OpenAI - Codex Docs Changes 2026-03-17 18:24 UTC → 2026-05-18 22:01 UTC

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

10 10 

11For a high-level explanation of how sandboxing works across the Codex app, IDE11For a high-level explanation of how sandboxing works across the Codex app, IDE

12extension, and CLI, see [Sandboxing](https://developers.openai.com/codex/concepts/sandboxing).12extension, and CLI, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing).

13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

14 14 

15## Sandbox and approvals15## Sandbox and approvals

24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.

25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

26 26 

27In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.27In the `Auto` preset (for example, `--sandbox workspace-write --ask-for-approval on-request`), Codex can read files, make edits, and run commands in the working directory automatically.

28 28 

29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

30 30 

31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

32 32 

33## Network access [Elevated Risk](https://help.openai.com/articles/20001061)33## Network access <ElevatedRiskBadge class="ml-2" />

34 34 

35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

36 36 

41network_access = true41network_access = true

42```42```

43 43 

44### Network isolation

45 

46Network access is controlled through destination rules that apply to scripts,

47programs, and subprocesses spawned by commands. When command network access is

48already enabled, turn on the `network_proxy` feature to constrain that traffic

49to the network policy you configure.

50 

51```toml

52[features.network_proxy]

53enabled = true

54domains = { "api.openai.com" = "allow", "example.com" = "deny" }

55```

56 

57For a one-off CLI session, use the boolean shorthand when you only need the

58toggle, and the table form when you also set policy options:

59 

60```bash

61codex \

62 -c 'features.network_proxy=true' \

63 -c 'sandbox_workspace_write.network_access=true'

64 

65codex \

66 -c 'features.network_proxy.enabled=true' \

67 -c 'features.network_proxy.domains={ "api.openai.com" = "allow", "example.com" = "deny" }' \

68 -c 'sandbox_workspace_write.network_access=true'

69```

70 

71The feature changes how enabled network access is enforced; it does not grant

72network access by itself. Use `sandbox_workspace_write.network_access` with

73`workspace-write` config to decide whether commands have network access at all:

74 

75- Network off + `network_proxy` on: network stays off, and the feature does nothing.

76- Network on + `network_proxy` off: network stays on with unrestricted direct

77 outbound access.

78- Network on + `network_proxy` on: network stays on, and outbound traffic is

79 constrained by the configured network policy.

80 

81Admin-managed `experimental_network` requirements are separate from the user

82feature toggle. They can configure and start sandboxed networking without

83`features.network_proxy`, but they do not turn on network access when the active

84sandbox keeps it off. See [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-network-access-requirements)

85for the administrator-side `requirements.toml` shape.

86 

87#### Network policy

88 

89Domain rules are allowlist-first:

90 

91- Exact hosts match only themselves.

92- `*.example.com` matches subdomains such as `api.example.com`, but not

93 `example.com`.

94- `**.example.com` matches both the apex and subdomains.

95- A global `*` allow rule matches any public host that is not denied. Treat `*`

96 as broad network access and prefer scoped rules when you can.

97- `deny` always wins over `allow`, and global `*` is only valid for allow rules.

98 

99#### Local and private destinations

100 

101By default, `allow_local_binding = false` blocks loopback, link-local, and

102private destinations:

103 

104- Specific exceptions: add an exact local IP literal or `localhost` allow rule

105 when a command needs one local target.

106- Broader access: set `allow_local_binding = true` only when you intentionally

107 want wider local/private reach.

108- Wildcards: wildcard rules do not count as explicit local exceptions.

109- Resolved addresses: hostnames that resolve to local/private IPs stay blocked

110 even if they match the allowlist.

111 

112#### DNS rebinding protections

113 

114Before allowing a hostname, Codex performs a best-effort DNS and IP

115classification check:

116 

117- Lookups that fail or time out are blocked.

118- Hostnames that resolve to non-public addresses are blocked.

119- The check reduces DNS rebinding risk, but it does not eliminate it. Preventing

120 rebinding completely would require pinning resolved IPs through the transport

121 layer.

122 

123If hostile DNS is in scope, enforce egress controls at a lower layer too.

124 

125#### Dangerous settings

126 

127Two settings deliberately widen the trust boundary:

128 

129- `dangerously_allow_non_loopback_proxy = true` can expose proxy listeners beyond

130 loopback.

131- `dangerously_allow_all_unix_sockets = true` bypasses the Unix socket allowlist.

132 

133Use them only in tightly controlled environments. When Unix socket proxying is

134enabled, listeners stay loopback-only even if non-loopback binding was requested,

135so sandboxed networking does not become a remote bridge into local daemons.

136 

137`network_proxy` is off by default. When you enable it:

138 

139| Setting | Default | Behavior |

140| -------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

141| `enabled` | `false` | Starts sandboxed networking only when command network access is already on. |

142| `domains` | unset | Uses allowlist behavior, so no external destinations are allowed until you add `allow` rules. Supports exact hosts, scoped wildcards, and global `*` allow rules; `deny` always wins. |

143| `unix_sockets` | unset | No Unix socket destinations are allowed until you add explicit `allow` rules. |

144| `allow_local_binding` | `false` | Blocks local and private-network destinations unless you add an exact local IP literal or `localhost` allow rule, or explicitly opt into broader local/private access. |

145| `enable_socks5` | `true` | Exposes SOCKS5 support when policy allows it. |

146| `enable_socks5_udp` | `true` | Allows UDP over SOCKS5 when SOCKS5 is available. |

147| `allow_upstream_proxy` | `true` | Lets sandboxed networking honor an upstream proxy from the environment. |

148| `dangerously_allow_non_loopback_proxy` | `false` | Keeps listener endpoints on loopback unless you deliberately expose them beyond localhost. |

149| `dangerously_allow_all_unix_sockets` | `false` | Keeps Unix socket access allowlist-based unless you deliberately bypass that protection. |

150 

44You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:151You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

45 152 

46```toml153```toml

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.180- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.181- Protection is recursive, so everything under those paths is read-only.

75 182 

183### Deny reads with filesystem profiles

184 

185Named permission profiles can also deny reads for exact paths or glob patterns.

186This is useful when a workspace should stay writable but specific sensitive

187files, such as local environment files, must stay unreadable:

188 

189```toml

190default_permissions = "workspace"

191 

192[permissions.workspace.filesystem]

193":project_roots" = { "." = "write", "**/*.env" = "none" }

194glob_scan_max_depth = 3

195```

196 

197Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy

198evaluates globs for local macOS and Linux command execution. On platforms that

199pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for

200unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and

201`*/*/*.env`.

202 

76### Run without approval prompts203### Run without approval prompts

77 204 

78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).205You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

81 208 

82If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.209If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

83 210 

84For a middle ground, `approval_policy = { reject = { ... } }` lets you auto-reject specific approval prompt categories (sandbox escalation, execpolicy-rule prompts, or MCP elicitations) while keeping other prompts interactive.211For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

212 

213### Automatic approval reviews

214 

215By default, approval requests route to you:

216 

217```toml

218approvals_reviewer = "user"

219```

220 

221Automatic approval reviews apply when approvals are interactive, such as

222`approval_policy = "on-request"` or a granular approval policy. Set

223`approvals_reviewer = "auto_review"` to route eligible approval requests

224through a reviewer agent before Codex runs the request:

225 

226```toml

227approval_policy = "on-request"

228approvals_reviewer = "auto_review"

229```

230 

231For the full reviewer lifecycle, trigger conditions, configuration precedence,

232and failure behavior, see

233[Auto-review](https://developers.openai.com/codex/concepts/sandboxing/auto-review).

234 

235The reviewer evaluates only actions that already need approval, such as sandbox

236escalations, blocked network requests, `request_permissions` prompts, or

237side-effecting app and MCP tool calls. Actions that stay inside the sandbox

238continue without an extra review step.

239 

240The reviewer policy checks for data exfiltration, credential probing, persistent

241security weakening, and destructive actions. Low-risk and medium-risk actions

242can proceed when policy allows them. The policy denies critical-risk actions.

