs. If your runner is ephemeral, confirm that your write-back step is

267storing the updated file from the last job.

268

269## Source references

270

271If you want to verify this behavior in the open-source client:

272

273- [`codex-rs/core/src/auth.rs`](https://github.com/openai/codex/blob/main/codex-rs/core/src/auth.rs)

274 covers stale-token detection, automatic refresh, refresh-on-401 recovery, and

275 persistence of refreshed tokens

276- [`codex-rs/core/src/auth/storage.rs`](https://github.com/openai/codex/blob/main/codex-rs/core/src/auth/storage.rs)

277 covers file-backed `auth.json` storage

cli.md +6 −4

Details

3Codex CLI is OpenAI's coding agent that you can run locally from your terminal. It can read, change, and run code on your machine in the selected directory.3Codex CLI is OpenAI's coding agent that you can run locally from your terminal. It can read, change, and run code on your machine in the selected directory.

4It's [open source](https://github.com/openai/codex) and built in Rust for speed and efficiency.4It's [open source](https://github.com/openai/codex) and built in Rust for speed and efficiency.

5 5

~~6Codex is included with ChatGPT Plus, Pro, Business, Edu, and Enterprise plans. Learn more about [what’s included](https://developers.openai.com/codex/pricing).~~6ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).

7 7

8## CLI setup8## CLI setup

9 9

47experimental. For the best Windows experience, use Codex in a WSL workspace47experimental. For the best Windows experience, use Codex in a WSL workspace

48and follow our [Windows setup guide](https://developers.openai.com/codex/windows).48and follow our [Windows setup guide](https://developers.openai.com/codex/windows).

49 49

50If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

50---52---

51 53

52## Work with the Codex CLI54## Work with the Codex CLI

55 57

56Run `codex` to start an interactive terminal UI (TUI) session.](https://developers.openai.com/codex/cli/features#running-in-interactive-mode)[### Control model and reasoning58Run `codex` to start an interactive terminal UI (TUI) session.](https://developers.openai.com/codex/cli/features#running-in-interactive-mode)[### Control model and reasoning

57 59

~~58Use `/model` to switch between GPT-5.3-Codex and other available models, or adjust reasoning levels.](https://developers.openai.com/codex/cli/features#models-reasoning)[### Image inputs~~60Use `/model` to switch between GPT-5.4, GPT-5.3-Codex, and other available models, or adjust reasoning levels.](https://developers.openai.com/codex/cli/features#models-reasoning)[### Image inputs

59 61

60Attach screenshots or design specs so Codex reads them alongside your prompt.](https://developers.openai.com/codex/cli/features#image-inputs)[### Run local code review62Attach screenshots or design specs so Codex reads them alongside your prompt.](https://developers.openai.com/codex/cli/features#image-inputs)[### Run local code review

61 63

~~62Get your code reviewed by a separate Codex agent before you commit or push your changes.](https://developers.openai.com/codex/cli/features#running-local-code-review)[### Use multi-agent~~64Get your code reviewed by a separate Codex agent before you commit or push your changes.](https://developers.openai.com/codex/cli/features#running-local-code-review)[### Use subagents

63 65

~~64Enable experimental multi-agent collaboration and parallelize complex tasks.](https://developers.openai.com/codex/multi-agent)[### Web search~~66Use subagents to parallelize complex tasks.](https://developers.openai.com/codex/subagents)[### Web search

65 67

66Use Codex to search the web and get up-to-date information for your task.](https://developers.openai.com/codex/cli/features#web-search)[### Codex Cloud tasks68Use Codex to search the web and get up-to-date information for your task.](https://developers.openai.com/codex/cli/features#web-search)[### Codex Cloud tasks

67 69

cli/features.md +13 −7

Details

20 20

21- Send prompts, code snippets, or screenshots (see [image inputs](#image-inputs)) directly into the composer.21- Send prompts, code snippets, or screenshots (see [image inputs](#image-inputs)) directly into the composer.

22- Watch Codex explain its plan before making a change, and approve or reject steps inline.22- Watch Codex explain its plan before making a change, and approve or reject steps inline.

~~23- Read syntax-highlighted markdown code blocks and diffs in the TUI, then use `/theme` to preview and save a preferred color theme.~~23- Read syntax-highlighted markdown code blocks and diffs in the TUI, then use `/theme` to preview and save a preferred theme.

24- Use `/clear` to wipe the terminal and start a fresh chat, or press <kbd>Ctrl</kbd>+<kbd>L</kbd> to clear the screen without starting a new conversation.

25- Use `/copy` to copy the latest completed Codex output. If a turn is still running, Codex copies the most recent finished output instead of in-progress text.

24- Navigate draft history in the composer with <kbd>Up</kbd>/<kbd>Down</kbd>; Codex restores prior draft text and image placeholders.26- Navigate draft history in the composer with <kbd>Up</kbd>/<kbd>Down</kbd>; Codex restores prior draft text and image placeholders.

25- Press <kbd>Ctrl</kbd>+<kbd>C</kbd> or use `/exit` to close the interactive session when you're done.27- Press <kbd>Ctrl</kbd>+<kbd>C</kbd> or use `/exit` to close the interactive session when you're done.

26 28

44 46

45## Models and reasoning47## Models and reasoning

46 48

47For most coding tasks in Codex, `gpt-5.3-codex` is the go-to model. It’s available for ChatGPT-authenticated Codex sessions in the Codex app, CLI, IDE extension, and Codex Cloud. For extra fast tasks, ChatGPT Pro subscribers have access to the GPT-5.3-Codex-Spark model in research preview.49For most tasks in Codex, `gpt-5.4` is the recommended model. It brings the industry-leading coding capabilities of `gpt-5.3-codex` to OpenAI’s flagship frontier model, combining frontier coding performance with stronger reasoning, native computer use, and broader professional workflows. For extra fast tasks, ChatGPT Pro subscribers have access to the GPT-5.3-Codex-Spark model in research preview.

48 50

~~49Switch models mid-session with the /model command, or specify one when launching the CLI.~~51Switch models mid-session with the `/model` command, or specify one when launching the CLI.

50 52

51```bash53```bash

~~52codex --model gpt-5.3-codex~~54codex --model gpt-5.4

53```55```

54 56

55[Learn more about the models available in Codex](https://developers.openai.com/codex/models).57[Learn more about the models available in Codex](https://developers.openai.com/codex/models).

66 68

67`codex features enable <feature>` and `codex features disable <feature>` write to `~/.codex/config.toml`. If you launch Codex with `--profile`, Codex stores the change in that profile rather than the root configuration.69`codex features enable <feature>` and `codex features disable <feature>` write to `~/.codex/config.toml`. If you launch Codex with `--profile`, Codex stores the change in that profile rather than the root configuration.

68 70

~~69## Multi-agents (experimental)~~71## Subagents

70 72

71Use Codex multi-agent workflows to parallelize larger tasks. For setup, role configuration (`[agents]` in `config.toml`), and examples, see [Multi-agents](https://developers.openai.com/codex/multi-agent).73Use Codex subagent workflows to parallelize larger tasks. For setup, role configuration (`[agents]` in `config.toml`), and examples, see [Subagents](https://developers.openai.com/codex/subagents).

75Codex only spawns subagents when you explicitly ask it to. Because each

76subagent does its own model and tool work, subagent workflows consume more

77tokens than comparable single-agent runs.

72 78

73## Image inputs79## Image inputs

74 80

103 109

104## Web search110## Web search

105 111

106Codex ships with a first-party web search tool. For local tasks in the Codex CLI, Codex enables web search by default and serves results from a web search cache. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](https://developers.openai.com/codex/security), web search defaults to live results. To fetch the most recent data, pass `--search` for a single run or set `web_search = "live"` in [Config basics](https://developers.openai.com/codex/config-basic). You can also set `web_search = "disabled"` to turn the tool off.112Codex ships with a first-party web search tool. For local tasks in the Codex CLI, Codex enables web search by default and serves results from a web search cache. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](https://developers.openai.com/codex/agent-approvals-security), web search defaults to live results. To fetch the most recent data, pass `--search` for a single run or set `web_search = "live"` in [Config basics](https://developers.openai.com/codex/config-basic). You can also set `web_search = "disabled"` to turn the tool off.

107 113

108You'll see `web_search` items in the transcript or `codex exec --json` output whenever Codex looks something up.114You'll see `web_search` items in the transcript or `codex exec --json` output whenever Codex looks something up.

109 115

cli/slash-commands.md +89 −30

Details

1# Slash commands in Codex CLI1# Slash commands in Codex CLI

2 2

3Slash commands give you fast, keyboard-first control over Codex. Type `/` in the composer to open the slash popup, choose a command, and Codex will perform actions such as switching models, adjusting permissions, or summarizing long conversations without leaving the terminal.3Slash commands give you fast, keyboard-first control over Codex. Type `/` in

4the composer to open the slash popup, choose a command, and Codex will perform

5actions such as switching models, adjusting permissions, or summarizing long

6conversations without leaving the terminal.

4 7

5This guide shows you how to:8This guide shows you how to:

6 9

7- Find the right built-in slash command for a task10- Find the right built-in slash command for a task

~~8- Steer an active session with commands like `/model`, `/personality`, `/permissions`, `/experimental`, `/agent`, and `/status`~~11- Steer an active session with commands like `/model`, `/personality`,

12 `/permissions`, `/experimental`, `/agent`, and `/status`

9 13

10## Built-in slash commands14## Built-in slash commands

11 15

~~12Codex ships with the following commands. Open the slash popup and start typing the command name to filter the list.~~16Codex ships with the following commands. Open the slash popup and start typing

17the command name to filter the list.

13 18

15| ------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |20| ------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |

16| [`/permissions`](#update-permissions-with-permissions) | Set what Codex can do without asking first. | Relax or tighten approval requirements mid-session, such as switching between Auto and Read Only. |21| [`/permissions`](#update-permissions-with-permissions) | Set what Codex can do without asking first. | Relax or tighten approval requirements mid-session, such as switching between Auto and Read Only. |

17| [`/sandbox-add-read-dir`](#grant-sandbox-read-access-with-sandbox-add-read-dir) | Grant sandbox read access to an extra directory (Windows only). | Unblock commands that need to read an absolute directory path outside the current readable roots. |22| [`/sandbox-add-read-dir`](#grant-sandbox-read-access-with-sandbox-add-read-dir) | Grant sandbox read access to an extra directory (Windows only). | Unblock commands that need to read an absolute directory path outside the current readable roots. |

25| [`/clear`](#clear-the-terminal-and-start-a-new-chat-with-clear) | Clear the terminal and start a fresh chat. | Reset the visible UI and conversation together when you want to start over. |

20| [`/compact`](#keep-transcripts-lean-with-compact) | Summarize the visible conversation to free tokens. | Use after long runs so Codex retains key points without blowing the context window. |26| [`/compact`](#keep-transcripts-lean-with-compact) | Summarize the visible conversation to free tokens. | Use after long runs so Codex retains key points without blowing the context window. |

27| [`/copy`](#copy-the-latest-response-with-copy) | Copy the latest completed Codex output. | Grab the latest finished response or plan text without manually selecting it. |

25| [`/init`](#generate-agentsmd-with-init) | Generate an `AGENTS.md` scaffold in the current directory. | Capture persistent instructions for the repository or subdirectory you're working in. |32| [`/init`](#generate-agentsmd-with-init) | Generate an `AGENTS.md` scaffold in the current directory. | Capture persistent instructions for the repository or subdirectory you're working in. |

39| [`/debug-config`](#inspect-config-layers-with-debug-config) | Print config layer and requirements diagnostics. | Debug precedence and policy requirements, including experimental network constraints. |46| [`/debug-config`](#inspect-config-layers-with-debug-config) | Print config layer and requirements diagnostics. | Debug precedence and policy requirements, including experimental network constraints. |

40| [`/statusline`](#configure-footer-items-with-statusline) | Configure TUI status-line fields interactively. | Pick and reorder footer items (model/context/limits/git/tokens/session) and persist in config.toml. |47| [`/statusline`](#configure-footer-items-with-statusline) | Configure TUI status-line fields interactively. | Pick and reorder footer items (model/context/limits/git/tokens/session) and persist in config.toml. |

41 48

~~42`/quit` and `/exit` both exit the CLI. Use them only after you have saved or committed any important work.~~49`/quit` and `/exit` both exit the CLI. Use them only after you have saved or

50committed any important work.

43 51

44The `/approvals` command still works as an alias, but it no longer appears in the slash popup list.52The `/approvals` command still works as an alias, but it no longer appears in the slash popup list.

45 53

621. In an active conversation, type `/personality` and press Enter.701. In an active conversation, type `/personality` and press Enter.

632. Choose a style from the popup.712. Choose a style from the popup.

64 72

~~65Expected: Codex confirms the new style in the transcript and uses it for later responses in the thread.~~73Expected: Codex confirms the new style in the transcript and uses it for later

74responses in the thread.

66 75

~~67Codex supports `friendly`, `pragmatic`, and `none` personalities. Use `none` to disable personality instructions.~~76Codex supports `friendly`, `pragmatic`, and `none` personalities. Use `none`

77to disable personality instructions.

68 78

69If the active model doesn't support personality-specific instructions, Codex hides this command.79If the active model doesn't support personality-specific instructions, Codex hides this command.

70 80

71### Switch to plan mode with `/plan`81### Switch to plan mode with `/plan`

72 82

~~731. Type `/plan` and press Enter to switch the active conversation into plan mode.~~831. Type `/plan` and press Enter to switch the active conversation into plan

84 mode.

742. Optional: provide inline prompt text (for example, `/plan Propose a migration plan for this service`).852. Optional: provide inline prompt text (for example, `/plan Propose a migration plan for this service`).

753. You can paste content or attach images while using inline `/plan` arguments.863. You can paste content or attach images while using inline `/plan` arguments.

76 87

81### Toggle experimental features with `/experimental`92### Toggle experimental features with `/experimental`

82 93

831. Type `/experimental` and press Enter.941. Type `/experimental` and press Enter.

~~842. Toggle the features you want (for example, **Multi-agents**), then restart Codex.~~952. Toggle the features you want, then restart Codex.

85 96

86Expected: Codex saves your feature choices to config and applies them on restart.97Expected: Codex saves your feature choices to config and applies them on restart.

87 98

99### Clear the terminal and start a new chat with `/clear`

100

1011. Type `/clear` and press Enter.

102

103Expected: Codex clears the terminal, resets the visible transcript, and starts

104a fresh chat in the same CLI session.

105

106Unlike <kbd>Ctrl</kbd>+<kbd>L</kbd>, `/clear` starts a new conversation.

107

108<kbd>Ctrl</kbd>+<kbd>L</kbd> only clears the terminal view and keeps the current

109chat. Codex disables both actions while a task is in progress.

110

88### Update permissions with `/permissions`111### Update permissions with `/permissions`

89 112

901. Type `/permissions` and press Enter.1131. Type `/permissions` and press Enter.

~~912. Select the approval preset that matches your comfort level, for example `Auto` for hands-off runs or `Read Only` to review edits.~~1142. Select the approval preset that matches your comfort level, for example

115 `Auto` for hands-off runs or `Read Only` to review edits.

92 116

~~93Expected: Codex announces the updated policy. Future actions respect the new approval mode until you change it again.~~117Expected: Codex announces the updated policy. Future actions respect the

118updated approval mode until you change it again.

119

120### Copy the latest response with `/copy`

121

1221. Type `/copy` and press Enter.

123

124Expected: Codex copies the latest completed Codex output to your clipboard.

125

126If a turn is still running, `/copy` uses the latest completed output instead of

127the in-progress response. The command is unavailable before the first completed

128Codex output and immediately after a rollback.

94 129

95### Grant sandbox read access with `/sandbox-add-read-dir`130### Grant sandbox read access with `/sandbox-add-read-dir`

96 131

991. Type `/sandbox-add-read-dir C:\absolute\directory\path` and press Enter.1341. Type `/sandbox-add-read-dir C:\absolute\directory\path` and press Enter.

1002. Confirm the path is an existing absolute directory.1352. Confirm the path is an existing absolute directory.

101 136

102Expected: Codex refreshes the Windows sandbox policy and grants read access to that directory for later commands that run in the sandbox.137Expected: Codex refreshes the Windows sandbox policy and grants read access to

138that directory for later commands that run in the sandbox.

103 139

104### Inspect the session with `/status`140### Inspect the session with `/status`

105 141

1061. In any conversation, type `/status`.1421. In any conversation, type `/status`.

1072. Review the output for the active model, approval policy, writable roots, and current token usage.1432. Review the output for the active model, approval policy, writable roots, and current token usage.

108 144

109Expected: You see a summary like what `codex status` prints in the shell, confirming Codex is operating where you expect.145Expected: You see a summary like what `codex status` prints in the shell,

146confirming Codex is operating where you expect.

110 147

111### Inspect config layers with `/debug-config`148### Inspect config layers with `/debug-config`

112 149

1131. Type `/debug-config`.1501. Type `/debug-config`.

1142. Review the output for config layer order (lowest precedence first), on/off state, and policy sources.1512. Review the output for config layer order (lowest precedence first), on/off

152 state, and policy sources.

115 153

116Expected: Codex prints layer diagnostics plus policy details such as `allowed_approval_policies`, `allowed_sandbox_modes`, `mcp_servers`, `rules`, `enforce_residency`, and `experimental_network` when configured.154Expected: Codex prints layer diagnostics plus policy details such as

155`allowed_approval_policies`, `allowed_sandbox_modes`, `mcp_servers`, `rules`,

156`enforce_residency`, and `experimental_network` when configured.

117 157

118Use this output to debug why an effective setting differs from `config.toml`.158Use this output to debug why an effective setting differs from `config.toml`.

119 159

1221. Type `/statusline`.1621. Type `/statusline`.

1232. Use the picker to toggle and reorder items, then confirm.1632. Use the picker to toggle and reorder items, then confirm.

124 164

125Expected: The footer status line updates immediately and persists to `tui.status_line` in `config.toml`.165Expected: The footer status line updates immediately and persists to

166`tui.status_line` in `config.toml`.

126 167

127Available status-line items include model, model+reasoning, context stats, rate limits, git branch, token counters, session id, current directory/project root, and Codex version.168Available status-line items include model, model+reasoning, context stats, rate

169limits, git branch, token counters, session id, current directory/project root,

170and Codex version.

128 171

129### Check background terminals with `/ps`172### Check background terminals with `/ps`

130 173

1311. Type `/ps`.1741. Type `/ps`.

1322. Review the list of background terminals and their status.1752. Review the list of background terminals and their status.

133 176

134Expected: Codex shows each background terminal’s command plus up to three recent, non-empty output lines so you can gauge progress at a glance.177Expected: Codex shows each background terminal's command plus up to three

178recent, non-empty output lines so you can gauge progress at a glance.

135 179

136Background terminals appear when `unified_exec` is in use; otherwise, the list may be empty.180Background terminals appear when `unified_exec` is in use; otherwise, the list may be empty.

137 181

1401. After a long exchange, type `/compact`.1841. After a long exchange, type `/compact`.

1412. Confirm when Codex offers to summarize the conversation so far.1852. Confirm when Codex offers to summarize the conversation so far.

142 186

143Expected: Codex replaces earlier turns with a concise summary, freeing context while keeping critical details.187Expected: Codex replaces earlier turns with a concise summary, freeing context

188while keeping critical details.

144 189

145### Review changes with `/diff`190### Review changes with `/diff`

146 191

1471. Type `/diff` to inspect the Git diff.1921. Type `/diff` to inspect the Git diff.

1482. Scroll through the output inside the CLI to review edits and added files.1932. Scroll through the output inside the CLI to review edits and added files.

149 194

150Expected: Codex shows changes you’ve staged, changes you haven’t staged yet, and files Git hasn’t started tracking, so you can decide what to keep.195Expected: Codex shows changes you've staged, changes you haven't staged yet,

196and files Git hasn't started tracking, so you can decide what to keep.

151 197

152### Highlight files with `/mention`198### Highlight files with `/mention`

153 199

160 206

1611. Type `/new` and press Enter.2071. Type `/new` and press Enter.

162 208

163Expected: Codex starts a fresh conversation in the same CLI session, so you can switch tasks without leaving your terminal.209Expected: Codex starts a fresh conversation in the same CLI session, so you

210can switch tasks without leaving your terminal.

211

212Unlike `/clear`, `/new` doesn’t clear the current terminal view first.

164 213

165### Resume a saved conversation with `/resume`214### Resume a saved conversation with `/resume`

166 215

1671. Type `/resume` and press Enter.2161. Type `/resume` and press Enter.

1682. Choose the session you want from the saved-session picker.2172. Choose the session you want from the saved-session picker.

169 218

170Expected: Codex reloads the selected conversation’s transcript so you can pick up where you left off, keeping the original history intact.219Expected: Codex reloads the selected conversation's transcript so you can pick

220up where you left off, keeping the original history intact.

171 221

172### Fork the current conversation with `/fork`222### Fork the current conversation with `/fork`

173 223

1741. Type `/fork` and press Enter.2241. Type `/fork` and press Enter.

175 225

176Expected: Codex clones the current conversation into a new thread with a fresh ID, leaving the original transcript untouched so you can explore an alternative approach in parallel.226Expected: Codex clones the current conversation into a new thread with a fresh

227ID, leaving the original transcript untouched so you can explore an alternative

228approach in parallel.

177 229

178If you need to fork a saved session instead of the current one, run `codex fork` in your terminal to open the session picker.230If you need to fork a saved session instead of the current one, run

231`codex fork` in your terminal to open the session picker.

179 232

180### Generate `AGENTS.md` with `/init`233### Generate `AGENTS.md` with `/init`

181 234

1821. Run `/init` in the directory where you want Codex to look for persistent instructions.2351. Run `/init` in the directory where you want Codex to look for persistent instructions.

1832. Review the generated `AGENTS.md`, then edit it to match your repository conventions.2362. Review the generated `AGENTS.md`, then edit it to match your repository conventions.

184 237

185Expected: Codex creates an `AGENTS.md` scaffold you can refine and commit for future sessions.238Expected: Codex creates an `AGENTS.md` scaffold you can refine and commit for

239future sessions.

186 240

187### Ask for a working tree review with `/review`241### Ask for a working tree review with `/review`

188 242

1891. Type `/review`.2431. Type `/review`.

1902. Follow up with `/diff` if you want to inspect the exact file changes.2442. Follow up with `/diff` if you want to inspect the exact file changes.

191 245

192Expected: Codex summarizes issues it finds in your working tree, focusing on behavior changes and missing tests. It uses the current session model unless you set `review_model` in `config.toml`.246Expected: Codex summarizes issues it finds in your working tree, focusing on

247behavior changes and missing tests. It uses the current session model unless

248you set `review_model` in `config.toml`.

193 249

194### List MCP tools with `/mcp`250### List MCP tools with `/mcp`

195 251

2031. Type `/apps`.2591. Type `/apps`.

2042. Pick an app from the list.2602. Pick an app from the list.

205 261

206Expected: Codex inserts the app mention into the composer as `$app-slug`, so you can immediately ask Codex to use it.262Expected: Codex inserts the app mention into the composer as `$app-slug`, so

263you can immediately ask Codex to use it.

207 264

208### Switch agent threads with `/agent`265### Switch agent threads with `/agent`

209 266

2101. Type `/agent` and press Enter.2671. Type `/agent` and press Enter.

2112. Select the thread you want from the picker.2682. Select the thread you want from the picker.

212 269

213Expected: Codex switches the active thread so you can inspect or continue that agent’s work.270Expected: Codex switches the active thread so you can inspect or continue that

271agent's work.

214 272

215### Send feedback with `/feedback`273### Send feedback with `/feedback`

216 274

2171. Type `/feedback` and press Enter.2751. Type `/feedback` and press Enter.

2182. Follow the prompts to include logs or diagnostics.2762. Follow the prompts to include logs or diagnostics.

219 277

220Expected: Codex collects the requested diagnostics and submits them to the maintainers.278Expected: Codex collects the requested diagnostics and submits them to the

279maintainers.

221 280

222### Sign out with `/logout`281### Sign out with `/logout`

223 282

codex.md +5 −1

Details

24 24

25Explore Codex Ambassadors and upcoming community meetups by location.25Explore Codex Ambassadors and upcoming community meetups by location.

26 26

~~27 See community](https://developers.openai.com/codex/community/meetups)~~27 See community](https://developers.openai.com/codex/community/meetups) [### Codex for OSS

29Apply or nominate maintainers for API credits, ChatGPT Pro with Codex, and selective Codex Security access.

31 Learn more](https://developers.openai.com/codex/community/codex-for-oss)

codex-for-oss-terms.md +47 −0 added

Details

1# Codex for Open Source Program Terms

3These Program Terms govern the Codex for Open Source program (the “Program”) offered by OpenAI OpCo, LLC and its affiliates (“OpenAI,” “we,” “our,” or “us”). By submitting an application to the Program or accepting any Program benefit, you agree to these Program Terms.

5These Program Terms supplement, and do not replace, the OpenAI Terms of Use, Privacy Policy, applicable service terms, and OpenAI policies that govern your use of ChatGPT, Codex, the API, and any other OpenAI services made available through the Program. If there is a conflict, these Program Terms control only with respect to the Program.

7## 1. Program Overview

9The Program is designed to support maintainers of important open-source software. Approved applicants may receive one or more of the following benefits, as determined by OpenAI in its sole discretion: (i) a limited-duration ChatGPT Pro benefit that includes Codex access; (ii) API credits for eligible open-source maintainer workflows; and (iii) conditional access to Codex Security for qualified repositories or maintainers. Availability, duration, scope, and timing of any benefit may vary by applicant, repository, or use case.

11## 2. Eligibility and Applications

13To be considered for the Program, applicants must have a valid ChatGPT account and provide accurate and complete information about themselves, their repositories, and their role in maintaining or administering those repositories. OpenAI may consider factors such as repository usage, ecosystem importance, evidence of active maintenance, role or permissions, and Program capacity. Submission of an application does not guarantee selection, funding, or access.

15## 3. Selection and Verification

17OpenAI may approve or deny applications in its sole discretion. OpenAI may request additional information to verify identity, repository affiliation, maintainer status, or repository control, and may condition any benefit on successful verification. OpenAI's decisions are final.

19## 4. Benefits

21Unless OpenAI states otherwise in writing, Program benefits are personal, limited, non-transferable, and have no cash value. Program benefits may not be sold, assigned, sublicensed, exchanged, or shared. If OpenAI provides a redemption code, invitation, or activation flow, the recipient must follow the applicable redemption instructions and any additional redemption terms communicated by OpenAI. Benefits may expire if they are not redeemed or activated within the period specified by OpenAI.

