OpenAI - Codex Docs Changes 2026-03-17 00:33 UTC → 2026-04-24 18:20 UTC

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

10 10 

11For a high-level explanation of how sandboxing works across the Codex app, IDE11For a high-level explanation of how sandboxing works across the Codex app, IDE

12extension, and CLI, see [Sandboxing](https://developers.openai.com/codex/concepts/sandboxing).12extension, and CLI, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing).

13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

14 14 

15## Sandbox and approvals15## Sandbox and approvals

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.74- Protection is recursive, so everything under those paths is read-only.

75 75 

76### Deny reads with filesystem profiles

77 

78Named permission profiles can also deny reads for exact paths or glob patterns.

79This is useful when a workspace should stay writable but specific sensitive

80files, such as local environment files, must stay unreadable:

81 

82```toml

83default_permissions = "workspace"

84 

85[permissions.workspace.filesystem]

86":project_roots" = { "." = "write", "**/*.env" = "none" }

87glob_scan_max_depth = 3

88```

89 

90Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy

91evaluates globs for local macOS and Linux command execution. On platforms that

92pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for

93unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and

94`*/*/*.env`.

95 

76### Run without approval prompts96### Run without approval prompts

77 97 

78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).98You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

81 101 

82If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.102If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

83 103 

84For a middle ground, `approval_policy = { reject = { ... } }` lets you auto-reject specific approval prompt categories (sandbox escalation, execpolicy-rule prompts, or MCP elicitations) while keeping other prompts interactive.104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

105 

106### Automatic approval reviews

107 

108By default, approval requests route to you:

109 

110```toml

111approvals_reviewer = "user"

112```

113 

114Automatic approval reviews apply when approvals are interactive, such as

115`approval_policy = "on-request"` or a granular approval policy. Set

116`approvals_reviewer = "auto_review"` to route eligible approval requests

117through a reviewer agent before Codex runs the request:

118 

119```toml

120approval_policy = "on-request"

121approvals_reviewer = "auto_review"

122```

123 

124The reviewer evaluates only actions that already need approval, such as sandbox

125escalations, network requests, `request_permissions` prompts, or side-effecting

126app and MCP tool calls. Actions that stay inside the sandbox continue without an

127extra review step.

128 

129The reviewer policy checks for data exfiltration, credential probing, persistent

130security weakening, and destructive actions. Low-risk and medium-risk actions

131can proceed when policy allows them. The policy denies critical-risk actions.

132High-risk actions require enough user authorization and no matching deny rule.

133Timeouts, parse failures, and review errors fail closed.

134 

135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

136is in the open-source Codex repository. Enterprises can replace its

137tenant-specific section with `guardian_policy_config` in managed requirements.

138Local `[auto_review].policy` text is also supported, but managed requirements

139take precedence. For setup details, see

140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

141 

142In the Codex app, these reviews appear as automatic review items with a status such

143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a

144risk level for the reviewed request.

145 

146Automatic review uses extra model calls, so it can add to Codex usage. Admins

147can constrain it with `allowed_approvals_reviewers`.

85 148 

86### Common sandbox and approval combinations149### Common sandbox and approval combinations

87 150 

111[sandbox_workspace_write]174[sandbox_workspace_write]

112network_access = true175network_access = true

113 176 

114# Optional: granular approval prompt auto-rejection177# Optional: granular approval policy

115# approval_policy = { reject = { sandbox_approval = true, rules = false, mcp_elicitations = false } }178# approval_policy = { granular = {

179# sandbox_approval = true,

180# rules = true,

181# mcp_elicitations = true,

182# request_permissions = false,

183# skill_approval = false

184# } }

116```185```

117 186 

118You can also save presets as profiles, then select them with `codex --profile <name>`:187You can also save presets as profiles, then select them with `codex --profile <name>`:

145Codex enforces the sandbox differently depending on your OS:214Codex enforces the sandbox differently depending on your OS:

146 215 

147- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.216- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

148- **Linux** uses `Landlock` plus `seccomp` by default. You can opt into the alternative Linux sandbox pipeline with `features.use_linux_sandbox_bwrap = true` (or `-c use_linux_sandbox_bwrap=true`). In managed proxy mode, the bwrap pipeline routes egress through a proxy-only bridge and fails closed if it cannot build valid loopback proxy routes; landlock-only flows do not use that bridge behavior.217- **Linux** uses `bwrap` plus `seccomp` by default.

149- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux (WSL)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.218- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

150 219 

151If you use the Codex IDE extension on Windows, it supports WSL directly. Set the following in your VS Code settings to keep the agent inside WSL whenever it’s available:220If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:

152 221 

153```json222```json

154{223{

163```toml232```toml

164[windows]233[windows]

165sandbox = "unelevated" # or "elevated"234sandbox = "unelevated" # or "elevated"

235# sandbox_private_desktop = true # default; set false only for compatibility

166```236```

167 237 

168See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.238See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

169 239 

170When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.240When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration blocks the namespace, setuid `bwrap`, or `seccomp` operations that Codex needs.

171 241 

172In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.242In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

173 243 

244### Run Codex in Dev Containers

245 

246If your host cannot run the Linux sandbox directly, or if your organization already standardizes on containerized development, run Codex with Dev Containers and let Docker provide the outer isolation boundary. This works with Visual Studio Code Dev Containers and compatible tools.

247 

248Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.

249 

250Devcontainers provide substantial protection, but they do not prevent every

251 attack. If you run Codex with `--sandbox danger-full-access` or

252 `--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious

253 project can exfiltrate anything available inside the devcontainer, including

254 Codex credentials. Use this pattern only with trusted repositories, and

255 monitor Codex activity as you would in any other elevated environment.

256 

257The reference implementation includes:

258 

259- an Ubuntu 24.04 base image with Codex and common development tools installed;

260- an allowlist-driven firewall profile for outbound access;

261- VS Code settings and extension recommendations for reopening the workspace in a container;

262- persistent mounts for command history and Codex configuration;

263- `bubblewrap`, so Codex can still use its Linux sandbox when the container grants the needed capabilities.

264 

265To try it:

266 

2671. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).

2682. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.

2693. In VS Code, run **Dev Containers: Open Folder in Container…** and select `.devcontainer/devcontainer.secure.json`.

2704. After the container starts, open a terminal and run `codex`.

271 

272You can also start the container from the CLI:

273 

274```bash

275devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json

276```

277 

278The example has three main pieces:

279 

280- `.devcontainer/devcontainer.secure.json` controls container settings, capabilities, mounts, environment variables, and VS Code extensions.

281- `.devcontainer/Dockerfile.secure` defines the Ubuntu-based image and installed tools.

282- `.devcontainer/init-firewall.sh` applies the outbound network policy.

283 

284The reference firewall is intentionally a starting point. If you depend on domain allowlisting for isolation, implement DNS rebinding and DNS refresh protections that fit your environment, such as TTL-aware refreshes or a DNS-aware firewall.

285 

286Inside the container, choose one of these modes:

287 

288- Keep Codex's Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.

289- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.

290 

174## Version control291## Version control

175 292 

176Codex works best with a version control workflow:293Codex works best with a version control workflow:

10 10 

11## Getting started11## Getting started

12 12 

13The Codex app is available on macOS (Apple Silicon).13The Codex app is available on macOS and Windows.

14 

15Most Codex app features are available on both platforms. Platform-specific

16exceptions are noted in the relevant docs.

14 17 

151. Download and install the Codex app181. Download and install the Codex app

16 19 

17 Download the Codex app for Windows or macOS.20 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.

21 

22 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)

23 

24 Need a different operating system?

18 25 

19 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)26 [Download for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi)

20 27 

21 [Get notified for Linux](https://openai.com/form/codex-app/)28 [Get notified for Linux](https://openai.com/form/codex-app/)

222. Open Codex and sign in292. Open Codex and sign in

40- Build a classic Snake game in this repo.47- Build a classic Snake game in this repo.