243High-risk actions require enough user authorization and no matching deny rule.

244Prompt-build, review-session, and parse failures fail closed. Timeouts are

245surfaced separately, but the action still does not run.

246 

247The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

248is in the open-source Codex repository. Enterprises can replace its

249tenant-specific section with `guardian_policy_config` in managed requirements.

250Local `[auto_review].policy` text is also supported, but managed requirements

251take precedence. For setup details, see

252[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

253 

254In the Codex app, these reviews appear as automatic review items with a status

255such as Reviewing, Approved, Denied, Aborted, or Timed out. They can also

256include a risk level and user-authorization assessment for the reviewed

257request.

258 

259Automatic review uses extra model calls, so it can add to Codex usage. Admins

260can constrain it with `allowed_approvals_reviewers`.

85 261 

86### Common sandbox and approval combinations262### Common sandbox and approval combinations

87 263 

88| Intent | Flags | Effect |264| Intent | Flags / config | Effect |

89| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |265| ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |

90| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |266| Auto (preset) | _no flags needed_ or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

91| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |267| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

92| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |268| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |

93| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |269| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

94| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |270| Auto-review mode | `--sandbox workspace-write --ask-for-approval on-request -c approvals_reviewer=auto_review` or `approvals_reviewer = "auto_review"` | Same sandbox boundary as standard on-request mode, but eligible approval requests are reviewed by Auto-review instead of surfacing to the user. |

271| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | <ElevatedRiskBadge /> No sandbox; no approvals _(not recommended)_ |

95 272 

96`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.273For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.

97 274 

98With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.275With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

99 276 

111[sandbox_workspace_write]288[sandbox_workspace_write]

112network_access = true289network_access = true

113 290 

114# Optional: granular approval prompt auto-rejection291# Optional: granular approval policy

115# approval_policy = { reject = { sandbox_approval = true, rules = false, mcp_elicitations = false } }292# approval_policy = { granular = {

293# sandbox_approval = true,

294# rules = true,

295# mcp_elicitations = true,

296# request_permissions = false,

297# skill_approval = false

298# } }

116```299```

117 300 

118You can also save presets as profiles, then select them with `codex --profile <name>`:301You can also save presets as profiles, then select them with `codex --profile <name>`:

133 316 

134```bash317```bash

135# macOS318# macOS

136codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...319codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...

137# Linux320# Linux

138codex sandbox linux [--full-auto] [COMMAND]...321codex sandbox linux [--permissions-profile <name>] [COMMAND]...

322# Windows

323codex sandbox windows [--permissions-profile <name>] [COMMAND]...

139```324```

140 325 

141The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).326The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

145Codex enforces the sandbox differently depending on your OS:330Codex enforces the sandbox differently depending on your OS:

146 331 

147- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.332- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

148- **Linux** uses `Landlock` plus `seccomp` by default. You can opt into the alternative Linux sandbox pipeline with `features.use_linux_sandbox_bwrap = true` (or `-c use_linux_sandbox_bwrap=true`). In managed proxy mode, the bwrap pipeline routes egress through a proxy-only bridge and fails closed if it cannot build valid loopback proxy routes; landlock-only flows do not use that bridge behavior.333- **Linux** uses `bwrap` plus `seccomp` by default.

149- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux (WSL)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.334- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

150 335 

151If you use the Codex IDE extension on Windows, it supports WSL directly. Set the following in your VS Code settings to keep the agent inside WSL whenever it’s available:336If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:

152 337 

153```json338```json

154{339{

163```toml348```toml

164[windows]349[windows]

165sandbox = "unelevated" # or "elevated"350sandbox = "unelevated" # or "elevated"

351# sandbox_private_desktop = true # default; set false only for compatibility

166```352```

167 353 

168See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.354See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

169 355 

170When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.356When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration blocks the namespace, setuid `bwrap`, or `seccomp` operations that Codex needs.

171 357 

172In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.358In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

173 359 

360### Run Codex in Dev Containers

361 

362If your host cannot run the Linux sandbox directly, or if your organization already standardizes on containerized development, run Codex with Dev Containers and let Docker provide the outer isolation boundary. This works with Visual Studio Code Dev Containers and compatible tools.

363 

364Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.

365 

366Devcontainers provide substantial protection, but they do not prevent every

367 attack. If you run Codex with `--sandbox danger-full-access` or

368 `--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious

369 project can exfiltrate anything available inside the devcontainer, including

370 Codex credentials. Use this pattern only with trusted repositories, and

371 monitor Codex activity as you would in any other elevated environment.

372 

373The reference implementation includes:

374 

375- an Ubuntu 24.04 base image with Codex and common development tools installed;

376- an allowlist-driven firewall profile for outbound access;

377- VS Code settings and extension recommendations for reopening the workspace in a container;

378- persistent mounts for command history and Codex configuration;

379- `bubblewrap`, so Codex can still use its Linux sandbox when the container grants the needed capabilities.

380 

381To try it:

382 

3831. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).

3842. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.

3853. In VS Code, run **Dev Containers: Open Folder in Container...** and select `.devcontainer/devcontainer.secure.json`.

3864. After the container starts, open a terminal and run `codex`.

387 

388You can also start the container from the CLI:

389 

390```bash

391devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json

392```

393 

394The example has three main pieces:

395 

396- `.devcontainer/devcontainer.secure.json` controls container settings, capabilities, mounts, environment variables, and VS Code extensions.

397- `.devcontainer/Dockerfile.secure` defines the Ubuntu-based image and installed tools.

398- `.devcontainer/init-firewall.sh` applies the outbound network policy.

399 

400The reference firewall is intentionally a starting point. If you depend on domain allowlisting for isolation, implement DNS rebinding and DNS refresh protections that fit your environment, such as TTL-aware refreshes or a DNS-aware firewall.

401 

402Inside the container, choose one of these modes:

403 

404- Keep Codex's Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.

405- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.

406 

174## Version control407## Version control

175 408 

176Codex works best with a version control workflow:409Codex works best with a version control workflow:

4 4 

5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).

6 6 

7![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)7<PlatformSpecificContent>

8 8 <CodexScreenshot

9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)9 slot="windows"

10 alt="Codex app for Windows showing a project sidebar, active thread, and review pane"

11 lightSrc="/images/codex/windows/codex-windows-light.webp"

12 darkSrc="/images/codex/windows/codex-windows-dark.webp"

13 variant="no-wallpaper"

14 maxHeight="300px"

15 />

16 <CodexScreenshot

17 alt="Codex app window with a project sidebar, active thread, and review pane"

18 lightSrc="/images/codex/app/app-screenshot-light.webp"

19 darkSrc="/images/codex/app/app-screenshot-dark.webp"

20 variant="no-wallpaper"

21 maxHeight="300px"

22 />

23</PlatformSpecificContent>

10 24 

11## Getting started25## Getting started

12 26 

13The Codex app is available on macOS (Apple Silicon).27The Codex app is available on macOS and Windows.

28 

29Most Codex app features are available on both platforms. Platform-specific

30exceptions are noted in the relevant docs.

14 31 

32<WorkflowSteps variant="headings">

151. Download and install the Codex app331. Download and install the Codex app

16 34 

17 Download the Codex app for Windows or macOS.35 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.

18 36 

19 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)37 <CodexAppDownloadCta client:load className="mb-4" />

20 38 

39 <div class="text-sm">

21 [Get notified for Linux](https://openai.com/form/codex-app/)40 [Get notified for Linux](https://openai.com/form/codex-app/)

41 </div>

42 

222. Open Codex and sign in432. Open Codex and sign in

23 44 

24 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.45 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

36 58 

37 You can ask Codex anything about the project or your computer in general. Here are some examples:59 You can ask Codex anything about the project or your computer in general. Here are some examples:

38 60 

39- Tell me about this project61 <ExampleGallery>

40- Build a classic Snake game in this repo.62 <ExampleTask

41- Find and fix bugs in my codebase with minimal, high-confidence changes.63 client:load

42 64 id="intro"

43 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).65 prompt="Tell me about this project"

66 iconName="brain"

67 />

68 <ExampleTask

69 client:load

70 id="snake-game"

71 shortDescription="Build a classic Snake game in this repo."