23## 5. Additional Conditions for Codex Security and API Credits

25Codex Security access and API credits are optional, additional Program benefits and may require separate review, additional eligibility checks, and/or additional terms. OpenAI may limit Codex Security access to repositories that the applicant owns, maintains, or is otherwise authorized to administer.

27Applicants may not use the Program, including Codex Security, to scan, probe, test, or review repositories, systems, or codebases that they do not own or lack permission to review. OpenAI may require proof of control or authorization before granting or continuing such access and may limit or revoke access at any time if authorization is unclear or no longer valid.

29## 6. Fraud, Abuse, and Revocation

31OpenAI may reject, suspend, or revoke any Program benefit for any reason in its sole discretion, including without limitation if it reasonably believes that an applicant or recipient: (i) provided false, misleading, or incomplete information; (ii) used multiple identities or accounts to obtain more than one benefit; (iii) transferred, resold, or shared a benefit; (iv) violated OpenAI's terms or policies; (v) used the Program in a harmful, abusive, fraudulent, or unauthorized manner; or (vi) otherwise created legal, security, reputational, or operational risk for OpenAI or others.

33## 7. Submission Similarity; No Exclusivity; No Confidentiality

35The applicant acknowledges that OpenAI may currently or in the future develop, receive, review, fund, support, or work with ideas, projects, repositories, workflows, or proposals that are similar or identical to the applicant's submission. Nothing in these Program Terms prevents OpenAI from independently developing, funding, or supporting any such similar or identical work.

37The applicant further acknowledges that OpenAI assumes no obligation of exclusivity with respect to any submission and that any decision to select, fund, or support a project or maintainer is made in OpenAI's sole discretion.

39Except as described in OpenAI's privacy policy or as required by law, applicants should not submit confidential information in connection with the Program, and OpenAI has no duty to treat application materials as confidential.

41## 8. Program Changes

43OpenAI may modify, pause, limit, or discontinue the Program, its eligibility criteria, or any Program benefit at any time. OpenAI may also update these Program Terms from time to time. Continued participation in the Program after an update constitutes acceptance of the revised Program Terms.

45## 9. Taxes and Local Restrictions

47Recipients are responsible for any taxes, reporting obligations, or local legal requirements that may apply to receipt or use of Program benefits. The Program is void where prohibited or restricted by law.

community/codex-for-oss.md +19 −0 added

Details

1# Codex for Open Source

3Open-source maintainers do critical work, often behind the scenes, to keep the software ecosystem healthy. Over the past year, the Codex Open Source Fund ($1 million) has supported projects that need API credits, including teams using Codex to power GitHub pull request workflows. OpenAI is grateful to the maintainers who keep that work moving.

5The fund now supports eligible maintainers by offering six months of ChatGPT Pro with Codex and conditional access to Codex Security for core maintainers with write access. Developers should code in the tools they prefer, whether that’s Codex, [OpenCode](https://github.com/anomalyco/opencode), [Cline](https://github.com/cline/cline), [pi](https://github.com/badlogic/pi-mono/tree/main/packages/coding-agent), [OpenClaw](https://github.com/openclaw/openclaw), or something else, and this program supports that work.

7## What the program includes

9- Six months of ChatGPT Pro with Codex for day-to-day coding, triage, review, and maintainer workflows

10- Conditional access to Codex Security for repositories that need deeper security coverage

11- API credits through the Codex Open Source Fund for projects that use Codex in pull request review, maintainer automation, release workflows, or other core OSS work

13Given GPT-5.4’s capabilities, the team reviews Codex Security access case by case to ensure these workflows get the care and diligence they require.

15If you’re a core maintainer or run a widely used public project, apply. If your project doesn’t fit the criteria but it plays an important role in the ecosystem, apply anyway and explain why.

17By submitting an application, you agree to the [Codex for Open Source Program Terms](https://developers.openai.com/codex/codex-for-oss-terms).

19[Apply today!](https://openai.com/form/codex-for-oss/)

community/meetups.md +8 −8

Details

1# Codex Meetups1# Codex Meetups

2 2

~~3Mar 12~~3Mar 17

4 4

~~5![Stylized city cover for Orlando](https://developers.openai.com/codex/meetups/orlando.webp)~~5![Stylized city cover for San Francisco](https://developers.openai.com/codex/meetups/san-francisco.webp)

6 6

~~7UpcomingMar 12~~7UpcomingMar 17

8 8

~~9Orlando, FL, USA~~9San Francisco, California, USA

10 10

~~11### Orlando~~11### Community Hackathon - San Francisco

12 12

~~13March 12, 2026~~13March 17, 2026

14 14

~~15Hosted by [Leonard](https://www.linkedin.com/in/lgofman/), [Michael](https://www.linkedin.com/in/michael-rusudev/), and [Carlos](https://www.linkedin.com/in/cataladev/)~~15Hosted by [Adam Chan](https://x.com/itsajchan)

16 16

~~17[Register now](https://luma.com/39y2dvwx)[Share city](https://developers.openai.com/codex/community/meetups?city=Orlando)~~17[Register now (opens in a new tab)](https://luma.com/openclaw-hack-night-mar17-2026)[Share city](https://developers.openai.com/codex/community/meetups?city=San%20Francisco)

concepts/customization.md +12 −12

Details

7- **Project guidance (`AGENTS.md`)** for persistent instructions7- **Project guidance (`AGENTS.md`)** for persistent instructions

8- **Skills** for reusable workflows and domain expertise8- **Skills** for reusable workflows and domain expertise

9- **[MCP](https://developers.openai.com/codex/mcp)** for access to external tools and shared systems9- **[MCP](https://developers.openai.com/codex/mcp)** for access to external tools and shared systems

~~10- **[Multi-agents](https://developers.openai.com/codex/concepts/multi-agents)** for delegating work to specialized sub-agents~~10- **[Subagents](https://developers.openai.com/codex/concepts/subagents)** for delegating work to specialized subagents

11 11

12These are complementary, not competing. `AGENTS.md` shapes behavior, skills package repeatable processes, and [MCP](https://developers.openai.com/codex/mcp) connects Codex to systems outside the local workspace.12These are complementary, not competing. `AGENTS.md` shapes behavior, skills package repeatable processes, and [MCP](https://developers.openai.com/codex/mcp) connects Codex to systems outside the local workspace.

13 13

19 19

20- Build and test commands20- Build and test commands

21- Review expectations21- Review expectations

~~22- Repo-specific conventions~~22- repo-specific conventions

23- Directory-specific instructions23- Directory-specific instructions

24 24

25When the agent makes incorrect assumptions about your codebase, correct them in `AGENTS.md` and ask the agent to update `AGENTS.md` so the fix persists. Treat it as a feedback loop.25When the agent makes incorrect assumptions about your codebase, correct them in `AGENTS.md` and ask the agent to update `AGENTS.md` so the fix persists. Treat it as a feedback loop.

44 - AGENTS.md Global (for you as a developer)44 - AGENTS.md Global (for you as a developer)

45- repo-root/45- repo-root/

46 46

~~47 - AGENTS.md Repo-specific (for your team)~~47 - AGENTS.md repo-specific (for your team)

48 48

49[Custom instructions with AGENTS.md](https://developers.openai.com/codex/guides/agents-md)49[Custom instructions with AGENTS.md](https://developers.openai.com/codex/guides/agents-md)

50 50

87 87

88Skills can be global (in your user directory, for you as a developer) or repo-specific (checked into `.agents/skills`, for your team). Put repo skills in `.agents/skills` when the workflow applies to that project; use your user directory for skills you want across all repos.88Skills can be global (in your user directory, for you as a developer) or repo-specific (checked into `.agents/skills`, for your team). Put repo skills in `.agents/skills` when the workflow applies to that project; use your user directory for skills you want across all repos.

89 89

91| :----- | :--------------------- | :--------------------------------------------- |91| :----- | :--------------------- | :--------------------------------------------- |

94 94

95Codex uses progressive disclosure for skills:95Codex uses progressive disclosure for skills:

105## MCP105## MCP

106 106

107MCP (Model Context Protocol) is the standard way to connect Codex to external tools and context providers.107MCP (Model Context Protocol) is the standard way to connect Codex to external tools and context providers.

108It’s especially useful for remotely hosted systems such as Figma, Linear, Jira, GitHub, or internal knowledge services your team depends on.108It's especially useful for remotely hosted systems such as Figma, Linear, GitHub, or internal knowledge services your team depends on.

109 109

110Use MCP when Codex needs capabilities that live outside the local repo, such as issue trackers, design tools, browsers, or shared documentation systems.110Use MCP when Codex needs capabilities that live outside the local repo, such as issue trackers, design tools, browsers, or shared documentation systems.

111 111

112A useful mental model:112One way to think about it:

113 113

114- **Host**: Codex114- **Host**: Codex

115- **Client**: the MCP connection inside Codex115- **Client**: the MCP connection inside Codex

129 129

130[Model Context Protocol](https://developers.openai.com/codex/mcp)130[Model Context Protocol](https://developers.openai.com/codex/mcp)

131 131

132## Multi-agents132## Subagents

133 133

134You can create different agents with different roles and prompt them to use tools differently. For example, one agent might run specific testing commands and configurations, while another has MCP servers that fetch production logs for debugging. Each sub-agent stays focused and uses the right tools for its job.134You can create different agents with different roles and prompt them to use tools differently. For example, one agent might run specific testing commands and configurations, while another has MCP servers that fetch production logs for debugging. Each subagent stays focused and uses the right tools for its job.

135 135

136[Multi-agents concepts](https://developers.openai.com/codex/concepts/multi-agents)136[Subagent concepts](https://developers.openai.com/codex/concepts/subagents)

137 137

138## Skills + MCP together138## Skills + MCP together

139 139

146 146

1471. [Custom instructions with AGENTS.md](https://developers.openai.com/codex/guides/agents-md) so Codex follows your repo conventions. Add pre-commit hooks and linters to enforce those rules.1471. [Custom instructions with AGENTS.md](https://developers.openai.com/codex/guides/agents-md) so Codex follows your repo conventions. Add pre-commit hooks and linters to enforce those rules.

1482. [Skills](https://developers.openai.com/codex/skills) so you never have the same conversation twice. Skills can include a `scripts/` directory with CLI scripts or pair with [MCP](https://developers.openai.com/codex/mcp) for external systems.1482. [Skills](https://developers.openai.com/codex/skills) so you never have the same conversation twice. Skills can include a `scripts/` directory with CLI scripts or pair with [MCP](https://developers.openai.com/codex/mcp) for external systems.

1493. [MCP](https://developers.openai.com/codex/mcp) when workflows need external systems (Linear, JIRA, docs servers, design tools).1493. [MCP](https://developers.openai.com/codex/mcp) when workflows need external systems (Linear, GitHub, docs servers, design tools).

1504. [Multi-agents](https://developers.openai.com/codex/multi-agent) when you’re ready to delegate noisy or specialized tasks to sub-agents.1504. [Subagents](https://developers.openai.com/codex/subagents) when you're ready to delegate noisy or specialized tasks to subagents.

concepts/multi-agents.md +0 −53 deleted

File DeletedView Diff

~~1# Multi-agents~~

~~3Codex can run multi-agent workflows by spawning specialized agents in parallel and collecting their results in one response.~~

~~5This page explains the core concepts and tradeoffs. For setup, agent configuration, and examples, see [Multi-agents](https://developers.openai.com/codex/multi-agent).~~

~~7## Why multi-agent workflows help~~

9Even with large context windows, models have limits. If you flood the main conversation (where you’re defining requirements, constraints, and decisions) with noisy intermediate output such as exploration notes, test logs, stack traces, and command output, the session can become less reliable over time.

~~11This is often described as:~~

~~13- **Context pollution**: useful information gets buried under noisy intermediate output.~~

~~14- **Context rot**: performance degrades as the conversation fills up with less relevant details.~~

~~16For background, see Chroma’s writeup on [context rot](https://research.trychroma.com/context-rot).~~

~~18Multi-agent workflows help by moving noisy work off the main thread:~~

~~20- Keep the **main agent** focused on requirements, decisions, and final outputs.~~

~~21- Run specialized **sub-agents** in parallel for exploration, tests, or log analysis.~~

~~22- Return **summaries** from sub-agents instead of raw intermediate output.~~

24As a starting point, use parallel agents for tasks that mostly read (exploration, tests, triage, and summarization). Be more careful with parallel write-heavy workflows, because multiple agents editing code at once can create conflicts and increase coordination overhead.

~~26## Core terms~~

~~28Codex uses a few related terms in multi-agent workflows:~~

~~30- **Multi-agent**: A workflow where Codex runs multiple agents in parallel and combines their results.~~

~~31- **Sub-agent**: A delegated agent that Codex starts to handle a specific task.~~

~~32- **Agent thread**: The CLI thread for an agent, which you can inspect and switch between with `/agent`.~~

~~34## Choosing models and reasoning~~

~~36Different agents benefit from different model and reasoning settings.~~

~~38`gpt-5.3-codex-spark` is available in research preview for ChatGPT Pro~~

~~39subscribers. See [Models](https://developers.openai.com/codex/models) for current availability. If you’re~~

~~40using Codex via the API, use GPT-5.2-Codex today.~~

~~42### Model choice~~

44- **`gpt-5.3-codex`**: Use for agents that need stronger reasoning, such as code review, security analysis, multi-step implementation, or tasks with ambiguous requirements. The main agent and agents that propose or apply edits usually fit here.

45- **`gpt-5.3-codex-spark`**: Use for agents that prioritize speed over depth, such as exploration, read-heavy scans, or quick summarization tasks. Spark works well for parallel workers that return distilled results to the main agent.

~~47### Reasoning effort (`model_reasoning_effort`)~~

~~49- **`high`**: Use when an agent needs to trace complex logic, validate assumptions, or work through edge cases (for example, reviewer or security-focused agents).~~

~~50- **`medium`**: A balanced default for most agents.~~

~~51- **`low`**: Use when the task is straightforward and speed matters most.~~

53Higher reasoning effort increases response time and token usage, but it can improve quality for complex work. For details, see [Models](https://developers.openai.com/codex/models), [Config basics](https://developers.openai.com/codex/config-basic), and [Configuration Reference](https://developers.openai.com/codex/config-reference).

concepts/sandboxing.md +102 −0 added

Details

1# Sandboxing – Codex

3Sandboxing is the boundary that lets Codex act autonomously without giving it

4unrestricted access to your machine. When Codex runs local commands in the

5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a

6constrained environment instead of running with full access by default.

8That environment defines what Codex can do on its own, such as which files it

9can modify and whether commands can use the network. When a task stays inside

10those boundaries, Codex can keep moving without stopping for confirmation. When

11it needs to go beyond them, Codex falls back to the approval flow.

13Sandboxing and approvals are different controls that work together. The

14 sandbox defines technical boundaries. The approval policy decides when Codex

15 must stop and ask before crossing them.

17## What the sandbox does

19The sandbox applies to spawned commands, not just to Codex's built-in file

20operations. If Codex runs tools like `git`, package managers, or test runners,

21those commands inherit the same sandbox boundaries.

23Codex uses platform-native enforcement on each OS. The implementation differs

24between macOS, Linux, WSL, and native Windows, but the idea is the same across

25surfaces: give the agent a bounded place to work so routine tasks can run

26autonomously inside clear limits.

28## Why it matters

30Sandboxing reduces approval fatigue. Instead of asking you to confirm every

31low-risk command, Codex can read files, make edits, and run routine project

32commands within the boundary you already approved.

34It also gives you a clearer trust model for agentic work. You are not just

35trusting the agent's intentions; you are trusting that the agent is operating

36inside enforced limits. That makes it easier to let Codex work independently

37while still knowing when it will stop and ask for help.

39## How you control it

41Most people start with the permissions controls in the product.

43In the Codex app and IDE, you choose a mode from the permissions selector under

44the composer or chat input. That selector lets you rely on Codex's default

45permissions, switch to full access, or use your custom configuration.

47![Codex app permissions selector showing Default permissions, Full access, and Custom (config.toml)](/images/codex/app/permissions-selector-light.webp)

49In the CLI, use [`/permissions`](https://developers.openai.com/codex/cli/slash-commands#update-permissions-with-permissions)

50to switch modes during a session.

52## Configure defaults

54If you want Codex to start with the same behavior every time, use a custom

55configuration. Codex stores those defaults in `config.toml`, its local settings

56file. [Config basics](https://developers.openai.com/codex/config-basic) explains how it works, and the

57[Configuration reference](https://developers.openai.com/codex/config-reference) documents the exact keys for

58`sandbox_mode`, `approval_policy`, and

59`sandbox_workspace_write.writable_roots`. Use those settings to decide how much

60autonomy Codex gets by default, which directories it can write to, and when it

61should pause for approval.

63At a high level, the common sandbox modes are:

65- `read-only`: Codex can inspect files, but it cannot edit files or run

66 commands without approval.

67- `workspace-write`: Codex can read files, edit within the workspace, and run

68 routine local commands inside that boundary. This is the default low-friction

69 mode for local work.

70- `danger-full-access`: Codex runs without sandbox restrictions. This removes

71 the filesystem and network boundaries and should be used only when you want

72 Codex to act with full access.

74The common approval policies are:

76- `untrusted`: Codex asks before running commands that are not in its trusted

77 set.

78- `on-request`: Codex works inside the sandbox by default and asks when it

79 needs to go beyond that boundary.

80- `never`: Codex does not stop for approval prompts.

82Full access means using `sandbox_mode = "danger-full-access"` together with

83`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local

84automation preset: `sandbox_mode = "workspace-write"` and

85`approval_policy = "on-request"`.

87If you need Codex to work across more than one directory, writable roots let

88you extend the places it can modify without removing the sandbox entirely. If

89you need a broader or narrower trust boundary, adjust the default sandbox mode

90and approval policy instead of relying on ad hoc exceptions.

92When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules

93let you allow, prompt, or forbid command prefixes outside the sandbox, which is

94often a better fit than broadly expanding access. For a higher-level overview

95of approvals and sandbox behavior in the app, see

96[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the

97IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).

99Platform details live in the platform-specific docs. For native Windows setup,

100behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin

101requirements and organization-level constraints on sandboxing and approvals, see

102[Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).

concepts/subagents.md +90 −0 added

Details

1# Subagents

3Codex can run subagent workflows by spawning specialized agents in parallel so

4they can explore, tackle, or analyze work concurrently.

6This page explains the core concepts and tradeoffs. For setup, agent configuration, and examples, see [Subagents](https://developers.openai.com/codex/subagents).

8## Why subagent workflows help

10Even with large context windows, models have limits. If you flood the main conversation (where you're defining requirements, constraints, and decisions) with noisy intermediate output such as exploration notes, test logs, stack traces, and command output, the session can become less reliable over time.

12This is often described as:

14- **Context pollution**: useful information gets buried under noisy intermediate output.

15- **Context rot**: performance degrades as the conversation fills up with less relevant details.

17For background, see the Chroma writeup on [context rot](https://research.trychroma.com/context-rot).

19Subagent workflows help by moving noisy work off the main thread:

21- Keep the **main agent** focused on requirements, decisions, and final outputs.

22- Run specialized **subagents** in parallel for exploration, tests, or log analysis.

23- Return **summaries** from subagents instead of raw intermediate output.

25They can also save time when the work can run independently in parallel, and

26they make larger-shaped tasks more tractable by breaking them into bounded

27pieces. For example, Codex can split analysis of a multi-million-token

28document into smaller problems and return distilled takeaways to the main

29thread.

31As a starting point, use parallel agents for read-heavy tasks such as

32exploration, tests, triage, and summarization. Be more careful with parallel

33write-heavy workflows, because agents editing code at once can create

34conflicts and increase coordination overhead.

36## Core terms

38Codex uses a few related terms in subagent workflows:

40- **Subagent workflow**: A workflow where Codex runs parallel agents and combines their results.

41- **Subagent**: A delegated agent that Codex starts to handle a specific task.

42- **Agent thread**: The CLI thread for an agent, which you can inspect and switch between with `/agent`.

44## Triggering subagent workflows

46Codex doesn't spawn subagents automatically, and it should only use subagents when you

47explicitly ask for subagents or parallel agent work.

49In practice, manual triggering means using direct instructions such as

50"spawn two agents," "delegate this work in parallel," or "use one agent per

51point." Subagent workflows consume more tokens than comparable single-agent runs

52because each subagent does its own model and tool work.

54A good subagent prompt should explain how to divide the work, whether Codex

55should wait for all agents before continuing, and what summary or output to

56return.

58```text

59Review this branch with parallel subagents. Spawn one subagent for security risks, one for test gaps, and one for maintainability. Wait for all three, then summarize the findings by category with file references.

60```

62## Choosing models and reasoning

64Different agents need different model and reasoning settings.

66If you don't pin a model or `model_reasoning_effort`, Codex can choose a setup

67that balances intelligence, speed, and price for the task. It may favor

68`gpt-5.4-mini` for fast scans or a higher-effort `gpt-5.4`

69configuration for more demanding reasoning. When you want finer control, steer that

70choice in your prompt or set `model` and `model_reasoning_effort` directly in

71the agent file.

73For most tasks in Codex, start with `gpt-5.4`. Use `gpt-5.4-mini` when you

74want a faster, lower-cost option for lighter subagent work. If you have

75ChatGPT Pro and want near-instant text-only iteration, `gpt-5.3-codex-spark`

76remains available in research preview.

78### Model choice

80- **`gpt-5.4`**: Start here for most agents. It combines strong coding, reasoning, tool use, and broader workflows. The main agent and agents that coordinate ambiguous or multi-step work fit here.

81- **`gpt-5.4-mini`**: Use for agents that favor speed and efficiency over depth, such as exploration, read-heavy scans, large-file review, or processing supporting documents. It works well for parallel workers that return distilled results to the main agent.

82- **`gpt-5.3-codex-spark`**: If you have ChatGPT Pro, use this research preview model for near-instant, text-only iteration when latency matters more than broader capability.

84### Reasoning effort (`model_reasoning_effort`)

86- **`high`**: Use when an agent needs to trace complex logic, check assumptions, or work through edge cases (for example, reviewer or security-focused agents).

87- **`medium`**: A balanced default for most agents.

88- **`low`**: Use when the task is straightforward and speed matters most.

90Higher reasoning effort increases response time and token usage, but it can improve quality for complex work. For details, see [Models](https://developers.openai.com/codex/models), [Config basics](https://developers.openai.com/codex/config-basic), and [Configuration Reference](https://developers.openai.com/codex/config-reference).

config-advanced.md +8 −8

Details

2 2

3Use these options when you need more control over providers, policies, and integrations. For a quick start, see [Config basics](https://developers.openai.com/codex/config-basic).3Use these options when you need more control over providers, policies, and integrations. For a quick start, see [Config basics](https://developers.openai.com/codex/config-basic).

4 4

5For background on project guidance, reusable capabilities, custom slash commands, multi-agent workflows, and integrations, see [Customization](https://developers.openai.com/codex/concepts/customization). For configuration keys, see [Configuration Reference](https://developers.openai.com/codex/config-reference).5For background on project guidance, reusable capabilities, custom slash commands, subagent workflows, and integrations, see [Customization](https://developers.openai.com/codex/concepts/customization). For configuration keys, see [Configuration Reference](https://developers.openai.com/codex/config-reference).

6 6

7## Profiles7## Profiles

8 8

45 45

46```shell46```shell

47# Dedicated flag47# Dedicated flag

~~48codex --model gpt-5.2~~48codex --model gpt-5.4

49 49

50# Generic key/value override (value is TOML, not JSON)50# Generic key/value override (value is TOML, not JSON)

~~51codex --config model='"gpt-5.2"'~~51codex --config model='"gpt-5.4"'

52codex --config sandbox_workspace_write.network_access=true52codex --config sandbox_workspace_write.network_access=true

53codex --config 'shell_environment_policy.include_only=["PATH","HOME"]'53codex --config 'shell_environment_policy.include_only=["PATH","HOME"]'

54```54```

91 91

92## Agent roles (`[agents]` in `config.toml`)92## Agent roles (`[agents]` in `config.toml`)

93 93

~~94For multi-agent role configuration (`[agents]` in `config.toml`), see [Multi-agents](https://developers.openai.com/codex/multi-agent).~~94For subagent role configuration (`[agents]` in `config.toml`), see [Subagents](https://developers.openai.com/codex/subagents).

95 95

96## Project root detection96## Project root detection

97 97

190 190

191Pick approval strictness (affects when Codex pauses) and sandbox level (affects file/network access).191Pick approval strictness (affects when Codex pauses) and sandbox level (affects file/network access).

192 192

193For operational details that are easy to miss while editing `config.toml`, see [Common sandbox and approval combinations](https://developers.openai.com/codex/security#common-sandbox-and-approval-combinations), [Protected paths in writable roots](https://developers.openai.com/codex/security#protected-paths-in-writable-roots), and [Network access](https://developers.openai.com/codex/security#network-access).193For operational details to keep in mind while editing `config.toml`, see [Common sandbox and approval combinations](https://developers.openai.com/codex/agent-approvals-security#common-sandbox-and-approval-combinations), [Protected paths in writable roots](https://developers.openai.com/codex/agent-approvals-security#protected-paths-in-writable-roots), and [Network access](https://developers.openai.com/codex/agent-approvals-security#network-access).

194 194

195You can also use a granular reject policy (`approval_policy = { reject = { ... } }`) to auto-reject only selected prompt categories (sandbox approvals, execpolicy rule prompts, or MCP elicitations) while keeping other prompts interactive.195You can also use a granular reject policy (`approval_policy = { reject = { ... } }`) to auto-reject only selected prompt categories, such as sandbox approvals, `execpolicy` rule prompts, or MCP input requests (`mcp_elicitations`), while keeping other prompts interactive.

196 196

197```197```

198approval_policy = "untrusted" # Other options: on-request, never, or { reject = { ... } }198approval_policy = "untrusted" # Other options: on-request, never, or { reject = { ... } }

206network_access = false # Opt in to outbound network206network_access = false # Opt in to outbound network

207```207```

208 208

209Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/security#managed-configuration).209Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).

210 210

211In workspace-write mode, some environments keep `.git/` and `.codex/`211In workspace-write mode, some environments keep `.git/` and `.codex/`

212 read-only even when the rest of the workspace is writable. This is why212 read-only even when the rest of the workspace is writable. This is why

304 304

305For more security and privacy guidance around telemetry, see [Security](https://developers.openai.com/codex/security#monitoring-and-telemetry).305For more security and privacy guidance around telemetry, see [Security](https://developers.openai.com/codex/agent-approvals-security#monitoring-and-telemetry).