41- Find and fix bugs in my codebase with minimal, high-confidence changes.48- Find and fix bugs in my codebase with minimal, high-confidence changes.

42 49 

43 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).50 If you need more inspiration, explore [Codex use cases](https://developers.openai.com/codex/use-cases).

44 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).51 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

45 52 

46---53---

49 56 

50[### Multitask across projects57[### Multitask across projects

51 58 

52Run multiple tasks in parallel and switch quickly between them.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Built-in Git tools59Run project threads side by side and switch between them quickly.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Worktrees

60 

61Keep parallel code changes isolated with built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Computer use

62 

63Let Codex use macOS apps for GUI tasks, browser flows, and native app testing.](https://developers.openai.com/codex/app/computer-use)[### Review and ship changes

64 

65Inspect diffs, address PR feedback, stage files, commit, and push.](https://developers.openai.com/codex/app/review)[### Terminal and actions

53 66 

54Review diffs, comment inline, stage or revert chunks, and commit without leaving the app.](https://developers.openai.com/codex/app/features#built-in-git-tools)[### Worktrees for parallel tasks67Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser

55 68 

56Isolate changes of multiple Codex threads using built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Skills support69Open rendered pages, leave comments, or let Codex operate local browser flows.](https://developers.openai.com/codex/app/browser)[### Image generation

57 70 

58Give your Codex agent additional capabilities and reuse skills across App, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Automations71Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations

59 72 

60Pair skills with automations to automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives runs if there’s nothing to report.](https://developers.openai.com/codex/app/automations)[### Built-in terminal73Schedule recurring tasks, or wake up the same thread for ongoing checks.](https://developers.openai.com/codex/app/automations)[### Skills

61 74 

62Open a terminal per thread to test your changes, run dev servers, scripts, and custom commands.](https://developers.openai.com/codex/app/features#integrated-terminal)[### Local environments75Reuse instructions and workflows across the app, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Sidebar and artifacts

63 76 

64Define worktree setup scripts and common project actions for easy access.](https://developers.openai.com/codex/app/local-environments)[### Sync with the IDE extension77Follow plans, sources, task summaries, and generated file previews.](https://developers.openai.com/codex/app/features#richer-outputs-and-artifacts)[### Plugins

65 78 

66Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)[### MCP support79Connect apps, skills, and MCP servers to extend what Codex can do.](https://developers.openai.com/codex/plugins)[### IDE Extension sync

67 80 

68Connect your Codex agent to additional services using MCP.](https://developers.openai.com/codex/app/features#mcp-support)81Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)

69 82 

70---83---

71 84 

12Supported transports:12Supported transports:

13 13 

14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).

15- `websocket` (`--listen ws://IP:PORT`, experimental): one JSON-RPC message per WebSocket text frame.15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one JSON-RPC message per WebSocket text frame.

16- `off` (`--listen off`): don't expose a local transport.

17 

18When you run with `--listen ws://IP:PORT`, the same listener also serves basic HTTP health probes:

19 

20- `GET /readyz` returns `200 OK` once the listener accepts new connections.

21- `GET /healthz` returns `200 OK` when the request doesn't include an `Origin` header.

22- Requests with an `Origin` header are rejected with `403 Forbidden`.

23 

24WebSocket transport is experimental and unsupported. Loopback listeners such as `ws://127.0.0.1:PORT` are appropriate for localhost and SSH port-forwarding workflows. Non-loopback WebSocket listeners currently allow unauthenticated connections by default during rollout, so configure WebSocket auth before exposing one remotely.

25 

26Supported WebSocket auth flags:

27 

28- `--ws-auth capability-token --ws-token-file /absolute/path`

29- `--ws-auth capability-token --ws-token-sha256 HEX`

30- `--ws-auth signed-bearer-token --ws-shared-secret-file /absolute/path`

31 

32For signed bearer tokens, you can also set `--ws-issuer`, `--ws-audience`, and `--ws-max-clock-skew-seconds`. Clients present the credential as `Authorization: Bearer <token>` during the WebSocket handshake, and app-server enforces auth before JSON-RPC `initialize`.

33 

34Prefer `--ws-token-file` over passing raw bearer tokens on the command line. Use `--ws-token-sha256` only when the client keeps the raw high-entropy token in a separate local secret store; the hash is only a verifier, and clients still need the original token.

16 35 

17In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.36In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.

18 37 

21Requests include `method`, `params`, and `id`:40Requests include `method`, `params`, and `id`:

22 41 

23```json42```json

24{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.1-codex" } }43{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.4" } }

25```44```

26 45 

27Responses echo the `id` with either `result` or `error`:46Responses echo the `id` with either `result` or `error`:

99 },118 },

100});119});

101send({ method: "initialized", params: {} });120send({ method: "initialized", params: {} });

102send({ method: "thread/start", id: 1, params: { model: "gpt-5.1-codex" } });121send({ method: "thread/start", id: 1, params: { model: "gpt-5.4" } });

103```122```

104 123 

105## Core primitives124## Core primitives

123 142 

124Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.143Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.

125 144 

126The server returns the user agent string it will present to upstream services. Set `clientInfo` to identify your integration.145The server returns the user agent string it will present to upstream services plus `platformFamily` and `platformOs` values that describe the runtime target. Set `clientInfo` to identify your integration.

127 146 

128`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.147`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.

129 148 

159 },178 },

160 "capabilities": {179 "capabilities": {

161 "experimentalApi": true,180 "experimentalApi": true,

162 "optOutNotificationMethods": [181 "optOutNotificationMethods": ["thread/started", "item/agentMessage/delta"]

163 "codex/event/session_configured",

164 "item/agentMessage/delta"

165 ]

166 }182 }

167 }183 }

168}184}

202- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.218- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

203- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.219- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.

204- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.220- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

205- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.221- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.

222- `thread/turns/list` - page through a stored thread's turn history without resuming it.

206- `thread/loaded/list` - list the thread ids currently loaded in memory.223- `thread/loaded/list` - list the thread ids currently loaded in memory.

224- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

225- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.

207- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.226- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

208- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.227- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.

209- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.228- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

210- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.229- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

211- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.230- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

231- `thread/shellCommand` - run a user-initiated shell command against a thread. This runs outside the sandbox with full access and doesn't inherit the thread sandbox policy.

232- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

212- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.233- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

213- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."234- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

235- `thread/inject_items` - append raw Responses API items to a loaded thread's model-visible history without starting a user turn.

214- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.236- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

215- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.237- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

216- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.238- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

217- `command/exec` - run a single command under the server sandbox without starting a thread/turn.239- `command/exec` - run a single command under the server sandbox without starting a thread/turn.

240- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.

241- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

242- `command/exec/terminate` - stop a running `command/exec` session.

243- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.

218- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.244- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

219- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.245- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

246- `experimentalFeature/enablement/set` - patch in-memory runtime enablement for supported feature keys such as `apps` and `plugins`.

220- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).247- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

221- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).248- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

249- `skills/changed` (notify) - emitted when watched local skill files change.

250- `marketplace/add` - add a remote plugin marketplace and persist it into the user's marketplace config.

251- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.

252- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.

253- `plugin/install` - install a plugin from a marketplace path or remote marketplace name.

254- `plugin/uninstall` - uninstall an installed plugin.

222- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.255- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.

223- `skills/config/write` - enable or disable skills by path.256- `skills/config/write` - enable or disable skills by path.

224- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.257- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.

225- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.258- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.

226- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.259- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

227- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination).260- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

261- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

262- `mcpServer/tool/call` - call a tool on a thread's configured MCP server.

263- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread.

228- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.264- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

229- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).265- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

230- `config/read` - fetch the effective configuration on disk after resolving configuration layering.266- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

231- `externalAgentConfig/detect` - detect migratable external-agent artifacts with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).267- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

232- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).268- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home); plugin imports emit `externalAgentConfig/import/completed`.

233- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.269- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

234- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.270- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

235- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).271- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

272- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.

