OpenAI - Codex Docs Changes 2026-04-13 18:37 UTC → 2026-05-07 20:02 UTC

24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.

25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

26 26 

27In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.27In the `Auto` preset (for example, `--sandbox workspace-write --ask-for-approval on-request`), Codex can read files, make edits, and run commands in the working directory automatically.

28 28 

29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

30 30 

31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

32 32 

33## Network access [Elevated Risk](https://help.openai.com/articles/20001061)33## Network access <ElevatedRiskBadge class="ml-2" />

34 34 

35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

36 36 

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.74- Protection is recursive, so everything under those paths is read-only.

75 75 

76### Deny reads with filesystem profiles

77 

78Named permission profiles can also deny reads for exact paths or glob patterns.

79This is useful when a workspace should stay writable but specific sensitive

80files, such as local environment files, must stay unreadable:

81 

82```toml

83default_permissions = "workspace"

84 

85[permissions.workspace.filesystem]

86":project_roots" = { "." = "write", "**/*.env" = "none" }

87glob_scan_max_depth = 3

88```

89 

90Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy

91evaluates globs for local macOS and Linux command execution. On platforms that

92pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for

93unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and

94`*/*/*.env`.

95 

76### Run without approval prompts96### Run without approval prompts

77 97 

78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).98You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

83 103 

84For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

85 105 

86Set `approvals_reviewer = "guardian_subagent"` to route eligible approval reviews through the Guardian reviewer subagent instead of prompting the user directly. Admin requirements can constrain this with `allowed_approvals_reviewers`.106### Automatic approval reviews

107 

108By default, approval requests route to you:

109 

110```toml

111approvals_reviewer = "user"

112```

113 

114Automatic approval reviews apply when approvals are interactive, such as

115`approval_policy = "on-request"` or a granular approval policy. Set

116`approvals_reviewer = "auto_review"` to route eligible approval requests

117through a reviewer agent before Codex runs the request:

118 

119```toml

120approval_policy = "on-request"

121approvals_reviewer = "auto_review"

122```

123 

124The reviewer evaluates only actions that already need approval, such as sandbox

125escalations, network requests, `request_permissions` prompts, or side-effecting

126app and MCP tool calls. Actions that stay inside the sandbox continue without an

127extra review step.

128 

129The reviewer policy checks for data exfiltration, credential probing, persistent

130security weakening, and destructive actions. Low-risk and medium-risk actions

131can proceed when policy allows them. The policy denies critical-risk actions.

132High-risk actions require enough user authorization and no matching deny rule.

133Timeouts, parse failures, and review errors fail closed.

134 

135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

136is in the open-source Codex repository. Enterprises can replace its

137tenant-specific section with `guardian_policy_config` in managed requirements.

138Local `[auto_review].policy` text is also supported, but managed requirements

139take precedence. For setup details, see

140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

141 

142In the Codex app, these reviews appear as automatic review items with a status such

143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a

144risk level for the reviewed request.

145 

146Automatic review uses extra model calls, so it can add to Codex usage. Admins

147can constrain it with `allowed_approvals_reviewers`.

87 148 

88### Common sandbox and approval combinations149### Common sandbox and approval combinations

89 150 

90| Intent | Flags | Effect |151| Intent | Flags | Effect |

91| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |152| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |

92| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |153| Auto (preset) | _no flags needed_ or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

93| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |154| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

94| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |155| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |

95| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |156| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

96| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |157| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | <ElevatedRiskBadge /> No sandbox; no approvals _(not recommended)_ |

97 158 

98`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.159For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.

99 160 

100With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.161With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

101 162 

141 202 

142```bash203```bash

143# macOS204# macOS

144codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...205codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...

145# Linux206# Linux

146codex sandbox linux [--full-auto] [COMMAND]...207codex sandbox linux [--permissions-profile <name>] [COMMAND]...

208# Windows

209codex sandbox windows [--permissions-profile <name>] [COMMAND]...

147```210```

148 211 

149The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).212The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

153Codex enforces the sandbox differently depending on your OS:216Codex enforces the sandbox differently depending on your OS:

154 217 

155- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.218- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

156- **Linux** uses the `bwrap` pipeline plus `seccomp` by default. `use_legacy_landlock` is available when you need the older path. In managed proxy mode, the default `bwrap` pipeline routes egress through a proxy-only bridge and fails closed if it can’t build valid local proxy routes.219- **Linux** uses `bwrap` plus `seccomp` by default.

157- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.220- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

158 221 

159If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:222If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:

176 239 

177See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.240See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

178 241 

179When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.242When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration blocks the namespace, setuid `bwrap`, or `seccomp` operations that Codex needs.

180 243 

181In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.244In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

182 245 

246### Run Codex in Dev Containers

247 

248If your host cannot run the Linux sandbox directly, or if your organization already standardizes on containerized development, run Codex with Dev Containers and let Docker provide the outer isolation boundary. This works with Visual Studio Code Dev Containers and compatible tools.

249 

250Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.

251 

252Devcontainers provide substantial protection, but they do not prevent every

253 attack. If you run Codex with `--sandbox danger-full-access` or

254 `--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious

255 project can exfiltrate anything available inside the devcontainer, including

256 Codex credentials. Use this pattern only with trusted repositories, and

257 monitor Codex activity as you would in any other elevated environment.

258 

259The reference implementation includes:

260 

261- an Ubuntu 24.04 base image with Codex and common development tools installed;

262- an allowlist-driven firewall profile for outbound access;

263- VS Code settings and extension recommendations for reopening the workspace in a container;

264- persistent mounts for command history and Codex configuration;

265- `bubblewrap`, so Codex can still use its Linux sandbox when the container grants the needed capabilities.

266 

267To try it:

268 

2691. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).

2702. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.

2713. In VS Code, run **Dev Containers: Open Folder in Container...** and select `.devcontainer/devcontainer.secure.json`.