306 306

307### Metrics307### Metrics

308 308

config-basic.md +7 −9

Details

11The CLI and IDE extension share the same configuration layers. You can use them to:11The CLI and IDE extension share the same configuration layers. You can use them to:

12 12

13- Set the default model and provider.13- Set the default model and provider.

~~14- Configure [approval policies and sandbox settings](https://developers.openai.com/codex/security#sandbox-and-approvals).~~14- Configure [approval policies and sandbox settings](https://developers.openai.com/codex/agent-approvals-security#sandbox-and-approvals).

15- Configure [MCP servers](https://developers.openai.com/codex/mcp).15- Configure [MCP servers](https://developers.openai.com/codex/mcp).

16 16

17## Configuration precedence17## Configuration precedence

34On managed machines, your organization may also enforce constraints via34On managed machines, your organization may also enforce constraints via

35 `requirements.toml` (for example, disallowing `approval_policy = "never"` or35 `requirements.toml` (for example, disallowing `approval_policy = "never"` or

36 `sandbox_mode = "danger-full-access"`). See [Managed36 `sandbox_mode = "danger-full-access"`). See [Managed

~~37configuration](https://developers.openai.com/codex/security#managed-configuration) and [Admin-enforced~~37 configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Admin-enforced

38 requirements](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).38 requirements](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).

39 39

40## Common configuration options40## Common configuration options

46Choose the model Codex uses by default in the CLI and IDE.46Choose the model Codex uses by default in the CLI and IDE.

47 47

48```toml48```toml

~~49model = "gpt-5.2"~~49model = "gpt-5.4"

50```50```

51 51

52#### Approval prompts52#### Approval prompts

57approval_policy = "on-request"57approval_policy = "on-request"

58```58```

59 59

60For behavior differences between `untrusted`, `on-request`, and `never`, see [Run without approval prompts](https://developers.openai.com/codex/security#run-without-approval-prompts) and [Common sandbox and approval combinations](https://developers.openai.com/codex/security#common-sandbox-and-approval-combinations).60For behavior differences between `untrusted`, `on-request`, and `never`, see [Run without approval prompts](https://developers.openai.com/codex/agent-approvals-security#run-without-approval-prompts) and [Common sandbox and approval combinations](https://developers.openai.com/codex/agent-approvals-security#common-sandbox-and-approval-combinations).

61 61

62#### Sandbox level62#### Sandbox level

63 63

67sandbox_mode = "workspace-write"67sandbox_mode = "workspace-write"

68```68```

69 69

70For mode-by-mode behavior (including protected `.git`/`.codex` paths and network defaults), see [Sandbox and approvals](https://developers.openai.com/codex/security#sandbox-and-approvals), [Protected paths in writable roots](https://developers.openai.com/codex/security#protected-paths-in-writable-roots), and [Network access](https://developers.openai.com/codex/security#network-access).70For mode-by-mode behavior (including protected `.git`/`.codex` paths and network defaults), see [Sandbox and approvals](https://developers.openai.com/codex/agent-approvals-security#sandbox-and-approvals), [Protected paths in writable roots](https://developers.openai.com/codex/agent-approvals-security#protected-paths-in-writable-roots), and [Network access](https://developers.openai.com/codex/agent-approvals-security#network-access).

71 71

72#### Windows sandbox mode72#### Windows sandbox mode

73 73

74When running Codex natively on Windows, set the native sandbox mode to `elevated` in the `windows` table. Use `unelevated` only if you do not have administrator permissions or if elevated setup fails.74When running Codex natively on Windows, set the native sandbox mode to `elevated` in the `windows` table. Use `unelevated` only if you don't have administrator permissions or if elevated setup fails.

75 75

76```toml76```toml

77[windows]77[windows]

81 81

82#### Web search mode82#### Web search mode

83 83

84Codex enables web search by default for local tasks and serves results from a web search cache. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](https://developers.openai.com/codex/security#common-sandbox-and-approval-combinations), web search defaults to live results. Choose a mode with `web_search`:84Codex enables web search by default for local tasks and serves results from a web search cache. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](https://developers.openai.com/codex/agent-approvals-security#common-sandbox-and-approval-combinations), web search defaults to live results. Choose a mode with `web_search`:

85 85

86- `"cached"` (default) serves results from the web search cache.86- `"cached"` (default) serves results from the web search cache.

87- `"live"` fetches the most recent data from the web (same as `--search`).87- `"live"` fetches the most recent data from the web (same as `--search`).

147 147

148| Key | Default | Maturity | Description |148| Key | Default | Maturity | Description |

149| -------------------- | :-------------------: | ------------ | ---------------------------------------------------------------------------------------- |149| -------------------- | :-------------------: | ------------ | ---------------------------------------------------------------------------------------- |

config-reference.md +676 −62

Details

6 6

7User-level configuration lives in `~/.codex/config.toml`. You can also add project-scoped overrides in `.codex/config.toml` files. Codex loads project-scoped config files only when you trust the project.7User-level configuration lives in `~/.codex/config.toml`. You can also add project-scoped overrides in `.codex/config.toml` files. Codex loads project-scoped config files only when you trust the project.

8 8

9For sandbox and approval keys (`approval_policy`, `sandbox_mode`, and `sandbox_workspace_write.*`), pair this reference with [Sandbox and approvals](https://developers.openai.com/codex/security#sandbox-and-approvals), [Protected paths in writable roots](https://developers.openai.com/codex/security#protected-paths-in-writable-roots), and [Network access](https://developers.openai.com/codex/security#network-access).9For sandbox and approval keys (`approval_policy`, `sandbox_mode`, and `sandbox_workspace_write.*`), pair this reference with [Sandbox and approvals](https://developers.openai.com/codex/agent-approvals-security#sandbox-and-approvals), [Protected paths in writable roots](https://developers.openai.com/codex/agent-approvals-security#protected-paths-in-writable-roots), and [Network access](https://developers.openai.com/codex/agent-approvals-security#network-access).

10 10

11| Key | Type / Values | Details |11| Key | Type / Values | Details |

12| --- | --- | --- |12| --- | --- | --- |

15| `agents.<name>.nickname_candidates` | `array<string>` | Optional pool of display nicknames for spawned agents in that role. |

16| `agents.job_max_runtime_seconds` | `number` | Default per-worker timeout for `spawn_agents_on_csv` jobs. When unset, the tool falls back to 1800 seconds per worker. |

17| `allow_login_shell` | `boolean` | Allow shell-based tools to use login-shell semantics. Defaults to `true`; when `false`, `login = true` requests are rejected and omitted `login` defaults to non-login shells. |19| `allow_login_shell` | `boolean` | Allow shell-based tools to use login-shell semantics. Defaults to `true`; when `false`, `login = true` requests are rejected and omitted `login` defaults to non-login shells. |

20| `analytics.enabled` | `boolean` | Enable or disable analytics for this machine/profile. When unset, the client default applies. |

18| `approval_policy` | `untrusted | on-request | never | { reject = { sandbox_approval = bool, rules = bool, mcp_elicitations = bool } }` | Controls when Codex pauses for approval before executing commands. You can also use `approval_policy = { reject = { ... } }` to auto-reject specific prompt categories while keeping other prompts interactive. `on-failure` is deprecated; use `on-request` for interactive runs or `never` for non-interactive runs. |21| `approval_policy` | `untrusted | on-request | never | { reject = { sandbox_approval = bool, rules = bool, mcp_elicitations = bool } }` | Controls when Codex pauses for approval before executing commands. You can also use `approval_policy = { reject = { ... } }` to auto-reject specific prompt categories while keeping other prompts interactive. `on-failure` is deprecated; use `on-request` for interactive runs or `never` for non-interactive runs. |

39| `commit_attribution` | `string` | Override the commit co-author trailer text. Set an empty string to disable automatic attribution. |

~~40| `experimental_use_freeform_apply_patch` | `boolean` | Legacy name for enabling freeform apply\_patch; prefer `[features].apply_patch_freeform` or `codex --enable apply_patch_freeform`. |~~

~~42| `features.apply_patch_freeform` | `boolean` | Expose the freeform `apply_patch` tool (experimental). |~~

44| `features.apps_mcp_gateway` | `boolean` | Route Apps MCP calls through the OpenAI connectors MCP gateway (`https://api.openai.com/v1/connectors/mcp/`) instead of legacy routing (experimental). |46| `features.apps_mcp_gateway` | `boolean` | Route Apps MCP calls through the OpenAI connectors MCP gateway (`https://api.openai.com/v1/connectors/mcp/`) instead of legacy routing (experimental). |

47| `features.artifact` | `boolean` | Enable native artifact tools such as slides and spreadsheets (under development). |

~~47| `features.multi_agent` | `boolean` | Enable multi-agent collaboration tools (`spawn\_agent`, `send\_input`, `resume\_agent`, `wait`, and `close\_agent`) (experimental; off by default). |~~50| `features.default_mode_request_user_input` | `boolean` | Allow `request_user_input` in default collaboration mode (under development; off by default). |

51| `features.elevated_windows_sandbox` | `boolean` | Legacy toggle for an earlier elevated Windows sandbox rollout. Current builds do not use it. |

52| `features.enable_request_compression` | `boolean` | Compress streaming request bodies with zstd when supported (stable; on by default). |

53| `features.experimental_windows_sandbox` | `boolean` | Legacy toggle for an earlier Windows sandbox rollout. Current builds do not use it. |

54| `features.fast_mode` | `boolean` | Enable Fast mode selection and the `service_tier = "fast"` path (stable; on by default). |

55| `features.image_detail_original` | `boolean` | Allow image outputs with `detail = "original"` on supported models (under development). |

56| `features.image_generation` | `boolean` | Enable the built-in image generation tool (under development). |

61| `features.request_rule` | `boolean` | Legacy toggle for Smart approvals. Current builds include this behavior by default, so most users can leave this unset. |

62| `features.responses_websockets` | `boolean` | Prefer the Responses API WebSocket transport for supported providers (under development). |

63| `features.responses_websockets_v2` | `boolean` | Enable Responses API WebSocket v2 mode (under development). |

69| `features.skill_mcp_dependency_install` | `boolean` | Allow prompting and installing missing MCP dependencies for skills (stable; on by default). |

70| `features.sqlite` | `boolean` | Enable SQLite-backed state persistence (stable; on by default). |

71| `features.steer` | `boolean` | Legacy toggle from an earlier Enter/Tab steering rollout. Current builds always use the current steering behavior. |

72| `features.undo` | `boolean` | Enable undo support (stable; off by default). |

73| `features.unified_exec` | `boolean` | Use the unified PTY-backed exec tool (stable; enabled by default except on Windows). |

~~68| `include_apply_patch_tool` | `boolean` | Legacy name for enabling freeform apply\_patch; prefer `[features].apply_patch_freeform`. |~~

101| `mcp_servers.<id>.oauth_resource` | `string` | Optional RFC 8707 OAuth resource parameter to include during MCP login. |

103| `mcp_servers.<id>.scopes` | `array<string>` | OAuth scopes to request when authenticating to that MCP server. |

127| `model_providers.<id>.wire_api` | `responses` | Protocol used by the provider. `responses` is the only supported value, and it is the default when omitted. |

157| `permissions.network.admin_url` | `string` | Admin endpoint for the managed network proxy. |

158| `permissions.network.allow_local_binding` | `boolean` | Permit local bind/listen operations through the managed proxy. |

159| `permissions.network.allow_unix_sockets` | `array<string>` | Allowlist of Unix socket paths permitted through the managed proxy. |

160| `permissions.network.allow_upstream_proxy` | `boolean` | Allow the managed proxy to chain to another upstream proxy. |

161| `permissions.network.allowed_domains` | `array<string>` | Allowlist of domains permitted through the managed proxy. |

162| `permissions.network.dangerously_allow_all_unix_sockets` | `boolean` | Allow the proxy to use arbitrary Unix sockets instead of the default restricted set. |

163| `permissions.network.dangerously_allow_non_loopback_admin` | `boolean` | Permit non-loopback bind addresses for the managed proxy admin listener. |

164| `permissions.network.dangerously_allow_non_loopback_proxy` | `boolean` | Permit non-loopback bind addresses for the managed proxy listener. |

165| `permissions.network.denied_domains` | `array<string>` | Denylist of domains blocked by the managed proxy. |

166| `permissions.network.enable_socks5` | `boolean` | Expose a SOCKS5 listener from the managed network proxy. |

167| `permissions.network.enable_socks5_udp` | `boolean` | Allow UDP over the SOCKS5 listener when enabled. |

168| `permissions.network.enabled` | `boolean` | Enable the managed network proxy configuration for subprocesses. |

170| `permissions.network.proxy_url` | `string` | HTTP proxy endpoint used by the managed network proxy. |

171| `permissions.network.socks_url` | `string` | SOCKS5 proxy endpoint used by the managed network proxy. |

142| `profiles.<name>.include_apply_patch_tool` | `boolean` | Legacy name for enabling freeform apply\_patch; prefer `[features].apply_patch_freeform`. |

143| `profiles.<name>.model_catalog_json` | `string (path)` | Profile-scoped model catalog JSON path override (applied on startup only; overrides the top-level `model_catalog_json` for that profile). |178| `profiles.<name>.model_catalog_json` | `string (path)` | Profile-scoped model catalog JSON path override (applied on startup only; overrides the top-level `model_catalog_json` for that profile). |

179| `profiles.<name>.model_instructions_file` | `string (path)` | Profile-scoped replacement for the built-in instruction file. |

184| `profiles.<name>.tools_view_image` | `boolean` | Enable or disable the `view_image` tool in that profile. |

208| `sqlite_home` | `string (path)` | Directory where Codex stores the SQLite-backed state DB used by agent jobs and other resumable runtime state. |

211| `tools.view_image` | `boolean` | Enable the local-image attachment tool `view_image`. |

170| `tui` | `table` | TUI-specific options such as enabling inline desktop notifications. |213| `tui` | `table` | TUI-specific options such as enabling inline desktop notifications. |

216| `tui.model_availability_nux.<model>` | `integer` | Internal startup-tooltip state keyed by model slug. |

173| `tui.notification_method` | `auto | osc9 | bel` | Notification method for unfocused terminal notifications (default: auto). |217| `tui.notification_method` | `auto | osc9 | bel` | Notification method for unfocused terminal notifications (default: auto). |

221| `tui.theme` | `string` | Syntax-highlighting theme override (kebab-case theme name). |

177| `web_search` | `disabled | cached | live` | Web search mode (default: `"cached"`; cached uses an OpenAI-maintained index and does not fetch live pages; if you use `--yolo` or another full access sandbox setting, it defaults to `"live"`). Use `"live"` to fetch the most recent data from the web, or `"disabled"` to remove the tool. |222| `web_search` | `disabled | cached | live` | Web search mode (default: `"cached"`; cached uses an OpenAI-maintained index and does not fetch live pages; if you use `--yolo` or another full access sandbox setting, it defaults to `"live"`). Use `"live"` to fetch the most recent data from the web, or `"disabled"` to remove the tool. |

204 249

205Key250Key

206 251

252`agents.<name>.nickname_candidates`

253

254Type / Values

255

256`array<string>`

257

258Details

259

260Optional pool of display nicknames for spawned agents in that role.

261

262Key

263

264`agents.job_max_runtime_seconds`

265

266Type / Values

267

268`number`

269

270Details

271

272Default per-worker timeout for `spawn_agents_on_csv` jobs. When unset, the tool falls back to 1800 seconds per worker.

273

274Key

275

207`agents.max_depth`276`agents.max_depth`

208 277

209Type / Values278Type / Values

224 293

225Details294Details

226 295

227Maximum number of agent threads that can be open concurrently.296Maximum number of agent threads that can be open concurrently. Defaults to `6` when unset.

228 297

229Key298Key

230 299

240 309

241Key310Key

242 311

312`analytics.enabled`

313

314Type / Values

315

316`boolean`

317

318Details

319

320Enable or disable analytics for this machine/profile. When unset, the client default applies.

321

322Key

323

243`approval_policy`324`approval_policy`

244 325

245Type / Values326Type / Values

456 537

457Key538Key

458 539

540`commit_attribution`

541

542Type / Values

543

544`string`

545

546Details

547

548Override the commit co-author trailer text. Set an empty string to disable automatic attribution.

549

550Key

551

459`compact_prompt`552`compact_prompt`

460 553

461Type / Values554Type / Values

504 597

505Key598Key

506 599

507`experimental_use_freeform_apply_patch`600`experimental_use_unified_exec_tool`

508 601

509Type / Values602Type / Values

510 603

512 605

513Details606Details

514 607

515Legacy name for enabling freeform apply\_patch; prefer `[features].apply_patch_freeform` or `codex --enable apply_patch_freeform`.608Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`.

516 609

517Key610Key

518 611

519`experimental_use_unified_exec_tool`612`features.apps`

520 613

521Type / Values614Type / Values

522 615

524 617

525Details618Details

526 619

527Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`.620Enable ChatGPT Apps/connectors support (experimental).

528 621

529Key622Key

530 623

531`features.apply_patch_freeform`624`features.apps_mcp_gateway`

532 625

533Type / Values626Type / Values

534 627

536 629

537Details630Details

538 631

539Expose the freeform `apply_patch` tool (experimental).632Route Apps MCP calls through the OpenAI connectors MCP gateway (`https://api.openai.com/v1/connectors/mcp/`) instead of legacy routing (experimental).

540 633

541Key634Key

542 635

543`features.apps`636`features.artifact`

544 637

545Type / Values638Type / Values

546 639

548 641

549Details642Details

550 643

551Enable ChatGPT Apps/connectors support (experimental).644Enable native artifact tools such as slides and spreadsheets (under development).

552 645

553Key646Key

554 647

555`features.apps_mcp_gateway`648`features.child_agents_md`

556 649

557Type / Values650Type / Values

558 651

560 653

561Details654Details

562 655

563Route Apps MCP calls through the OpenAI connectors MCP gateway (`https://api.openai.com/v1/connectors/mcp/`) instead of legacy routing (experimental).656Append AGENTS.md scope/precedence guidance even when no AGENTS.md is present (experimental).

564 657

565Key658Key

566 659

567`features.child_agents_md`660`features.collaboration_modes`

568 661

569Type / Values662Type / Values

570 663

572 665

573Details666Details

574 667

575Append AGENTS.md scope/precedence guidance even when no AGENTS.md is present (experimental).668Legacy toggle for collaboration modes. Plan and default modes are available in current builds without setting this key.

576 669

577Key670Key

578 671

579`features.collaboration_modes`672`features.default_mode_request_user_input`

673

674Type / Values

675

676`boolean`

677

678Details

679

680Allow `request_user_input` in default collaboration mode (under development; off by default).

681

682Key

683

684`features.elevated_windows_sandbox`

685

686Type / Values

687

688`boolean`

689

690Details

691

692Legacy toggle for an earlier elevated Windows sandbox rollout. Current builds do not use it.

693

694Key

695

696`features.enable_request_compression`

697

698Type / Values

699

700`boolean`

701

702Details

703

704Compress streaming request bodies with zstd when supported (stable; on by default).

705

706Key

707

708`features.experimental_windows_sandbox`

709

710Type / Values

711

712`boolean`

713

714Details

715

716Legacy toggle for an earlier Windows sandbox rollout. Current builds do not use it.

717

718Key

719

720`features.fast_mode`

721

722Type / Values

723

724`boolean`

725

726Details

727

728Enable Fast mode selection and the `service_tier = "fast"` path (stable; on by default).

729

730Key

731

732`features.image_detail_original`

580 733

581Type / Values734Type / Values

582 735

584 737

585Details738Details

586 739

587Enable collaboration modes such as plan mode (stable; on by default).740Allow image outputs with `detail = "original"` on supported models (under development).

588 741

589Key742Key

590 743

591`features.multi_agent`744`features.image_generation`

592 745

593Type / Values746Type / Values

594 747

596 749

597Details750Details

598 751

599Enable multi-agent collaboration tools (`spawn\_agent`, `send\_input`, `resume\_agent`, `wait`, and `close\_agent`) (experimental; off by default).752Enable the built-in image generation tool (under development).

600 753

601Key754Key

602 755

620 773

621Details774Details

622 775

623Force PowerShell UTF-8 output (defaults to true).776Force PowerShell UTF-8 output. Enabled by default on Windows and off elsewhere.

777

778Key

779

780`features.prevent_idle_sleep`

781

782Type / Values

783

784`boolean`

785

786Details

787

788Prevent the machine from sleeping while a turn is actively running (experimental; off by default).

624 789

625Key790Key

626 791

632 797

633Details798Details

634 799

635Refresh remote model list before showing readiness (experimental).800Legacy toggle for an older remote-model readiness flow. Current builds do not use it.

636 801

637Key802Key

638 803

644 809

645Details810Details

646 811

647Enable Smart approvals (`prefix_rule` suggestions on escalation requests; stable; on by default).812Legacy toggle for Smart approvals. Current builds include this behavior by default, so most users can leave this unset.

813

814Key

815

816`features.responses_websockets`

817

818Type / Values

819

820`boolean`

821

822Details

823

824Prefer the Responses API WebSocket transport for supported providers (under development).

825

826Key

827

828`features.responses_websockets_v2`

829

830Type / Values

831

832`boolean`

833

834Details

835

836Enable Responses API WebSocket v2 mode (under development).

648 837

649Key838Key

650 839

668 857

669Details858Details

670 859

671Enable `search_tool_bm25` for Apps tool discovery before invoking app MCP tools (experimental).860Legacy toggle for an older Apps discovery flow. Current builds do not use it.

672 861

673Key862Key

674 863

680 869

681Details870Details

682 871

683Snapshot shell environment to speed up repeated commands (beta).872Snapshot shell environment to speed up repeated commands (stable; on by default).

684 873

685Key874Key

686 875

696 885

697Key886Key

698 887

888`features.skill_env_var_dependency_prompt`

889

890Type / Values

891

892`boolean`

893

894Details

895

896Prompt for missing skill environment-variable dependencies (under development).

897

898Key

899

900`features.skill_mcp_dependency_install`

901

902Type / Values

903

904`boolean`

905

906Details

907

908Allow prompting and installing missing MCP dependencies for skills (stable; on by default).

909

910Key

911

912`features.sqlite`

913

914Type / Values

915

916`boolean`

917

918Details

919

920Enable SQLite-backed state persistence (stable; on by default).

921

922Key

923

924`features.steer`

925

926Type / Values

927

928`boolean`

929

930Details

931

932Legacy toggle from an earlier Enter/Tab steering rollout. Current builds always use the current steering behavior.

933

934Key

935

936`features.undo`

937

938Type / Values

939

940`boolean`

941

942Details

943

944Enable undo support (stable; off by default).

945

946Key

947

699`features.unified_exec`948`features.unified_exec`

700 949

701Type / Values950Type / Values

704 953

705Details954Details

706 955

707Use the unified PTY-backed exec tool (beta).956Use the unified PTY-backed exec tool (stable; enabled by default except on Windows).

708 957

709Key958Key

710 959

840 1089

841Key1090Key

842 1091

843`include_apply_patch_tool`

~~844~~

845Type / Values

~~846~~

847`boolean`

~~848~~

849Details

~~850~~

851Legacy name for enabling freeform apply\_patch; prefer `[features].apply_patch_freeform`.

~~852~~

853Key

~~854~~

855`instructions`1092`instructions`

856 1093

857Type / Values1094Type / Values

1044 1281

1045Key1282Key

1046 1283

1284`mcp_servers.<id>.oauth_resource`

1285

1286Type / Values

1287

1288`string`

1289

1290Details

1291

1292Optional RFC 8707 OAuth resource parameter to include during MCP login.

1293

1294Key

1295

1047`mcp_servers.<id>.required`1296`mcp_servers.<id>.required`

1048 1297

1049Type / Values1298Type / Values

1056 1305

1057Key1306Key

1058 1307

1308`mcp_servers.<id>.scopes`

1309

1310Type / Values

1311

1312`array<string>`

1313

1314Details

1315

1316OAuth scopes to request when authenticating to that MCP server.

1317

1318Key

1319

1059`mcp_servers.<id>.startup_timeout_ms`1320`mcp_servers.<id>.startup_timeout_ms`

1060 1321

1061Type / Values1322Type / Values

1320 1581

1321Key1582Key

1322 1583

1584`model_providers.<id>.supports_websockets`

1585

1586Type / Values

1587

1588`boolean`

1589

1590Details

1591

1592Whether that provider supports the Responses API WebSocket transport.

1593

1594Key

1595

1323`model_providers.<id>.wire_api`1596`model_providers.<id>.wire_api`

1324 1597

1325Type / Values1598Type / Values

1326 1599

1327`chat | responses`1600`responses`

1328 1601

1329Details1602Details

1330 1603

1331Protocol used by the provider (defaults to `chat` if omitted).1604Protocol used by the provider. `responses` is the only supported value, and it is the default when omitted.

1332 1605

1333Key1606Key

1334 1607

1376 1649

1377Details1650Details

1378 1651

1379Control GPT-5 Responses API verbosity (defaults to `medium`).1652Optional GPT-5 Responses API verbosity override; when unset, the selected model/preset default is used.

1380 1653

1381Key1654Key

1382 1655

1584 1857

1585Key1858Key

1586 1859

1860`otel.metrics_exporter`

1861

1862Type / Values

1863

1864`none | statsig | otlp-http | otlp-grpc`

1865

1866Details

1867

1868Select the OpenTelemetry metrics exporter (defaults to `statsig`).

1869

1870Key

1871

1587`otel.trace_exporter`1872`otel.trace_exporter`

1588 1873

1589Type / Values1874Type / Values

1668 1953

1669Key1954Key

1670 1955

1956`permissions.network.admin_url`

1957

1958Type / Values

1959

1960`string`

1961

1962Details

1963

1964Admin endpoint for the managed network proxy.

1965

1966Key

1967

1968`permissions.network.allow_local_binding`

1969

1970Type / Values

1971

1972`boolean`

1973

1974Details

1975

1976Permit local bind/listen operations through the managed proxy.

1977

1978Key

1979

1980`permissions.network.allow_unix_sockets`

1981

1982Type / Values

1983

1984`array<string>`

1985

1986Details

1987

1988Allowlist of Unix socket paths permitted through the managed proxy.

1989

1990Key

1991

1992`permissions.network.allow_upstream_proxy`

1993

1994Type / Values

1995

1996`boolean`

1997

1998Details

1999

2000Allow the managed proxy to chain to another upstream proxy.

2001

2002Key

2003

2004`permissions.network.allowed_domains`

2005

2006Type / Values

2007

2008`array<string>`

2009

2010Details

2011

2012Allowlist of domains permitted through the managed proxy.

2013

2014Key

2015

2016`permissions.network.dangerously_allow_all_unix_sockets`

2017

2018Type / Values

2019

2020`boolean`

2021

2022Details

2023

2024Allow the proxy to use arbitrary Unix sockets instead of the default restricted set.