72 prompt={[

73 "Build a classic Snake game in this repo.",

74 "",

75 "Scope & constraints:",

76 "- Implement ONLY the classic Snake loop: grid movement, growing snake, food spawn, score, game-over, restart.",

77 "- Reuse existing project tooling/frameworks; do NOT add new dependencies unless truly required.",

78 "- Keep UI minimal and consistent with the repo’s existing styles (no new design systems, no extra animations).",

79 "",

80 "Implementation plan:",

81 "1) Inspect the repo to find the right place to add a small interactive game (existing pages/routes/components).",

82 "2) Implement game state (snake positions, direction, food, score, tick timer) with deterministic, testable logic.",

83 "3) Render: simple grid + snake + food; support keyboard controls (arrow keys/WASD) and on-screen controls if mobile is present in the repo.",

84 "4) Add basic tests for the core game logic (movement, collisions, growth, food placement) if the repo has a test runner.",

85 "",

86 "Deliverables:",

87 "- A small set of files/changes with clear names.",

88 "- Short run instructions (how to start dev server + where to navigate).",

89 "- A brief checklist of what to manually verify (controls, pause/restart, boundaries).",

90 ].join("\n")}

91 iconName="gamepad"

92 />

93 <ExampleTask

94 client:load

95 id="fix-bugs"

96 shortDescription="Find and fix bugs in my codebase with minimal, high-confidence changes."

97 prompt={[

98 "Find and fix bugs in my codebase with minimal, high-confidence changes.",

99 "",

100 "Method (grounded + disciplined):",

101 "1) Reproduce: run tests/lint/build (or follow the existing repo scripts). If I provided an error, reproduce that exact failure.",

102 "2) Localize: identify the smallest set of files/lines involved (stack traces, failing tests, logs).",

103 "3) Fix: implement the minimal change that resolves the issue without refactors or unrelated cleanup.",

104 "4) Prove: add/update a focused test (or a tight repro) that fails before and passes after.",

105 "",

106 "Constraints:",

107 "- Do NOT invent errors or pretend to run commands you cannot run.",

108 "- No scope drift: no new features, no UI embellishments, no style overhauls.",

109 "- If information is missing, state what you can confirm from the repo and what remains unknown.",

110 "",

111 "Output:",

112 "- Summary (3–6 sentences max): what was broken, why, and the fix.",

113 "- Then ≤5 bullets: What changed, Where (paths), Evidence (tests/logs), Risks, Next steps.",

114 ].join("\n")}

115 iconName="search"

116 />

117 </ExampleGallery>

118 

119 If you need more inspiration, explore [Codex use cases](https://developers.openai.com/codex/use-cases).

44 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).120 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

45 121 

122</WorkflowSteps>

123 

46---124---

47 125 

48## Work with the Codex app126## Work with the Codex app

49 127 

50[### Multitask across projects128<BentoContainer class="mt-6">

129 <BentoContent href="/codex/app/features#multitask-across-projects">

130 

131### Multitask across projects

132 

133Run project threads side by side and switch between them quickly.

134 

135 </BentoContent>

136 <BentoContent href="/codex/app/worktrees">

137 

138### Worktrees

139 

140Keep parallel code changes isolated with built-in Git worktree support.

141 

142 </BentoContent>

143 <BentoContent href="/codex/remote-connections">

144 

145### Remote connections

146 

147Use the ChatGPT mobile app to start, steer, approve, and review Codex work on a

148connected host.

149 

150 </BentoContent>

151 <BentoContent href="/codex/app/computer-use">

152 

153### Computer use

154 

155Let Codex use macOS apps for GUI tasks, browser flows, and native app testing.

156 

157 </BentoContent>

158 <BentoContent href="/codex/app/review">

159 

160### Review and ship changes

161 

162Inspect diffs, address PR feedback, stage files, commit, and push.

163 

164 </BentoContent>

165 <BentoContent href="/codex/app/features#integrated-terminal">

166 

167### Terminal and actions

168 

169Run commands in each thread and launch repeatable project actions.

170 

171 </BentoContent>

172 <BentoContent href="/codex/app/browser">

173 

174### In-app browser

175 

176Open rendered pages, leave comments, or let Codex operate local browser flows.

177 

178 </BentoContent>

179 <BentoContent href="/codex/app/chrome-extension">

180 

181### Chrome extension

182 

183Add the Chrome plugin so Codex can use Chrome for signed-in browser tasks while you manage website approvals.

184 

185 </BentoContent>

186 <BentoContent href="/codex/app/features#image-generation">

187 

188### Image generation

189 

190Generate or edit images in a thread while you work on the surrounding code and assets.

191 

192 </BentoContent>

193 <BentoContent href="/codex/app/automations">

194 

195### Automations

196 

197Schedule recurring tasks, or wake up the same thread for ongoing checks.

198 

199 </BentoContent>

200 <BentoContent href="/codex/app/features#skills-support">

201 

202### Skills

203 

204Reuse instructions and workflows across the app, CLI, and IDE Extension.

205 

206 </BentoContent>

207 <BentoContent href="/codex/app/features#richer-outputs-and-artifacts">

51 208 

52Run multiple tasks in parallel and switch quickly between them.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Built-in Git tools209### Sidebar and artifacts

53 210 

54Review diffs, comment inline, stage or revert chunks, and commit without leaving the app.](https://developers.openai.com/codex/app/features#built-in-git-tools)[### Worktrees for parallel tasks211Follow plans, sources, task summaries, and generated file previews.

55 212 

56Isolate changes of multiple Codex threads using built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Skills support213 </BentoContent>

214 <BentoContent href="/codex/plugins">

57 215 

58Give your Codex agent additional capabilities and reuse skills across App, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Automations216### Plugins

59 217 

60Pair skills with automations to automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives runs if there’s nothing to report.](https://developers.openai.com/codex/app/automations)[### Built-in terminal218Connect apps, skills, and MCP servers to extend what Codex can do.

61 219 

62Open a terminal per thread to test your changes, run dev servers, scripts, and custom commands.](https://developers.openai.com/codex/app/features#integrated-terminal)[### Local environments220 </BentoContent>

221 <BentoContent href="/codex/app/features#sync-with-the-ide-extension">

63 222 

64Define worktree setup scripts and common project actions for easy access.](https://developers.openai.com/codex/app/local-environments)[### Sync with the IDE extension223### IDE Extension sync

65 224 

66Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)[### MCP support225Share Auto Context and active threads across app and IDE sessions.

67 226 

68Connect your Codex agent to additional services using MCP.](https://developers.openai.com/codex/app/features#mcp-support)227 </BentoContent>

228</BentoContainer>

69 229 

70---230---

71 231 

3Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.3Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.

4 4 

5If you are automating jobs or running Codex in CI, use the5If you are automating jobs or running Codex in CI, use the

6[Codex SDK](https://developers.openai.com/codex/sdk) instead.6 <a href="/codex/sdk">Codex SDK</a> instead.

7 7 

8## Protocol8## Protocol

9 9 

12Supported transports:12Supported transports:

13 13 

14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).

15- `websocket` (`--listen ws://IP:PORT`, experimental): one JSON-RPC message per WebSocket text frame.15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one

16 16 JSON-RPC message per WebSocket text frame.

17In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.17- Unix socket (`--listen unix://` or `--listen unix://PATH`): WebSocket

18 connections over Codex's default app-server control socket or a custom Unix

19 socket path, using the standard HTTP Upgrade handshake.

20- `off` (`--listen off`): don't expose a local transport.

21 

22When you run with `--listen ws://IP:PORT`, the same listener also serves basic

23HTTP health probes:

24 

25- `GET /readyz` returns `200 OK` once the listener accepts new connections.

26- `GET /healthz` returns `200 OK` when the request doesn't include an `Origin`

27 header.

28- Requests with an `Origin` header are rejected with `403 Forbidden`.