273 

274Plugin summaries include a `source` union. Local plugins return

275`{ "type": "local", "path": ... }`, Git-backed marketplace entries return

276`{ "type": "git", "url": ..., "path": ..., "refName": ..., "sha": ... }`,

277and remote catalog entries return `{ "type": "remote" }`. For remote-only

278catalog entries, `PluginMarketplaceEntry.path` can be `null`; pass

279`remoteMarketplaceName` instead of `marketplacePath` when reading or installing

280those plugins.

236 281 

237## Models282## Models

238 283 

301## Threads346## Threads

302 347 

303- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.348- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.

304- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.349- `thread/turns/list` pages through a stored thread's turn history without resuming it.

350- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.

305- `thread/loaded/list` returns the thread IDs currently in memory.351- `thread/loaded/list` returns the thread IDs currently in memory.

306- `thread/archive` moves the thread's persisted JSONL log into the archived directory.352- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

307- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.353- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.

354- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.

308- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.355- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

309- `thread/compact/start` triggers compaction and returns `{}` immediately.356- `thread/compact/start` triggers compaction and returns `{}` immediately.

310- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.357- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

358- `thread/inject_items` appends raw Responses API items to a loaded thread's model-visible history without starting a user turn.

311 359 

312### Start or resume a thread360### Start or resume a thread

313 361 

315 363 

316```json364```json

317{ "method": "thread/start", "id": 10, "params": {365{ "method": "thread/start", "id": 10, "params": {

318 "model": "gpt-5.1-codex",366 "model": "gpt-5.4",

319 "cwd": "/Users/me/project",367 "cwd": "/Users/me/project",

320 "approvalPolicy": "never",368 "approvalPolicy": "never",

321 "sandbox": "workspaceWrite",369 "sandbox": "workspaceWrite",

378 426 

379Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.427Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

380 428 

429### List thread turns

430 

431Use `thread/turns/list` to page a stored thread's turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.

432 

433```json

434{ "method": "thread/turns/list", "id": 20, "params": {

435 "threadId": "thr_123",

436 "limit": 50,

437 "sortDirection": "desc"

438} }

439{ "id": 20, "result": {

440 "data": [],

441 "nextCursor": "older-turns-cursor-or-null",

442 "backwardsCursor": "newer-turns-cursor-or-null"

443} }

444```

445 

381### List threads (with pagination & filters)446### List threads (with pagination & filters)

382 447 

383`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:448`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:

389- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.454- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.

390- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).455- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).

391- `cwd` - restrict results to threads whose session current working directory exactly matches this path.456- `cwd` - restrict results to threads whose session current working directory exactly matches this path.

457- `searchTerm` - search stored thread summaries and metadata before pagination.

392 458 

393`sourceKinds` accepts the following values:459`sourceKinds` accepts the following values:

394 460 

422 488 

423When `nextCursor` is `null`, you have reached the final page.489When `nextCursor` is `null`, you have reached the final page.

424 490 

491### Update stored thread metadata

492 

493Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.

494 

495```json

496{ "method": "thread/metadata/update", "id": 21, "params": {

497 "threadId": "thr_123",

498 "gitInfo": { "branch": "feature/sidebar-pr" }

499} }

500{ "id": 21, "result": {

501 "thread": {

502 "id": "thr_123",

503 "gitInfo": { "sha": null, "branch": "feature/sidebar-pr", "originUrl": null }

504 }

505} }

506```

507 

425### Track thread status changes508### Track thread status changes

426 509 

427`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.510`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

450`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:533`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:

451 534 

452- `unsubscribed` when the connection was subscribed and is now removed.535- `unsubscribed` when the connection was subscribed and is now removed.

453- `notSubscribed` when the connection was not subscribed to that thread.536- `notSubscribed` when the connection wasn't subscribed to that thread.

454- `notLoaded` when the thread is not loaded.537- `notLoaded` when the thread isn't loaded.

455 538 

456If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.539If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

457 540 

458```json541```json

459{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }542{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

460{ "id": 22, "result": { "status": "unsubscribed" } }543{ "id": 22, "result": { "status": "unsubscribed" } }

544```

545 

546If the thread later expires:

547 

548```json

461{ "method": "thread/status/changed", "params": {549{ "method": "thread/status/changed", "params": {

462 "threadId": "thr_123",550 "threadId": "thr_123",

463 "status": { "type": "notLoaded" }551 "status": { "type": "notLoaded" }

498{ "id": 25, "result": {} }586{ "id": 25, "result": {} }

499```587```

500 588 

589### Run a thread shell command

590 

591Use `thread/shellCommand` for user-initiated shell commands that belong to a thread. The request returns immediately with `{}` while progress streams through standard `turn/*` and `item/*` notifications.

592 

593This API runs outside the sandbox with full access and doesn't inherit the thread sandbox policy. Clients should expose it only for explicit user-initiated commands.

594 

595If the thread already has an active turn, the command runs as an auxiliary action on that turn and its formatted output is injected into the turn's message stream. If the thread is idle, app-server starts a standalone turn for the shell command.

596 

597```json

598{ "method": "thread/shellCommand", "id": 26, "params": { "threadId": "thr_b", "command": "git status --short" } }

599{ "id": 26, "result": {} }

600```

601 

602### Clean background terminals

603 

604Use `thread/backgroundTerminals/clean` to stop all running background terminals associated with a thread. This method is experimental and requires `capabilities.experimentalApi = true`.

605 

606```json

607{ "method": "thread/backgroundTerminals/clean", "id": 27, "params": { "threadId": "thr_b" } }

608{ "id": 27, "result": {} }

609```

610 

501### Roll back recent turns611### Roll back recent turns

502 612 

503Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.613Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.

504 614 

505```json615```json

506{ "method": "thread/rollback", "id": 26, "params": { "threadId": "thr_b", "numTurns": 1 } }616{ "method": "thread/rollback", "id": 28, "params": { "threadId": "thr_b", "numTurns": 1 } }

507{ "id": 26, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }617{ "id": 28, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }

508```618```

509 619 

510## Turns620## Turns

570 "writableRoots": ["/Users/me/project"],680 "writableRoots": ["/Users/me/project"],

571 "networkAccess": true681 "networkAccess": true

572 },682 },

573 "model": "gpt-5.1-codex",683 "model": "gpt-5.4",

574 "effort": "medium",684 "effort": "medium",

575 "summary": "concise",685 "summary": "concise",

576 "personality": "friendly",686 "personality": "friendly",

584{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }694{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }

585```695```

586 696 

697### Inject items into a thread

698 

699Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread's prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.

700 

701```json

702{ "method": "thread/inject_items", "id": 31, "params": {

703 "threadId": "thr_123",

704 "items": [

705 {

706 "type": "message",

707 "role": "assistant",

708 "content": [{ "type": "output_text", "text": "Previously computed context." }]

709 }

710 ]

711} }

712{ "id": 31, "result": {} }

713```

714 

587### Steer an active turn715### Steer an active turn

588 716 

589Use `turn/steer` to append more user input to the active in-flight turn.717Use `turn/steer` to append more user input to the active in-flight turn.

713- The server rejects empty `command` arrays.841- The server rejects empty `command` arrays.

714- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).842- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).

715- When omitted, `timeoutMs` falls back to the server default.843- When omitted, `timeoutMs` falls back to the server default.

844- Set `tty: true` for PTY-backed sessions, and use `processId` when you plan to follow up with `command/exec/write`, `command/exec/resize`, or `command/exec/terminate`.

845- Set `streamStdoutStderr: true` to receive `command/exec/outputDelta` notifications while the command is running.

716 846 

717### Read admin requirements (`configRequirements/read`)847### Read admin requirements (`configRequirements/read`)

718 848 

763- `elevated` - run the elevated Windows sandbox setup path.893- `elevated` - run the elevated Windows sandbox setup path.

764- `unelevated` - run the legacy setup/preflight path.894- `unelevated` - run the legacy setup/preflight path.

765 895 

896## Filesystem

897 

898The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.