2724. After the container starts, open a terminal and run `codex`.

273 

274You can also start the container from the CLI:

275 

276```bash

277devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json

278```

279 

280The example has three main pieces:

281 

282- `.devcontainer/devcontainer.secure.json` controls container settings, capabilities, mounts, environment variables, and VS Code extensions.

283- `.devcontainer/Dockerfile.secure` defines the Ubuntu-based image and installed tools.

284- `.devcontainer/init-firewall.sh` applies the outbound network policy.

285 

286The reference firewall is intentionally a starting point. If you depend on domain allowlisting for isolation, implement DNS rebinding and DNS refresh protections that fit your environment, such as TTL-aware refreshes or a DNS-aware firewall.

287 

288Inside the container, choose one of these modes:

289 

290- Keep Codex's Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.

291- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.

292 

183## Version control293## Version control

184 294 

185Codex works best with a version control workflow:295Codex works best with a version control workflow:

4 4 

5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).5ChatGPT Plus, Pro, Business, Edu, and Enterprise plans include Codex. Learn more about [what's included](https://developers.openai.com/codex/pricing).

6 6 

7![Codex app for Windows showing a project sidebar, active thread, and review pane](/images/codex/windows/codex-windows-light.webp)7<PlatformSpecificContent>

8 8 <CodexScreenshot

9![Codex app window with a project sidebar, active thread, and review pane](/images/codex/app/app-screenshot-light.webp)9 slot="windows"

10 alt="Codex app for Windows showing a project sidebar, active thread, and review pane"

11 lightSrc="/images/codex/windows/codex-windows-light.webp"

12 darkSrc="/images/codex/windows/codex-windows-dark.webp"

13 variant="no-wallpaper"

14 maxHeight="300px"

15 />

16 <CodexScreenshot

17 alt="Codex app window with a project sidebar, active thread, and review pane"

18 lightSrc="/images/codex/app/app-screenshot-light.webp"

19 darkSrc="/images/codex/app/app-screenshot-dark.webp"

20 variant="no-wallpaper"

21 maxHeight="300px"

22 />

23</PlatformSpecificContent>

10 24 

11## Getting started25## Getting started

12 26 

13The Codex app is available on macOS (Apple Silicon).27The Codex app is available on macOS and Windows.

28 

29Most Codex app features are available on both platforms. Platform-specific

30exceptions are noted in the relevant docs.

14 31 

32<WorkflowSteps variant="headings">

151. Download and install the Codex app331. Download and install the Codex app

16 34 

17 Download the Codex app for Windows or macOS.35 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.

18 36 

19 [Download for macOS](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)37 <CodexAppDownloadCta client:load className="mb-4" />

20 38 

39 <div class="text-sm">

21 [Get notified for Linux](https://openai.com/form/codex-app/)40 [Get notified for Linux](https://openai.com/form/codex-app/)

41 </div>

42 

222. Open Codex and sign in432. Open Codex and sign in

23 44 

24 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.45 Once you downloaded and installed the Codex app, open it and sign in with your ChatGPT account or an OpenAI API key.

36 58 

37 You can ask Codex anything about the project or your computer in general. Here are some examples:59 You can ask Codex anything about the project or your computer in general. Here are some examples:

38 60 

39- Tell me about this project61 <ExampleGallery>

40- Build a classic Snake game in this repo.62 <ExampleTask

41- Find and fix bugs in my codebase with minimal, high-confidence changes.63 client:load

42 64 id="intro"

43 If you need more inspiration, check out the [explore section](https://developers.openai.com/codex/explore).65 prompt="Tell me about this project"

66 iconName="brain"

67 />

68 <ExampleTask

69 client:load

70 id="snake-game"

71 shortDescription="Build a classic Snake game in this repo."

72 prompt={[

73 "Build a classic Snake game in this repo.",

74 "",

75 "Scope & constraints:",

76 "- Implement ONLY the classic Snake loop: grid movement, growing snake, food spawn, score, game-over, restart.",

77 "- Reuse existing project tooling/frameworks; do NOT add new dependencies unless truly required.",

78 "- Keep UI minimal and consistent with the repo’s existing styles (no new design systems, no extra animations).",

79 "",

80 "Implementation plan:",

81 "1) Inspect the repo to find the right place to add a small interactive game (existing pages/routes/components).",

82 "2) Implement game state (snake positions, direction, food, score, tick timer) with deterministic, testable logic.",

83 "3) Render: simple grid + snake + food; support keyboard controls (arrow keys/WASD) and on-screen controls if mobile is present in the repo.",

84 "4) Add basic tests for the core game logic (movement, collisions, growth, food placement) if the repo has a test runner.",

85 "",

86 "Deliverables:",

87 "- A small set of files/changes with clear names.",

88 "- Short run instructions (how to start dev server + where to navigate).",

89 "- A brief checklist of what to manually verify (controls, pause/restart, boundaries).",

90 ].join("\n")}

91 iconName="gamepad"

92 />

93 <ExampleTask

94 client:load

95 id="fix-bugs"

96 shortDescription="Find and fix bugs in my codebase with minimal, high-confidence changes."

97 prompt={[

98 "Find and fix bugs in my codebase with minimal, high-confidence changes.",

99 "",

100 "Method (grounded + disciplined):",

101 "1) Reproduce: run tests/lint/build (or follow the existing repo scripts). If I provided an error, reproduce that exact failure.",

102 "2) Localize: identify the smallest set of files/lines involved (stack traces, failing tests, logs).",

103 "3) Fix: implement the minimal change that resolves the issue without refactors or unrelated cleanup.",

104 "4) Prove: add/update a focused test (or a tight repro) that fails before and passes after.",

105 "",

106 "Constraints:",

107 "- Do NOT invent errors or pretend to run commands you cannot run.",

108 "- No scope drift: no new features, no UI embellishments, no style overhauls.",

109 "- If information is missing, state what you can confirm from the repo and what remains unknown.",

110 "",

111 "Output:",

112 "- Summary (3–6 sentences max): what was broken, why, and the fix.",

113 "- Then ≤5 bullets: What changed, Where (paths), Evidence (tests/logs), Risks, Next steps.",

114 ].join("\n")}

115 iconName="search"

116 />

117 </ExampleGallery>

118 

119 If you need more inspiration, explore [Codex use cases](https://developers.openai.com/codex/use-cases).

44 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).120 If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

45 121 

122</WorkflowSteps>

123 

46---124---

47 125 

48## Work with the Codex app126## Work with the Codex app

49 127 

50[### Multitask across projects128<BentoContainer class="mt-6">

129 <BentoContent href="/codex/app/features#multitask-across-projects">

130 

131### Multitask across projects

132 

133Run project threads side by side and switch between them quickly.