29 

30WebSocket transport is experimental and unsupported. Local listeners such as

31`ws://127.0.0.1:PORT` are appropriate for localhost and SSH port-forwarding

32workflows. Non-loopback WebSocket listeners currently allow unauthenticated

33connections by default during rollout, so configure WebSocket auth before

34exposing one remotely.

35 

36Supported WebSocket auth flags:

37 

38- `--ws-auth capability-token --ws-token-file /absolute/path`

39- `--ws-auth capability-token --ws-token-sha256 HEX`

40- `--ws-auth signed-bearer-token --ws-shared-secret-file /absolute/path`

41 

42For signed bearer tokens, you can also set `--ws-issuer`, `--ws-audience`, and

43`--ws-max-clock-skew-seconds`. Clients present the credential as

44`Authorization: Bearer <token>` during the WebSocket handshake, and app-server

45enforces auth before JSON-RPC `initialize`.

46 

47Prefer `--ws-token-file` over passing raw bearer tokens on the command line. Use

48`--ws-token-sha256` only when the client keeps the raw high-entropy token in a

49separate local secret store; the hash is only a verifier, and clients still need

50the original token.

51 

52In WebSocket mode, app-server uses bounded queues. When request ingress is full,

53the server rejects new requests with JSON-RPC error code `-32001` and message

54`"Server overloaded; retry later."` Clients should retry with an exponentially

55increasing delay and jitter.

18 56 

19## Message schema57## Message schema

20 58 

21Requests include `method`, `params`, and `id`:59Requests include `method`, `params`, and `id`:

22 60 

23```json61```json

24{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.1-codex" } }62{ "method": "thread/start", "id": 10, "params": { "model": "gpt-5.4" } }

25```63```

26 64 

27Responses echo the `id` with either `result` or `error`:65Responses echo the `id` with either `result` or `error`:

49 87 

50## Getting started88## Getting started

51 89 

521. Start the server with `codex app-server` (default stdio transport) or `codex app-server --listen ws://127.0.0.1:4500` (experimental WebSocket transport).901. Start the server with `codex app-server` (default stdio transport),

91 `codex app-server --listen ws://127.0.0.1:4500` (TCP WebSocket), or

92 `codex app-server --listen unix://` (default Unix socket).

532. Connect a client over the selected transport, then send `initialize` followed by the `initialized` notification.932. Connect a client over the selected transport, then send `initialize` followed by the `initialized` notification.

543. Start a thread and a turn, then keep reading notifications from the active transport stream.943. Start a thread and a turn, then keep reading notifications from the active transport stream.

55 95 

56Example (Node.js / TypeScript):96Example (Node.js / TypeScript):

57 97 

58```ts98```ts

59import { spawn } from "node:child_process";99 

60import readline from "node:readline";100 

61 101 

62const proc = spawn("codex", ["app-server"], {102const proc = spawn("codex", ["app-server"], {

63 stdio: ["pipe", "pipe", "inherit"],103 stdio: ["pipe", "pipe", "inherit"],

99 },139 },

100});140});

101send({ method: "initialized", params: {} });141send({ method: "initialized", params: {} });

102send({ method: "thread/start", id: 1, params: { model: "gpt-5.1-codex" } });142send({ method: "thread/start", id: 1, params: { model: "gpt-5.4" } });

103```143```

104 144 

105## Core primitives145## Core primitives

123 163 

124Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.164Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. Requests sent before initialization receive a `Not initialized` error, and repeated `initialize` calls on the same connection return `Already initialized`.

125 165 

126The server returns the user agent string it will present to upstream services. Set `clientInfo` to identify your integration.166The server returns the user agent string it will present to upstream services plus `platformFamily` and `platformOs` values that describe the runtime target. Set `clientInfo` to identify your integration.

127 167 

128`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.168`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.

129 169 

159 },199 },

160 "capabilities": {200 "capabilities": {

161 "experimentalApi": true,201 "experimentalApi": true,

162 "optOutNotificationMethods": [202 "optOutNotificationMethods": ["thread/started", "item/agentMessage/delta"]

163 "codex/event/session_configured",

164 "item/agentMessage/delta"

165 ]

166 }203 }

167 }204 }

168}205}

200 237 

201- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.238- `thread/start` - create a new thread; emits `thread/started` and automatically subscribes you to turn/item events for that thread.

202- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.239- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

203- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.240- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread. Returned threads include `forkedFromId` when available.

204- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.241- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

205- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.242- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.

243- `thread/turns/list` - page through a stored thread's turn history without resuming it. `itemsView` controls whether turn items are omitted, summarized, or fully loaded.

244- `thread/turns/items/list` - reserved for paged turn-item loading; currently returns unsupported.

206- `thread/loaded/list` - list the thread ids currently loaded in memory.245- `thread/loaded/list` - list the thread ids currently loaded in memory.

246- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

247- `thread/goal/set` - set the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/updated`.

248- `thread/goal/get` - read the current goal for a loaded thread (experimental; requires `capabilities.experimentalApi`).

249- `thread/goal/clear` - clear the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/cleared`.

250- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.

207- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.251- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

208- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.252- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.

209- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.253- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

210- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.254- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

211- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.255- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

256- `thread/shellCommand` - run a user-initiated shell command against a thread. This runs outside the sandbox with full access and doesn't inherit the thread sandbox policy.

257- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

212- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.258- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

213- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."259- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

260- `thread/inject_items` - append raw Responses API items to a loaded thread's model-visible history without starting a user turn.

214- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.261- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

215- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.262- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

216- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.263- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

217- `command/exec` - run a single command under the server sandbox without starting a thread/turn.264- `command/exec` - run a single command under the server sandbox without starting a thread/turn.

265- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.

266- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

267- `command/exec/terminate` - stop a running `command/exec` session.

268- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.

269- `process/spawn` - start an explicit process session outside Codex's sandbox (experimental; requires `capabilities.experimentalApi`).

270- `process/writeStdin` - write stdin bytes to a running `process/spawn` session or close stdin (experimental).

271- `process/resizePty` - resize a running PTY-backed process session (experimental).

272- `process/kill` - terminate a running process session (experimental).

273- `process/outputDelta` and `process/exited` (notify) - emitted for streaming process output and process exit status (experimental).

218- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.274- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

275- `modelProvider/capabilities/read` - read provider capability bounds for model/provider combinations (experimental; requires `capabilities.experimentalApi`).

219- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.276- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

277- `experimentalFeature/enablement/set` - patch in-memory runtime settings for supported feature keys such as `apps` and `plugins`.

220- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).278- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

221- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).279- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

280- `skills/changed` (notify) - emitted when watched local skill files change.

281- `marketplace/add` - add a remote plugin marketplace and persist it into the user's marketplace config.

282- `marketplace/upgrade` - refresh a configured Git marketplace, or all configured Git marketplaces when you omit the marketplace name.

283- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.

284- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.

285- `plugin/install` - install a plugin from a marketplace path or remote marketplace name.

286- `plugin/uninstall` - uninstall an installed plugin.

222- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.287- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.

223- `skills/config/write` - enable or disable skills by path.288- `skills/config/write` - enable or disable skills by path.

224- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.289- `mcpServer/oauth/login` - start an OAuth login for a configured MCP server; returns an authorization URL and emits `mcpServer/oauthLogin/completed` on completion.

225- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.290- `tool/requestUserInput` - prompt the user with 1-3 short questions for a tool call (experimental); questions can set `isOther` for a free-form option.

226- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.291- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

227- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination).292- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

293- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

294- `mcpServer/tool/call` - call a tool on a thread's configured MCP server.

295- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread.

228- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.296- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

229- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).297- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

230- `config/read` - fetch the effective configuration on disk after resolving configuration layering.298- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

231- `externalAgentConfig/detect` - detect migratable external-agent artifacts with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).299- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

232- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).300- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home). Supported item types include config, skills, `AGENTS.md`, plugins, MCP server config, subagents, hooks, commands, and sessions; plugin imports emit `externalAgentConfig/import/completed`.

233- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.301- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

234- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.302- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

235- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).303- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

304- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.