2025

2026Key

2027

2028`permissions.network.dangerously_allow_non_loopback_admin`

2029

2030Type / Values

2031

2032`boolean`

2033

2034Details

2035

2036Permit non-loopback bind addresses for the managed proxy admin listener.

2037

2038Key

2039

2040`permissions.network.dangerously_allow_non_loopback_proxy`

2041

2042Type / Values

2043

2044`boolean`

2045

2046Details

2047

2048Permit non-loopback bind addresses for the managed proxy listener.

2049

2050Key

2051

2052`permissions.network.denied_domains`

2053

2054Type / Values

2055

2056`array<string>`

2057

2058Details

2059

2060Denylist of domains blocked by the managed proxy.

2061

2062Key

2063

2064`permissions.network.enable_socks5`

2065

2066Type / Values

2067

2068`boolean`

2069

2070Details

2071

2072Expose a SOCKS5 listener from the managed network proxy.

2073

2074Key

2075

2076`permissions.network.enable_socks5_udp`

2077

2078Type / Values

2079

2080`boolean`

2081

2082Details

2083

2084Allow UDP over the SOCKS5 listener when enabled.

2085

2086Key

2087

2088`permissions.network.enabled`

2089

2090Type / Values

2091

2092`boolean`

2093

2094Details

2095

2096Enable the managed network proxy configuration for subprocesses.

2097

2098Key

2099

2100`permissions.network.mode`

2101

2102Type / Values

2103

2104`limited | full`

2105

2106Details

2107

2108Network proxy mode used for subprocess traffic.

2109

2110Key

2111

2112`permissions.network.proxy_url`

2113

2114Type / Values

2115

2116`string`

2117

2118Details

2119

2120HTTP proxy endpoint used by the managed network proxy.

2121

2122Key

2123

2124`permissions.network.socks_url`

2125

2126Type / Values

2127

2128`string`

2129

2130Details

2131

2132SOCKS5 proxy endpoint used by the managed network proxy.

2133

2134Key

2135

1671`personality`2136`personality`

1672 2137

1673Type / Values2138Type / Values

1680 2145

1681Key2146Key

1682 2147

2148`plan_mode_reasoning_effort`

2149

2150Type / Values

2151

2153

2154Details

2155

2156Plan-mode-specific reasoning override. When unset, Plan mode uses its built-in preset default.

2157

2158Key

2159

1683`profile`2160`profile`

1684 2161

1685Type / Values2162Type / Values

1704 2181

1705Key2182Key

1706 2183

1707`profiles.<name>.experimental_use_freeform_apply_patch`2184`profiles.<name>.analytics.enabled`

1708 2185

1709Type / Values2186Type / Values

1710 2187

1712 2189

1713Details2190Details

1714 2191

1715Legacy name for enabling freeform apply\_patch; prefer `[features].apply_patch_freeform`.2192Profile-scoped analytics enablement override.

1716 2193

1717Key2194Key

1718 2195

1728 2205

1729Key2206Key

1730 2207

1731`profiles.<name>.include_apply_patch_tool`2208`profiles.<name>.model_catalog_json`

1732 2209

1733Type / Values2210Type / Values

1734 2211

1735`boolean`2212`string (path)`

1736 2213

1737Details2214Details

1738 2215

1739Legacy name for enabling freeform apply\_patch; prefer `[features].apply_patch_freeform`.2216Profile-scoped model catalog JSON path override (applied on startup only; overrides the top-level `model_catalog_json` for that profile).

1740 2217

1741Key2218Key

1742 2219

1743`profiles.<name>.model_catalog_json`2220`profiles.<name>.model_instructions_file`

1744 2221

1745Type / Values2222Type / Values

1746 2223

1748 2225

1749Details2226Details

1750 2227

1751Profile-scoped model catalog JSON path override (applied on startup only; overrides the top-level `model_catalog_json` for that profile).2228Profile-scoped replacement for the built-in instruction file.

1752 2229

1753Key2230Key

1754 2231

1776 2253

1777Key2254Key

1778 2255

2256`profiles.<name>.plan_mode_reasoning_effort`

2257

2258Type / Values

2259

2261

2262Details

2263

2264Profile-scoped Plan-mode reasoning override.

2265

2266Key

2267

2268`profiles.<name>.service_tier`

2269

2270Type / Values

2271

2272`flex | fast`

2273

2274Details

2275

2276Profile-scoped service tier preference for new turns.

2277

2278Key

2279

2280`profiles.<name>.tools_view_image`

2281

2282Type / Values

2283

2284`boolean`

2285

2286Details

2287

2288Enable or disable the `view_image` tool in that profile.

2289

2290Key

2291

1779`profiles.<name>.web_search`2292`profiles.<name>.web_search`

1780 2293

1781Type / Values2294Type / Values

1788 2301

1789Key2302Key

1790 2303

2304`profiles.<name>.windows.sandbox`

2305

2306Type / Values

2307

2308`unelevated | elevated`

2309

2310Details

2311

2312Profile-scoped Windows sandbox mode override.

2313

2314Key

2315

1791`project_doc_fallback_filenames`2316`project_doc_fallback_filenames`

1792 2317

1793Type / Values2318Type / Values

1908 2433

1909Key2434Key

1910 2435

2436`service_tier`

2437

2438Type / Values

2439

2440`flex | fast`

2441

2442Details

2443

2444Preferred service tier for new turns. `fast` is honored only when the `features.fast_mode` gate is enabled.

2445

2446Key

2447

1911`shell_environment_policy.exclude`2448`shell_environment_policy.exclude`

1912 2449

1913Type / Values2450Type / Values

2028 2565

2029Key2566Key

2030 2567

2568`sqlite_home`

2569

2570Type / Values

2571

2572`string (path)`

2573

2574Details

2575

2576Directory where Codex stores the SQLite-backed state DB used by agent jobs and other resumable runtime state.

2577

2578Key

2579

2031`suppress_unstable_features_warning`2580`suppress_unstable_features_warning`

2032 2581

2033Type / Values2582Type / Values

2052 2601

2053Key2602Key

2054 2603

2604`tools.view_image`

2605

2606Type / Values

2607

2608`boolean`

2609

2610Details

2611

2612Enable the local-image attachment tool `view_image`.

2613

2614Key

2615

2055`tools.web_search`2616`tools.web_search`

2056 2617

2057Type / Values2618Type / Values

2100 2661

2101Key2662Key

2102 2663

2664`tui.model_availability_nux.<model>`

2665

2666Type / Values

2667

2668`integer`

2669

2670Details

2671

2672Internal startup-tooltip state keyed by model slug.

2673

2674Key

2675

2103`tui.notification_method`2676`tui.notification_method`

2104 2677

2105Type / Values2678Type / Values

2148 2721

2149Key2722Key

2150 2723

2724`tui.theme`

2725

2726Type / Values

2727

2728`string`

2729

2730Details

2731

2732Syntax-highlighting theme override (kebab-case theme name).

2733

2734Key

2735

2151`web_search`2736`web_search`

2152 2737

2153Type / Values2738Type / Values

2201For ChatGPT Business and Enterprise users, Codex can also apply cloud-fetched2786For ChatGPT Business and Enterprise users, Codex can also apply cloud-fetched

2202requirements. See the security page for precedence details.2787requirements. See the security page for precedence details.

2203 2788

2789Use `[features]` in `requirements.toml` to pin feature flags by the same

2790canonical keys that `config.toml` uses. Omitted keys remain unconstrained.

2791

2204| Key | Type / Values | Details |2792| Key | Type / Values | Details |

2205| --- | --- | --- |2793| --- | --- | --- |

2208| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |2796| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |

2797| `features` | `table` | Pinned feature values keyed by the canonical names from `config.toml`'s `[features]` table. |

2798| `features.<name>` | `boolean` | Require a specific canonical feature key to stay enabled or disabled. |

2209| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |2799| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |

2256 2846

2257Key2847Key

2258 2848

2849`features`

2850

2851Type / Values

2852

2853`table`

2854

2855Details

2856

2857Pinned feature values keyed by the canonical names from `config.toml`'s `[features]` table.

2858

2859Key

2860

2861`features.<name>`

2862

2863Type / Values

2864

2865`boolean`

2866

2867Details

2868

2869Require a specific canonical feature key to stay enabled or disabled.

2870

2871Key

2872

2259`mcp_servers`2873`mcp_servers`

2260 2874

2261Type / Values2875Type / Values

config-sample.md +140 −115

Details

1# Sample Configuration1# Sample Configuration

2 2

~~3Use this example configuration as a starting point. It includes most keys Codex reads from `config.toml`, along with defaults and short notes.~~3Use this example configuration as a starting point. It includes most keys Codex reads from `config.toml`, along with default behaviors, recommended values where helpful, and short notes.

4 4

5For explanations and guidance, see:5For explanations and guidance, see:

6 6

7- [Config basics](https://developers.openai.com/codex/config-basic)7- [Config basics](https://developers.openai.com/codex/config-basic)

8- [Advanced Config](https://developers.openai.com/codex/config-advanced)8- [Advanced Config](https://developers.openai.com/codex/config-advanced)

9- [Config Reference](https://developers.openai.com/codex/config-reference)9- [Config Reference](https://developers.openai.com/codex/config-reference)

~~10- [Sandbox and approvals](https://developers.openai.com/codex/security#sandbox-and-approvals)~~10- [Sandbox and approvals](https://developers.openai.com/codex/agent-approvals-security#sandbox-and-approvals)

~~11- [Managed configuration](https://developers.openai.com/codex/security#managed-configuration)~~11- [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration)

12 12

13Use the snippet below as a reference. Copy only the keys and sections you need into `~/.codex/config.toml` (or into a project-scoped `.codex/config.toml`), then adjust values for your setup.13Use the snippet below as a reference. Copy only the keys and sections you need into `~/.codex/config.toml` (or into a project-scoped `.codex/config.toml`), then adjust values for your setup.

14 14

15```toml15```toml

16# Codex example configuration (config.toml)16# Codex example configuration (config.toml)

17#17#

~~18# This file lists all keys Codex reads from config.toml, their default values,~~18# This file lists the main keys Codex reads from config.toml, along with default

~~19# and concise explanations. Values here mirror the effective defaults compiled~~19# behaviors, recommended examples, and concise explanations. Adjust as needed.

~~20# into the CLI. Adjust as needed.~~

21#20#

22# Notes21# Notes

23# - Root keys must appear before tables in TOML.22# - Root keys must appear before tables in TOML.

28# Core Model Selection27# Core Model Selection

29################################################################################28################################################################################

30 29

~~31# Primary model used by Codex. Default: "gpt-5.2-codex" on all platforms.~~30# Primary model used by Codex. Recommended example for most users: "gpt-5.4".

~~32model = "gpt-5.2-codex"~~31model = "gpt-5.4"

33 32

~~34# Default communication style for supported models. Default: "friendly".~~33# Communication style for supported models. Allowed values: none | friendly | pragmatic

~~35# Allowed values: none | friendly | pragmatic~~34# personality = "pragmatic"

~~36# personality = "friendly"~~

37 35

38# Optional model override for /review. Default: unset (uses current session model).36# Optional model override for /review. Default: unset (uses current session model).

~~39# review_model = "gpt-5.2-codex"~~37# review_model = "gpt-5.4"

40 38

41# Provider id selected from [model_providers]. Default: "openai".39# Provider id selected from [model_providers]. Default: "openai".

42model_provider = "openai"40model_provider = "openai"

44# Default OSS provider for --oss sessions. When unset, Codex prompts. Default: unset.42# Default OSS provider for --oss sessions. When unset, Codex prompts. Default: unset.

45# oss_provider = "ollama"43# oss_provider = "ollama"

46 44

~~47# Optional manual model metadata. When unset, Codex auto-detects from model.~~45# Preferred service tier. `fast` is honored only when enabled in [features].

~~48# Uncomment to force values.~~46# service_tier = "flex" # fast | flex

48# Optional manual model metadata. When unset, Codex uses model or preset defaults.

49# model_context_window = 128000 # tokens; default: auto for model49# model_context_window = 128000 # tokens; default: auto for model

~~50# model_auto_compact_token_limit = 0 # tokens; unset uses model defaults~~50# model_auto_compact_token_limit = 64000 # tokens; unset uses model defaults

~~51# tool_output_token_limit = 10000 # tokens stored per tool output; default: 10000 for gpt-5.2-codex~~51# tool_output_token_limit = 12000 # tokens stored per tool output

52# model_catalog_json = "/absolute/path/to/models.json" # optional startup-only model catalog override52# model_catalog_json = "/absolute/path/to/models.json" # optional startup-only model catalog override

53# background_terminal_max_timeout = 300000 # ms; max empty write_stdin poll window (default 5m)53# background_terminal_max_timeout = 300000 # ms; max empty write_stdin poll window (default 5m)

54# log_dir = "/absolute/path/to/codex-logs" # directory for Codex logs; default: "$CODEX_HOME/log"54# log_dir = "/absolute/path/to/codex-logs" # directory for Codex logs; default: "$CODEX_HOME/log"

55# sqlite_home = "/absolute/path/to/codex-state" # optional SQLite-backed runtime state directory

55 56

56################################################################################57################################################################################

57# Reasoning & Verbosity (Responses API capable models)58# Reasoning & Verbosity (Responses API capable models)

58################################################################################59################################################################################

59 60

~~61model_reasoning_effort = "medium"~~62# model_reasoning_effort = "medium"

65# plan_mode_reasoning_effort = "high"

62 66

64# model_reasoning_summary = "auto"68# model_reasoning_summary = "auto"

65 69

~~66# Text verbosity for GPT-5 family (Responses API): low | medium | high (default: medium)~~70# Text verbosity for GPT-5 family (Responses API): low | medium | high

67# model_verbosity = "medium"71# model_verbosity = "medium"

68 72

~~69# Force enable or disable reasoning summaries for current model~~73# Force enable or disable reasoning summaries for current model.

70# model_supports_reasoning_summaries = true74# model_supports_reasoning_summaries = true

71 75

72################################################################################76################################################################################

76# Additional user instructions are injected before AGENTS.md. Default: unset.80# Additional user instructions are injected before AGENTS.md. Default: unset.

77# developer_instructions = ""81# developer_instructions = ""

78 82

~~79# (Ignored) Optional legacy base instructions override (prefer AGENTS.md). Default: unset.~~

~~80# instructions = ""~~

82# Inline override for the history compaction prompt. Default: unset.83# Inline override for the history compaction prompt. Default: unset.

83# compact_prompt = ""84# compact_prompt = ""

84 85

86# Override the default commit co-author trailer. Set to "" to disable it.

87# commit_attribution = "Jane Doe <jane@example.com>"

85# Override built-in base instructions with a file path. Default: unset.89# Override built-in base instructions with a file path. Default: unset.

86# model_instructions_file = "/absolute/or/relative/path/to/instructions.txt"90# model_instructions_file = "/absolute/or/relative/path/to/instructions.txt"

87 91

~~88# Migration note: experimental_instructions_file was renamed to model_instructions_file (deprecated).~~

90# Load the compact prompt override from a file. Default: unset.92# Load the compact prompt override from a file. Default: unset.

91# experimental_compact_prompt_file = "/absolute/or/relative/path/to/compact_prompt.txt"93# experimental_compact_prompt_file = "/absolute/or/relative/path/to/compact_prompt.txt"

92 94

~~93# Legacy name for apply_patch_freeform. Default: false~~

~~94include_apply_patch_tool = false~~

96################################################################################95################################################################################

97# Notifications96# Notifications

98################################################################################97################################################################################

99 98

100# External notifier program (argv array). When unset: disabled.99# External notifier program (argv array). When unset: disabled.

101# Example: notify = ["notify-send", "Codex"]100# notify = ["notify-send", "Codex"]

102notify = [ ]

103 101

104################################################################################102################################################################################

105# Approval & Sandbox103# Approval & Sandbox

131# Where to persist CLI login credentials: file (default) | keyring | auto129# Where to persist CLI login credentials: file (default) | keyring | auto

132cli_auth_credentials_store = "file"130cli_auth_credentials_store = "file"

133 131

134# Base URL for ChatGPT auth flow (not OpenAI API). Default:132# Base URL for ChatGPT auth flow (not OpenAI API).

135chatgpt_base_url = "https://chatgpt.com/backend-api/"133chatgpt_base_url = "https://chatgpt.com/backend-api/"

136 134

137# Restrict ChatGPT login to a specific workspace id. Default: unset.135# Restrict ChatGPT login to a specific workspace id. Default: unset.

138# forced_chatgpt_workspace_id = ""136# forced_chatgpt_workspace_id = "00000000-0000-0000-0000-000000000000"

139 137

140# Force login mechanism when Codex would normally auto-select. Default: unset.138# Force login mechanism when Codex would normally auto-select. Default: unset.

141# Allowed values: chatgpt | api139# Allowed values: chatgpt | api

200# If you use --yolo or another full access sandbox setting, web search defaults to live.196# If you use --yolo or another full access sandbox setting, web search defaults to live.

201web_search = "cached"197web_search = "cached"

202 198

203################################################################################

204# Profiles (named presets)

205################################################################################

~~206~~

207# Active profile name. When unset, no profile is applied.199# Active profile name. When unset, no profile is applied.

208# profile = "default"200# profile = "default"

209 201

202# Suppress the warning shown when under-development feature flags are enabled.

203# suppress_unstable_features_warning = true

204

210################################################################################205################################################################################

211# Agents (multi-agent roles and limits)206# Agents (multi-agent roles and limits)

212################################################################################207################################################################################

213 208

214# [agents]209[agents]

215# Maximum concurrently open agent threads. Default: 6210# Maximum concurrently open agent threads. Default: 6

216# max_threads = 6211# max_threads = 6

217# Maximum nested spawn depth. Root session starts at depth 0. Default: 1212# Maximum nested spawn depth. Root session starts at depth 0. Default: 1

218# max_depth = 1213# max_depth = 1

214# Default timeout per worker for spawn_agents_on_csv jobs. When unset, the tool defaults to 1800 seconds.

215# job_max_runtime_seconds = 1800

219 216

220# [agents.reviewer]217# [agents.reviewer]

221# description = "Find security, correctness, and test risks in code."218# description = "Find correctness, security, and test risks in code."

222# config_file = "./agents/reviewer.toml" # relative to the config.toml that defines it219# config_file = "./agents/reviewer.toml" # relative to the config.toml that defines it

220# nickname_candidates = ["Athena", "Ada"]

223 221

224################################################################################222################################################################################

225# Skills (per-skill overrides)223# Skills (per-skill overrides)

227 225

228# Disable or re-enable a specific skill without deleting it.226# Disable or re-enable a specific skill without deleting it.

229[[skills.config]]227[[skills.config]]

230# path = "/path/to/skill"228# path = "/path/to/skill/SKILL.md"

231# enabled = false229# enabled = false

232 230

233################################################################################

234# Experimental toggles (legacy; prefer [features])

235################################################################################

~~236~~

237experimental_use_unified_exec_tool = false

~~238~~

239# Include apply_patch via freeform editing path (affects default tool set). Default: false

240experimental_use_freeform_apply_patch = false

~~241~~

242################################################################################231################################################################################

243# Sandbox settings (tables)232# Sandbox settings (tables)

244################################################################################233################################################################################

261[shell_environment_policy]250[shell_environment_policy]

262# inherit: all (default) | core | none251# inherit: all (default) | core | none

263inherit = "all"252inherit = "all"

264# Skip default excludes for names containing KEY/SECRET/TOKEN (case-insensitive). Default: true253# Skip default excludes for names containing KEY/SECRET/TOKEN (case-insensitive). Default: false

265ignore_default_excludes = true254ignore_default_excludes = false

266# Case-insensitive glob patterns to remove (e.g., "AWS_*", "AZURE_*"). Default: []255# Case-insensitive glob patterns to remove (e.g., "AWS_*", "AZURE_*"). Default: []

267exclude = []256exclude = []

268# Explicit key/value overrides (always win). Default: {}257# Explicit key/value overrides (always win). Default: {}

272# Experimental: run via user shell profile. Default: false261# Experimental: run via user shell profile. Default: false

273experimental_use_profile = false262experimental_use_profile = false

274 263

264################################################################################

265# Managed network proxy settings

266################################################################################

267

268[permissions.network]

269# enabled = true

270# proxy_url = "http://127.0.0.1:43128"

271# admin_url = "http://127.0.0.1:43129"

272# enable_socks5 = false

273# socks_url = "http://127.0.0.1:43130"

274# enable_socks5_udp = false

275# allow_upstream_proxy = false

276# dangerously_allow_non_loopback_proxy = false

277# dangerously_allow_non_loopback_admin = false

278# dangerously_allow_all_unix_sockets = false

279# mode = "limited" # limited | full

280# allowed_domains = ["api.openai.com"]

281# denied_domains = ["example.com"]

282# allow_unix_sockets = ["/var/run/docker.sock"]

283# allow_local_binding = false

284

275################################################################################285################################################################################

276# History (table)286# History (table)

277################################################################################287################################################################################

280# save-all (default) | none290# save-all (default) | none

281persistence = "save-all"291persistence = "save-all"

282# Maximum bytes for history file; oldest entries are trimmed when exceeded. Example: 5242880292# Maximum bytes for history file; oldest entries are trimmed when exceeded. Example: 5242880

283# max_bytes = 0293# max_bytes = 5242880

284 294

285################################################################################295################################################################################

286# UI, Notifications, and Misc (tables)296# UI, Notifications, and Misc (tables)

312# You can also add custom .tmTheme files under $CODEX_HOME/themes.322# You can also add custom .tmTheme files under $CODEX_HOME/themes.

313# theme = "catppuccin-mocha"323# theme = "catppuccin-mocha"

314 324

325# Internal tooltip state keyed by model slug. Usually managed by Codex.

326# [tui.model_availability_nux]

327# "gpt-5.4" = 1

328

329# Enable or disable analytics for this machine. When unset, Codex uses its default behavior.

330[analytics]

331enabled = true

332

315# Control whether users can submit feedback from `/feedback`. Default: true333# Control whether users can submit feedback from `/feedback`. Default: true

316[feedback]334[feedback]

317enabled = true335enabled = true

325# "hide_gpt-5.1-codex-max_migration_prompt" = true343# "hide_gpt-5.1-codex-max_migration_prompt" = true

326# model_migrations = { "gpt-4.1" = "gpt-5.1" }344# model_migrations = { "gpt-4.1" = "gpt-5.1" }

327 345

328# Suppress the warning shown when under-development feature flags are enabled.

329# suppress_unstable_features_warning = true

~~330~~

331################################################################################346################################################################################

332# Centralized Feature Flags (preferred)347# Centralized Feature Flags (preferred)

333################################################################################348################################################################################

337# shell_tool = true352# shell_tool = true

338# apps = false353# apps = false

339# apps_mcp_gateway = false354# apps_mcp_gateway = false

340# web_search_cached = false

341# web_search_request = false

342# unified_exec = false355# unified_exec = false

343# shell_snapshot = false356# shell_snapshot = false

344# apply_patch_freeform = false

345# multi_agent = false

346# search_tool = false

347# personality = true357# personality = true

348# request_rule = true

349# collaboration_modes = true

350# use_linux_sandbox_bwrap = false358# use_linux_sandbox_bwrap = false

351# remote_models = false359# runtime_metrics = true

352# runtime_metrics = false

353# powershell_utf8 = true360# powershell_utf8 = true

354# child_agents_md = false361# child_agents_md = false

362# sqlite = true

363# fast_mode = true

364# enable_request_compression = true

365# image_generation = false

366# skill_mcp_dependency_install = true

367# skill_env_var_dependency_prompt = false

368# default_mode_request_user_input = false

369# artifact = false

370# prevent_idle_sleep = false

371# responses_websockets = false

372# responses_websockets_v2 = false

373# image_detail_original = false

355 374

356################################################################################375################################################################################

357# Define MCP servers under this table. Leave empty to disable.376# Define MCP servers under this table. Leave empty to disable.