899 

900```json

901{ "method": "fs/watch", "id": 54, "params": {

902 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

903 "path": "/Users/me/project/.git/HEAD"

904} }

905{ "id": 54, "result": { "path": "/Users/me/project/.git/HEAD" } }

906{ "method": "fs/changed", "params": {

907 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

908 "changedPaths": ["/Users/me/project/.git/HEAD"]

909} }

910{ "method": "fs/unwatch", "id": 55, "params": {

911 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1"

912} }

913{ "id": 55, "result": {} }

914```

915 

916Watching a file emits `fs/changed` for that file path, including updates delivered by replace or rename operations.

917 

766## Events918## Events

767 919 

768Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.920Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

773 925 

774- Exact-match only: `item/agentMessage/delta` suppresses only that method.926- Exact-match only: `item/agentMessage/delta` suppresses only that method.

775- Unknown method names are ignored.927- Unknown method names are ignored.

776- Applies to both legacy (`codex/event/*`) and v2 (`thread/*`, `turn/*`, `item/*`, etc.) notifications.928- Applies to the current `thread/*`, `turn/*`, `item/*`, and related v2 notifications.

777- Doesn't apply to requests, responses, or errors.929- Doesn't apply to requests, responses, or errors.

778 930 

779### Fuzzy file search events (experimental)931### Fuzzy file search events (experimental)

983} }1135} }

984```1136```

985 1137 

1138The server also emits `skills/changed` notifications when watched local skill files change. Treat this as an invalidation signal and rerun `skills/list` with your current params when needed.

1139 

986To enable or disable a skill by path:1140To enable or disable a skill by path:

987 1141 

988```json1142```json

1149 1303 

1150### Detect and import external agent config1304### Detect and import external agent config

1151 1305 

1152Use `externalAgentConfig/detect` to discover migratable external-agent artifacts, then pass the selected entries to `externalAgentConfig/import`.1306Use `externalAgentConfig/detect` to discover external-agent artifacts that can be migrated, then pass the selected entries to `externalAgentConfig/import`.

1153 1307 

1154Detection example:1308Detection example:

1155 1309 

1189{ "id": 64, "result": {} }1343{ "id": 64, "result": {} }

1190```1344```

1191 1345 

1192Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, and `MCP_SERVER_CONFIG`. Detection returns only items that still have work to do. For example, AGENTS migration is skipped when `AGENTS.md` already exists and is non-empty, and skill imports do not overwrite existing skill directories.1346When a request includes plugin imports, the server emits `externalAgentConfig/import/completed` after the import finishes. This notification may arrive immediately after the response or after background remote imports complete.

1347 

1348Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, `PLUGINS`,

1349and `MCP_SERVER_CONFIG`. For `PLUGINS` items, `details.plugins` lists each

1350`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection

1351returns only items that still have work to do. For example, Codex skips AGENTS

1352migration when `AGENTS.md` already exists and is non-empty, and skill imports

1353don't overwrite existing skill directories.

1354 

1355When detecting plugins from `.claude/settings.json`, Codex reads configured

1356marketplace sources from `extraKnownMarketplaces`. If `enabledPlugins` contains

1357plugins from `claude-plugins-official` but the marketplace source is missing,

1358Codex infers `anthropics/claude-plugins-official` as the source.

1193 1359 

1194## Auth endpoints1360## Auth endpoints

1195 1361 

1196The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1362The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, inspect ChatGPT rate limits, and notify workspace owners about depleted credits or usage limits.

1197 1363 

1198### Authentication modes1364### Authentication modes

1199 1365 

1200Codex supports three authentication modes. `account/updated.authMode` shows the active mode, and `account/read` also reports it.1366Codex supports these authentication modes. `account/updated.authMode` shows the active mode and includes the current ChatGPT `planType` when available. `account/read` also reports account and plan details.

1201 1367 

1202- **API key (`apikey`)** - the caller supplies an OpenAI API key and Codex stores it for API requests.1368- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.

1203- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically.1369- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.

1204- **ChatGPT external tokens (`chatgptAuthTokens`)** - a host app supplies `idToken` and `accessToken` directly. Codex stores these tokens in memory, and the host app must refresh them when asked.1370- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user's ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.

1205 1371 

1206### API overview1372### API overview

1207 1373 

1208- `account/read` - fetch current account info; optionally refresh tokens.1374- `account/read` - fetch current account info; optionally refresh tokens.

1209- `account/login/start` - begin login (`apiKey`, `chatgpt`, or `chatgptAuthTokens`).1375- `account/login/start` - begin login (`apiKey`, `chatgpt`, `chatgptDeviceCode`, or experimental `chatgptAuthTokens`).

1210- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).1376- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).

1211- `account/login/cancel` - cancel a pending ChatGPT login by `loginId`.1377- `account/login/cancel` - cancel a pending managed ChatGPT login by `loginId`.

1212- `account/logout` - sign out; triggers `account/updated`.1378- `account/logout` - sign out; triggers `account/updated`.

1213- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`).1379- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.

1214- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.1380- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.

1215- `account/rateLimits/read` - fetch ChatGPT rate limits.1381- `account/rateLimits/read` - fetch ChatGPT rate limits.

1216- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.1382- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.

1383- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.

1217- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.1384- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.

1385- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread; payload includes `{ name, status, error }`.

1218 1386 

1219### 1) Check auth state1387### 1) Check auth state

1220 1388 

1286 ```1454 ```

1287 1455 

1288 ```json1456 ```json

1289 { "method": "account/updated", "params": { "authMode": "apikey" } }1457 {

1458 "method": "account/updated",

1459 "params": { "authMode": "apikey", "planType": null }

1460 }

1290 ```1461 ```

1291 1462 

1292### 3) Log in with ChatGPT (browser flow)1463### 3) Log in with ChatGPT (browser flow)

1318 ```1489 ```

1319 1490 

1320 ```json1491 ```json

1321 { "method": "account/updated", "params": { "authMode": "chatgpt" } }1492 {

1493 "method": "account/updated",

1494 "params": { "authMode": "chatgpt", "planType": "plus" }

1495 }

1496 ```

1497 

1498### 3b) Log in with ChatGPT (device-code flow)

1499 

1500Use this flow when your client owns the sign-in ceremony or when a browser callback is brittle.

1501 

15021. Start:

1503 

1504 ```json

1505 {

1506 "method": "account/login/start",

1507 "id": 4,

1508 "params": { "type": "chatgptDeviceCode" }

1509 }

1510 ```

1511 

1512 ```json

1513 {

1514 "id": 4,

1515 "result": {

1516 "type": "chatgptDeviceCode",

1517 "loginId": "<uuid>",

1518 "verificationUrl": "https://auth.openai.com/codex/device",

1519 "userCode": "ABCD-1234"

1520 }

1521 }

1522 ```

15232. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.

15243. Wait for notifications:

1525 

1526 ```json

1527 {

1528 "method": "account/login/completed",

1529 "params": { "loginId": "<uuid>", "success": true, "error": null }

1530 }

1531 ```

1532 

1533 ```json

1534 {

1535 "method": "account/updated",

1536 "params": { "authMode": "chatgpt", "planType": "plus" }

1537 }

1322 ```1538 ```

1323 1539 

1324### 3b) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)1540### 3c) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)

1325 1541 

1326Use this mode when a host application owns the user’s ChatGPT auth lifecycle and supplies tokens directly.1542Use this experimental mode only when a host application owns the user's ChatGPT auth lifecycle and supplies tokens directly. Clients must set `capabilities.experimentalApi = true` during `initialize` before using this login type.