305 

306Plugin summaries include a `source` union. Local plugins return

307`{ "type": "local", "path": ... }`, Git-backed marketplace entries return

308`{ "type": "git", "url": ..., "path": ..., "refName": ..., "sha": ... }`,

309and remote catalog entries return `{ "type": "remote" }`. For remote-only

310catalog entries, `PluginMarketplaceEntry.path` can be `null`; pass

311`remoteMarketplaceName` instead of `marketplacePath` when reading or installing

312those plugins.

236 313 

237## Models314## Models

238 315 

301## Threads378## Threads

302 379 

303- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.380- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.

304- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.381- `thread/turns/list` pages through a stored thread's turn history without

382 resuming it. Use `itemsView` to choose whether turn items are omitted,

383 summarized, or fully loaded.

384- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.

305- `thread/loaded/list` returns the thread IDs currently in memory.385- `thread/loaded/list` returns the thread IDs currently in memory.

306- `thread/archive` moves the thread's persisted JSONL log into the archived directory.386- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

307- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.387- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.

388- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.

308- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.389- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

309- `thread/compact/start` triggers compaction and returns `{}` immediately.390- `thread/compact/start` triggers compaction and returns `{}` immediately.

310- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.391- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

392- `thread/inject_items` appends raw Responses API items to a loaded thread's model-visible history without starting a user turn.

311 393 

312### Start or resume a thread394### Start or resume a thread

313 395 

315 397 

316```json398```json

317{ "method": "thread/start", "id": 10, "params": {399{ "method": "thread/start", "id": 10, "params": {

318 "model": "gpt-5.1-codex",400 "model": "gpt-5.4",

319 "cwd": "/Users/me/project",401 "cwd": "/Users/me/project",

320 "approvalPolicy": "never",402 "approvalPolicy": "never",

321 "sandbox": "workspaceWrite",403 "sandbox": "workspaceWrite",

325{ "id": 10, "result": {407{ "id": 10, "result": {

326 "thread": {408 "thread": {

327 "id": "thr_123",409 "id": "thr_123",

410 "sessionId": "thr_123",

328 "preview": "",411 "preview": "",

329 "ephemeral": false,412 "ephemeral": false,

330 "modelProvider": "openai",413 "modelProvider": "openai",

336 419 

337`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration's service name.420`serviceName` is optional. Set it when you want app-server to tag thread-level metrics with your integration's service name.

338 421 

422`thread.sessionId` identifies the current live session tree root. Root threads

423use their own thread id as the session id; forked threads keep the session id

424of the root they came from. Clients should read the session id from

425`thread.sessionId` instead of deriving it from the thread id.

426 

339To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:427To continue a stored session, call `thread/resume` with the `thread.id` you recorded earlier. The response shape matches `thread/start`. You can also pass the same configuration overrides supported by `thread/start`, such as `personality`:

340 428 

341```json429```json

354 442 

355If you resume with a different model than the one recorded in the rollout, Codex emits a warning and applies a one-time model-switch instruction on the next turn.443If you resume with a different model than the one recorded in the rollout, Codex emits a warning and applies a one-time model-switch instruction on the next turn.

356 444 

445### Manage a thread goal

446 

447`thread/goal/set`, `thread/goal/get`, and `thread/goal/clear` are experimental

448and require `capabilities.experimentalApi = true` plus the `goals` feature. Use

449them for the same persisted goal state surfaced by `/goal` in the TUI.

450 

451```json

452{ "method": "thread/goal/set", "id": 13, "params": {

453 "threadId": "thr_123",

454 "objective": "Finish the migration and keep tests green",

455 "status": "active",

456 "tokenBudget": 40000

457} }

458{ "id": 13, "result": { "goal": {

459 "threadId": "thr_123",

460 "objective": "Finish the migration and keep tests green",

461 "status": "active",

462 "tokenBudget": 40000,

463 "tokensUsed": 0,

464 "timeUsedSeconds": 0

465} } }

466{ "method": "thread/goal/updated", "params": {

467 "threadId": "thr_123",

468 "goal": {

469 "threadId": "thr_123",

470 "objective": "Finish the migration and keep tests green",

471 "status": "active",

472 "tokenBudget": 40000,

473 "tokensUsed": 0,

474 "timeUsedSeconds": 0

475 }

476} }

477```

478 

479Goal objectives must be non-empty and at most 4,000 characters. Supplying a new

480objective replaces the goal and resets usage accounting. Supplying the current

481non-terminal objective, or omitting `objective`, updates status or token budget

482while preserving usage history.

483 

357To branch from a stored session, call `thread/fork` with the `thread.id`. This creates a new thread id and emits a `thread/started` notification for it:484To branch from a stored session, call `thread/fork` with the `thread.id`. This creates a new thread id and emits a `thread/started` notification for it:

358 485 

359```json486```json

360{ "method": "thread/fork", "id": 12, "params": { "threadId": "thr_123" } }487{ "method": "thread/fork", "id": 12, "params": { "threadId": "thr_123" } }

361{ "id": 12, "result": { "thread": { "id": "thr_456" } } }488{ "id": 12, "result": { "thread": { "id": "thr_456", "sessionId": "thr_123", "forkedFromId": "thr_123" } } }

362{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }489{ "method": "thread/started", "params": { "thread": { "id": "thr_456" } } }

363```490```

364 491 

378 505 

379Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.506Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

380 507 

508### List thread turns

509 

510Use `thread/turns/list` to page a stored thread's turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.

511 

512`itemsView` controls how much turn-item data the response includes:

513 

514- `notLoaded` omits items.

515- `summary` returns summarized item data and is the default when omitted.

516- `full` returns full item data.

517 

518```json

519{ "method": "thread/turns/list", "id": 20, "params": {

520 "threadId": "thr_123",

521 "limit": 50,

522 "sortDirection": "desc",

523 "itemsView": "summary"

524} }

525{ "id": 20, "result": {

526 "data": [],

527 "nextCursor": "older-turns-cursor-or-null",

528 "backwardsCursor": "newer-turns-cursor-or-null"

529} }

530```

531 

532`thread/turns/items/list` is reserved for paged turn-item loading, but the

533current server returns an unsupported-method error.

534 

381### List threads (with pagination & filters)535### List threads (with pagination & filters)

382 536 

383`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:537`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:

389- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.543- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.

390- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).544- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).

391- `cwd` - restrict results to threads whose session current working directory exactly matches this path.545- `cwd` - restrict results to threads whose session current working directory exactly matches this path.

546- `searchTerm` - search stored thread summaries and metadata before pagination.

392 547 

393`sourceKinds` accepts the following values:548`sourceKinds` accepts the following values:

394 549 

422 577 

423When `nextCursor` is `null`, you have reached the final page.578When `nextCursor` is `null`, you have reached the final page.

424 579 

580### Update stored thread metadata

581 

582Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.

583 

584```json

585{ "method": "thread/metadata/update", "id": 21, "params": {

586 "threadId": "thr_123",

587 "gitInfo": { "branch": "feature/sidebar-pr" }

588} }

589{ "id": 21, "result": {

590 "thread": {

591 "id": "thr_123",

592 "gitInfo": { "sha": null, "branch": "feature/sidebar-pr", "originUrl": null }

593 }

594} }

595```

596 

425### Track thread status changes597### Track thread status changes

426 598 

427`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.599`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

450`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:622`thread/unsubscribe` removes the current connection's subscription to a thread. The response status is one of:

451 623 

452- `unsubscribed` when the connection was subscribed and is now removed.624- `unsubscribed` when the connection was subscribed and is now removed.

453- `notSubscribed` when the connection was not subscribed to that thread.625- `notSubscribed` when the connection wasn't subscribed to that thread.

454- `notLoaded` when the thread is not loaded.626- `notLoaded` when the thread isn't loaded.