373# tool_timeout_sec = 60.0 # optional; default 60.0 seconds392# tool_timeout_sec = 60.0 # optional; default 60.0 seconds

374# enabled_tools = ["search", "summarize"] # optional allow-list393# enabled_tools = ["search", "summarize"] # optional allow-list

375# disabled_tools = ["slow-tool"] # optional deny-list (applied after allow-list)394# disabled_tools = ["slow-tool"] # optional deny-list (applied after allow-list)

395# scopes = ["read:docs"] # optional OAuth scopes

396# oauth_resource = "https://docs.example.com/" # optional OAuth resource

376 397

377# --- Example: Streamable HTTP transport ---398# --- Example: Streamable HTTP transport ---

378# [mcp_servers.github]399# [mcp_servers.github]

385# startup_timeout_sec = 10.0 # optional406# startup_timeout_sec = 10.0 # optional

386# tool_timeout_sec = 60.0 # optional407# tool_timeout_sec = 60.0 # optional

387# enabled_tools = ["list_issues"] # optional allow-list408# enabled_tools = ["list_issues"] # optional allow-list

409# disabled_tools = ["delete_issue"] # optional deny-list

410# scopes = ["repo"] # optional OAuth scopes

388 411

389################################################################################412################################################################################

390# Model Providers413# Model Providers

391################################################################################414################################################################################

392 415

393# Built-ins include:416# Built-ins include:

394# - openai (Responses API; requires login or OPENAI_API_KEY via auth flow)417# - openai

395# - oss (Chat Completions API; defaults to http://localhost:11434/v1)418# - ollama

419# - lmstudio

396 420

397[model_providers]421[model_providers]

398 422

400# [model_providers.openaidr]424# [model_providers.openaidr]

401# name = "OpenAI Data Residency"425# name = "OpenAI Data Residency"

402# base_url = "https://us.api.openai.com/v1" # example with 'us' domain prefix426# base_url = "https://us.api.openai.com/v1" # example with 'us' domain prefix

403# wire_api = "responses" # "responses" | "chat" (default varies)427# wire_api = "responses" # only supported value

404# # requires_openai_auth = true # built-in OpenAI defaults to true428# # requires_openai_auth = true # built-in OpenAI defaults to true

405# # request_max_retries = 4 # default 4; max 100429# # request_max_retries = 4 # default 4; max 100

406# # stream_max_retries = 5 # default 5; max 100430# # stream_max_retries = 5 # default 5; max 100

407# # stream_idle_timeout_ms = 300000 # default 300_000 (5m)431# # stream_idle_timeout_ms = 300000 # default 300_000 (5m)

432# # supports_websockets = true # optional

408# # experimental_bearer_token = "sk-example" # optional dev-only direct bearer token433# # experimental_bearer_token = "sk-example" # optional dev-only direct bearer token

409# # http_headers = { "X-Example" = "value" }434# # http_headers = { "X-Example" = "value" }

410# # env_http_headers = { "OpenAI-Organization" = "OPENAI_ORGANIZATION", "OpenAI-Project" = "OPENAI_PROJECT" }435# # env_http_headers = { "OpenAI-Organization" = "OPENAI_ORGANIZATION", "OpenAI-Project" = "OPENAI_PROJECT" }

411 436

412# --- Example: Azure (Chat/Responses depending on endpoint) ---437# --- Example: Azure/OpenAI-compatible provider ---

413# [model_providers.azure]438# [model_providers.azure]

414# name = "Azure"439# name = "Azure"

415# base_url = "https://YOUR_PROJECT_NAME.openai.azure.com/openai"440# base_url = "https://YOUR_PROJECT_NAME.openai.azure.com/openai"

416# wire_api = "responses" # or "chat" per endpoint441# wire_api = "responses"

417# query_params = { api-version = "2025-04-01-preview" }442# query_params = { api-version = "2025-04-01-preview" }

418# env_key = "AZURE_OPENAI_API_KEY"443# env_key = "AZURE_OPENAI_API_KEY"

419# # env_key_instructions = "Set AZURE_OPENAI_API_KEY in your environment"444# env_key_instructions = "Set AZURE_OPENAI_API_KEY in your environment"

445# # supports_websockets = false

420 446

421# --- Example: Local OSS (e.g., Ollama-compatible) ---447# --- Example: Local OSS (e.g., Ollama-compatible) ---

422# [model_providers.ollama]448# [model_providers.ollama]

423# name = "Ollama"449# name = "Ollama"

424# base_url = "http://localhost:11434/v1"450# base_url = "http://localhost:11434/v1"

425# wire_api = "chat"451# wire_api = "responses"

~~426~~

427################################################################################

428# Profiles (named presets)

429################################################################################

~~430~~

431[profiles]

~~432~~

433# [profiles.default]

434# model = "gpt-5.2-codex"

435# model_provider = "openai"

436# approval_policy = "on-request"

437# sandbox_mode = "read-only"

438# oss_provider = "ollama"

439# model_reasoning_effort = "medium"

440# model_reasoning_summary = "auto"

441# model_verbosity = "medium"

442# personality = "friendly" # or "pragmatic" or "none"

443# chatgpt_base_url = "https://chatgpt.com/backend-api/"

444# model_catalog_json = "./models.json"

445# experimental_compact_prompt_file = "./compact_prompt.txt"

446# include_apply_patch_tool = false

447# experimental_use_unified_exec_tool = false

448# experimental_use_freeform_apply_patch = false

449# tools.web_search = false # deprecated legacy alias; prefer top-level `web_search`

450# features = { unified_exec = false }

451 452

452################################################################################453################################################################################

453# Apps / Connectors454# Apps / Connectors

471# enabled = false472# enabled = false

472# approval_mode = "approve"473# approval_mode = "approve"

473 474

475################################################################################

476# Profiles (named presets)

477################################################################################

478

479[profiles]

480

481# [profiles.default]

482# model = "gpt-5.4"

483# model_provider = "openai"

484# approval_policy = "on-request"

485# sandbox_mode = "read-only"

486# service_tier = "flex"

487# oss_provider = "ollama"

488# model_reasoning_effort = "medium"

489# plan_mode_reasoning_effort = "high"

490# model_reasoning_summary = "auto"

491# model_verbosity = "medium"

492# personality = "pragmatic" # or "friendly" or "none"

493# chatgpt_base_url = "https://chatgpt.com/backend-api/"

494# model_catalog_json = "./models.json"

495# model_instructions_file = "/absolute/or/relative/path/to/instructions.txt"

496# experimental_compact_prompt_file = "./compact_prompt.txt"

497# tools_view_image = true

498# features = { unified_exec = false }

499

474################################################################################500################################################################################

475# Projects (trust levels)501# Projects (trust levels)

476################################################################################502################################################################################

477 503

478# Mark specific worktrees as trusted or untrusted.

479[projects]504[projects]

505# Mark specific worktrees as trusted or untrusted.

480# [projects."/absolute/path/to/project"]506# [projects."/absolute/path/to/project"]

481# trust_level = "trusted" # or "untrusted"507# trust_level = "trusted" # or "untrusted"

482 508

509################################################################################

510# Tools

511################################################################################

512

513[tools]

514# view_image = true

515

483################################################################################516################################################################################

484# OpenTelemetry (OTEL) - disabled by default517# OpenTelemetry (OTEL) - disabled by default

485################################################################################518################################################################################

493exporter = "none"526exporter = "none"

494# Trace exporter: none (default) | otlp-http | otlp-grpc527# Trace exporter: none (default) | otlp-http | otlp-grpc

495trace_exporter = "none"528trace_exporter = "none"

529# Metrics exporter: none | statsig | otlp-http | otlp-grpc

530metrics_exporter = "statsig"

496 531

497# Example OTLP/HTTP exporter configuration532# Example OTLP/HTTP exporter configuration

498# [otel.exporter."otlp-http"]533# [otel.exporter."otlp-http"]

502# [otel.exporter."otlp-http".headers]537# [otel.exporter."otlp-http".headers]

503# "x-otlp-api-key" = "${OTLP_TOKEN}"538# "x-otlp-api-key" = "${OTLP_TOKEN}"

504 539

505# Example OTLP/gRPC exporter configuration

506# [otel.exporter."otlp-grpc"]

507# endpoint = "https://otel.example.com:4317",

508# headers = { "x-otlp-meta" = "abc123" }

~~509~~

510# Example OTLP exporter with mutual TLS

511# [otel.exporter."otlp-http"]

512# endpoint = "https://otel.example.com/v1/logs"

513# protocol = "binary"

~~514~~

515# [otel.exporter."otlp-http".headers]

516# "x-otlp-api-key" = "${OTLP_TOKEN}"

~~517~~

518# [otel.exporter."otlp-http".tls]540# [otel.exporter."otlp-http".tls]

519# ca-certificate = "certs/otel-ca.pem"541# ca-certificate = "certs/otel-ca.pem"

520# client-certificate = "/etc/codex/certs/client.pem"542# client-certificate = "/etc/codex/certs/client.pem"

521# client-private-key = "/etc/codex/certs/client-key.pem"543# client-private-key = "/etc/codex/certs/client-key.pem"

522```

523 544

524################################################################################545# Example OTLP/gRPC trace exporter configuration

546# [otel.trace_exporter."otlp-grpc"]

547# endpoint = "https://otel.example.com:4317"

548# headers = { "x-otlp-meta" = "abc123" }

525 549

550################################################################################

526# Windows551# Windows

~~527~~

528################################################################################552################################################################################

529 553

530[windows]554[windows]

~~531~~

532# Native Windows sandbox mode (Windows only): unelevated | elevated555# Native Windows sandbox mode (Windows only): unelevated | elevated

~~533~~

534sandbox = "unelevated"556sandbox = "unelevated"

557```

enterprise/admin-setup.md +232 −79

Details

1# Admin Setup1# Admin Setup

2 2

3![Codex enterprise admin toggle](/images/codex/codex_enterprise_admin.png)

3This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.

4 6

5Use this page as the step-by-step rollout guide. It focuses on setup order and decision points. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Security](https://developers.openai.com/codex/security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).7Use this page as the step-by-step rollout guide. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).

6 8

7## Enterprise-grade security and privacy9## Enterprise-grade security and privacy

8 10

9Codex supports ChatGPT Enterprise security features, including:11Codex supports ChatGPT Enterprise security features, including:

10 12

11- No training on enterprise data13- No training on enterprise data

~~12- Zero data retention for the App, CLI, and IDE (code remains in developer environment)~~14- Zero data retention for the App, CLI, and IDE (code stays in the developer environment)

13- Residency and retention that follow ChatGPT Enterprise policies15- Residency and retention that follow ChatGPT Enterprise policies

14- Granular user access controls16- Granular user access controls

15- Data encryption at rest (AES-256) and in transit (TLS 1.2+)17- Data encryption at rest (AES-256) and in transit (TLS 1.2+)

18- Audit logging via the ChatGPT Compliance API

16 19

17For security controls and runtime protections, see [Security](https://developers.openai.com/codex/security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.20For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.

18 21For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

~~19## Local vs. cloud setup~~

~~21Codex operates in two environments: local and cloud.~~

~~231. **Codex local** includes the Codex app, CLI, and IDE extension. The agent runs on the developer’s computer in a sandbox.~~

242. **Codex cloud** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.

~~26You can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).~~

~~28## Step 0: Owners and rollout decision~~

29 22

~~30Ensure you have the following owners:~~23## Pre-requisites: Determine owners and rollout strategy

31 24

~~32- Workspace owner with access to ChatGPT Enterprise~~25During your rollout, team members may support different aspects of integrating Codex into your organization. Ensure you have the following owners:

~~33- IT management owner for managed configuration~~

~~34- Governance owner for analytics / compliance review~~

35 26

~~36A rollout decision:~~27- **ChatGPT Enterprise workspace owner:** required to configure Codex settings in your workspace.

28- **Security owner:** determines agent permissions settings for Codex.

29- **Analytics owner:** integrates analytics and compliance APIs into your data pipelines.

37 30

~~38- Codex local only (Codex app, CLI, and IDE extension)~~31Decide which Codex surfaces you will use:

~~39- Codex cloud only (Codex web, GitHub code review)~~

~~40- Both local + cloud~~

41 32

~~42Review [authentication](https://developers.openai.com/codex/auth) before rollout:~~33- **Codex local:** includes the Codex app, CLI, and IDE extension. The agent runs on the developer's computer in a sandbox.

34- **Codex cloud:** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.

35- **Both:** use local + cloud together.

43 36

~~44- Codex local supports ChatGPT sign-in or API keys. Confirm MFA/SSO requirements and any managed login restrictions in authentication~~37You can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).

~~45- Codex cloud requires ChatGPT sign-in~~

46 38

~~47## Step 1: Enable workspace toggles~~39## Step 1: Enable Codex in your workspace

48 40

~~49Turn on only the Codex features you plan to roll out in this phase.~~41You configure access to Codex in ChatGPT Enterprise workspace settings.

50 42

51Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).43Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).

52 44

53### Codex local45### Codex local

54 46

47Codex local is enabled by default for new ChatGPT Enterprise workspaces. If

48 you are not a ChatGPT workspace owner, you can test whether you have access by

49 [installing Codex](https://developers.openai.com/codex/quickstart) and logging in with your work email.

55Turn on **Allow members to use Codex Local**.51Turn on **Allow members to use Codex Local**.

56 52

57This enables use of the Codex app, CLI, and IDE extension for allowed users.53This enables use of the Codex app, CLI, and IDE extension for allowed users.

60 56

61#### Enable device code authentication for Codex CLI57#### Enable device code authentication for Codex CLI

62 58

~~63Allow developers to sign in with device codes when using Codex CLI in a non-interactive environment. More details in [authentication](https://developers.openai.com/codex/auth/).~~59Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).

64 60

65![Codex local toggle](/images/codex/enterprise/local-toggle-config.png)61![Codex local toggle](/images/codex/enterprise/local-toggle-config.png)

66 62

82 78

83Note that it may take up to 10 minutes for Codex to appear in ChatGPT.79Note that it may take up to 10 minutes for Codex to appear in ChatGPT.

84 80

~~85#### Allow members to administer Codex~~

87Allows users to view overall Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics), access [cloud-managed requirements](https://chatgpt.com/codex/settings/managed-configs), and manage Cloud environments (edit and delete).

~~89Codex cloud not required.~~

91#### Enable Codex Slack app to post answers on task completion81#### Enable Codex Slack app to post answers on task completion

92 82

93Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.83Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.

98 88

99By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.89By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.

100 90

101This setting enables users to use an allowlist for common software dependency domains, add more domains and trusted sites, and specify allowed HTTP methods.91This setting lets users use an allowlist for common software dependency domains, add domains and trusted sites, and specify allowed HTTP methods.

102 92

103For security implications of internet access and runtime controls, see [Security](https://developers.openai.com/codex/security).93For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).

104 94

105![Codex cloud toggle](/images/codex/enterprise/cloud-toggle-config.png)95![Codex cloud toggle](/images/codex/enterprise/cloud-toggle-config.png)

106 96

107## Step 2: Set up custom roles (RBAC)97## Step 2: Set up custom roles (RBAC)

108 98

109Use RBAC to control which users or groups can access Codex local and Codex cloud.99Use RBAC to control granular permissions for access Codex local and Codex cloud.

100

101![Codex cloud toggle](/images/codex/enterprise/rbac_custom_roles.png)

110 102

111### What RBAC lets you do103### What RBAC lets you do

112 104

113Workspace Owners can use RBAC in ChatGPT admin settings to:105Workspace Owners can use RBAC in ChatGPT admin settings to:

114 106

115- Set a default role for users who are not assigned any custom role107- Set a default role for users who aren't assigned any custom role

116- Create custom roles with granular permissions108- Create custom roles with granular permissions

117- Assign one or more custom roles to Groups (including SCIM-synced groups)109- Assign one or more custom roles to Groups

110- Automatically sync users into Groups via SCIM

118- Manage roles centrally from the Custom Roles tab111- Manage roles centrally from the Custom Roles tab

119 112

120Users can inherit multiple roles, and permissions resolve to the maximum allowed across those roles.113Users can inherit more than one role, and permissions resolve to the most permissive (least restrictive) access across those roles.

114

115### Create a Codex Admin group

116

117Set up a dedicated "Codex Admin" group rather than granting Codex administration to a broad audience.

118

119The **Allow members to administer Codex** toggle grants the Codex Admin role. Codex Admins can:

120

121- View Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics)

122- Open the Codex [Policies page](https://chatgpt.com/codex/settings/policies) to manage cloud-managed `requirements.toml` policies

123- Assign those managed policies to user groups or configure a default fallback policy

124- Manage Codex cloud environments, including editing and deleting environments

125

126Use this role for the small set of admins who own Codex rollout, policy management, and governance. It's not required for general Codex users. You don't need Codex cloud to enable this toggle.

127

128Recommended rollout pattern:

129

130- Create a "Codex Users" group for people who should use Codex

131- Create a separate "Codex Admin" group for the smaller set of people who should manage Codex settings and policies

132- Assign the custom role with **Allow members to administer Codex** enabled only to the "Codex Admin" group

133- Keep membership in the "Codex Admin" group limited to workspace owners or designated platform, IT, and governance operators

134- If you use SCIM, back the "Codex Admin" group with your identity provider so membership changes are auditable and centrally managed

121 135

122### Important behavior to plan for136This separation makes it easier to roll out Codex while keeping analytics, environment management, and policy deployment limited to trusted admins. For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).

123 137

124Users in any custom role group do not use the workspace default permissions.138## Step 3: Configure Codex local requirements

125 139

126If you are gradually rolling out Codex, one suggestion is to have a “Codex Users” group and a second “Codex Admin” group that has the “Allow members to administer Codex” toggle enabled.140Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).

127 141

128For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).142Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules.

129 143

130## Step 3: Configure Codex local managed settings144![Codex policies and configurations page](/images/codex/enterprise/policies_and_configurations_page.png)

131 145

132For Codex local, set an admin-approved baseline for local behavior before broader rollout.146Recommended setup:

133 147

134### Use managed configuration for two different goals1481. Create a baseline policy for most users, then create stricter or more permissive variants only where needed.

1492. Assign each managed policy to a specific user group, and configure a default fallback policy for everyone else.

1503. Order group rules with care. If a user matches more than one group-specific rule, the first matching rule applies.

1514. Treat each policy as a complete profile for that group. Codex doesn't fill missing fields from later matching group rules.

135 152

136- **Requirements** (`requirements.toml`): Admin-enforced constraints users cannot override153These cloud-managed policies apply across Codex local surfaces when users sign in with ChatGPT, including the Codex app, CLI, and IDE extension.

137- **Managed defaults** (`managed_config.toml`): Starting values applied when Codex launches

138 154

139### Team Config155### Example requirements.toml policies

156

157Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.

158

159![Example managed requirements policy](/images/codex/enterprise/example_policy.png)

160

161Example: limit web search, sandbox mode, and approvals for a standard local rollout:

162

163```toml

164allowed_web_search_modes = ["disabled", "cached"]

165allowed_sandbox_modes = ["workspace-write"]

166allowed_approval_policies = ["on-request"]

167```

168

169Example: add a restrictive command rule when you want admins to block or gate specific commands:

170

171```toml

172[rules]

173prefix_rules = [

174 { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "Require review before mutating remote history." },

175]

176```

177

178You can use either example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).

179

180### Checking user policies

181

182Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.

183

184![Policy lookup by group or user email](/images/codex/enterprise/policy_lookup.png)

185

186If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).

187

188## Step 4: Standardize local configuration with Team Config

140 189

141Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.190Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.

142 191

192You can check Team Config settings into the repository under the `.codex` directory. Codex automatically picks up Team Config settings when a user opens that repository.

193

194Start with Team Config for your highest-traffic repositories so teams get consistent behavior in the places they use Codex most.

195

144| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |197| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |

148 201

149For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).202For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).

150 203

151### Recommended first decisions for local rollout204## Step 5: Configure Codex cloud usage (if enabled)

152 205

153Define a baseline for your pilot:206This step covers repository and environment setup after you enable the Codex cloud workspace toggle.

~~154~~

155- Approval policy posture

156- Sandbox mode posture

157- Web search posture

158- MCP / connectors policy

159- Local logging and telemetry posture

~~160~~

161For exact keys, precedence, MDM deployment, and examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Security](https://developers.openai.com/codex/security).

~~162~~

163If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).

~~164~~

165## Step 4: Configure Codex cloud usage (if enabled)

~~166~~

167This step covers repository and environment setup after the Codex cloud workspace toggle is enabled.

168 207

169### Connect Codex cloud to repositories208### Connect Codex cloud to repositories

170 209

1711. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**2101. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**

1722. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT2112. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT

1733. Install or authorize the ChatGPT GitHub Connector2123. Install or connect the ChatGPT GitHub Connector

1744. Choose an installation target for the ChatGPT Connector (typically your main organization)2134. Choose an installation target for the ChatGPT Connector (typically your main organization)

1755. Allow the repositories you want to connect to Codex2145. Allow the repositories you want to connect to Codex

176 215

216For GitHub Enterprise Managed Users (EMU), an organization owner must install

217 the Codex GitHub App for the organization before users can connect

218 repositories in Codex cloud.

219

177For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).220For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).

178 221

179Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.222Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.

180 223

181### Configure IP addresses (as needed)224### Configure IP addresses

182 225

183Configure connector / IP allow lists if required by your network policy with these [egress IP ranges](https://openai.com/chatgpt-agents.json).226If your GitHub organization controls the IP addresses that apps use to connect, make sure to include these [egress IP ranges](https://openai.com/chatgpt-agents.json).

184 227

185These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.228These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.

186 229

188 231

189To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).232To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).

190 233

191Code review can be configured at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details on [GitHub](https://developers.openai.com/codex/integrations/github) integration page.234You can configure code review at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details are on the [GitHub integration page](https://developers.openai.com/codex/integrations/github).

235

236Use the overview page to confirm your workspace has code review turned on and to see the available review controls.

237

238![Code review settings overview](/images/codex/enterprise/code_review_settings_overview.png)

239

240 Use the auto review settings to decide whether Codex should review pull

241 requests automatically for connected repositories.

242

243![Automatic code review settings](/images/codex/enterprise/auto_code_review_settings.png)

244

245 Use review triggers to control which pull request events should start a

246 Codex review.

247

248![Code review trigger settings](/images/codex/enterprise/review_triggers.png)

249

250### Configure Codex security

192 251

193Additional integration docs for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).252Codex Security helps engineering and security teams find, confirm, and remediate likely vulnerabilities in connected GitHub repositories.

194 253

195## Step 5: Set up governance and observability254At a high level, Codex Security:

196 255

197Codex gives enterprise teams several options for visibility into adoption and impact. Set up governance early so your team can monitor adoption, investigate issues, and support compliance workflows.256- scans connected repositories commit by commit

257- ranks likely findings and confirms them when possible

258- shows structured findings with evidence, criticality, and suggested remediation

259- lets teams refine a repository threat model to improve prioritization and review quality

260

261For setup, scan creation, findings review, and threat model guidance, see [Codex Security setup](https://developers.openai.com/codex/security/setup). For a product overview, see [Codex Security](https://developers.openai.com/codex/security).

262

263Integration docs are also available for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).

264

265## Step 6: Set up governance and observability

266

267Codex gives enterprise teams options for visibility into adoption and impact. Set up governance early so your team can track adoption, investigate issues, and support compliance workflows.

198 268

199### Codex governance typically uses269### Codex governance typically uses

200 270

201- Analytics Dashboard for quick, self-serve visibility271- Analytics Dashboard for quick, self-serve visibility

202- Analytics API for programmatic reporting and BI integration272- Analytics API for programmatic reporting and business intelligence integration

203- Compliance API for audit and investigation workflows273- Compliance API for audit and investigation workflows

204 274

205### Recommended minimum setup275### Recommended baseline setup

206 276

207- Assign an owner for adoption reporting277- Assign an owner for adoption reporting

208- Assign an owner for audit and compliance review278- Assign an owner for audit and compliance review

209- Define a review cadence279- Define a review cadence

210- Decide what success looks like280- Decide what success looks like

211 281

212For details and examples, see [Governance](https://developers.openai.com/codex/enterprise/governance).282### Analytics API setup steps

283

284To set up the Analytics API key:

285

2861. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.

2872. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).

2883. Create a new secret key dedicated to Codex Analytics, and give it a descriptive name such as Codex Analytics API.

2894. Select the appropriate project for your organization. If you only have one project, the default project is fine.

2905. Set the key permissions to Read only, since this API only retrieves analytics data.

2916. Copy the key value and store it securely, because you can only view it once.

2927. Email [support@openai.com](mailto:support@openai.com) to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.

293

294![Codex analytics key creation](/images/codex/codex_analytics_key.png)

295

296To use the Analytics API key:

297

2981. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.

2992. Call the Analytics API at `https://api.chatgpt.com/v1/analytics/codex` using your Platform API key, and include your `workspace_id` in the path.

3003. Choose the endpoint you want to query:

301

302- /workspaces/`{workspace_id}`/usage

303- /workspaces/`{workspace_id}`/code_reviews

304- /workspaces/`{workspace_id}`/code_review_responses

305

3064. Set a reporting date range with `start_time` and `end_time` if needed.

3075. Retrieve the next page of results with `next_page` if the response spans more than one page.

308

309Example curl command to retrieve workspace usage:

310

311```bash

312curl -H "Authorization: Bearer YOUR_PLATFORM_API_KEY" \

313 "https://api.chatgpt.com/v1/analytics/codex/workspaces/WORKSPACE_ID/usage"

314```

315

316For more details on the Analytics API, see [Analytics API](https://developers.openai.com/codex/enterprise/governance#analytics-api).

317

318### Compliance API setup steps

319

320To set up the Compliance API key:

321

3221. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.

3232. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).

3243. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.

3254. Choose All permissions.

3265. Copy the key value and store it securely, because you can only view it once.

3276. Send an email to [support@openai.com](mailto:support@openai.com) with:

328

329- the last 4 digits of the API key

330- the key name

331- the created-by name

332- the scope needed: `read`, `delete`, or both

333

3347. Wait for OpenAI to confirm your API key has Compliance API access.

335

336To use the Compliance API key:

337

3381. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.

3392. Use the Compliance API at `https://api.chatgpt.com/v1/`

3403. Pass your Compliance API key in the Authorization header as a Bearer token.

3414. For Codex-related compliance data, use these endpoints:

342

343- /compliance/workspaces/`{workspace_id}`/logs

344- /compliance/workspaces/`{workspace_id}`/logs/`{log_file_id}`

345- /compliance/workspaces/`{workspace_id}`/codex_tasks

346- /compliance/workspaces/`{workspace_id}`/codex_environments

347

3485. For most Codex compliance integrations, start with the logs endpoint and request Codex event types such as CODEX_LOG or CODEX_SECURITY_LOG.

3496. Use /logs to list available Codex compliance log files, then /logs/`{log_file_id}` to download a specific file.

350

351Example curl command to list compliance log files:

352

353```bash

354curl -L -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \

355 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/logs?event_type=CODEX_LOG&after=2026-03-01T00:00:00Z"

356```

357

358Example curl command to list Codex tasks:

359

360```bash

361curl -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \

362 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/codex_tasks"

363```

364

365For more details on the Compliance API, see [Compliance API](https://developers.openai.com/codex/enterprise/governance#compliance-api).

213 366

214## Step 6: Confirm and validate setup367## Step 7: Confirm and verify setup

215 368

216### What to verify369### What to verify

217 370

219- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)372- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)

220- MFA and SSO requirements match your enterprise security policy373- MFA and SSO requirements match your enterprise security policy

221- RBAC and workspace toggles produce the expected access behavior374- RBAC and workspace toggles produce the expected access behavior

222- Managed configuration is applied for users375- Managed configuration applies for users

223- Governance data is visible for admins376- Governance data is visible for admins

224 377

225For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).378For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).

226 379

227Once your team is confident with setup, you can confidently roll Codex out to additional teams and organizations.380Once your team is confident with setup, you can roll Codex out to more teams and organizations.

enterprise/managed-configuration.md +21 −9

Details

7 7

8## Admin-enforced requirements (requirements.toml)8## Admin-enforced requirements (requirements.toml)

9 9

10Requirements constrain security-sensitive settings (approval policy, sandbox mode, web search mode, and optionally which MCP servers can be enabled). When resolving configuration (for example from `config.toml`, profiles, or CLI config overrides), if a value conflicts with an enforced requirement, Codex falls back to a requirements-compatible value and notifies the user. If an `mcp_servers` allowlist is configured, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.10Requirements constrain security-sensitive settings (approval policy, sandbox mode, web search mode, and optionally which MCP servers users can enable). When resolving configuration (for example from `config.toml`, profiles, or CLI config overrides), if a value conflicts with an enforced rule, Codex falls back to a compatible value and notifies the user. If you configure an `mcp_servers` allowlist, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.

12Requirements can also constrain [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags) via the `[features]` table in `requirements.toml`. Note that features aren't always security-sensitive, but enterprises can pin values if desired. Omitted keys remain unconstrained.

11 13

12For the exact key list, see the [`requirements.toml` section in Configuration Reference](https://developers.openai.com/codex/config-reference#requirementstoml).14For the exact key list, see the [`requirements.toml` section in Configuration Reference](https://developers.openai.com/codex/config-reference#requirementstoml).