1327 1543 

13281. Send:15441. Send:

1329 1545 

1333 "id": 7,1549 "id": 7,

1334 "params": {1550 "params": {

1335 "type": "chatgptAuthTokens",1551 "type": "chatgptAuthTokens",

1336 "idToken": "<jwt>",1552 "accessToken": "<jwt>",

1337 "accessToken": "<jwt>"1553 "chatgptAccountId": "org-123",

1554 "chatgptPlanType": "business"

1338 }1555 }

1339 }1556 }

1340 ```1557 ```

1355 ```json1572 ```json

1356 {1573 {

1357 "method": "account/updated",1574 "method": "account/updated",

1358 "params": { "authMode": "chatgptAuthTokens" }1575 "params": { "authMode": "chatgptAuthTokens", "planType": "business" }

1359 }1576 }

1360 ```1577 ```

1361 1578 

1367 "id": 8,1584 "id": 8,

1368 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }1585 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }

1369}1586}

1370{ "id": 8, "result": { "idToken": "<jwt>", "accessToken": "<jwt>" } }1587{ "id": 8, "result": { "accessToken": "<jwt>", "chatgptAccountId": "org-123", "chatgptPlanType": "business" } }

1371```1588```

1372 1589 

1373The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.1590The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.

1384```json1601```json

1385{ "method": "account/logout", "id": 5 }1602{ "method": "account/logout", "id": 5 }

1386{ "id": 5, "result": {} }1603{ "id": 5, "result": {} }

1387{ "method": "account/updated", "params": { "authMode": null } }1604{ "method": "account/updated", "params": { "authMode": null, "planType": null } }

1388```1605```

1389 1606 

1390### 6) Rate limits (ChatGPT)1607### 6) Rate limits (ChatGPT)

1396 "limitId": "codex",1613 "limitId": "codex",

1397 "limitName": null,1614 "limitName": null,

1398 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1615 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1399 "secondary": null1616 "secondary": null,

1617 "rateLimitReachedType": null

1400 },1618 },

1401 "rateLimitsByLimitId": {1619 "rateLimitsByLimitId": {

1402 "codex": {1620 "codex": {

1403 "limitId": "codex",1621 "limitId": "codex",

1404 "limitName": null,1622 "limitName": null,

1405 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1623 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1406 "secondary": null1624 "secondary": null,

1625 "rateLimitReachedType": null

1407 },1626 },

1408 "codex_other": {1627 "codex_other": {

1409 "limitId": "codex_other",1628 "limitId": "codex_other",

1410 "limitName": "codex_other",1629 "limitName": "codex_other",

1411 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },1630 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },

1412 "secondary": null1631 "secondary": null,

1632 "rateLimitReachedType": null

1413 }1633 }

1414 }1634 }

1415} }1635} }

1430- `usedPercent` is current usage within the quota window.1650- `usedPercent` is current usage within the quota window.

1431- `windowDurationMins` is the quota window length.1651- `windowDurationMins` is the quota window length.

1432- `resetsAt` is a Unix timestamp (seconds) for the next reset.1652- `resetsAt` is a Unix timestamp (seconds) for the next reset.

1653- `planType` is included when the backend returns the ChatGPT plan associated with a bucket.

1654- `credits` is included when the backend returns remaining workspace credit details.

1655- `rateLimitReachedType` identifies the backend-classified limit state when one has been reached.

1656 

1657### 7) Notify a workspace owner about a limit

1658 

1659Use `account/sendAddCreditsNudgeEmail` to ask ChatGPT to email a workspace owner when credits are depleted or a usage limit has been reached.

1660 

1661```json

1662{ "method": "account/sendAddCreditsNudgeEmail", "id": 7, "params": { "creditType": "credits" } }

1663{ "id": 7, "result": { "status": "sent" } }

1664```

1665 

1666Use `creditType: "credits"` when workspace credits are depleted, or `creditType: "usage_limit"` when the workspace usage limit has been reached. If the owner was already notified recently, the response status is `cooldown_active`.

2 2 

3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.

4 4 

5Automations run in the background in the Codex app. The app needs to be5For project-scoped automations, the app needs to be running, and the selected

6running, and the selected project needs to be available on disk.6project needs to be available on disk.

7 7 

8In Git repositories, you can choose whether an automation runs in your local8In Git repositories, you can choose whether an automation runs in your local

9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the

19 19 

20## Managing tasks20## Managing tasks

21 21 

22All automations and their runs can be found in the automations pane inside your Codex app sidebar.22Find all automations and their runs in the automations pane inside your Codex app sidebar.

23 23 

24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.

25 25 

26Standalone automations start fresh runs on a schedule and report results in

27Triage. Use them when each run should be independent or when one automation

28should run across one or more projects. If you need a custom cadence, choose a

29custom schedule and enter cron syntax.

30 

26For Git repositories, each automation can run either in your local project or31For Git repositories, each automation can run either in your local project or

27on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use32on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use

28worktrees when you want to isolate automation changes from unfinished local33worktrees when you want to isolate automation changes from unfinished local

29work. Use local mode when you want the automation to work directly in your main34work. Use local mode when you want the automation to work directly in your main

30checkout, keeping in mind that it can modify files you are actively editing.35checkout, keeping in mind that it can change files you are actively editing.

31In non-version-controlled projects, automations run directly in the project36In non-version-controlled projects, automations run directly in the project

32directory. You can have the same automation run on multiple projects.37directory. You can have the same automation run on more than one project.

33 38 

34Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).39Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).

35 40 

36To keep automations maintainable and shareable across teams, you can use [skills](https://developers.openai.com/codex/skills) to define the action and provide tools and context to Codex. You can explicitly trigger a skill as part of an automation by using `$skill-name` inside your automation.41Automations can use the same plugins and skills available to Codex. To keep

42automations maintainable and shareable across teams, use [skills](https://developers.openai.com/codex/skills)

43to define the action and provide tools and context. You can explicitly trigger a

44skill as part of an automation by using `$skill-name` inside your automation.

45 

46## Ask Codex to create or update automations

47 

48You can create and update automations from a regular Codex thread. Describe the

49task, the schedule, and whether the automation should stay attached to the

50current thread or start fresh runs. Codex can draft the automation prompt, choose

51the right automation type, and update it when the scope or cadence changes.

52 

53For example, ask Codex to remind you in this thread while a deployment finishes,

54or ask it to create a standalone automation that checks a project on a recurring

55schedule.

56 

57Skills can also create or update automations. For example, a skill for

58babysitting a pull request could set up a recurring automation that checks the

59PR status with the GitHub plugin and fixes new review feedback.

60 

61## Thread automations

62 

63Thread automations are heartbeat-style recurring wake-up calls attached to the

64current thread. Use them when you want Codex to keep returning to the same

65conversation on a schedule.

66 

67Use a thread automation when the scheduled work should preserve the thread's

68context instead of starting from a new prompt each time.

69 

70Thread automations can use minute-based intervals for active follow-up loops,

71or daily and weekly schedules when you need a check-in at a specific time.

72 

73Thread automations are useful for:

74 

75- checking a long-running command until it finishes

76- polling Slack, GitHub, or another connected source when the results should

77 stay in the same thread

78- reminding Codex to continue a review loop at a fixed cadence

79- running a skill-driven workflow that uses plugins, such as checking PR status

80 and addressing new feedback

81- keeping a chat focused on an ongoing research or triage task

82 

83Use a standalone or project automation when each run should be independent,

84when it should run across more than one project, or when findings should appear

85as separate automation runs in Triage.

86 

87When you create a thread automation, make the prompt durable. It should

88describe what Codex should do each time the thread wakes up, how to decide

89whether there is anything important to report, and when to stop or ask you for

90input.

37 91 

38## Testing automations safely92## Test automations

39 93 

40Before you schedule an automation, test the prompt manually in a regular thread94Before you schedule an automation, test the prompt manually in a regular thread

41first. This helps you confirm:95first. This helps you confirm:

44- The selected or default model, reasoning effort, and tools behave as expected.98- The selected or default model, reasoning effort, and tools behave as expected.

45- The resulting diff is reviewable.99- The resulting diff is reviewable.

46 100 

47When you start scheduling runs, review the first few outputs closely and adjust101When you start scheduling runs, review the first few outputs and adjust the

48the prompt or cadence as needed.102prompt or cadence as needed.

49 103 

50## Worktree cleanup for automations104## Worktree cleanup for automations

51 105 

55 109 

56## Permissions and security model110## Permissions and security model

57 111 

58Automations are designed to run unattended and use your default sandbox112Automations run unattended and use your default sandbox settings.