134 

135 </BentoContent>

136 <BentoContent href="/codex/app/worktrees">

137 

138### Worktrees

139 

140Keep parallel code changes isolated with built-in Git worktree support.

141 

142 </BentoContent>

143 <BentoContent href="/codex/app/computer-use">

144 

145### Computer use

146 

147Let Codex use macOS apps for GUI tasks, browser flows, and native app testing.

148 

149 </BentoContent>

150 <BentoContent href="/codex/app/review">

151 

152### Review and ship changes

153 

154Inspect diffs, address PR feedback, stage files, commit, and push.

155 

156 </BentoContent>

157 <BentoContent href="/codex/app/features#integrated-terminal">

158 

159### Terminal and actions

160 

161Run commands in each thread and launch repeatable project actions.

162 

163 </BentoContent>

164 <BentoContent href="/codex/app/browser">

165 

166### In-app browser

167 

168Open rendered pages, leave comments, or let Codex operate local browser flows.

169 

170 </BentoContent>

171 <BentoContent href="/codex/app/chrome-extension">

172 

173### Chrome extension

174 

175Add the Chrome plugin so Codex can use Chrome for signed-in browser tasks while you manage website approvals.

176 

177 </BentoContent>

178 <BentoContent href="/codex/app/features#image-generation">

179 

180### Image generation

181 

182Generate or edit images in a thread while you work on the surrounding code and assets.

183 

184 </BentoContent>

185 <BentoContent href="/codex/app/automations">

186 

187### Automations

188 

189Schedule recurring tasks, or wake up the same thread for ongoing checks.

190 

191 </BentoContent>

192 <BentoContent href="/codex/app/features#skills-support">

193 

194### Skills

195 

196Reuse instructions and workflows across the app, CLI, and IDE Extension.

197 

198 </BentoContent>

199 <BentoContent href="/codex/app/features#richer-outputs-and-artifacts">

51 200 

52Run multiple tasks in parallel and switch quickly between them.](https://developers.openai.com/codex/app/features#multitask-across-projects)[### Built-in Git tools201### Sidebar and artifacts

53 202 

54Review diffs, comment inline, stage or revert chunks, and commit without leaving the app.](https://developers.openai.com/codex/app/features#built-in-git-tools)[### Worktrees for parallel tasks203Follow plans, sources, task summaries, and generated file previews.

55 204 

56Isolate changes of multiple Codex threads using built-in Git worktree support.](https://developers.openai.com/codex/app/worktrees)[### Skills support205 </BentoContent>

206 <BentoContent href="/codex/plugins">

57 207 

58Give your Codex agent additional capabilities and reuse skills across App, CLI, and IDE Extension.](https://developers.openai.com/codex/app/features#skills-support)[### Automations208### Plugins

59 209 

60Pair skills with automations to automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives runs if there’s nothing to report.](https://developers.openai.com/codex/app/automations)[### Built-in terminal210Connect apps, skills, and MCP servers to extend what Codex can do.

61 211 

62Open a terminal per thread to test your changes, run dev servers, scripts, and custom commands.](https://developers.openai.com/codex/app/features#integrated-terminal)[### Local environments212 </BentoContent>

213 <BentoContent href="/codex/app/features#sync-with-the-ide-extension">

63 214 

64Define worktree setup scripts and common project actions for easy access.](https://developers.openai.com/codex/app/local-environments)[### Sync with the IDE extension215### IDE Extension sync

65 216 

66Share Auto Context and active threads across app and IDE sessions.](https://developers.openai.com/codex/app/features#sync-with-the-ide-extension)[### MCP support217Share Auto Context and active threads across app and IDE sessions.

67 218 

68Connect your Codex agent to additional services using MCP.](https://developers.openai.com/codex/app/features#mcp-support)219 </BentoContent>

220</BentoContainer>

69 221 

70---222---

71 223 

3Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.3Codex app-server is the interface Codex uses to power rich clients (for example, the Codex VS Code extension). Use it when you want a deep integration inside your own product: authentication, conversation history, approvals, and streamed agent events. The app-server implementation is open source in the Codex GitHub repository ([openai/codex/codex-rs/app-server](https://github.com/openai/codex/tree/main/codex-rs/app-server)). See the [Open Source](https://developers.openai.com/codex/open-source) page for the full list of open-source Codex components.

4 4 

5If you are automating jobs or running Codex in CI, use the5If you are automating jobs or running Codex in CI, use the

6[Codex SDK](https://developers.openai.com/codex/sdk) instead.6 <a href="/codex/sdk">Codex SDK</a> instead.

7 7 

8## Protocol8## Protocol

9 9 

12Supported transports:12Supported transports:

13 13 

14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).

15- `websocket` (`--listen ws://IP:PORT`, experimental): one JSON-RPC message per WebSocket text frame.15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one JSON-RPC message per WebSocket text frame.

16- `off` (`--listen off`): don't expose a local transport.

17 

18When you run with `--listen ws://IP:PORT`, the same listener also serves basic HTTP health probes:

19 

20- `GET /readyz` returns `200 OK` once the listener accepts new connections.