455 627 

456If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.628If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

457 629 

458```json630```json

459{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }631{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

460{ "id": 22, "result": { "status": "unsubscribed" } }632{ "id": 22, "result": { "status": "unsubscribed" } }

633```

634 

635If the thread later expires:

636 

637```json

461{ "method": "thread/status/changed", "params": {638{ "method": "thread/status/changed", "params": {

462 "threadId": "thr_123",639 "threadId": "thr_123",

463 "status": { "type": "notLoaded" }640 "status": { "type": "notLoaded" }

498{ "id": 25, "result": {} }675{ "id": 25, "result": {} }

499```676```

500 677 

678### Run a thread shell command

679 

680Use `thread/shellCommand` for user-initiated shell commands that belong to a thread. The request returns immediately with `{}` while progress streams through standard `turn/*` and `item/*` notifications.

681 

682This API runs outside the sandbox with full access and doesn't inherit the thread sandbox policy. Clients should expose it only for explicit user-initiated commands.

683 

684If the thread already has an active turn, the command runs as an auxiliary action on that turn and its formatted output is injected into the turn's message stream. If the thread is idle, app-server starts a standalone turn for the shell command.

685 

686```json

687{ "method": "thread/shellCommand", "id": 26, "params": { "threadId": "thr_b", "command": "git status --short" } }

688{ "id": 26, "result": {} }

689```

690 

691### Clean background terminals

692 

693Use `thread/backgroundTerminals/clean` to stop all running background terminals associated with a thread. This method is experimental and requires `capabilities.experimentalApi = true`.

694 

695```json

696{ "method": "thread/backgroundTerminals/clean", "id": 27, "params": { "threadId": "thr_b" } }

697{ "id": 27, "result": {} }

698```

699 

501### Roll back recent turns700### Roll back recent turns

502 701 

503Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.702Use `thread/rollback` to remove the last `numTurns` entries from the in-memory context and persist a rollback marker in the rollout log. The returned `thread` includes `turns` populated after the rollback.

504 703 

505```json704```json

506{ "method": "thread/rollback", "id": 26, "params": { "threadId": "thr_b", "numTurns": 1 } }705{ "method": "thread/rollback", "id": 28, "params": { "threadId": "thr_b", "numTurns": 1 } }

507{ "id": 26, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }706{ "id": 28, "result": { "thread": { "id": "thr_b", "name": "Bug bash notes", "ephemeral": false } } }

508```707```

509 708 

510## Turns709## Turns

570 "writableRoots": ["/Users/me/project"],769 "writableRoots": ["/Users/me/project"],

571 "networkAccess": true770 "networkAccess": true

572 },771 },

573 "model": "gpt-5.1-codex",772 "model": "gpt-5.4",

574 "effort": "medium",773 "effort": "medium",

575 "summary": "concise",774 "summary": "concise",

576 "personality": "friendly",775 "personality": "friendly",

584{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }783{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }

585```784```

586 785 

786### Inject items into a thread

787 

788Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread's prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.

789 

790```json

791{ "method": "thread/inject_items", "id": 31, "params": {

792 "threadId": "thr_123",

793 "items": [

794 {

795 "type": "message",

796 "role": "assistant",

797 "content": [{ "type": "output_text", "text": "Previously computed context." }]

798 }

799 ]

800} }

801{ "id": 31, "result": {} }

802```

803 

587### Steer an active turn804### Steer an active turn

588 805 

589Use `turn/steer` to append more user input to the active in-flight turn.806Use `turn/steer` to append more user input to the active in-flight turn.

692 909 

693Use this notification to render the reviewer output in your client.910Use this notification to render the reviewer output in your client.

694 911 

912## Process execution

913 

914`process/*` is an experimental, explicit process-control API. It requires

915`capabilities.experimentalApi = true` and runs outside Codex's sandbox. Use it

916only when your client intentionally exposes local process control without a

917sandbox.

918 

919Start a process with `process/spawn` and provide a `processHandle`, then use

920that handle for stdin, resize, and kill requests. Output streams through

921`process/outputDelta` notifications and completion streams through

922`process/exited`.

923 

924```json

925{ "method": "process/spawn", "id": 48, "params": {

926 "command": ["python3", "-m", "pytest", "-q"],

927 "processHandle": "pytest-1",

928 "cwd": "/Users/me/project",

929 "tty": true

930} }

931{ "id": 48, "result": {} }

932{ "method": "process/outputDelta", "params": {

933 "processHandle": "pytest-1",

934 "stream": "stdout",

935 "deltaBase64": "Li4u"

936} }

937{ "method": "process/exited", "params": {

938 "processHandle": "pytest-1",

939 "exitCode": 0

940} }

941```

942 

943Use `process/writeStdin` with `deltaBase64`, `closeStdin`, or both to send

944input. Use `process/resizePty` for PTY resize events and `process/kill` to

945terminate a running process.

946 

695## Command execution947## Command execution

696 948 

697`command/exec` runs a single command (`argv` array) under the server sandbox without creating a thread.949`command/exec` runs a single command (`argv` array) under the server sandbox without creating a thread.

713- The server rejects empty `command` arrays.965- The server rejects empty `command` arrays.

714- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).966- `sandboxPolicy` accepts the same shape used by `turn/start` (for example, `dangerFullAccess`, `readOnly`, `workspaceWrite`, `externalSandbox`).

715- When omitted, `timeoutMs` falls back to the server default.967- When omitted, `timeoutMs` falls back to the server default.

968- Set `tty: true` for PTY-backed sessions, and use `processId` when you plan to follow up with `command/exec/write`, `command/exec/resize`, or `command/exec/terminate`.

969- Set `streamStdoutStderr: true` to receive `command/exec/outputDelta` notifications while the command is running.

716 970 

717### Read admin requirements (`configRequirements/read`)971### Read admin requirements (`configRequirements/read`)

718 972 

763- `elevated` - run the elevated Windows sandbox setup path.1017- `elevated` - run the elevated Windows sandbox setup path.

764- `unelevated` - run the legacy setup/preflight path.1018- `unelevated` - run the legacy setup/preflight path.

765 1019 

1020## Filesystem

1021 

1022The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.

1023 

1024```json

1025{ "method": "fs/watch", "id": 54, "params": {

1026 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

1027 "path": "/Users/me/project/.git/HEAD"

1028} }

1029{ "id": 54, "result": { "path": "/Users/me/project/.git/HEAD" } }

1030{ "method": "fs/changed", "params": {

1031 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

1032 "changedPaths": ["/Users/me/project/.git/HEAD"]

1033} }

1034{ "method": "fs/unwatch", "id": 55, "params": {

1035 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1"

1036} }

1037{ "id": 55, "result": {} }

1038```

1039 

1040Watching a file emits `fs/changed` for that file path, including updates delivered by replace or rename operations.

1041 

766## Events1042## Events

767 1043 

768Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.1044Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

773 1049 

774- Exact-match only: `item/agentMessage/delta` suppresses only that method.1050- Exact-match only: `item/agentMessage/delta` suppresses only that method.

775- Unknown method names are ignored.1051- Unknown method names are ignored.

776- Applies to both legacy (`codex/event/*`) and v2 (`thread/*`, `turn/*`, `item/*`, etc.) notifications.1052- Applies to the current `thread/*`, `turn/*`, `item/*`, and related v2 notifications.

777- Doesn't apply to requests, responses, or errors.1053- Doesn't apply to requests, responses, or errors.

778 1054 

779### Fuzzy file search events (experimental)1055### Fuzzy file search events (experimental)

833- `item/reasoning/summaryPartAdded` - marks a boundary between reasoning summary sections.1109- `item/reasoning/summaryPartAdded` - marks a boundary between reasoning summary sections.

834- `item/reasoning/textDelta` - streams raw reasoning text (when supported by the model).1110- `item/reasoning/textDelta` - streams raw reasoning text (when supported by the model).

835- `item/commandExecution/outputDelta` - streams stdout/stderr for a command; append deltas in order.1111- `item/commandExecution/outputDelta` - streams stdout/stderr for a command; append deltas in order.

836- `item/fileChange/outputDelta` - contains the tool call response of the underlying `apply_patch` tool call.1112- `item/fileChange/outputDelta` - deprecated compatibility notification for legacy `apply_patch` text output. Current app-server versions no longer emit it; use `fileChange` items and `turn/diff/updated` instead.