13 15

14### Locations and precedence16### Locations and precedence

15 17

~~16Requirements layers are applied in this order (earlier wins per field):~~18Codex applies requirements layers in this order (earlier wins per field):

17 19

181. Cloud-managed requirements (ChatGPT Business or Enterprise)201. Cloud-managed requirements (ChatGPT Business or Enterprise)

192. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`212. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`

203. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS)223. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS)

21 23

22Across layers, requirements are merged per field: if an earlier layer sets a field (including an empty list), later layers do not override that field, but lower layers can still fill fields that remain unset.24Across layers, Codex merges requirements per field: if an earlier layer sets a field (including an empty list), later layers don't override that field, but lower layers can still fill fields that remain unset.

23 25

24For backwards compatibility, Codex also interprets legacy `managed_config.toml` fields `approval_policy` and `sandbox_mode` as requirements (allowing only that single value).26For backwards compatibility, Codex also interprets legacy `managed_config.toml` fields `approval_policy` and `sandbox_mode` as requirements (allowing only that single value).

25 27

51 53

52Admins can configure different managed requirements for different user groups, and also set a default fallback requirements policy.54Admins can configure different managed requirements for different user groups, and also set a default fallback requirements policy.

53 55

~~54If a user matches multiple group-specific rules, the first matching rule applies. Codex does not fill unset requirement fields from later matching group rules.~~56If a user matches more than one group-specific rule, the first matching rule applies. Codex doesn't fill unset fields from later matching group rules.

55 57

56For example, if the first matching group rule sets only `allowed_sandbox_modes = ["read-only"]` and a later matching group rule sets `allowed_approval_policies = ["on-request"]`, Codex applies only the first matching group rule and does not fill `allowed_approval_policies` from the later rule.58For example, if the first matching group rule sets only `allowed_sandbox_modes = ["read-only"]` and a later matching group rule sets `allowed_approval_policies = ["on-request"]`, Codex applies only the first matching group rule and doesn't fill `allowed_approval_policies` from the later rule.

57 59

58#### How Codex applies cloud-managed requirements locally60#### How Codex applies cloud-managed requirements locally

59 61

60When a user starts Codex and signs in with ChatGPT on a Business or Enterprise plan, Codex applies managed requirements on a best-effort basis. Codex first checks for a valid, unexpired local managed requirements cache entry and uses it if available. If the cache is missing, expired, invalid, or does not match the current auth identity, Codex attempts to fetch managed requirements from the service (with retries) and writes a new signed cache entry on success. If no valid cached entry is available and the fetch fails or times out, Codex continues without the managed requirements layer.62When a user starts Codex and signs in with ChatGPT on a Business or Enterprise plan, Codex applies managed requirements on a best-effort basis. Codex first checks for a valid, unexpired local managed requirements cache entry and uses it if available. If the cache is missing, expired, corrupted, or doesn't match the current auth identity, Codex attempts to fetch managed requirements from the service (with retries) and writes a new signed cache entry on success. If no valid cached entry is available and the fetch fails or times out, Codex continues without the managed requirements layer.

61 63

~~62After cache resolution, managed requirements are enforced as part of the normal requirements layering described above.~~64After cache resolution, Codex enforces managed requirements as part of the normal requirements layering described above.

63 65

64### Example requirements.toml66### Example requirements.toml

65 67

76allowed_web_search_modes = ["cached"] # "disabled" remains implicitly allowed78allowed_web_search_modes = ["cached"] # "disabled" remains implicitly allowed

77```79```

78 80

~~79`allowed_web_search_modes = []` effectively allows only `"disabled"`.~~81`allowed_web_search_modes = []` allows only `"disabled"`.

80For example, `allowed_web_search_modes = ["cached"]` prevents live web search even in `danger-full-access` sessions.82For example, `allowed_web_search_modes = ["cached"]` prevents live web search even in `danger-full-access` sessions.

81 83

84You can also pin [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags):

86```

87[features]

88personality = true

89unified_exec = false

90```

92Use the canonical feature keys from `config.toml`'s `[features]` table. Codex normalizes the resulting feature set to meet these pins and rejects conflicting writes to `config.toml` or profile-scoped feature settings.

82### Enforce command rules from requirements94### Enforce command rules from requirements

83 95

84Admins can also enforce restrictive command rules from `requirements.toml`96Admins can also enforce restrictive command rules from `requirements.toml`

142 - `config_toml_base64` (managed defaults)154 - `config_toml_base64` (managed defaults)

143 - `requirements_toml_base64` (requirements)155 - `requirements_toml_base64` (requirements)

144 156

145Codex parses these “managed preferences” payloads as TOML. For managed defaults (`config_toml_base64`), managed preferences have the highest precedence. For requirements (`requirements_toml_base64`), precedence follows the cloud-managed requirements order described above.157Codex parses these "managed preferences" payloads as TOML. For managed defaults (`config_toml_base64`), managed preferences have the highest precedence. For requirements (`requirements_toml_base64`), precedence follows the cloud-managed requirements order described above. The same requirements-side `[features]` table works in `requirements_toml_base64`; use canonical feature keys there as well.

146 158

147### MDM setup workflow159### MDM setup workflow

148 160

ide.md +1 −0

Details

64To see all available commands and bind them as keyboard shortcuts, select the settings icon in the Codex chat and select **Keyboard shortcuts**.64To see all available commands and bind them as keyboard shortcuts, select the settings icon in the Codex chat and select **Keyboard shortcuts**.

65You can also refer to the [Codex IDE extension commands](https://developers.openai.com/codex/ide/commands) page.65You can also refer to the [Codex IDE extension commands](https://developers.openai.com/codex/ide/commands) page.

66For a list of supported slash commands, see [Codex IDE extension slash commands](https://developers.openai.com/codex/ide/slash-commands).66For a list of supported slash commands, see [Codex IDE extension slash commands](https://developers.openai.com/codex/ide/slash-commands).

67If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

67 68

68---69---

69 70

ide/features.md +1 −1

Details

57 57

58## Web search58## Web search

59 59

60Codex ships with a first-party web search tool. For local tasks in the Codex IDE Extension, Codex enables web search by default and serves results from a web search cache. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you configure your sandbox for [full access](https://developers.openai.com/codex/security), web search defaults to live results. See [Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the most recent data.60Codex ships with a first-party web search tool. For local tasks in the Codex IDE Extension, Codex enables web search by default and serves results from a web search cache. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you configure your sandbox for [full access](https://developers.openai.com/codex/agent-approvals-security), web search defaults to live results. See [Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the most recent data.

61 61

62You'll see `web_search` items in the transcript or `codex exec --json` output whenever Codex looks something up.62You'll see `web_search` items in the transcript or `codex exec --json` output whenever Codex looks something up.

63 63

integrations/linear.md +1 −1

Details

62 62

63When you mention `@Codex` or assign an issue to it, Codex receives your issue content to understand your request and create a task.63When you mention `@Codex` or assign an issue to it, Codex receives your issue content to understand your request and create a task.

64Data handling follows OpenAI's [Privacy Policy](https://openai.com/privacy), [Terms of Use](https://openai.com/terms/), and other applicable [policies](https://openai.com/policies).64Data handling follows OpenAI's [Privacy Policy](https://openai.com/privacy), [Terms of Use](https://openai.com/terms/), and other applicable [policies](https://openai.com/policies).

~~65For more on security, see the [Codex security documentation](https://developers.openai.com/codex/security).~~65For more on security, see the [Codex security documentation](https://developers.openai.com/codex/agent-approvals-security).

66 66

67Codex uses large language models that can make mistakes. Always review answers and diffs.67Codex uses large language models that can make mistakes. Always review answers and diffs.

68 68

integrations/slack.md +1 −1

Details

31 31

32When you mention `@Codex`, Codex receives your message and thread history to understand your request and create a task.32When you mention `@Codex`, Codex receives your message and thread history to understand your request and create a task.

33Data handling follows OpenAI's [Privacy Policy](https://openai.com/privacy), [Terms of Use](https://openai.com/terms/), and other applicable [policies](https://openai.com/policies).33Data handling follows OpenAI's [Privacy Policy](https://openai.com/privacy), [Terms of Use](https://openai.com/terms/), and other applicable [policies](https://openai.com/policies).

~~34For more on security, see the Codex [security documentation](https://developers.openai.com/codex/security).~~34For more on security, see the Codex [security documentation](https://developers.openai.com/codex/agent-approvals-security).

35 35

36Codex uses large language models that can make mistakes. Always review answers and diffs.36Codex uses large language models that can make mistakes. Always review answers and diffs.

37 37

learn/best-practices.md +223 −0 added

Details

1# Best practices

3If you’re new to Codex or coding agents in general, this guide will help you get better results faster. It covers the core habits that make Codex more effective across the [CLI](https://developers.openai.com/codex/cli), [IDE extension](https://developers.openai.com/codex/ide), and the [Codex app](https://developers.openai.com/codex/app), from prompting and planning to validation, MCP, skills, and automations.

5Codex works best when you treat it less like a one-off assistant and more like a teammate you configure and improve over time.

7A useful way to think about this: start with the right task context, use `AGENTS.md` for durable guidance, configure Codex to match your workflow, connect external systems with MCP, turn repeated work into skills, and automate stable workflows.

9## Strong first use: Context and prompts

11Codex is already strong enough to be useful even when your prompt isn't perfect. You can often hand it a hard problem with minimal setup and still get a strong result. Clear [prompting](https://developers.openai.com/codex/prompting) isn't required to get value, but it does make results more reliable, especially in larger codebases or higher-stakes tasks.

13If you work in a large or complex repository, the biggest unlock is giving Codex the right task context and a clear structure for what you want done.

15A good default is to include four things in your prompt:

17- **Goal:** What are you trying to change or build?

18- **Context:** Which files, folders, docs, examples, or errors matter for this task? You can @ mention certain files as context.

19- **Constraints:** What standards, architecture, safety requirements, or conventions should Codex follow?

20- **Done when:** What should be true before the task is complete, such as tests passing, behavior changing, or a bug no longer reproducing?

22This helps Codex stay scoped, make fewer assumptions, and produce work that's easier to review.

24Choose a reasoning level based on how hard the task is and test what works best for your workflow. Different users and tasks work best with different settings.

26- Low for faster, well-scoped tasks

27- Medium or High for more complex changes or debugging

28- Extra High for long, agentic, reasoning-heavy tasks

30To provide context faster, try using speech dictation inside the Codex app to

31 dictate what you want Codex to do rather than typing it.

33## Plan first for difficult tasks

35If the task is complex, ambiguous, or hard to describe well, ask Codex to plan before it starts coding.

37A few approaches work well:

39**Use Plan mode:** For most users, this is the easiest and most effective option. Plan mode lets Codex gather context, ask clarifying questions, and build a stronger plan before implementation. Toggle with `/plan` or <kbd>Shift</kbd>+<kbd>Tab</kbd>.

41**Ask Codex to interview you:** If you have a rough idea of what you want but aren't sure how to describe it well, ask Codex to question you first. Tell it to challenge your assumptions and turn the fuzzy idea into something concrete before writing code.

43**Use a PLANS.md template:** For more advanced workflows, you can configure Codex to follow a `PLANS.md` or execution-plan template for longer-running or multi-step work. For more detail, see the [execution plans guide](https://developers.openai.com/cookbook/articles/codex_exec_plans).

45## Make guidance reusable with `AGENTS.md`

47Once a prompting pattern works, the next step is to stop repeating it manually. That's where [AGENTS.md](https://developers.openai.com/codex/guides/agents-md) comes in.

49Think of `AGENTS.md` as an open-format README for agents. It loads into context automatically and is the best place to encode how you and your team want Codex to work in a repository.

51A good `AGENTS.md` covers:

53- repo layout and important directories

54- How to run the project

55- Build, test, and lint commands

56- Engineering conventions and PR expectations

57- Constraints and do-not rules

58- What done means and how to verify work

60The `/init` slash command in the CLI is the quick-start command to scaffold a starter `AGENTS.md` in the current directory. It's a great starting point, but you should edit the result to match how your team actually builds, tests, reviews, and ships code.

62You can create `AGENTS.md` files at different levels: a global `AGENTS.md` for personal defaults that sits in `~/.codex`, a repo-level file for shared standards, and more specific files in subdirectories for local rules. If there’s a more specific file closer to your current directory, that guidance wins.

64Keep it practical. A short, accurate `AGENTS.md` is more useful than a long file full of vague rules. Start with the basics, then add new rules only after you notice repeated mistakes.

66If `AGENTS.md` starts getting too large, keep the main file concise and reference task-specific markdown files for things like planning, code review, or architecture.

68When Codex makes the same mistake twice, ask it for a retrospective and update

69 `AGENTS.md`. Guidance stays practical and based on real friction.

71## Configure Codex for consistency

73Configuration is one of the main ways to make Codex behave more consistently across sessions and surfaces. For example, you can set defaults for model choice, reasoning effort, sandbox mode, approval policy, profiles, and MCP setup.

75A good starting pattern is:

77- Keep personal defaults in `~/.codex/config.toml` (Settings → Configuration → Open config.toml from the Codex app)

78- Keep repo-specific behavior in `.codex/config.toml`

79- Use command-line overrides only for one-off situations (if you use the CLI)

81[`config.toml`](https://developers.openai.com/codex/config-basic) is where you define durable preferences such as MCP servers, profiles, multi-agent setup, and experimental features. You can edit it directly or ask Codex to update it for you.

83Codex ships with operating level sandboxing and has two key knobs that you can control. Approval mode determines when Codex asks for your permission to run a command and sandbox mode determines if Codex can read or write in the directory and what files the agent can access.

85If you're new to coding agents, start with the default permissions. Keep approval and sandboxing tight by default, then loosen permissions only for trusted repos or specific workflows once the need is clear.

87Note that the CLI, IDE, and Codex app all share the same configuration layers. Learn more on the [sample configuration](https://developers.openai.com/codex/config-sample) page.

89Configure Codex for your real environment early. Many quality issues are

90 really setup issues, like the wrong working directory, missing write access,

91 wrong model defaults, or missing tools and connectors.

93## Improve reliability with testing and review

95Don't stop at asking Codex to make a change. Ask it to create tests when needed, run the relevant checks, confirm the result, and review the work before you accept it.

97Codex can do this loop for you, but only if it knows what “good” looks like. That guidance can come from either the prompt or `AGENTS.md`.

99That can include:

100

101- Writing or updating tests for the change

102- Running the right test suites

103- Checking lint, formatting, or type checks

104- Confirming the final behavior matches the request

105- Reviewing the diff for bugs, regressions, or risky patterns

106

107Toggle the diff panel in the Codex app to directly [review

108 changes](https://developers.openai.com/codex/app/review) locally. Click on a specific row to provide

109 feedback that gets fed as context to the next Codex turn.

110

111A useful option here is the slash command `/review`, which gives you a few ways to review code:

112

113- Review against a base branch for PR-style review

114- Review uncommitted changes

115- Review a commit

116- Use custom review instructions

117

118If you and your team have a `code_review.md` file and reference it from `AGENTS.md`, Codex can follow that guidance during review as well. This is a strong pattern for teams that want review behavior to stay consistent across repositories and contributors.

119

120Codex shouldn't just generate code. With the right instructions, it can also help **test it, check it, and review it**.

121

122If you use GitHub Cloud, you can set up Codex to run [code reviews for your PRs](https://developers.openai.com/codex/integrations/github). At OpenAI, Codex reviews 100% of PRs. You can enable automatic reviews or have Codex reactively review when you @Codex.

123

124## Use MCPs for external context

125

126Use MCPs when the context Codex needs lives outside the repo. It lets Codex connect to the tools and systems you already use, so you don't have to keep copying and pasting live information into prompts.

127

128[Model Context Protocol](https://developers.openai.com/codex/mcp), or MCP, is an open standard for connecting Codex to external tools and systems.

129

130Use MCP when:

131

132- The needed context lives outside the repo

133- The data changes frequently

134- You want Codex to use a tool rather than rely on pasted instructions

135- You need a repeatable integration across users or projects

136

137Codex supports both STDIO and Streamable HTTP servers with OAuth.

138

139In the Codex App, head to Settings → MCP servers to see custom and recommended servers. Often, Codex can help you install the needed servers. All you need to do is ask. You can also use the `codex mcp add` command in the CLI to add your custom servers with a name, URL, and other details.

140

141Add tools only when they unlock a real workflow. Do not start by wiring in

142 every tool you use. Start with one or two tools that clearly remove a manual

143 loop you already do often, then expand from there.

144

145## Turn repeatable work into skills

146

147Once a workflow becomes repeatable, stop relying on long prompts or repeated back-and-forth. Use a [Skill](https://developers.openai.com/codex/skills) to package the instructions in a SKILL.md file, context, and supporting logic Codex should apply consistently. Skills work across the CLI, IDE extension, and Codex app.

148

149Keep each skill scoped to one job. Start with 2 to 3 concrete use cases, define clear inputs and outputs, and write the description so it says what the skill does and when to use it. Include the kinds of trigger phrases a user would actually say.

150

151Don't try to cover every edge case up front. Start with one representative task, get it working well, then turn that workflow into a skill and improve from there. Include scripts or extra assets only when they improve reliability.

152

153A good rule of thumb: if you keep reusing the same prompt or correcting the same workflow, it should probably become a skill.

154

155Skills are especially useful for recurring jobs like:

156

157- Log triage

158- Release note drafting

159- PR review against a checklist

160- Migration planning

161- Telemetry or incident summaries

162- Standard debugging flows

163

164The `$skill-creator` skill is the best place to start to scaffold the first version of a skill and to use the `$skill-installer` skill to install it locally. One of the most important parts of a skill is the description. It should say what the skill does and when to use it.

165

166Personal skills are stored in `$HOME/.agents/skills`, and shared team skills

167 can be checked into `.agents/skills` inside a repository. This is especially

168 helpful for onboarding new teammates.

169

170## Use automations for repeated work

171

172Once a workflow is stable, you can schedule Codex to run it in the background for you. In the Codex app, [automations](https://developers.openai.com/codex/app/automations) let you choose the project, prompt, cadence, and execution environment for a recurring task.

173

174Once a task becomes repetitive for you, you can create an automation in the Automations tab on the Codex app. You can choose which project it runs in, the prompt it runs (you can invoke skills), and the cadence it will run. You can also choose whether the automation runs in a dedicated git worktree or in your local environment. Learn more about [git worktrees](https://developers.openai.com/codex/app/worktrees).

175

176Good candidates include:

177

178- Summarizing recent commits

179- Scanning for likely bugs

180- Drafting release notes

181- Checking CI failures

182- Producing standup summaries

183- Running repeatable analysis workflows on a schedule

184

185A useful rule is that skills define the method, automations define the schedule. If a workflow still needs a lot of steering, turn it into a skill first. Once it's predictable, automation becomes a force multiplier.

186

187Use automations for reflection and maintenance, not just execution. Review

188 recent sessions, summarize repeated friction, and improve prompts,

189 instructions, or workflow setup over time.

190

191## Organize long-running work with session controls

192

193Codex sessions aren't just chat history. They're working threads that accumulate context, decisions, and actions over time, so managing them well has a big impact on quality.

194

195The Codex app UI makes thread management easiest because you can pin threads and create worktrees. If you are using the CLI, these [slash commands](https://developers.openai.com/codex/cli/slash-commands) are especially useful:

196

197- `/experimental` to toggle experimental features and add to your `config.toml`

198- `/resume` to resume a saved conversation

199- `/fork` to create a new thread while preserving the original transcript

200- `/compact` when the thread is getting long and you want a summarized version of earlier context. Note that Codex does automatically compact conversations for you

201- `/agent` when you are running parallel agents and want to switch between the active agent thread

202- `/theme` to choose a syntax highlighting theme

203- `/apps` to use ChatGPT apps directly in Codex

204- `/status` to inspect the current session state

205

206Keep one thread per coherent unit of work. If the work is still part of the same problem, staying in the same thread is often better because it preserves the reasoning trail. Fork only when the work truly branches.

207

208Use Codex’s [subagent](https://developers.openai.com/codex/concepts/subagents) workflows to offload bounded

209 work from the main thread. Keep the main agent focused on the core problem,

210 and use subagents for tasks like exploration, tests, or triage.

211

212## Common mistakes

213

214A few common mistakes to avoid when first using Codex:

215

216- Overloading the prompt with durable rules instead of moving them into `AGENTS.md` or a skill

217- Not letting the agent see its work by not giving details on how to best run build and test commands

218- Skipping planning on multi-step and complex tasks

219- Giving Codex full permission to your computer before you understand the workflow

220- Running live threads on the same files without using git worktrees

221- Turning a recurring task into an automation before it's reliable manually

222- Treating Codex like something you have to watch step by step instead of using it in parallel with your own work

223- Using one thread per project instead of one thread per task. This leads to bloated context and worse results over time

models.md +57 −20

Details

2 2

3## Recommended models3## Recommended models

4 4

~~5![gpt-5.3-codex](/images/codex/codex-wallpaper-1.webp)~~5![gpt-5.4](/images/api/models/gpt-5.4.jpg)

6 6

~~7gpt-5.3-codex~~7gpt-5.4

8 8

~~9Most capable agentic coding model to date, combining frontier coding performance with stronger reasoning and professional knowledge capabilities.~~9Flagship frontier model for professional work that brings the industry-leading coding capabilities of GPT-5.3-Codex together with stronger reasoning, tool use, and agentic workflows.

10 10

~~11codex -m gpt-5.3-codex~~11codex -m gpt-5.4

12 12

13Copy command13Copy command

14 14

26 26

27API Access27API Access

28 28

~~29![gpt-5.3-codex-spark](/images/codex/codex-wallpaper-2.webp)~~29![gpt-5.4-mini](/images/api/models/gpt-5-mini.jpg)

30 30

~~31gpt-5.3-codex-spark~~31gpt-5.4-mini

32 32

~~33Text-only research preview model optimized for near-instant, real-time coding iteration. Available to ChatGPT Pro users.~~33Fast, efficient mini model for responsive coding tasks and subagents.

34 34

~~35codex -m gpt-5.3-codex-spark~~35codex -m gpt-5.4-mini

36 36

37Copy command37Copy command

38 38

50 50

51API Access51API Access

52 52

~~53![gpt-5.2-codex](/images/codex/gpt-5.2-codex.png)~~53![gpt-5.3-codex](/images/codex/codex-wallpaper-1.webp)

54 54

~~55gpt-5.2-codex~~55gpt-5.3-codex

56 56

~~57Advanced coding model for real-world engineering. Succeeded by GPT-5.3-Codex.~~57Industry-leading coding model for complex software engineering. Its coding capabilities now also power GPT-5.4.

58 58

~~59codex -m gpt-5.2-codex~~59codex -m gpt-5.3-codex

60 60

61Copy command61Copy command

62 62

74 74

75API Access75API Access

76 76

~~77For most coding tasks in Codex, start with gpt-5.3-codex. It is available for~~77![gpt-5.3-codex-spark](/images/codex/codex-wallpaper-2.webp)

~~78ChatGPT-authenticated Codex sessions in the Codex app, CLI, IDE extension, and~~78

~~79Codex Cloud. API access for GPT-5.3-Codex will come soon. The~~79gpt-5.3-codex-spark

~~80gpt-5.3-codex-spark model is available in research preview for ChatGPT Pro~~80

~~81subscribers.~~81Text-only research preview model optimized for near-instant, real-time coding iteration. Available to ChatGPT Pro users.

83codex -m gpt-5.3-codex-spark

85Copy command

87Capability

89Speed

91Codex CLI & SDK

93Codex app & IDE extension

95Codex Cloud

97ChatGPT Credits

99API Access

100

101For most tasks in Codex, start with `gpt-5.4`. It combines strong coding,

102reasoning, native computer use, and broader professional workflows in one

103model. Use `gpt-5.4-mini` when you want a faster, lower-cost option for

104lighter coding tasks or subagents. The `gpt-5.3-codex-spark` model remains

105available in research preview for ChatGPT Pro subscribers and is optimized for

106near-instant, text-only iteration.

82 107

83## Alternative models108## Alternative models

84 109

110![gpt-5.2-codex](/images/codex/gpt-5.2-codex.png)

111

112gpt-5.2-codex

113

114Advanced coding model for real-world engineering. Succeeded by GPT-5.3-Codex.

115

116codex -m gpt-5.2-codex

117

118Copy command

119

120Show details

121

85![gpt-5.2](/images/api/models/gpt-5.2.jpg)122![gpt-5.2](/images/api/models/gpt-5.2.jpg)

86 123

87gpt-5.2124gpt-5.2

88 125

~~89Our best general agentic model for tasks across industries and domains.~~126Previous general-purpose model for coding and agentic tasks across industries and domains. Succeeded by GPT-5.4.

90 127

91codex -m gpt-5.2128codex -m gpt-5.2

92 129

182The Codex CLI and IDE extension use the same `config.toml` [configuration file](https://developers.openai.com/codex/config-basic). To specify a model, add a `model` entry to your configuration file. If you don't specify a model, the Codex app, CLI, or IDE Extension defaults to a recommended model.219The Codex CLI and IDE extension use the same `config.toml` [configuration file](https://developers.openai.com/codex/config-basic). To specify a model, add a `model` entry to your configuration file. If you don't specify a model, the Codex app, CLI, or IDE Extension defaults to a recommended model.

183 220

184```221```

185model = "gpt-5.2"222model = "gpt-5.4"

186```223```

187 224

188### Choosing a different local model temporarily225### Choosing a different local model temporarily

192To start a new Codex CLI thread with a specific model or to specify the model for `codex exec` you can use the `--model`/`-m` flag:229To start a new Codex CLI thread with a specific model or to specify the model for `codex exec` you can use the `--model`/`-m` flag:

193 230

194```bash231```bash

195codex -m gpt-5.3-codex232codex -m gpt-5.4

196```233```

197 234

198### Choosing your model for cloud tasks235### Choosing your model for cloud tasks

multi-agent.md +0 −257 deleted

File DeletedView Diff

~~1# Multi-agents~~

3Codex can run multi-agent workflows by spawning specialized agents in parallel and then collecting their results in one response. This can be particularly helpful for complex tasks that are highly parallel, such as codebase exploration or implementing a multi-step feature plan.

~~5With multi-agent workflows you can also define your own set of agents with different model configurations and instructions depending on the agent.~~

7For the concepts and tradeoffs behind multi-agent workflows (including context pollution/context rot and model-selection guidance), see [Multi-agents concepts](https://developers.openai.com/codex/concepts/multi-agents).