21- `GET /healthz` returns `200 OK` when the request doesn't include an `Origin` header.

22- Requests with an `Origin` header are rejected with `403 Forbidden`.

23 

24WebSocket transport is experimental and unsupported. Loopback listeners such as `ws://127.0.0.1:PORT` are appropriate for localhost and SSH port-forwarding workflows. Non-loopback WebSocket listeners currently allow unauthenticated connections by default during rollout, so configure WebSocket auth before exposing one remotely.

25 

26Supported WebSocket auth flags:

27 

28- `--ws-auth capability-token --ws-token-file /absolute/path`

29- `--ws-auth capability-token --ws-token-sha256 HEX`

30- `--ws-auth signed-bearer-token --ws-shared-secret-file /absolute/path`

31 

32For signed bearer tokens, you can also set `--ws-issuer`, `--ws-audience`, and `--ws-max-clock-skew-seconds`. Clients present the credential as `Authorization: Bearer <token>` during the WebSocket handshake, and app-server enforces auth before JSON-RPC `initialize`.

33 

34Prefer `--ws-token-file` over passing raw bearer tokens on the command line. Use `--ws-token-sha256` only when the client keeps the raw high-entropy token in a separate local secret store; the hash is only a verifier, and clients still need the original token.

16 35 

17In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.36In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.

18 37 

56Example (Node.js / TypeScript):75Example (Node.js / TypeScript):

57 76 

58```ts77```ts

59import { spawn } from "node:child_process";78 

60import readline from "node:readline";79 

61 80 

62const proc = spawn("codex", ["app-server"], {81const proc = spawn("codex", ["app-server"], {

63 stdio: ["pipe", "pipe", "inherit"],82 stdio: ["pipe", "pipe", "inherit"],

199- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.218- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

200- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.219- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.

201- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.220- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

202- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.221- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.

222- `thread/turns/list` - page through a stored thread's turn history without resuming it.

203- `thread/loaded/list` - list the thread ids currently loaded in memory.223- `thread/loaded/list` - list the thread ids currently loaded in memory.

204- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.224- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

225- `thread/goal/set` - set the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/updated`.

226- `thread/goal/get` - read the current goal for a loaded thread (experimental; requires `capabilities.experimentalApi`).

227- `thread/goal/clear` - clear the goal for a loaded thread (experimental; requires `capabilities.experimentalApi`); emits `thread/goal/cleared`.

228- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.

205- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.229- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

206- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.230- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.

207- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.231- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

208- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.232- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

209- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.233- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

211- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).235- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

212- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.236- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

213- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."237- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

238- `thread/inject_items` - append raw Responses API items to a loaded thread's model-visible history without starting a user turn.

214- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.239- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

215- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.240- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

216- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.241- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

218- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.243- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.

219- `command/exec/resize` - resize a running PTY-backed `command/exec` session.244- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

220- `command/exec/terminate` - stop a running `command/exec` session.245- `command/exec/terminate` - stop a running `command/exec` session.

246- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.

221- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.247- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

248- `modelProvider/capabilities/read` - read provider capability bounds for model/provider combinations (experimental; requires `capabilities.experimentalApi`).

222- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.249- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

250- `experimentalFeature/enablement/set` - patch in-memory runtime enablement for supported feature keys such as `apps` and `plugins`.

223- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).251- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

224- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).252- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

225- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace errors, featured plugin ids, and the development-only `forceRemoteSync` option.253- `skills/changed` (notify) - emitted when watched local skill files change.

226- `plugin/read` - read one plugin by marketplace path and plugin name, including bundled skills, apps, and MCP server names.254- `marketplace/add` - add a remote plugin marketplace and persist it into the user's marketplace config.

227- `plugin/install` - install a plugin from a marketplace path.255- `marketplace/upgrade` - refresh a configured Git marketplace, or all configured Git marketplaces when you omit the marketplace name.

256- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.

257- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.

258- `plugin/install` - install a plugin from a marketplace path or remote marketplace name.

228- `plugin/uninstall` - uninstall an installed plugin.259- `plugin/uninstall` - uninstall an installed plugin.

229- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.260- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.

230- `skills/config/write` - enable or disable skills by path.261- `skills/config/write` - enable or disable skills by path.

233- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.264- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

234- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.265- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

235- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.266- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

267- `mcpServer/tool/call` - call a tool on a thread's configured MCP server.

268- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread.

236- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.269- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

237- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).270- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

238- `config/read` - fetch the effective configuration on disk after resolving configuration layering.271- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

239- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).272- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

240- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).273- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home). Supported item types include config, skills, `AGENTS.md`, plugins, MCP server config, subagents, hooks, commands, and sessions; plugin imports emit `externalAgentConfig/import/completed`.

241- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.274- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

242- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.275- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

243- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).276- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

244- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, and `fs/copy` - operate on absolute filesystem paths through the app-server v2 filesystem API.277- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.

278 

279Plugin summaries include a `source` union. Local plugins return

280`{ "type": "local", "path": ... }`, Git-backed marketplace entries return

281`{ "type": "git", "url": ..., "path": ..., "refName": ..., "sha": ... }`,

282and remote catalog entries return `{ "type": "remote" }`. For remote-only

283catalog entries, `PluginMarketplaceEntry.path` can be `null`; pass

284`remoteMarketplaceName` instead of `marketplacePath` when reading or installing

285those plugins.

245 286 

246## Models287## Models

247 288 

310## Threads351## Threads

311 352 

312- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.353- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.

313- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.354- `thread/turns/list` pages through a stored thread's turn history without resuming it.

355- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.

314- `thread/loaded/list` returns the thread IDs currently in memory.356- `thread/loaded/list` returns the thread IDs currently in memory.

315- `thread/archive` moves the thread's persisted JSONL log into the archived directory.357- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

316- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.358- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.

359- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.

317- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.360- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

318- `thread/compact/start` triggers compaction and returns `{}` immediately.361- `thread/compact/start` triggers compaction and returns `{}` immediately.

319- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.362- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

363- `thread/inject_items` appends raw Responses API items to a loaded thread's model-visible history without starting a user turn.

320 364 

321### Start or resume a thread365### Start or resume a thread

322 366 

387 431 

388Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.432Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

389 433 

434### List thread turns

435 

436Use `thread/turns/list` to page a stored thread's turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.

437 

438```json

439{ "method": "thread/turns/list", "id": 20, "params": {

440 "threadId": "thr_123",

441 "limit": 50,

442 "sortDirection": "desc"

443} }

444{ "id": 20, "result": {

445 "data": [],

446 "nextCursor": "older-turns-cursor-or-null",

447 "backwardsCursor": "newer-turns-cursor-or-null"

448} }

449```

450 

390### List threads (with pagination & filters)451### List threads (with pagination & filters)

391 452 

392`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:453`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:

398- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.459- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.

399- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).460- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).

400- `cwd` - restrict results to threads whose session current working directory exactly matches this path.461- `cwd` - restrict results to threads whose session current working directory exactly matches this path.

462- `searchTerm` - search stored thread summaries and metadata before pagination.

401 463 

402`sourceKinds` accepts the following values:464`sourceKinds` accepts the following values:

403 465 

431 493 

432When `nextCursor` is `null`, you have reached the final page.494When `nextCursor` is `null`, you have reached the final page.

433 495 

496### Update stored thread metadata

497 

498Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.

499 

500```json

501{ "method": "thread/metadata/update", "id": 21, "params": {

502 "threadId": "thr_123",

503 "gitInfo": { "branch": "feature/sidebar-pr" }

504} }

505{ "id": 21, "result": {

506 "thread": {

507 "id": "thr_123",

508 "gitInfo": { "sha": null, "branch": "feature/sidebar-pr", "originUrl": null }

509 }

510} }

511```

512 

434### Track thread status changes513### Track thread status changes

435 514 

436`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.515`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

462- `notSubscribed` when the connection wasn't subscribed to that thread.541- `notSubscribed` when the connection wasn't subscribed to that thread.

463- `notLoaded` when the thread isn't loaded.542- `notLoaded` when the thread isn't loaded.

464 543 

465If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.544If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

466 545 

467```json546```json

468{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }547{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

469{ "id": 22, "result": { "status": "unsubscribed" } }548{ "id": 22, "result": { "status": "unsubscribed" } }

549```

550 

551If the thread later expires:

552 

553```json

470{ "method": "thread/status/changed", "params": {554{ "method": "thread/status/changed", "params": {

471 "threadId": "thr_123",555 "threadId": "thr_123",

472 "status": { "type": "notLoaded" }556 "status": { "type": "notLoaded" }

615{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }699{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }

616```700```

617 701 

702### Inject items into a thread

703 

704Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread's prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.

705 

706```json

707{ "method": "thread/inject_items", "id": 31, "params": {

708 "threadId": "thr_123",

709 "items": [

710 {

711 "type": "message",

712 "role": "assistant",

713 "content": [{ "type": "output_text", "text": "Previously computed context." }]

714 }

715 ]

716} }

717{ "id": 31, "result": {} }

718```

719 

618### Steer an active turn720### Steer an active turn

619 721 

620Use `turn/steer` to append more user input to the active in-flight turn.722Use `turn/steer` to append more user input to the active in-flight turn.

796- `elevated` - run the elevated Windows sandbox setup path.898- `elevated` - run the elevated Windows sandbox setup path.

797- `unelevated` - run the legacy setup/preflight path.899- `unelevated` - run the legacy setup/preflight path.

798 900 

901## Filesystem

902 

903The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.

904 

905```json

906{ "method": "fs/watch", "id": 54, "params": {

907 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

908 "path": "/Users/me/project/.git/HEAD"

909} }

910{ "id": 54, "result": { "path": "/Users/me/project/.git/HEAD" } }

911{ "method": "fs/changed", "params": {

912 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

913 "changedPaths": ["/Users/me/project/.git/HEAD"]

914} }

915{ "method": "fs/unwatch", "id": 55, "params": {

916 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1"

917} }

918{ "id": 55, "result": {} }

919```

920 

921Watching a file emits `fs/changed` for that file path, including updates delivered by replace or rename operations.

922 

799## Events923## Events

800 924 

801Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.925Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

1016} }1141} }

1017```1142```

1018 1143 

1144The server also emits `skills/changed` notifications when watched local skill files change. Treat this as an invalidation signal and rerun `skills/list` with your current params when needed.

1145 

1019To enable or disable a skill by path:1146To enable or disable a skill by path:

1020 1147 

1021```json1148```json

1222{ "id": 64, "result": {} }1349{ "id": 64, "result": {} }

1223```1350```

1224 1351 

1225Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, and `MCP_SERVER_CONFIG`. Detection returns only items that still have work to do. For example, AGENTS migration is skipped when `AGENTS.md` already exists and is non-empty, and skill imports don’t overwrite existing skill directories.1352When a request includes plugin imports, the server emits `externalAgentConfig/import/completed` after the import finishes. This notification may arrive immediately after the response or after background remote imports complete.

1353 

1354Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, `PLUGINS`,

1355and `MCP_SERVER_CONFIG`. For `PLUGINS` items, `details.plugins` lists each

1356`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection

1357returns only items that still have work to do. For example, Codex skips AGENTS

1358migration when `AGENTS.md` already exists and is non-empty, and skill imports

1359don't overwrite existing skill directories.

1360 

1361When detecting plugins from `.claude/settings.json`, Codex reads configured

1362marketplace sources from `extraKnownMarketplaces`. If `enabledPlugins` contains

1363plugins from `claude-plugins-official` but the marketplace source is missing,

1364Codex infers `anthropics/claude-plugins-official` as the source.