59settings.

60 113 

61- If your sandbox mode is **read-only**, tool calls fail if they require114- If your sandbox mode is **read-only**, tool calls fail if they require

62 modifying files, accessing network, or working with apps on your computer.115 modifying files, accessing network, or working with apps on your computer.

66 on your computer. You can selectively allowlist commands to run outside the119 on your computer. You can selectively allowlist commands to run outside the

67 sandbox using [rules](https://developers.openai.com/codex/rules).120 sandbox using [rules](https://developers.openai.com/codex/rules).

68- If your sandbox mode is **full access**, background automations carry121- If your sandbox mode is **full access**, background automations carry

69 elevated risk, as Codex may modify files, run commands, and access network122 elevated risk, as Codex may change files, run commands, and access network

70 without asking. Consider updating sandbox settings to workspace write, and123 without asking. Consider updating sandbox settings to workspace write, and

71 using [rules](https://developers.openai.com/codex/rules) to selectively define which commands the agent124 using [rules](https://developers.openai.com/codex/rules) to selectively define which commands the agent

72 can run with full access.125 can run with full access.

76[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).129[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).

77 130 

78Automations use `approval_policy = "never"` when your organization policy131Automations use `approval_policy = "never"` when your organization policy

79allows it. If `approval_policy = "never"` is disallowed by admin requirements,132allows it. If admin requirements disallow `approval_policy = "never"`,

80automations fall back to the approval behavior of your selected mode.133automations fall back to the approval behavior of your selected mode.

81 134 

82## Examples135## Examples

1# In-app browser

2 

3The in-app browser gives you and Codex a shared view of rendered web pages

4inside a thread. Use it when you're building or debugging a web app and want to

5preview pages and attach visual comments.

6 

7Use it for local development servers, file-backed previews, and public pages

8that don't require sign-in. For anything that depends on login state or browser

9extensions, use your regular browser.

10 

11Open the in-app browser from the toolbar, by clicking a URL, by navigating

12manually in the browser, or by pressing <kbd>Cmd</kbd>+<kbd>Shift</kbd>+<kbd>B</kbd>

13(<kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>B</kbd> on Windows).

14 

15The in-app browser does not support authentication flows, signed-in pages,

16 your regular browser profile, cookies, extensions, or existing tabs. Use it

17 for pages Codex can open without logging in.

18 

19Treat page content as untrusted context. Don't paste secrets into browser flows.

20 

21![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)

22 

23## Browser use

24 

25Browser use lets Codex operate the in-app browser directly. Use it for local

26development servers and file-backed previews when Codex needs to click, type,

27inspect rendered state, take screenshots, or verify a fix in the page.

28 

29To use it, install and enable the Browser plugin. Then ask Codex to use the

30browser in your task, or reference it directly with `@Browser`. The app keeps

31browser use inside the in-app browser and lets you manage allowed and blocked

32websites from settings.

33 

34Example:

35 

36```text

37Use the browser to open http://localhost:3000/settings, reproduce the layout

38bug, and fix only the overflowing controls.

39```

40 

41Codex asks before using a website unless you've allowed it. Removing a site from

42the allowed list means Codex asks again before using it; removing a site from the

43blocked list means Codex can ask again instead of treating it as blocked.

44 

45## Preview a page

46 

471. Start your app's development server in the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or with a [local environment action](https://developers.openai.com/codex/app/local-environments#actions).

482. Open an unauthenticated local route, file-backed page, or public page by

49 clicking a URL or navigating manually in the browser.

503. Review the rendered state alongside the code diff.

514. Leave browser comments on the elements or areas that need changes.

525. Ask Codex to address the comments and keep the scope narrow.

53 

54Example feedback:

55 

56```text

57I left comments on the pricing page in the in-app browser. Address the mobile

58layout issues and keep the card structure unchanged.

59```

60 

61## Comment on the page

62 

63When a bug is visible only in the rendered page, use browser comments to give

64Codex precise feedback on the page.

65 

66- Turn on comment mode, select an element or area, and submit a comment.

67- In comment mode, hold <kbd>Shift</kbd> and click to select an area.

68- Hold <kbd>Cmd</kbd> while clicking to send a comment immediately.

69 

70After you leave comments, send a message in the thread asking Codex to address

71them. Comments are most useful when Codex needs to make a precise visual change.

72 

73Good feedback is specific:

74 

75```text

76This button overflows on mobile. Keep the label on one line if it fits,

77otherwise wrap it without changing the card height.

78```

79 

80```text

81This tooltip covers the data point under the cursor. Reposition the tooltip so

82it stays inside the chart bounds.

83```

84 

85## Keep browser tasks scoped

86 

87The in-app browser is for review and iteration. Keep each browser task small

88enough to review in one pass.

89 

90- Name the page, route, or local URL.

91- Name the visual state you care about, such as loading, empty, error, or

92 success.

93- Leave comments on the exact elements or areas that need changes.

94- Review the updated route after Codex changes the code.

95- Ask Codex to start or check the dev server before it uses the browser.

96 

97For repository changes, use the [review pane](https://developers.openai.com/codex/app/review) to inspect the

98changes and leave comments.

36 36 

37You can also explicitly invoke skills by typing `$` in the thread composer. See [Skills](https://developers.openai.com/codex/skills).37You can also explicitly invoke skills by typing `$` in the thread composer. See [Skills](https://developers.openai.com/codex/skills).

38 38 

39Enabled skills also appear in the slash command list (for example, `/imagegen`).39Enabled skills also appear in the slash command list.

40 40 

41### Available slash commands41### Available slash commands

42 42 

62 62 

63For new-thread deeplinks:63For new-thread deeplinks:

64 64 

65- `prompt` prefills the composer.65- `prompt` sets the initial composer text.

66- `path` must be an absolute path to a local directory and, when valid, makes that directory the active workspace for the new thread.66- `path` must be an absolute path to a local directory and, when valid, makes that directory the active workspace for the new thread.

67- `originUrl` tries to match one of your current workspace roots by Git remote URL. If both `path` and `originUrl` are present, Codex resolves `path` first.67- `originUrl` tries to match one of your current workspace roots by Git remote URL. If both `path` and `originUrl` are present, Codex resolves `path` first.

68 68 

1# Computer Use

2 

3In the Codex app, computer use is currently available on macOS, except in the

4 European Economic Area, the United Kingdom, and Switzerland at launch. Install

5 the Computer Use plugin, then grant Screen Recording and Accessibility

6 permissions when macOS prompts you.

7 

8With computer use, Codex can see and operate graphical user interfaces on macOS.

9Use it for tasks where command-line tools or structured integrations aren't

10enough, such as checking a desktop app, using a browser, changing app settings,

11working with a data source that isn't available as a plugin, or reproducing a

12bug that only happens in a graphical user interface.

13 

14Because computer use can affect app and system state outside your project

15workspace, use it for scoped tasks and review permission prompts before

16continuing.

17 

18## Set up computer use

19 

20In Codex settings, open **Computer Use** and click **Install** to install the

21Computer Use plugin before you ask Codex to operate desktop apps. When macOS

22prompts for access, grant Screen Recording and Accessibility permissions if you

23want Codex to see and interact with the target app.

24 

25To use computer use, grant:

26 

27- **Screen Recording** permission so Codex can see the target app.

28- **Accessibility** permission so Codex can click, type, and navigate.

29 

30## When to use computer use

31 

32Choose computer use when the task depends on a graphical user interface that's

33hard to verify through files or command output alone.

34 

35Good fits include:

36 

37- Testing a macOS app, an iOS simulator flow, or another desktop app that Codex

38 is building.

39- Performing a task that requires your web browser.

40- Reproducing a bug that only appears in a graphical interface.

41- Changing app settings that require clicking through a UI.

42- Inspecting information in an app or data source that isn't available through a

43 plugin.

44- Running a scoped task in the background while you keep working elsewhere.