~~9## Enable multi-agent~~

~~11Multi-agent workflows are currently experimental and need to be explicitly enabled.~~

~~13You can enable this feature from the CLI with `/experimental`. Enable~~

~~14**Multi-agents**, then restart Codex.~~

~~16Multi-agent activity is currently surfaced in the CLI. Visibility in other~~

~~17surfaces (the Codex app and IDE Extension) is coming soon.~~

~~19You can also add the [`multi_agent` feature flag](https://developers.openai.com/codex/config-basic#feature-flags) directly to your configuration file (`~/.codex/config.toml`):~~

~~21```~~

~~22[features]~~

~~23multi_agent = true~~

~~24```~~

~~26## Typical workflow~~

~~28Codex handles orchestration across agents, including spawning new sub-agents, routing follow-up instructions, waiting for results, and closing agent threads.~~

~~30When many agents are running, Codex waits until all requested results are available, then returns a consolidated response.~~

~~32Codex will automatically decide when to spawn a new agent or you can explicitly ask it to do so.~~

~~34For long-running commands or polling workflows, Codex can also use the built-in `monitor` role, which is tuned for waiting and repeated status checks.~~

~~36To see it in action, try the following prompt on your project:~~

~~38```~~

~~39I would like to review the following points on the current PR (this branch vs main). Spawn one agent per point, wait for all of them, and summarize the result for each point.~~

~~401. Security issue~~

~~412. Code quality~~

~~423. Bugs~~

~~434. Race~~

~~445. Test flakiness~~

~~456. Maintainability of the code~~

~~46```~~

~~48## Managing sub-agents~~

~~50- Use `/agent` in the CLI to switch between active agent threads and inspect the ongoing thread.~~

~~51- Ask Codex directly to steer a running sub-agent, stop it, or close completed agent threads.~~

~~52- The `wait` tool supports long polling windows for monitoring workflows (up to 1 hour per call).~~

~~54## Approvals and sandbox controls~~

~~56Sub-agents inherit your current sandbox policy, but they run with~~

~~57non-interactive approvals. If a sub-agent attempts an action that would require~~

~~58a new approval, that action fails and the error is surfaced in the parent~~

~~59workflow.~~

~~61You can also override the sandbox configuration for individual [agent roles](#agent-roles) such as explicitly marking an agent to work in read-only mode.~~

~~63## Agent roles~~

~~65You configure agent roles in the `[agents]` section of your [configuration](https://developers.openai.com/codex/config-basic#configuration-precedence).~~

~~67Agent roles can be defined either in your local configuration (typically `~/.codex/config.toml`) or shared in a project-specific `.codex/config.toml`.~~

~~69Each role can provide guidance (`description`) for when Codex should use this agent, and optionally load a~~

~~70role-specific config file (`config_file`) when Codex spawns an agent with that role.~~

~~72Codex ships with built-in roles:~~

~~74- `default`: general-purpose fallback role.~~

~~75- `worker`: execution-focused role for implementation and fixes.~~

~~76- `explorer`: read-heavy codebase exploration role.~~

~~77- `monitor`: long-running command/task monitoring role (optimized for waiting/polling).~~

~~79Each agent role can override your default configuration. Common settings to override for an agent role are:~~

~~81- `model` and `model_reasoning_effort` to select a specific model for your agent role~~

~~82- `sandbox_mode` to mark an agent as `read-only`~~

~~83- `developer_instructions` to give the agent role additional instructions without relying on the parent agent for passing them~~

~~85### Schema~~

~~88| --- | --- | --- | --- |~~

~~89| `agents.max_threads` | number | No | Maximum number of concurrently open agent threads. |~~

~~90| `agents.max_depth` | number | No | Maximum nesting depth for spawned agent threads (root session starts at 0). |~~

~~91| `[agents.<name>]` | table | No | Declares a role. `<name>` is used as the `agent_type` when spawning an agent. |~~

~~92| `agents.<name>.description` | string | No | Human-facing role guidance shown to Codex when it decides which role to use. |~~

~~93| `agents.<name>.config_file` | string (path) | No | Path to a TOML config layer applied to spawned agents for that role. |~~

~~95**Notes:**~~

~~97- Unknown fields in `[agents.<name>]` are rejected.~~

~~98- `agents.max_depth` defaults to `1`, which allows a direct child agent to spawn but prevents deeper nesting.~~

~~99- Relative `config_file` paths are resolved relative to the `config.toml` file that defines the role.~~

100- `agents.<name>.config_file` is validated at config load time and must point to an existing file.

101- If a role name matches a built-in role (for example, `explorer`), your user-defined role takes precedence.

102- If Codex can’t load a role config file, agent spawns can fail until you fix the file.

103- Any configuration not set by the agent role will be inherited from the parent session.

~~104~~

105### Example agent roles

~~106~~

107The best role definitions are narrow and opinionated. Give each role one clear job, a tool surface that matches that job, and instructions that keep it from drifting into adjacent work.

~~108~~

109#### Example 1: PR review team

~~110~~

111This pattern splits review into three focused roles:

~~112~~

113- `explorer` maps the codebase and gathers evidence.

114- `reviewer` looks for correctness, security, and test risks.

115- `docs_researcher` checks framework or API documentation through a dedicated MCP server.

~~116~~

117Project config (`.codex/config.toml`):

~~118~~

119```

120[agents]

121max_threads = 6

122max_depth = 1

~~123~~

124[agents.explorer]

125description = "Read-only codebase explorer for gathering evidence before changes are proposed."

126config_file = "agents/explorer.toml"

~~127~~

128[agents.reviewer]

129description = "PR reviewer focused on correctness, security, and missing tests."

130config_file = "agents/reviewer.toml"

~~131~~

132[agents.docs_researcher]

133description = "Documentation specialist that uses the docs MCP server to verify APIs and framework behavior."

134config_file = "agents/docs-researcher.toml"

135```

~~136~~

137`agents/explorer.toml`:

~~138~~

139```

140model = "gpt-5.3-codex-spark"

141model_reasoning_effort = "medium"

142sandbox_mode = "read-only"

143developer_instructions = """

144Stay in exploration mode.

145Trace the real execution path, cite files and symbols, and avoid proposing fixes unless the parent agent asks for them.

146Prefer fast search and targeted file reads over broad scans.

147"""

148```

~~149~~

150`agents/reviewer.toml`:

~~151~~

152```

153model = "gpt-5.3-codex"

154model_reasoning_effort = "high"

155sandbox_mode = "read-only"

156developer_instructions = """

157Review code like an owner.

158Prioritize correctness, security, behavior regressions, and missing test coverage.

159Lead with concrete findings, include reproduction steps when possible, and avoid style-only comments unless they hide a real bug.

160"""

161```

~~162~~

163`agents/docs-researcher.toml`:

~~164~~

165```

166model = "gpt-5.3-codex-spark"

167model_reasoning_effort = "medium"

168sandbox_mode = "read-only"

169developer_instructions = """

170Use the docs MCP server to confirm APIs, options, and version-specific behavior.

171Return concise answers with links or exact references when available.

172Do not make code changes.

173"""

~~174~~

175[mcp_servers.openaiDeveloperDocs]

176url = "https://developers.openai.com/mcp"

177```

~~178~~

179This setup works well for prompts like:

~~180~~

181```

182Review this branch against main. Have explorer map the affected code paths, reviewer find real risks, and docs_researcher verify the framework APIs that the patch relies on.

183```

~~184~~

185#### Example 2: frontend integration debugging team

~~186~~

187This pattern is useful for UI regressions, flaky browser flows, or integration bugs that cross application code and the running product.

~~188~~

189Project config (`.codex/config.toml`):

~~190~~

191```

192[agents]

193max_threads = 6

194max_depth = 1

~~195~~

196[agents.explorer]

197description = "Read-only codebase explorer for locating the relevant frontend and backend code paths."

198config_file = "agents/explorer.toml"

~~199~~

200[agents.browser_debugger]

201description = "UI debugger that uses browser tooling to reproduce issues and capture evidence."

202config_file = "agents/browser-debugger.toml"

~~203~~

204[agents.worker]

205description = "Implementation-focused agent for small, targeted fixes after the issue is understood."

206config_file = "agents/worker.toml"

207```

~~208~~

209`agents/explorer.toml`:

~~210~~

211```

212model = "gpt-5.3-codex-spark"

213model_reasoning_effort = "medium"

214sandbox_mode = "read-only"

215developer_instructions = """

216Map the code that owns the failing UI flow.

217Identify entry points, state transitions, and likely files before the worker starts editing.

218"""

219```

~~220~~

221`agents/browser-debugger.toml`:

~~222~~

223```

224model = "gpt-5.3-codex"

225model_reasoning_effort = "high"

226sandbox_mode = "workspace-write"

227developer_instructions = """

228Reproduce the issue in the browser, capture exact steps, and report what the UI actually does.

229Use browser tooling for screenshots, console output, and network evidence.

230Do not edit application code.

231"""

~~232~~

233[mcp_servers.chrome_devtools]

234url = "http://localhost:3000/mcp"

235startup_timeout_sec = 20

236```

~~237~~

238`agents/worker.toml`:

~~239~~

240```

241model = "gpt-5.3-codex"

242model_reasoning_effort = "medium"

243developer_instructions = """

244Own the fix once the issue is reproduced.

245Make the smallest defensible change, keep unrelated files untouched, and validate only the behavior you changed.

246"""

~~247~~

248[[skills.config]]

249path = "/Users/me/.agents/skills/docs-editor/SKILL.md"

250enabled = false

251```

~~252~~

253This setup works well for prompts like:

~~254~~

255```

256Investigate why the settings modal fails to save. Have browser_debugger reproduce it, explorer trace the responsible code path, and worker implement the smallest fix once the failure mode is clear.

257```

noninteractive.md +22 −0

Details

111 111

112`codex exec` reuses saved CLI authentication by default. In CI, it's common to provide credentials explicitly:112`codex exec` reuses saved CLI authentication by default. In CI, it's common to provide credentials explicitly:

113 113

114### Use API key auth (recommended)

115

114- Set `CODEX_API_KEY` as a secret environment variable for the job.116- Set `CODEX_API_KEY` as a secret environment variable for the job.

115- Keep prompts and tool output in mind: they can include sensitive code or data.117- Keep prompts and tool output in mind: they can include sensitive code or data.

116 118

122 124

123`CODEX_API_KEY` is only supported in `codex exec`.125`CODEX_API_KEY` is only supported in `codex exec`.

124 126

127Use ChatGPT-managed auth in CI/CD (advanced)

128

129Read this if you need to run CI/CD jobs with a Codex user account instead of an

130API key, such as enterprise teams using ChatGPT-managed Codex access on trusted

131runners or users who need ChatGPT/Codex rate limits instead of API key usage.

132

133API keys are the right default for automation because they are simpler to

134provision and rotate. Use this path only if you specifically need to run as

135your Codex account.

136

137Treat `~/.codex/auth.json` like a password: it contains access tokens. Don't

138commit it, paste it into tickets, or share it in chat.

139

140Do not use this workflow for public or open-source repositories. If `codex login`

141is not an option on the runner, seed `auth.json` through secure storage, run

142Codex on the runner so Codex refreshes it in place, and persist the updated file

143between runs.

144

145See [Maintain Codex account auth in CI/CD (advanced)](https://developers.openai.com/codex/auth/ci-cd-auth).

146

125## Resume a non-interactive session147## Resume a non-interactive session

126 148

127If you need to continue a previous run (for example, a two-stage pipeline), use the `resume` subcommand:149If you need to continue a previous run (for example, a two-stage pipeline), use the `resume` subcommand:

open-source.md +2 −0

Details

2 2

3OpenAI develops key parts of Codex in the open. That work lives on GitHub so you can follow progress, report issues, and contribute improvements.3OpenAI develops key parts of Codex in the open. That work lives on GitHub so you can follow progress, report issues, and contribute improvements.

4 4

5If you maintain a widely used open-source project or want to nominate maintainers stewarding important projects, you can also [apply to the Codex open source program](https://developers.openai.com/codex/community/codex-for-oss) for API credits, ChatGPT Pro with Codex, and selective access to Codex Security.

5## Open-source components7## Open-source components

6 8

overview.md +5 −1

Details

24 24

25Explore Codex Ambassadors and upcoming community meetups by location.25Explore Codex Ambassadors and upcoming community meetups by location.

26 26

~~27 See community](https://developers.openai.com/codex/community/meetups)~~27 See community](https://developers.openai.com/codex/community/meetups) [### Codex for OSS

29Apply or nominate maintainers for API credits, ChatGPT Pro with Codex, and selective Codex Security access.

31 Learn more](https://developers.openai.com/codex/community/codex-for-oss)

prompting.md +1 −1

Details

31 31

32Threads can run either locally or in the cloud:32Threads can run either locally or in the cloud:

33 33

34- **Local threads** run on your machine. Codex can read and edit your files and run commands, so you can see what changes and use your existing tools. To reduce the risk of unwanted changes outside your workspace, local threads run in a [sandbox](https://developers.openai.com/codex/security).34- **Local threads** run on your machine. Codex can read and edit your files and run commands, so you can see what changes and use your existing tools. To reduce the risk of unwanted changes outside your workspace, local threads run in a [sandbox](https://developers.openai.com/codex/agent-approvals-security).

35- **Cloud threads** run in an isolated [environment](https://developers.openai.com/codex/cloud/environments). Codex clones your repository and checks out the branch it's working on. Cloud threads are useful when you want to run work in parallel or delegate tasks from another device. To use cloud threads with your repo, push your code to GitHub first. You can also [delegate tasks from your local machine](https://developers.openai.com/codex/ide/cloud-tasks), which includes your current working state.35- **Cloud threads** run in an isolated [environment](https://developers.openai.com/codex/cloud/environments). Codex clones your repository and checks out the branch it's working on. Cloud threads are useful when you want to run work in parallel or delegate tasks from another device. To use cloud threads with your repo, push your code to GitHub first. You can also [delegate tasks from your local machine](https://developers.openai.com/codex/ide/cloud-tasks), which includes your current working state.

36 36

37## Context37## Context

quickstart.md +5 −2

Details

14 14

151. Download and install the Codex app151. Download and install the Codex app

16 16

~~17 The Codex app is currently only available for macOS.~~17 Download the Codex app for Windows or macOS.

18 18

19 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)19 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)

20 20

~~21 [Get notified for Windows and Linux](https://openai.com/form/codex-app/)~~21 [Get notified for Linux](https://openai.com/form/codex-app/)

222. Open Codex and sign in222. Open Codex and sign in

23 23

24 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.24 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

41- Find and fix bugs in my codebase with minimal, high-confidence changes.40- Find and fix bugs in my codebase with minimal, high-confidence changes.

42 41

43 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).42 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).

43 If you’re new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

44 44

45 [Learn more about the Codex app](https://developers.openai.com/codex/app)45 [Learn more about the Codex app](https://developers.openai.com/codex/app)

46 46

694. Use Git checkpoints694. Use Git checkpoints

70 70

71 Codex can modify your codebase, so consider creating Git checkpoints before and after each task so you can easily revert changes if needed.71 Codex can modify your codebase, so consider creating Git checkpoints before and after each task so you can easily revert changes if needed.

72 If you’re new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

72 73

73 [Learn more about the Codex IDE extension](https://developers.openai.com/codex/ide)74 [Learn more about the Codex IDE extension](https://developers.openai.com/codex/ide)

74 75

1004. Use Git checkpoints1014. Use Git checkpoints

101 102

102 Codex can modify your codebase, so consider creating Git checkpoints before and after each task so you can easily revert changes if needed.103 Codex can modify your codebase, so consider creating Git checkpoints before and after each task so you can easily revert changes if needed.

104 If you’re new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

103 105

104[Learn more about the Codex CLI](https://developers.openai.com/codex/cli)106[Learn more about the Codex CLI](https://developers.openai.com/codex/cli)

105 107

security.md +22 −233

Details

1# Codex Security1# Codex Security

2 2

~~3Codex helps protect your code and data and reduces the risk of misuse.~~3Codex Security helps engineering and security teams find, validate, and remediate likely vulnerabilities in connected GitHub repositories.

4 4

5By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.5This page covers Codex Security, the product that scans connected GitHub

6 repositories for likely security issues. For Codex sandboxing, approvals,

7 network controls, and admin settings, see [Agent approvals &

8 security](https://developers.openai.com/codex/agent-approvals-security).

6 9

~~7## Sandbox and approvals~~10It helps teams:

8 11

~~9Codex security controls come from two layers that work together:~~121. **Find likely vulnerabilities** by using a repo-specific threat model and real code context.

132. **Reduce noise** by validating findings before you review them.

143. **Move findings toward fixes** with ranked results, evidence, and suggested patch options.

10 15

~~11- **Sandbox mode**: What Codex can do technically (for example, where it can write and whether it can reach the network) when it executes model-generated commands.~~16## How it works

~~12- **Approval policy**: When Codex must ask you before it executes an action (for example, leaving the sandbox, using the network, or running commands outside a trusted set).~~

13 17

~~14Codex uses different sandbox modes depending on where you run it:~~18Codex Security scans connected repositories commit by commit.

19It builds scan context from your repo, checks likely vulnerabilities against that context, and validates high-signal issues in an isolated environment before surfacing them.

15 20

16- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.21You get a workflow focused on:

17- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

18 22

~~19In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.~~23- repo-specific context instead of generic signatures

24- validation evidence that helps reduce false positives

25- suggested fixes you can review in GitHub

20 26

21Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.27## Access and prerequisites

22 28

23Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn’t a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).29Codex Security works with connected GitHub repositories through Codex Web. OpenAI manages access. If you need access or a repository isn't visible, contact your OpenAI account team and confirm the repository is available through your Codex Web workspace.

24 30

~~25## Network access [Elevated Risk](https://help.openai.com/articles/20001061)~~31## Related docs

26 32

~~27For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.~~33- [Codex Security setup](https://developers.openai.com/codex/security/setup) covers setup, scanning, and findings review.

28 34- [FAQ](https://developers.openai.com/codex/security/faq) covers common product questions.

~~29For the Codex app, CLI, or IDE Extension, the default `workspace-write` sandbox mode keeps network access turned off unless you enable it in your configuration:~~35- [Improving the threat model](https://developers.openai.com/codex/security/threat-model) explains how to tune scope, attack surface, and criticality assumptions.

~~31```~~

~~32[sandbox_workspace_write]~~

~~33network_access = true~~

~~34```~~

36You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

~~38```~~

~~39web_search = "cached" # default~~

~~40# web_search = "disabled"~~

~~41# web_search = "live" # same as --search~~

~~42```~~

~~44Use caution when enabling network access or web search in Codex. Prompt injection can cause the agent to fetch and follow untrusted instructions.~~

~~46## Defaults and recommendations~~

~~48- On launch, Codex detects whether the folder is version-controlled and recommends:~~

~~49 - Version-controlled folders: `Auto` (workspace write + on-request approvals)~~

~~50 - Non-version-controlled folders: `read-only`~~

~~51- Depending on your setup, Codex may also start in `read-only` until you explicitly trust the working directory (for example, via an onboarding prompt or `/permissions`).~~

~~52- The workspace includes the current directory and temporary directories like `/tmp`. Use the `/status` command to see which directories are in the workspace.~~

~~53- To accept the defaults, run `codex`.~~

~~54- You can set these explicitly:~~

~~55 - `codex --sandbox workspace-write --ask-for-approval on-request`~~

~~56 - `codex --sandbox read-only --ask-for-approval on-request`~~

~~58### Protected paths in writable roots~~

~~60In the default `workspace-write` sandbox policy, writable roots still include protected paths:~~

~~62- `<writable_root>/.git` is protected as read-only whether it appears as a directory or file.~~

~~63- If `<writable_root>/.git` is a pointer file (`gitdir: ...`), the resolved Git directory path is also protected as read-only.~~

~~64- `<writable_root>/.agents` is protected as read-only when it exists as a directory.~~

~~65- `<writable_root>/.codex` is protected as read-only when it exists as a directory.~~

~~66- Protection is recursive, so everything under those paths is read-only.~~

~~68### Run without approval prompts~~

~~70You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).~~

~~72This option works with all `--sandbox` modes, so you still control Codex’s level of autonomy. Codex makes a best effort within the constraints you set.~~

74If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

76For a middle ground, `approval_policy = { reject = { ... } }` lets you auto-reject specific approval prompt categories (sandbox escalation, execpolicy-rule prompts, or MCP elicitations) while keeping other prompts interactive.

~~78### Common sandbox and approval combinations~~

~~80| Intent | Flags | Effect |~~

~~81| --- | --- | --- |~~

82| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

~~83| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |~~

~~84| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |~~

85| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

~~86| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |~~

~~88`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.~~

90With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

~~92#### Configuration in `config.toml`~~

94For the broader configuration workflow, see [Config basics](https://developers.openai.com/codex/config-basic), [Advanced Config](https://developers.openai.com/codex/config-advanced#approval-policies-and-sandbox-modes), and the [Configuration Reference](https://developers.openai.com/codex/config-reference).

~~96```~~

~~97# Always ask for approval mode~~

~~98approval_policy = "untrusted"~~

~~99sandbox_mode = "read-only"~~

100allow_login_shell = false # optional hardening: disallow login shells for shell-based tools

~~101~~

102# Optional: Allow network in workspace-write mode

103[sandbox_workspace_write]

104network_access = true

~~105~~

106# Optional: granular approval prompt auto-rejection

107# approval_policy = { reject = { sandbox_approval = true, rules = false, mcp_elicitations = false } }

108```

~~109~~

110You can also save presets as profiles, then select them with `codex --profile <name>`:

~~111~~

112```

113[profiles.full_auto]

114approval_policy = "on-request"

115sandbox_mode = "workspace-write"

~~116~~

117[profiles.readonly_quiet]

118approval_policy = "never"

119sandbox_mode = "read-only"

120```

~~121~~

122### Test the sandbox locally

~~123~~

124To see what happens when a command runs under the Codex sandbox, use these Codex CLI commands:

~~125~~

126```

127# macOS

128codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...

129# Linux

130codex sandbox linux [--full-auto] [COMMAND]...

131```

~~132~~

133The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

~~134~~

135## OS-level sandbox

~~136~~

137Codex enforces the sandbox differently depending on your OS:

~~138~~

139- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

140- **Linux** uses `Landlock` plus `seccomp` by default. You can opt into the alternative Linux sandbox pipeline with `features.use_linux_sandbox_bwrap = true` (or `-c use_linux_sandbox_bwrap=true`). In managed proxy mode, the bwrap pipeline routes egress through a proxy-only bridge and fails closed if it cannot build valid loopback proxy routes; landlock-only flows do not use that bridge behavior.

141- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux (WSL)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

~~142~~

143If you use the Codex IDE extension on Windows, it supports WSL directly. Set the following in your VS Code settings to keep the agent inside WSL whenever it’s available:

~~144~~

145```

146{

147 "chatgpt.runCodexInWindowsSubsystemForLinux": true

148}

149```

~~150~~

151This ensures the IDE extension inherits Linux sandbox semantics for commands, approvals, and filesystem access even when the host OS is Windows. Learn more in the [Windows setup guide](https://developers.openai.com/codex/windows).

~~152~~

153When running natively on Windows, configure the native sandbox mode in `config.toml`:

~~154~~

155```

156[windows]

157sandbox = "unelevated" # or "elevated"

158```

~~159~~

160See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

~~161~~

162When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.

~~163~~

164In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

~~165~~

166## Version control

~~167~~

168Codex works best with a version control workflow:

~~169~~

170- Work on a feature branch and keep `git status` clean before delegating. This keeps Codex patches easier to isolate and revert.

171- Prefer patch-based workflows (for example, `git diff`/`git apply`) over editing tracked files directly. Commit frequently so you can roll back in small increments.

172- Treat Codex suggestions like any other PR: run targeted verification, review diffs, and document decisions in commit messages for auditing.

~~173~~

174## Monitoring and telemetry

~~175~~

176Codex supports opt-in monitoring via OpenTelemetry (OTel) to help teams audit usage, investigate issues, and meet compliance requirements without weakening local security defaults. Telemetry is off by default; enable it explicitly in your configuration.

~~177~~

178### Overview

~~179~~

180- Codex turns off OTel export by default to keep local runs self-contained.

181- When enabled, Codex emits structured log events covering conversations, API requests, SSE/WebSocket stream activity, user prompts (redacted by default), tool approval decisions, and tool results.

182- Codex tags exported events with `service.name` (originator), CLI version, and an environment label to separate dev/staging/prod traffic.

~~183~~

184### Enable OTel (opt-in)

~~185~~

186Add an `[otel]` block to your Codex configuration (typically `~/.codex/config.toml`), choosing an exporter and whether to log prompt text.

~~187~~

188```

189[otel]

190environment = "staging" # dev | staging | prod

191exporter = "none" # none | otlp-http | otlp-grpc

192log_user_prompt = false # redact prompt text unless policy allows

193```

~~194~~

195- `exporter = "none"` leaves instrumentation active but doesn’t send data anywhere.

196- To send events to your own collector, pick one of:

~~197~~

198```

199[otel]

200exporter = { otlp-http = {

201 endpoint = "https://otel.example.com/v1/logs",

202 protocol = "binary",

203 headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }

204}}

205```

~~206~~

207```

208[otel]

209exporter = { otlp-grpc = {

210 endpoint = "https://otel.example.com:4317",

211 headers = { "x-otlp-meta" = "abc123" }

212}}

213```

~~214~~

215Codex batches events and flushes them on shutdown. Codex exports only telemetry produced by its OTel module.

~~216~~

217### Event categories

~~218~~

219Representative event types include:

~~220~~

221- `codex.conversation_starts` (model, reasoning settings, sandbox/approval policy)

222- `codex.api_request` (attempt, status/success, duration, and error details)

223- `codex.sse_event` (stream event kind, success/failure, duration, plus token counts on `response.completed`)

224- `codex.websocket_request` and `codex.websocket_event` (request duration plus per-message kind/success/error)

225- `codex.user_prompt` (length; content redacted unless explicitly enabled)

226- `codex.tool_decision` (approved/denied, source: configuration vs. user)

227- `codex.tool_result` (duration, success, output snippet)

~~228~~

229Associated OTel metrics (counter plus duration histogram pairs) include `codex.api_request`, `codex.sse_event`, `codex.websocket.request`, `codex.websocket.event`, and `codex.tool.call` (with corresponding `.duration_ms` instruments).

~~230~~

231For the full event catalog and configuration reference, see the [Codex configuration documentation on GitHub](https://github.com/openai/codex/blob/main/docs/config.md#otel).

~~232~~

233### Security and privacy guidance

~~234~~

235- Keep `log_user_prompt = false` unless policy explicitly permits storing prompt contents. Prompts can include source code and sensitive data.

236- Route telemetry only to collectors you control; apply retention limits and access controls aligned with your compliance requirements.