1226 1365 

1227## Auth endpoints1366## Auth endpoints

1228 1367 

1229The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1368The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, inspect ChatGPT rate limits, and notify workspace owners about depleted credits or usage limits.

1230 1369 

1231### Authentication modes1370### Authentication modes

1232 1371 

1233Codex supports three authentication modes. `account/updated.authMode` shows the active mode, and `account/read` also reports it.1372Codex supports these authentication modes. `account/updated.authMode` shows the active mode and includes the current ChatGPT `planType` when available. `account/read` also reports account and plan details.

1234 1373 

1235- **API key (`apikey`)** - the caller supplies an OpenAI API key and Codex stores it for API requests.1374- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.

1236- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically.1375- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.

1237- **ChatGPT external tokens (`chatgptAuthTokens`)** - a host app supplies `idToken` and `accessToken` directly. Codex stores these tokens in memory, and the host app must refresh them when asked.1376- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user's ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.

1238 1377 

1239### API overview1378### API overview

1240 1379 

1241- `account/read` - fetch current account info; optionally refresh tokens.1380- `account/read` - fetch current account info; optionally refresh tokens.

1242- `account/login/start` - begin login (`apiKey`, `chatgpt`, or `chatgptAuthTokens`).1381- `account/login/start` - begin login (`apiKey`, `chatgpt`, `chatgptDeviceCode`, or experimental `chatgptAuthTokens`).

1243- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).1382- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).

1244- `account/login/cancel` - cancel a pending ChatGPT login by `loginId`.1383- `account/login/cancel` - cancel a pending managed ChatGPT login by `loginId`.

1245- `account/logout` - sign out; triggers `account/updated`.1384- `account/logout` - sign out; triggers `account/updated`.

1246- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`).1385- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.

1247- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.1386- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.

1248- `account/rateLimits/read` - fetch ChatGPT rate limits.1387- `account/rateLimits/read` - fetch ChatGPT rate limits.

1249- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.1388- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.

1389- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.

1250- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.1390- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.

1391- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread; payload includes `{ name, status, error }`.

1251 1392 

1252### 1) Check auth state1393### 1) Check auth state

1253 1394 

1319 ```1462 ```

1320 1463 

1321 ```json1464 ```json

1322 { "method": "account/updated", "params": { "authMode": "apikey" } }1465 {

1466 "method": "account/updated",

1467 "params": { "authMode": "apikey", "planType": null }

1468 }

1323 ```1469 ```

1324 1470 

1325### 3) Log in with ChatGPT (browser flow)1471### 3) Log in with ChatGPT (browser flow)

1351 ```1498 ```

1352 1499 

1353 ```json1500 ```json

1354 { "method": "account/updated", "params": { "authMode": "chatgpt" } }1501 {

1502 "method": "account/updated",

1503 "params": { "authMode": "chatgpt", "planType": "plus" }

1504 }

1355 ```1505 ```

1356 1506 

1357### 3b) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)1507### 3b) Log in with ChatGPT (device-code flow)

1358 1508 

1359Use this mode when a host application owns the user’s ChatGPT auth lifecycle and supplies tokens directly.1509Use this flow when your client owns the sign-in ceremony or when a browser callback is brittle.

1510 

15111. Start:

1512 

1513 ```json

1514 {

1515 "method": "account/login/start",

1516 "id": 4,

1517 "params": { "type": "chatgptDeviceCode" }

1518 }

1519 ```

1520 

1521 ```json

1522 {

1523 "id": 4,

1524 "result": {

1525 "type": "chatgptDeviceCode",

1526 "loginId": "<uuid>",

1527 "verificationUrl": "https://auth.openai.com/codex/device",

1528 "userCode": "ABCD-1234"

1529 }

1530 }

1531 ```

1532 

15332. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.

15343. Wait for notifications:

1535 

1536 ```json

1537 {

1538 "method": "account/login/completed",

1539 "params": { "loginId": "<uuid>", "success": true, "error": null }

1540 }

1541 ```

1542 

1543 ```json

1544 {

1545 "method": "account/updated",

1546 "params": { "authMode": "chatgpt", "planType": "plus" }

1547 }

1548 ```

1549 

1550### 3c) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)

1551 

1552Use this experimental mode only when a host application owns the user's ChatGPT auth lifecycle and supplies tokens directly. Clients must set `capabilities.experimentalApi = true` during `initialize` before using this login type.

1360 1553 

13611. Send:15541. Send:

1362 1555 

1366 "id": 7,1559 "id": 7,

1367 "params": {1560 "params": {

1368 "type": "chatgptAuthTokens",1561 "type": "chatgptAuthTokens",

1369 "idToken": "<jwt>",1562 "accessToken": "<jwt>",

1370 "accessToken": "<jwt>"1563 "chatgptAccountId": "org-123",

1564 "chatgptPlanType": "business"

1371 }1565 }

1372 }1566 }

1373 ```1567 ```

1388 ```json1584 ```json

1389 {1585 {

1390 "method": "account/updated",1586 "method": "account/updated",

1391 "params": { "authMode": "chatgptAuthTokens" }1587 "params": { "authMode": "chatgptAuthTokens", "planType": "business" }

1392 }1588 }

1393 ```1589 ```

1394 1590 

1400 "id": 8,1596 "id": 8,

1401 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }1597 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }

1402}1598}

1403{ "id": 8, "result": { "idToken": "<jwt>", "accessToken": "<jwt>" } }1599{ "id": 8, "result": { "accessToken": "<jwt>", "chatgptAccountId": "org-123", "chatgptPlanType": "business" } }

1404```1600```

1405 1601 

1406The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.1602The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.