45- Executing a workflow that spans more than one app.

46 

47For web apps you are building locally, use the

48[in-app browser](https://developers.openai.com/codex/app/browser) first.

49 

50## Start a computer use task

51 

52Mention `@Computer Use` or `@AppName` in your prompt, or ask Codex to use

53computer use. Describe the exact app, window, or flow Codex should operate.

54 

55```text

56Open the app with computer use, reproduce the onboarding bug, and fix the

57smallest code path that causes it. After each change, run the same UI flow

58again.

59```

60 

61```text

62Open @Chrome and verify the checkout page still works after the latest changes.

63```

64 

65If the target app exposes a dedicated plugin or MCP server, prefer that

66structured integration for data access and repeatable operations. Choose

67computer use when Codex needs to inspect or operate the app visually.

68 

69## Permissions and approvals

70 

71The macOS system permissions for computer use are separate from app approvals in

72Codex. The macOS permissions let Codex see and operate apps. App approvals

73determine which apps you allow Codex to use. File reads, file edits, and shell

74commands still follow the sandbox and approval settings for the thread.

75 

76With computer use, Codex can see and take action only in the apps you allow.

77During a task, Codex asks for your permission before it can use an app on your

78computer. You can choose **Always allow** so Codex can use that app in the future

79without asking again. You can remove apps from the **Always allow** list in the

80**Computer Use** section of Codex settings.

81 

82![Codex app asking for permission to use Calculator with computer use](/images/codex/app/computer-use-approval-light.webp)

83 

84Codex may also ask for permission before taking sensitive or disruptive actions.

85 

86If Codex can't see or control an app, open **System Settings > Privacy &

87Security** and check **Screen Recording** and **Accessibility** for the Codex

88app.

89 

90## Safety guidance

91 

92With computer use, Codex can view screen content, take screenshots, and interact

93with windows, menus, keyboard input, and clipboard state in the target app.

94Treat visible app content, browser pages, screenshots, and files opened in the

95target app as context Codex may process while the task runs.

96 

97Keep tasks narrow and stay present for sensitive flows:

98 

99- Give Codex one clear target app or flow at a time.

100- You can stop the task or take over your computer at any time.

101- Keep sensitive apps closed unless they're required for the task.

102- Avoid tasks that require secrets unless you're present and can approve each

103 step.

104- Review app permission prompts before allowing Codex to use an app.

105- Use **Always allow** only for apps you trust Codex to use automatically in

106 future tasks.

107- Stay present for account, security, privacy, network, payment, or

108 credential-related settings.

109- Cancel the task if Codex starts interacting with the wrong window.

110 

111If Codex uses your browser, it can interact with pages where you're already

112signed in. Review website actions as if you were taking them yourself: web pages

113can contain malicious or misleading content, and sites may treat approved clicks,

114form submissions, and signed-in actions as coming from your account. To keep

115using your browser while Codex works, ask Codex to use a different browser.

116 

117The feature can't automate terminal apps or Codex itself, since automating them

118could bypass Codex security policies. It also can't authenticate as an

119administrator or approve security and privacy permission prompts on your

120computer.

121 

122File edits and shell commands still follow Codex approval and sandbox settings

123where applicable. Changes made through desktop apps may not appear in the review

124pane until they're saved to disk and tracked by the project. Your ChatGPT data

125controls apply to content processed through Codex, including screenshots taken

126by computer use.

3The Codex app is a focused desktop experience for working on Codex threads in parallel,3The Codex app is a focused desktop experience for working on Codex threads in parallel,

4with built-in worktree support, automations, and Git functionality.4with built-in worktree support, automations, and Git functionality.

5 5 

6Most Codex app features are available on both macOS and Windows.

7The sections below note platform-specific exceptions.

8 

6---9---

7 10 

8## Multitask across projects11## Multitask across projects

31 34 

32You can also combine skills with [automations](https://developers.openai.com/codex/app/automations) to perform routine tasks35You can also combine skills with [automations](https://developers.openai.com/codex/app/automations) to perform routine tasks

33such as evaluating errors in your telemetry and submitting fixes or creating reports on recent36such as evaluating errors in your telemetry and submitting fixes or creating reports on recent

34codebase changes.37codebase changes. For ongoing work that should stay in one thread, use a

38[thread automation](https://developers.openai.com/codex/app/automations#thread-automations).

35 39 

36![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp)40![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp)

37 41 

130 134 

131![Pop-out window preview in light mode](/images/codex/app/popover-light.webp)135![Pop-out window preview in light mode](/images/codex/app/popover-light.webp)

132 136 

137## In-app browser

138 

139Use the [in-app browser](https://developers.openai.com/codex/app/browser) to preview, review, and comment on

140local development servers, file-backed previews, and public pages that don't

141require sign-in while you iterate on a web app.

142 

143The in-app browser doesn't support authentication flows, signed-in pages, your

144regular browser profile, cookies, extensions, or existing tabs.

145 

146Use browser comments to mark specific elements or areas on a page, then ask

147Codex to address that feedback.

148 

149When you want Codex to operate the page directly, use

150[browser use](https://developers.openai.com/codex/app/browser#browser-use) for local development servers and

151file-backed pages. You can manage the Browser plugin, allowed websites, and

152blocked websites from settings.

153 

154![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)

155 

156## Computer use

157 

158[Computer use](https://developers.openai.com/codex/app/computer-use) helps Codex operate a macOS app by

159seeing, clicking, and typing. This is useful for testing desktop apps, checking

160browser or simulator flows, working with data sources that aren't available as

161plugins, changing app settings, and reproducing GUI-only bugs.

162 

163Because computer use can affect app and system state outside your project

164workspace, keep tasks narrow and review permission prompts before continuing.

165 

166The feature isn't available in the European Economic Area, the United Kingdom, or

167Switzerland at launch.

168 

169![Codex app asking for permission to use Calculator with computer use](/images/codex/app/computer-use-approval-light.webp)

170 

171## Work with non-code artifacts

172 

173When a task produces non-code artifacts, the sidebar can preview PDF files,

174spreadsheets, documents, and presentations. Give Codex the source data, expected

175file type, structure, and review criteria you care about.

176 

177For spreadsheets and presentations, describe the sheets, columns, charts, slide

178sections, and checks that matter. Ask Codex to explain where it saved the output

179and how it checked the result.

180 

181Use the task sidebar to follow what Codex is doing while a thread runs. It can

182surface the agent's plan, sources, generated artifacts, and task summary so you

183can steer the work, inspect generated files, and decide what needs another pass.

184 

185![Codex app showing a generated presentation in the artifact viewer](/images/codex/app/artifact-viewer-light.webp)

186 

133---187---

134 188 

135## Sync with the IDE extension189## Sync with the IDE extension

146If you're unsure whether the app includes context, toggle it off and ask the200If you're unsure whether the app includes context, toggle it off and ask the

147same question again to compare results.201same question again to compare results.

148 202 

203## Thread automations

204 

205Automations can also attach to a single thread. These thread automations are

206recurring wake-up calls that preserve the thread's context so Codex can check

207on long-running work, poll a source for new information, or continue a follow-up

208loop. Use them for heartbeat-style automations that should keep returning to the

209same conversation on a schedule.

210 

211Use a thread automation when the next run depends on the current conversation.

212Use a standalone or project [automation](https://developers.openai.com/codex/app/automations) when you want

213Codex to start a fresh recurring task for one or more projects.

214 

149## Approvals and sandboxing215## Approvals and sandboxing

150 216 

151Your approval and sandbox settings constrain Codex actions.217Your approval and sandbox settings constrain Codex actions.

164opening separate projects or using worktrees rather than asking Codex to roam230opening separate projects or using worktrees rather than asking Codex to roam

165outside the project root.231outside the project root.

166 232 

167For a high-level overview, see [Sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For233If [automatic review](https://developers.openai.com/codex/agent-approvals-security#automatic-approval-reviews)

234is available in your workspace, you can choose it from the permissions selector.