237- Treat tool arguments and outputs as sensitive. Favor redaction at the collector or SIEM when possible.

238- Review local data retention settings (for example, `history.persistence` / `history.max_bytes`) if you don’t want Codex to save session transcripts under `CODEX_HOME`. See [Advanced Config](https://developers.openai.com/codex/config-advanced#history-persistence) and [Configuration Reference](https://developers.openai.com/codex/config-reference).

239- If you run the CLI with network access turned off, OTel export can’t reach your collector. To export, allow network access in `workspace-write` mode for the OTel endpoint, or export from Codex cloud with the collector domain on your approved list.

240- Review events periodically for approval/sandbox changes and unexpected tool executions.

~~241~~

242OTel is optional and designed to complement, not replace, the sandbox and approval protections described above.

~~243~~

244## Managed configuration

~~245~~

246Enterprise admins can configure Codex security settings for their workspace in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration). See that page for setup and policy details.

security/faq.md +104 −0 added

Details

1# FAQ

3## Getting started

5### What is Codex Security?

7Software security remains one of the hardest and most important problems in engineering. Codex Security is an LLM-driven security analysis toolkit that inspects source code and returns structured, ranked vulnerability findings with proposed patches. It helps developers and security teams discover and fix security issues at scale.

9### Why does it matter?

11Software is foundational to modern industry and society, and vulnerabilities create systemic risk. Codex Security supports a defender-first workflow by continuously identifying likely issues, validating them when possible, and proposing fixes. That helps teams improve security without slowing development.

13### What business problem does Codex Security solve?

15Codex Security shortens the path from a suspected issue to a confirmed, reproducible finding with evidence and a proposed patch. That reduces triage load and cuts false positives compared with traditional scanners alone.

17### How does Codex Security work?

19Codex Security runs analysis in an ephemeral, isolated container and temporarily clones the target repository. It performs code-level analysis and returns structured findings with a description, file and location, criticality, root cause, and a suggested remediation.

21For findings that include verification steps, the system executes proposed commands or tests in the same sandbox, records success or failure, exit codes, stdout, stderr, test results, and any generated diffs or artifacts, and attaches that output as evidence for review.

23### Does it replace SAST?

25No. Codex Security complements SAST. It adds semantic, LLM-based reasoning and automated validation, while existing SAST tools still provide broad deterministic coverage.

27## Features

29### What is the analysis pipeline?

31Codex Security follows a staged pipeline:

331. **Analysis** builds a threat model for the repository.

342. **Commit scanning** reviews merged commits and repository history for likely issues.

353. **Validation** tries to reproduce likely vulnerabilities in a sandbox to reduce false positives.

364. **Patching** integrates with Codex to propose patches that reviewers can inspect before opening a PR.

38It works alongside engineers in GitHub, Codex, and standard review workflows.

40### What languages are supported?

42Codex Security is language-agnostic. In practice, performance depends on the model's reasoning ability for the language and framework used by the repository.

44### What outputs do I get after the scan completes?

46You get ranked findings with criticality, validation status, and a proposed patch when one is available. Findings can also include crash output, reproduction evidence, call-path context, and related annotations.

48### How is customer code isolated?

50Each analysis and validation job runs in an ephemeral Codex container with session-scoped tools. Artifacts are extracted for review, and the container is torn down after the job completes.

52### Does Codex Security auto-apply patches?

54No. The proposed patch is a recommended remediation. Users can review it and push it as a PR to GitHub from the findings UI, but Codex Security does not auto-apply changes to the repository.

56### Does the project need to be built for scanning?

58No. Codex Security can produce findings from repository and commit context without a compile step. During auto-validation, it may try to build the project inside the container if that helps reproduce the issue. For environment setup details, see [Codex cloud environments](https://developers.openai.com/codex/cloud/environments).

60### How does Codex Security reduce false positives and avoid broken patches?

62Codex Security uses two stages. First, the model ranks likely issues. Then auto-validation tries to reproduce each issue in a clean container. Findings that successfully reproduce are marked as validated, which helps reduce false positives before human review.

64### How long do initial scans take, and what happens after that?

66Initial scan time depends on repository size, build time, and how many findings proceed to validation. For some repositories, scans can take several hours. For larger repositories, they can take multiple days. Later scans are usually faster because they focus on new commits and incremental changes.

68### What is a threat model?

70A threat model is the scan-time security context for a repository. It combines a concise project overview with attack-surface details such as entry points, trust boundaries, auth assumptions, and risky components. For more detail, see [Improving the threat model](https://developers.openai.com/codex/security/threat-model).

72### How is a threat model generated?

74Codex Security prompts the model to summarize the repository architecture and security entry points, classify the repository type, run specialized extractors, and merge the results into a project overview or threat model artifact used throughout the scan.

76### Does it replace manual security review?

78No. Codex Security accelerates review and helps rank findings, but it does not replace code-level validation, exploitability checks, or human threat assessment.

80### Can I edit the threat model?

82Yes. Codex Security creates the initial threat model, and you can update it as the architecture, risks, and business context change. For the editing workflow, see [Improving the threat model](https://developers.openai.com/codex/security/threat-model).

84### Do I need to configure a scan before using threat modeling?

86Yes. Threat-model guidance is tied to how and what you scan, so you need to configure the repository first. See [Codex Security setup](https://developers.openai.com/codex/security/setup).

88### What does the proposed patch contain?

90The proposed patch contains a minimal actionable diff with filename and line context when a remediation can be generated for the finding.

92### Does the patch directly modify my PR branch?

94No. The workflow generates a diff, patch file, or suggested change for maintainers and reviewers to inspect before applying.

96## Validation

98### What is auto-validation?

100Auto-validation is the phase that tries to reproduce a suspected issue in an isolated container. It records whether reproduction succeeded or failed and captures logs, commands, and related artifacts as evidence.

101

102### What happens if validation fails?

103

104The finding remains unvalidated. Logs and reports still capture what was attempted so engineers can retry, investigate further, or adjust the reproduction steps.

security/setup.md +97 −0 added

Details

1# Codex Security setup

3This page walks you from initial access to reviewed findings and remediation pull requests in Codex Security.

5Confirm you've set up Codex Cloud first. If not, see [Codex

6 Cloud](https://developers.openai.com/codex/cloud) to get started.

8## 1. Access and environment

10Codex Security scans GitHub repositories connected through [Codex Cloud](https://developers.openai.com/codex/cloud).

12- Confirm your workspace has access to Codex Security.

13- Confirm the repository you want to scan is available in Codex Cloud.

15Go to [Codex environments](https://chatgpt.com/codex/settings/environments) and check whether the repository already has an environment. If it doesn't, create one there before continuing.

17[Open environments](https://chatgpt.com/codex/settings/environments)

19![Codex environments](/_astro/create_environment.M-EPszPH.png)

21## 2. New security scan

23After the environment exists, go to [Create a security scan](https://chatgpt.com/codex/security/scans/new) and choose the repository you just connected.

25[Create a security scan](https://chatgpt.com/codex/security/scans/new)

27Codex Security scans repositories from newest commits backward first. It uses this to build and refresh scan context as new commits come in.

29To configure a repository:

311. Select the GitHub organization.

322. Select the repository.

333. Select the branch you want to scan.

344. Select the environment.

355. Choose a **history window**. Longer windows provide more context, but backfill takes longer.

366. Click **Create**.

38![Create a security scan](/_astro/create_scan.mEjmf4U_.png)

40## 3. Initial scans can take a while

42When you create the scan, Codex Security first runs a commit-level security pass across the selected history window.

43The initial backfill can take a few hours, especially for larger repositories or longer windows.

44If findings aren't visible right away, this is expected. Wait for the initial scan to finish before opening a ticket or troubleshooting.

46Initial scan setup is automatic and thorough. This can take a few hours. Don’t

47 be alarmed if the first set of findings is delayed.

49## 4. Review scans and improve the threat model

51[Review scans](https://chatgpt.com/codex/security/scans)

53![Threat model editor in Codex Security](/_astro/review_threat_model.JTLMQEmx.png)

55When the initial scan finishes, open the scan and review the threat model that was generated.

56After initial findings appear, update the threat model so it matches your architecture, trust boundaries, and business context.

57This helps Codex Security rank issues for your team.

59If you want scan results to change, you can edit the threat model with your

60 updated scope, priorities, and assumptions.

62After initial findings appear, revisit the model so scan guidance stays aligned with current priorities.

63Keeping it current helps Codex Security produce better suggestions.

65For a deeper explanation of threat models and how they affect criticality and triage, see [Improving the threat model](https://developers.openai.com/codex/security/threat-model).

67## 5. Review findings and patch

69After the initial backfill completes, review findings from the **Findings** view.

71[Open findings](https://chatgpt.com/codex/security/findings)

73You can use two views:

75- **Recommended Findings**: an evolving top 10 list of the most critical issues in the repo

76- **All Findings**: a sortable, filterable table of findings across the repository

78![Recommended findings view](https://developers.openai.com/codex/security/images/aardvark_recommended_findings.png)

80Click a finding to open its detail page, which includes:

82- a concise description of the issue

83- key metadata such as commit details and file paths

84- contextual reasoning about impact

85- relevant code excerpts

86- call-path or data-flow context when available

87- validation steps and validation output

89You can review each finding and create a PR directly from the finding detail page.

91[Review findings and create a PR](https://chatgpt.com/codex/security/findings)

93## Related docs

95- [Codex Security](https://developers.openai.com/codex/security) gives the product overview.

96- [FAQ](https://developers.openai.com/codex/security/faq) covers common questions.

97- [Improving the threat model](https://developers.openai.com/codex/security/threat-model) explains how to improve scan context and finding prioritization.

security/threat-model.md +40 −0 added

Details

1# Improving the threat model

3Learn what a threat model is and how editing it improves Codex Security's suggestions.

5## What a threat model is

7A threat model is a short security summary of how your repository works. In Codex Security, you edit it as a `project overview`, and the system uses it as scan context for future scans, prioritization, and review.

9Codex Security creates the first draft from the code. If the findings feel off, this is the first thing to edit.

11A useful threat model calls out:

13- entry points and untrusted inputs

14- trust boundaries and auth assumptions

15- sensitive data paths or privileged actions

16- the areas your team wants reviewed first

18For example:

20> Public API for account changes. Accepts JSON requests and file uploads. Uses an internal auth service for identity checks and writes billing changes through an internal service. Focus review on auth checks, upload parsing, and service-to-service trust boundaries.

22That gives Codex Security a better starting point for future scans and finding prioritization.

24## Improving and revisiting the threat model

26If you want to improve the results, edit the threat model first. Use it when findings are missing the areas you care about or showing up in places you don't expect. The threat model changes future scan context.

28Some users copy the current threat model into Codex, have a conversation to

29 improve it based on the areas they want reviewed more closely, and then paste

30 the updated version back into the web UI.

32### Where to edit

34To review or update the threat model, go to [Codex Security scans](https://chatgpt.com/codex/security/scans), open the repository, and click **Edit**.

36## Related docs

38- [Codex Security setup](https://developers.openai.com/codex/security/setup) covers repository setup and findings review.

39- [Codex Security](https://developers.openai.com/codex/security) gives the product overview.

40- [FAQ](https://developers.openai.com/codex/security/faq) covers common questions.

skills.md +2 −2

Details

67 67

68## Install skills68## Install skills

69 69

~~70To install skills beyond the built-ins, use `$skill-installer`:~~70To install skills beyond the built-ins, use `$skill-installer`. For example, to install the `$linear` skill:

71 71

72```bash72```bash

~~73$skill-installer install the linear skill from the .experimental folder~~73$skill-installer linear

74```74```

75 75

76You can also prompt the installer to download skills from other repositories. Codex detects newly installed skills automatically; if one doesn’t appear, restart Codex.76You can also prompt the installer to download skills from other repositories. Codex detects newly installed skills automatically; if one doesn’t appear, restart Codex.

speed.md +24 −0 added

Details

1# Speed

3## Fast mode

5Codex offers the ability to increase the speed of the model for increased

6credit consumption.

8Fast mode is currently supported on GPT-5.4. When enabled, speed is increased

9by 1.5x and credits are consumed at a 2x rate.

11Enable it by typing `/fast`. It’s available in Codex IDE Extensions, Codex

12CLI, and the Codex app when you sign in with ChatGPT. With an API key, Codex

13uses standard API pricing instead and you can’t use `/fast`.

15[

16Your browser does not support the video tag.

17](/videos/codex/fast-mode-demo.mp4)

19## Codex-Spark

21GPT-5.3-Codex-Spark is a separate fast, less-capable Codex model optimized for near-instant, real-time coding iteration. Unlike fast mode, which speeds up GPT-5.4 at a higher credit rate,

22Codex-Spark is its own model choice and has its own usage limits.

24During research preview Codex-Spark is only available for ChatGPT Pro subscribers.

subagents.md +340 −0 added

Details

1# Subagents

3Codex can run subagent workflows by spawning specialized agents in parallel and then collecting their results in one response. This can be particularly helpful for complex tasks that are highly parallel, such as codebase exploration or implementing a multi-step feature plan.

5With subagent workflows, you can also define your own custom agents with different model configurations and instructions depending on the task.

7For the concepts and tradeoffs behind subagent workflows, including context pollution, context rot, and model-selection guidance, see [Subagent concepts](https://developers.openai.com/codex/concepts/subagents).

9## Availability

11Current Codex releases enable subagent workflows by default.

13Subagent activity is currently surfaced in the Codex app and CLI. Visibility

14 in the IDE Extension is coming soon.

16Codex only spawns subagents when you explicitly ask it to. Because each

17subagent does its own model and tool work, subagent workflows consume more

18tokens than comparable single-agent runs.

20## Typical workflow

22Codex handles orchestration across agents, including spawning new subagents,

23routing follow-up instructions, waiting for results, and closing agent

24threads.

26When many agents are running, Codex waits until all requested results are

27available, then returns a consolidated response.

29Codex only spawns a new agent when you explicitly ask it to do so.

31To see it in action, try the following prompt on your project:

33```text

34I would like to review the following points on the current PR (this branch vs main). Spawn one agent per point, wait for all of them, and summarize the result for each point.

351. Security issue

362. Code quality

373. Bugs

384. Race

395. Test flakiness

406. Maintainability of the code

41```

43## Managing subagents

45- Use `/agent` in the CLI to switch between active agent threads and inspect the ongoing thread.

46- Ask Codex directly to steer a running subagent, stop it, or close completed agent threads.

48## Approvals and sandbox controls

50Subagents inherit your current sandbox policy.

52In interactive CLI sessions, approval requests can surface from inactive agent

53threads even while you are looking at the main thread. The approval overlay

54shows the source thread label, and you can press `o` to open that thread before

55you approve, reject, or answer the request.

57In non-interactive flows, or whenever a run can't surface a fresh approval, an

58action that needs new approval fails and Codex surfaces the error back to the

59parent workflow.

61Codex also reapplies the parent turn's live runtime overrides when it spawns a

62child. That includes sandbox and approval choices you set interactively during

63the session, such as `/approvals` changes or `--yolo`, even if the selected

64custom agent file sets different defaults.

66You can also override the sandbox configuration for individual [custom agents](#custom-agents), such as explicitly marking one to work in read-only mode.

68## Custom agents

70Codex ships with built-in agents:

72- `default`: general-purpose fallback agent.

73- `worker`: execution-focused agent for implementation and fixes.

74- `explorer`: read-heavy codebase exploration agent.

76To define your own custom agents, add standalone TOML files under

77`~/.codex/agents/` for personal agents or `.codex/agents/` for project-scoped

78agents.

80Each file defines one custom agent. Codex loads these files as configuration

81layers for spawned sessions, so custom agents can override the same settings as

82a normal Codex session config. That can feel heavier than a dedicated agent

83manifest, and the format may evolve as authoring and sharing mature.

85Every standalone custom agent file must define:

87- `name`

88- `description`

89- `developer_instructions`

91Optional fields such as `nickname_candidates`, `model`,

92`model_reasoning_effort`, `sandbox_mode`, `mcp_servers`, and `skills.config`

93inherit from the parent session when you omit them.

95### Global settings

97Global subagent settings still live under `[agents]` in your [configuration](https://developers.openai.com/codex/config-basic#configuration-precedence).

100| --- | --- | --- | --- |

104

105**Notes:**

106

107- `agents.max_threads` defaults to `6` when you leave it unset.

108- `agents.max_depth` defaults to `1`, which allows a direct child agent to spawn but prevents deeper nesting.

109- `agents.job_max_runtime_seconds` is optional. When you leave it unset, `spawn_agents_on_csv` falls back to its per-call default timeout of 1800 seconds per worker.

110- If a custom agent name matches a built-in agent such as `explorer`, your custom agent takes precedence.

111

112### Custom agent file schema

113

115| --- | --- | --- | --- |

120

121You can also include other supported `config.toml` keys in a custom agent file, such as `model`, `model_reasoning_effort`, `sandbox_mode`, `mcp_servers`, and `skills.config`.

122

123Codex identifies the custom agent by its `name` field. Matching the filename to

124the agent name is the simplest convention, but the `name` field is the source

125of truth.

126

127### Display nicknames

128

129Use `nickname_candidates` when you want Codex to assign more readable display

130names to spawned agents. This is especially helpful when you run many

131instances of the same custom agent and want the UI to show distinct labels

132instead of repeating the same agent name.

133

134Nicknames are presentation-only. Codex still identifies and spawns the agent by

135its `name`.

136

137Nickname candidates must be a non-empty list of unique names. Each nickname can

138use ASCII letters, digits, spaces, hyphens, and underscores.

139

140Example:

141

142```toml

143name = "reviewer"

144description = "PR reviewer focused on correctness, security, and missing tests."

145developer_instructions = """

146Review code like an owner.

147Prioritize correctness, security, behavior regressions, and missing test coverage.

148"""

149nickname_candidates = ["Atlas", "Delta", "Echo"]

150```

151

152In practice, the Codex app and CLI can show the nicknames where agent activity

153appears, while the underlying agent type stays

154`reviewer`.

155

156### Example custom agents

157

158The best custom agents are narrow and opinionated. Give each one clear job, a

159tool surface that matches that job, and instructions that keep it from

160drifting into adjacent work.

161

162#### Example 1: PR review

163

164This pattern splits review across three focused custom agents:

165

166- `pr_explorer` maps the codebase and gathers evidence.

167- `reviewer` looks for correctness, security, and test risks.

168- `docs_researcher` checks framework or API documentation through a dedicated MCP server.

169

170Project config (`.codex/config.toml`):

171

172```toml

173[agents]

174max_threads = 6

175max_depth = 1

176```

177

178`.codex/agents/pr-explorer.toml`:

179

180```toml

181name = "pr_explorer"

182description = "Read-only codebase explorer for gathering evidence before changes are proposed."

183model = "gpt-5.3-codex-spark"

184model_reasoning_effort = "medium"

185sandbox_mode = "read-only"

186developer_instructions = """

187Stay in exploration mode.

188Trace the real execution path, cite files and symbols, and avoid proposing fixes unless the parent agent asks for them.

189Prefer fast search and targeted file reads over broad scans.

190"""

191```

192

193`.codex/agents/reviewer.toml`:

194

195```toml

196name = "reviewer"

197description = "PR reviewer focused on correctness, security, and missing tests."

198model = "gpt-5.4"

199model_reasoning_effort = "high"

200sandbox_mode = "read-only"

201developer_instructions = """

202Review code like an owner.

203Prioritize correctness, security, behavior regressions, and missing test coverage.

204Lead with concrete findings, include reproduction steps when possible, and avoid style-only comments unless they hide a real bug.

205"""

206```

207

208`.codex/agents/docs-researcher.toml`:

209

210```toml

211name = "docs_researcher"

212description = "Documentation specialist that uses the docs MCP server to verify APIs and framework behavior."

213model = "gpt-5.4-mini"

214model_reasoning_effort = "medium"

215sandbox_mode = "read-only"

216developer_instructions = """

217Use the docs MCP server to confirm APIs, options, and version-specific behavior.

218Return concise answers with links or exact references when available.

219Do not make code changes.

220"""

221

222[mcp_servers.openaiDeveloperDocs]

223url = "https://developers.openai.com/mcp"

224```

225

226This setup works well for prompts like:

227

228```text

229Review this branch against main. Have pr_explorer map the affected code paths, reviewer find real risks, and docs_researcher verify the framework APIs that the patch relies on.

230```

231

232## Process CSV batches with subagents (experimental)

233

234This workflow is experimental and may change as subagent support evolves.

235Use `spawn_agents_on_csv` when you have many similar tasks that map to one row per work item. Codex reads the CSV, spawns one worker subagent per row, waits for the full batch to finish, and exports the combined results to CSV.

236

237This works well for repeated audits such as:

238

239- reviewing one file, package, or service per row

240- checking a list of incidents, PRs, or migration targets

241- generating structured summaries for many similar inputs

242

243The tool accepts:

244

245- `csv_path` for the source CSV

246- `instruction` for the worker prompt template, using `{column_name}` placeholders

247- `id_column` when you want stable item ids from a specific column

248- `output_schema` when each worker should return a JSON object with a fixed shape

249- `output_csv_path`, `max_concurrency`, and `max_runtime_seconds` for job control

250

251Each worker must call `report_agent_job_result` exactly once. If a worker exits without reporting a result, Codex marks that row with an error in the exported CSV.

252

253Example prompt:

254

255```text

256Create /tmp/components.csv with columns path,owner and one row per frontend component.

257

258Then call spawn_agents_on_csv with:

259- csv_path: /tmp/components.csv

260- id_column: path

261- instruction: "Review {path} owned by {owner}. Return JSON with keys path, risk, summary, and follow_up via report_agent_job_result."

262- output_csv_path: /tmp/components-review.csv

263- output_schema: an object with required string fields path, risk, summary, and follow_up

264```

265

266When you run this through `codex exec`, Codex shows a single-line progress update on `stderr` while the batch is running. The exported CSV includes the original row data plus metadata such as `job_id`, `item_id`, `status`, `last_error`, and `result_json`.

267

268Related runtime settings:

269

270- `agents.max_threads` caps how many agent threads can stay open concurrently.

271- `agents.job_max_runtime_seconds` sets the default per-worker timeout for CSV fan-out jobs. A per-call `max_runtime_seconds` override takes precedence.

272- `sqlite_home` controls where Codex stores the SQLite-backed state used for agent jobs and their exported results.

273

274#### Example 2: Frontend integration debugging

275

276This pattern is useful for UI regressions, flaky browser flows, or integration bugs that cross application code and the running product.

277

278Project config (`.codex/config.toml`):

279

280```toml

281[agents]

282max_threads = 6

283max_depth = 1

284```

285

286`.codex/agents/code-mapper.toml`:

287

288```toml

289name = "code_mapper"

290description = "Read-only codebase explorer for locating the relevant frontend and backend code paths."

291model = "gpt-5.4-mini"

292model_reasoning_effort = "medium"

293sandbox_mode = "read-only"

294developer_instructions = """

295Map the code that owns the failing UI flow.

296Identify entry points, state transitions, and likely files before the worker starts editing.

297"""

298```

299

300`.codex/agents/browser-debugger.toml`:

301

302```toml

303name = "browser_debugger"

304description = "UI debugger that uses browser tooling to reproduce issues and capture evidence."

305model = "gpt-5.4"

306model_reasoning_effort = "high"

307sandbox_mode = "workspace-write"

308developer_instructions = """

309Reproduce the issue in the browser, capture exact steps, and report what the UI actually does.

310Use browser tooling for screenshots, console output, and network evidence.

311Do not edit application code.

312"""

313

314[mcp_servers.chrome_devtools]

315url = "http://localhost:3000/mcp"

316startup_timeout_sec = 20

317```

318

319`.codex/agents/ui-fixer.toml`:

320

321```toml

322name = "ui_fixer"

323description = "Implementation-focused agent for small, targeted fixes after the issue is understood."

324model = "gpt-5.3-codex-spark"

325model_reasoning_effort = "medium"

326developer_instructions = """

327Own the fix once the issue is reproduced.

328Make the smallest defensible change, keep unrelated files untouched, and validate only the behavior you changed.

329"""

330

331[[skills.config]]

332path = "/Users/me/.agents/skills/docs-editor/SKILL.md"

333enabled = false

334```

335

336This setup works well for prompts like:

337

338```text

339Investigate why the settings modal fails to save. Have browser_debugger reproduce it, code_mapper trace the responsible code path, and ui_fixer implement the smallest fix once the failure mode is clear.

340```

windows.md +17 −1

Details

1# Windows1# Windows

2 2

3The easiest way to use Codex on Windows is to [set up the IDE extension](https://developers.openai.com/codex/ide) or [install the CLI](https://developers.openai.com/codex/cli) and run it from PowerShell.3The easiest way to use Codex on Windows is to use the [Codex app](https://developers.openai.com/codex/app/windows). You can also [set up the IDE extension](https://developers.openai.com/codex/ide) or [install the CLI](https://developers.openai.com/codex/cli) and run it from PowerShell.

5[![](/images/codex/codex-banner-icon.webp)

7Use the Codex app on Windows

9Work across projects, run parallel agent threads, and review results in one place with the native Windows app.](https://developers.openai.com/codex/app/windows)

4 10

5When you run Codex natively on Windows, agent mode uses a [Windows sandbox](#windows-sandbox) to block filesystem writes outside the working folder and prevent network access without your explicit approval. [Learn more below](#windows-sandbox).11When you run Codex natively on Windows, agent mode uses a [Windows sandbox](#windows-sandbox) to block filesystem writes outside the working folder and prevent network access without your explicit approval. [Learn more below](#windows-sandbox).

6 12

21- Runs commands as a dedicated Windows Sandbox User.27- Runs commands as a dedicated Windows Sandbox User.

22- Limits network access by installing Windows Firewall rules.28- Limits network access by installing Windows Firewall rules.

23 29

30### Sandbox permissions

32Running Codex in full access mode means Codex is not limited to your project

33 directory and might perform unintentional destructive actions that can lead to

34 data loss. For safer automation, keep sandbox boundaries in place and use

35 [rules](https://developers.openai.com/codex/rules) for specific exceptions, or set your [approval policy to

36 never](https://developers.openai.com/codex/agent-approvals-security#run-without-approval-prompts) to have

37 Codex attempt to solve problems without asking for escalated permissions,

38 based on your [approval and security setup](https://developers.openai.com/codex/agent-approvals-security).

24### Grant sandbox read access40### Grant sandbox read access

25 41

26When a command fails because the Windows sandbox can't read a directory, use:42When a command fails because the Windows sandbox can't read a directory, use:

OpenAI - Codex Docs Changes 2026-02-27 18:15 UTC → 2026-03-17 18:24 UTC