1417```json1613```json

1418{ "method": "account/logout", "id": 5 }1614{ "method": "account/logout", "id": 5 }

1419{ "id": 5, "result": {} }1615{ "id": 5, "result": {} }

1420{ "method": "account/updated", "params": { "authMode": null } }1616{ "method": "account/updated", "params": { "authMode": null, "planType": null } }

1421```1617```

1422 1618 

1423### 6) Rate limits (ChatGPT)1619### 6) Rate limits (ChatGPT)

1429 "limitId": "codex",1625 "limitId": "codex",

1430 "limitName": null,1626 "limitName": null,

1431 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1627 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1432 "secondary": null1628 "secondary": null,

1629 "rateLimitReachedType": null

1433 },1630 },

1434 "rateLimitsByLimitId": {1631 "rateLimitsByLimitId": {

1435 "codex": {1632 "codex": {

1436 "limitId": "codex",1633 "limitId": "codex",

1437 "limitName": null,1634 "limitName": null,

1438 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1635 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1439 "secondary": null1636 "secondary": null,

1637 "rateLimitReachedType": null

1440 },1638 },

1441 "codex_other": {1639 "codex_other": {

1442 "limitId": "codex_other",1640 "limitId": "codex_other",

1443 "limitName": "codex_other",1641 "limitName": "codex_other",

1444 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },1642 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },

1445 "secondary": null1643 "secondary": null,

1644 "rateLimitReachedType": null

1446 }1645 }

1447 }1646 }

1448} }1647} }

1463- `usedPercent` is current usage within the quota window.1662- `usedPercent` is current usage within the quota window.

1464- `windowDurationMins` is the quota window length.1663- `windowDurationMins` is the quota window length.

1465- `resetsAt` is a Unix timestamp (seconds) for the next reset.1664- `resetsAt` is a Unix timestamp (seconds) for the next reset.

1665- `planType` is included when the backend returns the ChatGPT plan associated with a bucket.

1666- `credits` is included when the backend returns remaining workspace credit details.

1667- `rateLimitReachedType` identifies the backend-classified limit state when one has been reached.

1668 

1669### 7) Notify a workspace owner about a limit

1670 

1671Use `account/sendAddCreditsNudgeEmail` to ask ChatGPT to email a workspace owner when credits are depleted or a usage limit has been reached.

1672 

1673```json

1674{ "method": "account/sendAddCreditsNudgeEmail", "id": 7, "params": { "creditType": "credits" } }

1675{ "id": 7, "result": { "status": "sent" } }

1676```

1677 

1678Use `creditType: "credits"` when workspace credits are depleted, or `creditType: "usage_limit"` when the workspace usage limit has been reached. If the owner was already notified recently, the response status is `cooldown_active`.

1# Automations1# Automations

2 2 

3<div class="feature-grid">

4 

5<div>

6 

3Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.7Automate recurring tasks in the background. Codex adds findings to the inbox, or automatically archives the task if there's nothing to report. You can combine automations with [skills](https://developers.openai.com/codex/skills) for more complex tasks.

4 8 

5Automations run in the background in the Codex app. The app needs to be9For project-scoped automations, the app needs to be running, and the selected

6running, and the selected project needs to be available on disk.10project needs to be available on disk.

7 11 

8In Git repositories, you can choose whether an automation runs in your local12In Git repositories, you can choose whether an automation runs in your local

9project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the13project or on a new [worktree](https://developers.openai.com/codex/app/worktrees). Both options run in the

15You can also leave the model and reasoning effort on their default settings, or19You can also leave the model and reasoning effort on their default settings, or

16choose them explicitly if you want more control over how the automation runs.20choose them explicitly if you want more control over how the automation runs.

17 21 

18![Automation creation form with schedule and prompt fields](/images/codex/app/codex-automations-light.webp)22</div>

23 

24<CodexScreenshot

25 alt="Automation creation form with schedule and prompt fields"

26 lightSrc="/images/codex/app/codex-automations-light.webp"

27 darkSrc="/images/codex/app/codex-automations-dark.webp"

28 maxHeight="400px"

29/>

30 

31</div>

19 32 

20## Managing tasks33## Managing tasks

21 34 

22All automations and their runs can be found in the automations pane inside your Codex app sidebar.35Find all automations and their runs in the automations pane inside your Codex app sidebar.

23 36 

24The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.37The "Triage" section acts as your inbox. Automation runs with findings show up there, and you can filter your inbox to show all automation runs or only unread ones.

25 38 

39Standalone automations start fresh runs on a schedule and report results in

40Triage. Use them when each run should be independent or when one automation

41should run across one or more projects. If you need a custom cadence, choose a

42custom schedule and enter cron syntax.

43 

26For Git repositories, each automation can run either in your local project or44For Git repositories, each automation can run either in your local project or

27on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use45on a dedicated background [worktree](https://developers.openai.com/codex/app/features#worktree-support). Use

28worktrees when you want to isolate automation changes from unfinished local46worktrees when you want to isolate automation changes from unfinished local

29work. Use local mode when you want the automation to work directly in your main47work. Use local mode when you want the automation to work directly in your main

30checkout, keeping in mind that it can modify files you are actively editing.48checkout, keeping in mind that it can change files you are actively editing.

31In non-version-controlled projects, automations run directly in the project49In non-version-controlled projects, automations run directly in the project

32directory. You can have the same automation run on multiple projects.50directory. You can have the same automation run on more than one project.

33 51 

34Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).52Automations use your default sandbox settings. In read-only mode, tool calls fail if they require modifying files, network access, or working with apps on your computer. With full access enabled, background automations carry elevated risk. You can adjust sandbox settings in [Settings](https://developers.openai.com/codex/app/settings) and selectively allowlist commands with [rules](https://developers.openai.com/codex/rules).

35 53 

36To keep automations maintainable and shareable across teams, you can use [skills](https://developers.openai.com/codex/skills) to define the action and provide tools and context to Codex. You can explicitly trigger a skill as part of an automation by using `$skill-name` inside your automation.54Automations can use the same plugins and skills available to Codex. To keep

55automations maintainable and shareable across teams, use [skills](https://developers.openai.com/codex/skills)

56to define the action and provide tools and context. You can explicitly trigger a

57skill as part of an automation by using `$skill-name` inside your automation.