837 1113 

838## Errors1114## Errors

839 1115 

892 1169 

893`dynamicTools` on `thread/start` and the corresponding `item/tool/call` request or response flow are experimental APIs.1170`dynamicTools` on `thread/start` and the corresponding `item/tool/call` request or response flow are experimental APIs.

894 1171 

1172Dynamic tool names and namespace names must follow Responses API naming

1173constraints. Avoid reserved namespace names used by built-in Codex tools.

1174 

895When a dynamic tool is invoked during a turn, app-server emits:1175When a dynamic tool is invoked during a turn, app-server emits:

896 1176 

8971. `item/started` with `item.type = "dynamicToolCall"`, `status = "inProgress"`, plus `tool` and `arguments`.11771. `item/started` with `item.type = "dynamicToolCall"`, `status = "inProgress"`, plus `tool` and `arguments`.

983} }1263} }

984```1264```

985 1265 

1266The server also emits `skills/changed` notifications when watched local skill files change. Treat this as an invalidation signal and rerun `skills/list` with your current params when needed.

1267 

986To enable or disable a skill by path:1268To enable or disable a skill by path:

987 1269 

988```json1270```json

1149 1431 

1150### Detect and import external agent config1432### Detect and import external agent config

1151 1433 

1152Use `externalAgentConfig/detect` to discover migratable external-agent artifacts, then pass the selected entries to `externalAgentConfig/import`.1434Use `externalAgentConfig/detect` to discover external-agent artifacts that can be migrated, then pass the selected entries to `externalAgentConfig/import`.

1153 1435 

1154Detection example:1436Detection example:

1155 1437 

1189{ "id": 64, "result": {} }1471{ "id": 64, "result": {} }

1190```1472```

1191 1473 

1192Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, and `MCP_SERVER_CONFIG`. Detection returns only items that still have work to do. For example, AGENTS migration is skipped when `AGENTS.md` already exists and is non-empty, and skill imports do not overwrite existing skill directories.1474When a request includes plugin imports, the server emits `externalAgentConfig/import/completed` after the import finishes. This notification may arrive immediately after the response or after background remote imports complete.

1475 

1476Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, `PLUGINS`,

1477and `MCP_SERVER_CONFIG`. For `PLUGINS` items, `details.plugins` lists each

1478`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection

1479returns only items that still have work to do. For example, Codex skips AGENTS

1480migration when `AGENTS.md` already exists and is non-empty, and skill imports

1481don't overwrite existing skill directories.

1482 

1483When detecting plugins from `.claude/settings.json`, Codex reads configured

1484marketplace sources from `extraKnownMarketplaces`. If `enabledPlugins` contains

1485plugins from `claude-plugins-official` but the marketplace source is missing,

1486Codex infers `anthropics/claude-plugins-official` as the source.

1193 1487 

1194## Auth endpoints1488## Auth endpoints

1195 1489 

1196The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1490The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, inspect ChatGPT rate limits, and notify workspace owners about depleted credits or usage limits.

1197 1491 

1198### Authentication modes1492### Authentication modes

1199 1493 

1200Codex supports three authentication modes. `account/updated.authMode` shows the active mode, and `account/read` also reports it.1494Codex supports these authentication modes. `account/updated.authMode` shows the active mode and includes the current ChatGPT `planType` when available. `account/read` also reports account and plan details.

1201 1495 

1202- **API key (`apikey`)** - the caller supplies an OpenAI API key and Codex stores it for API requests.1496- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.

1203- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically.1497- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.

1204- **ChatGPT external tokens (`chatgptAuthTokens`)** - a host app supplies `idToken` and `accessToken` directly. Codex stores these tokens in memory, and the host app must refresh them when asked.1498- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user's ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.

1205 1499 

1206### API overview1500### API overview

1207 1501 

1208- `account/read` - fetch current account info; optionally refresh tokens.1502- `account/read` - fetch current account info; optionally refresh tokens.

1209- `account/login/start` - begin login (`apiKey`, `chatgpt`, or `chatgptAuthTokens`).1503- `account/login/start` - begin login (`apiKey`, `chatgpt`, `chatgptDeviceCode`, or experimental `chatgptAuthTokens`).

1210- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).1504- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).

1211- `account/login/cancel` - cancel a pending ChatGPT login by `loginId`.1505- `account/login/cancel` - cancel a pending managed ChatGPT login by `loginId`.

1212- `account/logout` - sign out; triggers `account/updated`.1506- `account/logout` - sign out; triggers `account/updated`.

1213- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`).1507- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.

1214- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.1508- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.

1215- `account/rateLimits/read` - fetch ChatGPT rate limits.1509- `account/rateLimits/read` - fetch ChatGPT rate limits.

1216- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.1510- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.

1511- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.

1217- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.1512- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.

1513- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread; payload includes `{ name, status, error }`.

1218 1514 

1219### 1) Check auth state1515### 1) Check auth state

1220 1516 

1286 ```1584 ```

1287 1585 

1288 ```json1586 ```json

1289 { "method": "account/updated", "params": { "authMode": "apikey" } }1587 {

1588 "method": "account/updated",

1589 "params": { "authMode": "apikey", "planType": null }

1590 }

1290 ```1591 ```

1291 1592 

1292### 3) Log in with ChatGPT (browser flow)1593### 3) Log in with ChatGPT (browser flow)

1318 ```1620 ```

1319 1621 

1320 ```json1622 ```json

1321 { "method": "account/updated", "params": { "authMode": "chatgpt" } }1623 {

1624 "method": "account/updated",

1625 "params": { "authMode": "chatgpt", "planType": "plus" }

1626 }

1627 ```

1628 

1629### 3b) Log in with ChatGPT (device-code flow)

1630 

1631Use this flow when your client owns the sign-in ceremony or when a browser callback is brittle.

1632 

16331. Start:

1634 

1635 ```json

1636 {

1637 "method": "account/login/start",

1638 "id": 4,

1639 "params": { "type": "chatgptDeviceCode" }

1640 }

1641 ```

1642 

1643 ```json

1644 {

1645 "id": 4,

1646 "result": {

1647 "type": "chatgptDeviceCode",

1648 "loginId": "<uuid>",

1649 "verificationUrl": "https://auth.openai.com/codex/device",

1650 "userCode": "ABCD-1234"

1651 }

1652 }

1653 ```

1654 

16552. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.

16563. Wait for notifications:

1657 

1658 ```json

1659 {

1660 "method": "account/login/completed",

1661 "params": { "loginId": "<uuid>", "success": true, "error": null }

1662 }

1663 ```

1664 

1665 ```json

1666 {

1667 "method": "account/updated",

1668 "params": { "authMode": "chatgpt", "planType": "plus" }

1669 }

1322 ```1670 ```

1323 1671 

1324### 3b) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)1672### 3c) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)

1325 1673 

1326Use this mode when a host application owns the user’s ChatGPT auth lifecycle and supplies tokens directly.1674Use this experimental mode only when a host application owns the user's ChatGPT auth lifecycle and supplies tokens directly. Clients must set `capabilities.experimentalApi = true` during `initialize` before using this login type.

1327 1675 

13281. Send:16761. Send:

1329 1677 

1333 "id": 7,1681 "id": 7,

1334 "params": {1682 "params": {

1335 "type": "chatgptAuthTokens",1683 "type": "chatgptAuthTokens",

1336 "idToken": "<jwt>",1684 "accessToken": "<jwt>",

1337 "accessToken": "<jwt>"1685 "chatgptAccountId": "org-123",

1686 "chatgptPlanType": "business"

1338 }1687 }

1339 }1688 }

1340 ```1689 ```

1355 ```json1706 ```json

1356 {1707 {

1357 "method": "account/updated",1708 "method": "account/updated",

1358 "params": { "authMode": "chatgptAuthTokens" }1709 "params": { "authMode": "chatgptAuthTokens", "planType": "business" }

1359 }1710 }

1360 ```1711 ```

1361 1712 

1367 "id": 8,1718 "id": 8,

1368 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }1719 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }

1369}1720}

1370{ "id": 8, "result": { "idToken": "<jwt>", "accessToken": "<jwt>" } }1721{ "id": 8, "result": { "accessToken": "<jwt>", "chatgptAccountId": "org-123", "chatgptPlanType": "business" } }

1371```1722```

1372 1723 

1373The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.1724The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.