235It keeps the same sandbox boundary but routes eligible approval requests through

236the configured review policy instead of waiting for you.

237 

238For a high-level overview, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For

168configuration details, see the239configuration details, see the

169[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).240[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).

170 241 

177 248 

178## Web search249## Web search

179 250 

180Codex ships with a first-party web search tool. For local tasks in the Codex IDE Extension, Codex251Codex ships with a first-party web search tool. For local tasks in the Codex app, Codex

181enables web search by default and serves results from a web search cache. If you configure your252enables web search by default and serves results from a web search cache. If you configure your

182sandbox for [full access](https://developers.openai.com/codex/agent-approvals-security), web search defaults to live results. See253sandbox for [full access](https://developers.openai.com/codex/agent-approvals-security), web search defaults to live results. See

183[Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the254[Config basics](https://developers.openai.com/codex/config-basic) to disable web search or switch to live results that fetch the

184most recent data.255most recent data.

185 256 

257## Image generation

258 

259Ask Codex to generate or edit images directly in a thread. This is useful for UI assets, banners, backgrounds, illustrations, sprite sheets, and placeholders you want to create alongside code. Add a reference image when you want Codex to transform or extend an existing asset.

260 

261You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.

262 

263Built-in image generation uses `gpt-image-2`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).

264 

265For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.

266 

186## Image input267## Image input

187 268 

188You can drag and drop images into the prompt composer to include them as context. Hold down `Shift`269You can drag and drop images into the prompt composer to include them as context. Hold down `Shift`

191You can also ask Codex to view images on your system. By giving Codex tools to take screenshots of272You can also ask Codex to view images on your system. By giving Codex tools to take screenshots of

192the app you are working on, Codex can verify the work it's doing.273the app you are working on, Codex can verify the work it's doing.

193 274 

275## Chats

276 

277Chats are threads you can start when the task doesn't need a specific project

278folder or Git repository. Use them for research, triage, planning,

279plugin-heavy workflows, and other conversations where Codex should use connected

280tools instead of editing a codebase.

281 

282Chats use a Codex-managed `threads` directory under your Codex home as their

283working location. By default, that location is `~/.codex/threads`.

284 

285## Memories

286 

287[Memories](https://developers.openai.com/codex/memories), where available, let Codex carry useful context

288from past tasks into future threads. They're most useful for stable preferences,

289project conventions, recurring work patterns, and known pitfalls that would

290otherwise need to repeat.

291 

194## Notifications292## Notifications

195 293 

196By default, the Codex app sends notifications when a task completes or needs approval while the app294By default, the Codex app sends notifications when a task completes or needs approval while the app

208 306 

209- [Settings](https://developers.openai.com/codex/app/settings)307- [Settings](https://developers.openai.com/codex/app/settings)

210- [Automations](https://developers.openai.com/codex/app/automations)308- [Automations](https://developers.openai.com/codex/app/automations)

309- [In-app browser](https://developers.openai.com/codex/app/browser)

310- [Computer use](https://developers.openai.com/codex/app/computer-use)

311- [Review pane](https://developers.openai.com/codex/app/review)

211- [Local environments](https://developers.openai.com/codex/app/local-environments)312- [Local environments](https://developers.openai.com/codex/app/local-environments)

212- [Worktrees](https://developers.openai.com/codex/app/worktrees)313- [Worktrees](https://developers.openai.com/codex/app/worktrees)

412. Hover the line you want to comment on.412. Hover the line you want to comment on.

423. Click the **+** button that appears.423. Click the **+** button that appears.

434. Write your feedback and submit it.434. Write your feedback and submit it.

445. Once you are done with all your feedback, send a message back to the thread.445. After you finish leaving feedback, send a message back to the thread.

45 45 

46Because the comment is anchored to a line, Codex can usually respond more46Because comments are line-specific, Codex can respond more precisely than with a

47precisely than with a general instruction.47general instruction.

48 48 

49Inline comments are treated as review guidance. After leaving comments, send a49Codex treats inline comments as review guidance. After leaving comments, send a

50follow-up message that makes your intent explicit, for example “Address the50follow-up message that makes your intent explicit, for example “Address the

51inline comments and keep the scope minimal.”51inline comments and keep the scope minimal.”

52 52 

57 57 

58![Inline code review comments displayed in the review pane](/images/codex/app/inline-code-review-light.webp)58![Inline code review comments displayed in the review pane](/images/codex/app/inline-code-review-light.webp)

59 59 

60## Pull request reviews

61 

62When Codex has GitHub access for your repository and the current project is on

63the pull request branch, the Codex app can help you work through pull request

64feedback without leaving the app. The sidebar shows pull request context and

65feedback from reviewers, and the review pane shows comments alongside the diff

66so you can ask Codex to address issues in the same thread.

67 

68Install the GitHub CLI (`gh`) and authenticate it with `gh auth login` so Codex

69can load pull request context, review comments, and changed files. If `gh` is

70missing or unauthenticated, pull request details may not appear in the sidebar

71or review pane.

72 

73Use this flow when you want to keep the full fix loop in one place:

74 

751. Open the review pane on the pull request branch.

762. Review the pull request context, comments, and changed files.

773. Ask Codex to fix the specific comments you want handled.

784. Inspect the resulting diff in the review pane.

795. Stage, commit, and push the changes to the PR branch when you are ready.

80 

81For GitHub-triggered reviews, see [Use Codex in GitHub](https://developers.openai.com/codex/integrations/github).

82 

60## Staging and reverting files83## Staging and reverting files

61 84 

62The review pane includes Git actions so you can shape the diff before you85The review pane includes Git actions so you can shape the diff before you

63commit.86commit.

64 87 

65You can stage, unstage, or revert changes at multiple levels:88You can stage, unstage, or revert changes at these levels:

66 89 

67- **Entire diff**: use the action buttons in the review header (for example,90- **Entire diff**: use the action buttons in the review header (for example,

68 "Stage all" or "Revert all")91 "Stage all" or "Revert all")

72Use staging when you want to accept part of the work, and revert when you want95Use staging when you want to accept part of the work, and revert when you want

73to discard it.96to discard it.

74 97 

75### Partially staged states98### Staged and unstaged states

76 99 

77Git can represent both staged and unstaged changes in the same file. When that100Git can represent both staged and unstaged changes in the same file. When that

78happens, it can look like the pane is showing “the same file twice” across101happens, it can look like the pane is showing “the same file twice” across

43also apply to the Codex CLI and IDE extension because the MCP configuration lives in43also apply to the Codex CLI and IDE extension because the MCP configuration lives in

44`config.toml`. See the [Model Context Protocol docs](https://developers.openai.com/codex/mcp) for details.44`config.toml`. See the [Model Context Protocol docs](https://developers.openai.com/codex/mcp) for details.

45 45 

46## Browser use

47 

48Use these settings to install or enable the bundled Browser plugin and manage

49allowlisted and blocklisted websites. Codex asks before using a website

50unless you’ve allowlisted it. Removing a site from the blocklist lets Codex ask

51again before using it in the browser.

52 

53See [In-app browser](https://developers.openai.com/codex/app/browser) for browser preview, comment, and

54browser use workflows.

55 

56## Computer Use

57 

58On macOS, check your Computer Use settings to review desktop-app access and related

59preferences after setup. To revoke system-level access, update Screen Recording

60or Accessibility permissions in macOS Privacy & Security settings. The feature

61isn’t available in the European Economic Area, the United Kingdom, or Switzerland

62at launch.

63 

46## Personalization64## Personalization

47 65 

48Choose **Friendly**, **Pragmatic**, or **None** as your default personality. Use66Choose **Friendly**, **Pragmatic**, or **None** as your default personality. Use

51You can also add your own custom instructions. Editing custom instructions updates your69You can also add your own custom instructions. Editing custom instructions updates your

52[personal instructions in `AGENTS.md`](https://developers.openai.com/codex/guides/agents-md).70[personal instructions in `AGENTS.md`](https://developers.openai.com/codex/guides/agents-md).