1384```json1735```json

1385{ "method": "account/logout", "id": 5 }1736{ "method": "account/logout", "id": 5 }

1386{ "id": 5, "result": {} }1737{ "id": 5, "result": {} }

1387{ "method": "account/updated", "params": { "authMode": null } }1738{ "method": "account/updated", "params": { "authMode": null, "planType": null } }

1388```1739```

1389 1740 

1390### 6) Rate limits (ChatGPT)1741### 6) Rate limits (ChatGPT)

1396 "limitId": "codex",1747 "limitId": "codex",

1397 "limitName": null,1748 "limitName": null,

1398 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1749 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1399 "secondary": null1750 "secondary": null,

1751 "rateLimitReachedType": null

1400 },1752 },

1401 "rateLimitsByLimitId": {1753 "rateLimitsByLimitId": {

1402 "codex": {1754 "codex": {

1403 "limitId": "codex",1755 "limitId": "codex",

1404 "limitName": null,1756 "limitName": null,

1405 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1757 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1406 "secondary": null1758 "secondary": null,

1759 "rateLimitReachedType": null

1407 },1760 },

1408 "codex_other": {1761 "codex_other": {

1409 "limitId": "codex_other",1762 "limitId": "codex_other",

1410 "limitName": "codex_other",1763 "limitName": "codex_other",

1411 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },1764 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },

1412 "secondary": null1765 "secondary": null,

1766 "rateLimitReachedType": null

1413 }1767 }

1414 }1768 }

1415} }1769} }

1430- `usedPercent` is current usage within the quota window.1784- `usedPercent` is current usage within the quota window.

1431- `windowDurationMins` is the quota window length.1785- `windowDurationMins` is the quota window length.

1432- `resetsAt` is a Unix timestamp (seconds) for the next reset.1786- `resetsAt` is a Unix timestamp (seconds) for the next reset.

1787- `planType` is included when the server returns the ChatGPT plan associated with a bucket.

1788- `credits` is included when the server returns remaining workspace credit details.

1789- `rateLimitReachedType` identifies the server-classified limit state when one has been reached.

1790 

1791### 7) Notify a workspace owner about a limit

1792 

1793Use `account/sendAddCreditsNudgeEmail` to ask ChatGPT to email a workspace owner when credits are depleted or a usage limit has been reached.

1794 

1795```json

1796{ "method": "account/sendAddCreditsNudgeEmail", "id": 7, "params": { "creditType": "credits" } }

1797{ "id": 7, "result": { "status": "sent" } }

1798```

1799 

1800Use `creditType: "credits"` when workspace credits are depleted, or `creditType: "usage_limit"` when the workspace usage limit has been reached. If the owner was already notified recently, the response status is `cooldown_active`.

1# Automations1# Automations

2 2 

3<div class="feature-grid">

4 

5<div>

6 

3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.7Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.

4 8 

5Automations run in the background in the Codex app. The app needs to be9For project-scoped automations, the app needs to be running, and the selected

6running, and the selected project needs to be available on disk.10project needs to be available on disk.

7 11 

8In Git repositories, you can choose whether an automation runs in your local12In Git repositories, you can choose whether an automation runs in your local

9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the13project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the

15You can also leave the model and reasoning effort on their default settings, or19You can also leave the model and reasoning effort on their default settings, or

16choose them explicitly if you want more control over how the automation runs.20choose them explicitly if you want more control over how the automation runs.

17 21 

18![Automation creation form with schedule and prompt fields](/images/codex/app/codex-automations-light.webp)22</div>

23 

24<CodexScreenshot

25 alt="Automation creation form with schedule and prompt fields"

26 lightSrc="/images/codex/app/codex-automations-light.webp"

27 darkSrc="/images/codex/app/codex-automations-dark.webp"

28 maxHeight="400px"

29/>

30 

31</div>

19 32 

20## Managing tasks33## Managing tasks

21 34 

22All automations and their runs can be found in the automations pane inside your Codex app sidebar.35Find all automations and their runs in the automations pane inside your Codex app sidebar.

23 36 

24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.37The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.

25 38 

39Standalone automations start fresh runs on a schedule and report results in

40Triage. Use them when each run should be independent or when one automation

41should run across one or more projects. If you need a custom cadence, choose a

42custom schedule and enter cron syntax.

43 

26For Git repositories, each automation can run either in your local project or44For Git repositories, each automation can run either in your local project or

27on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use45on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use

28worktrees when you want to isolate automation changes from unfinished local46worktrees when you want to isolate automation changes from unfinished local

29work. Use local mode when you want the automation to work directly in your main47work. Use local mode when you want the automation to work directly in your main

30checkout, keeping in mind that it can modify files you are actively editing.48checkout, keeping in mind that it can change files you are actively editing.

31In non-version-controlled projects, automations run directly in the project49In non-version-controlled projects, automations run directly in the project

32directory. You can have the same automation run on multiple projects.50directory. You can have the same automation run on more than one project.

33 51 

34Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).52Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).

35 53 

36To keep automations maintainable and shareable across teams, you can use [skills](https://developers.openai.com/codex/skills) to define the action and provide tools and context to Codex. You can explicitly trigger a skill as part of an automation by using `$skill-name` inside your automation.54Automations can use the same plugins and skills available to Codex. To keep

55automations maintainable and shareable across teams, use [skills](https://developers.openai.com/codex/skills)

56to define the action and provide tools and context. You can explicitly trigger a

57skill as part of an automation by using `$skill-name` inside your automation.

58 

59## Ask Codex to create or update automations

60 

61You can create and update automations from a regular Codex thread. Describe the

62task, the schedule, and whether the automation should stay attached to the

63current thread or start fresh runs. Codex can draft the automation prompt, choose

64the right automation type, and update it when the scope or cadence changes.

65 

66For example, ask Codex to remind you in this thread while a deployment finishes,

67or ask it to create a standalone automation that checks a project on a recurring

68schedule.

69 

70Skills can also create or update automations. For example, a skill for

71babysitting a pull request could set up a recurring automation that checks the

72PR status with the GitHub plugin and fixes new review feedback.

73 

74## Thread automations

75 

76Thread automations are heartbeat-style recurring wake-up calls attached to the

77current thread. Use them when you want Codex to keep returning to the same

78conversation on a schedule.

79 

80Use a thread automation when the scheduled work should preserve the thread's

81context instead of starting from a new prompt each time.

82 

83Thread automations can use minute-based intervals for active follow-up loops,

84or daily and weekly schedules when you need a check-in at a specific time.

85 

86Thread automations are useful for:

87 

88- checking a long-running command until it finishes

89- polling Slack, GitHub, or another connected source when the results should

90 stay in the same thread

91- reminding Codex to continue a review loop at a fixed cadence

92- running a skill-driven workflow that uses plugins, such as checking PR status

93 and addressing new feedback

94- keeping a chat focused on an ongoing research or triage task

95 

96Use a standalone or project automation when each run should be independent,

97when it should run across more than one project, or when findings should appear

98as separate automation runs in Triage.

99 

100When you create a thread automation, make the prompt durable. It should

101describe what Codex should do each time the thread wakes up, how to decide

102whether there is anything important to report, and when to stop or ask you for

103input.

37 104 

38## Testing automations safely105## Test automations

39 106 

40Before you schedule an automation, test the prompt manually in a regular thread107Before you schedule an automation, test the prompt manually in a regular thread

41first. This helps you confirm:108first. This helps you confirm:

44- The selected or default model, reasoning effort, and tools behave as expected.111- The selected or default model, reasoning effort, and tools behave as expected.

45- The resulting diff is reviewable.112- The resulting diff is reviewable.

46 113 

47When you start scheduling runs, review the first few outputs closely and adjust114When you start scheduling runs, review the first few outputs and adjust the