58 

59## Ask Codex to create or update automations

60 

61You can create and update automations from a regular Codex thread. Describe the

62task, the schedule, and whether the automation should stay attached to the

63current thread or start fresh runs. Codex can draft the automation prompt, choose

64the right automation type, and update it when the scope or cadence changes.

65 

66For example, ask Codex to remind you in this thread while a deployment finishes,

67or ask it to create a standalone automation that checks a project on a recurring

68schedule.

69 

70Skills can also create or update automations. For example, a skill for

71babysitting a pull request could set up a recurring automation that checks the

72PR status with the GitHub plugin and fixes new review feedback.

73 

74## Thread automations

75 

76Thread automations are heartbeat-style recurring wake-up calls attached to the

77current thread. Use them when you want Codex to keep returning to the same

78conversation on a schedule.

79 

80Use a thread automation when the scheduled work should preserve the thread's

81context instead of starting from a new prompt each time.

82 

83Thread automations can use minute-based intervals for active follow-up loops,

84or daily and weekly schedules when you need a check-in at a specific time.

85 

86Thread automations are useful for:

87 

88- checking a long-running command until it finishes

89- polling Slack, GitHub, or another connected source when the results should

90 stay in the same thread

91- reminding Codex to continue a review loop at a fixed cadence

92- running a skill-driven workflow that uses plugins, such as checking PR status

93 and addressing new feedback

94- keeping a chat focused on an ongoing research or triage task

95 

96Use a standalone or project automation when each run should be independent,

97when it should run across more than one project, or when findings should appear

98as separate automation runs in Triage.

99 

100When you create a thread automation, make the prompt durable. It should

101describe what Codex should do each time the thread wakes up, how to decide

102whether there is anything important to report, and when to stop or ask you for

103input.

37 104 

38## Testing automations safely105## Test automations

39 106 

40Before you schedule an automation, test the prompt manually in a regular thread107Before you schedule an automation, test the prompt manually in a regular thread

41first. This helps you confirm:108first. This helps you confirm:

44- The selected or default model, reasoning effort, and tools behave as expected.111- The selected or default model, reasoning effort, and tools behave as expected.

45- The resulting diff is reviewable.112- The resulting diff is reviewable.

46 113 

47When you start scheduling runs, review the first few outputs closely and adjust114When you start scheduling runs, review the first few outputs and adjust the

48the prompt or cadence as needed.115prompt or cadence as needed.

49 116 

50## Worktree cleanup for automations117## Worktree cleanup for automations

51 118 

55 122 

56## Permissions and security model123## Permissions and security model

57 124 

58Automations are designed to run unattended and use your default sandbox125Automations run unattended and use your default sandbox settings.

59settings.

60 126 

61- If your sandbox mode is **read-only**, tool calls fail if they require127- If your sandbox mode is **read-only**, tool calls fail if they require

62 modifying files, accessing network, or working with apps on your computer.128 modifying files, accessing network, or working with apps on your computer.

66 on your computer. You can selectively allowlist commands to run outside the132 on your computer. You can selectively allowlist commands to run outside the

67 sandbox using [rules](https://developers.openai.com/codex/rules).133 sandbox using [rules](https://developers.openai.com/codex/rules).

68- If your sandbox mode is **full access**, background automations carry134- If your sandbox mode is **full access**, background automations carry

69 elevated risk, as Codex may modify files, run commands, and access network135 elevated risk, as Codex may change files, run commands, and access network

70 without asking. Consider updating sandbox settings to workspace write, and136 without asking. Consider updating sandbox settings to workspace write, and

71 using [rules](https://developers.openai.com/codex/rules) to selectively define which commands the agent137 using [rules](https://developers.openai.com/codex/rules) to selectively define which commands the agent

72 can run with full access.138 can run with full access.

73 139 

74If you are in a managed environment, admins can restrict these behaviors using140If you are in a managed environment, admins can restrict these behaviors using

75admin-enforced requirements. For example, they can disallow `approval_policy = "never"` or constrain allowed sandbox modes. See141admin-enforced requirements. For example, they can disallow `approval_policy =

142"never"` or constrain allowed sandbox modes. See

76[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).143[Admin-enforced requirements (`requirements.toml`)](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).

77 144 

78Automations use `approval_policy = "never"` when your organization policy145Automations use `approval_policy = "never"` when your organization policy

79allows it. If `approval_policy = "never"` is disallowed by admin requirements,146allows it. If admin requirements disallow `approval_policy = "never"`,

80automations fall back to the approval behavior of your selected mode.147automations fall back to the approval behavior of your selected mode.

81 148 

82## Examples149## Examples

1# In-app browser

2 

3The in-app browser gives you and Codex a shared view of rendered web pages

4inside a thread. Use it when you're building or debugging a web app and want to

5preview pages and attach visual comments.

6 

7Use it for local development servers, file-backed previews, and public pages

8that don't require sign-in. For anything that depends on login state or browser

9extensions, use your regular browser or the

10[Codex Chrome extension](https://developers.openai.com/codex/app/chrome-extension).

11 

12Open the in-app browser from the toolbar, by clicking a URL, by navigating

13manually in the browser, or by pressing <kbd>Cmd</kbd>+<kbd>Shift</kbd>+<kbd>B</kbd>

14(<kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>B</kbd> on Windows).

15 

16The in-app browser does not support authentication flows, signed-in pages,

17 your regular browser profile, cookies, extensions, or existing tabs. Use it

18 for pages Codex can open without logging in.

19 

20Treat page content as untrusted context. Don't paste secrets into browser flows.

21 

22<CodexScreenshot

23 alt="Codex app showing a browser comment on a local web app preview"

24 lightSrc="/images/codex/app/in-app-browser-light.webp"

25 darkSrc="/images/codex/app/in-app-browser-dark.webp"

26 maxHeight="420px"

27 variant="no-wallpaper"

28/>

29 

30## Browser use

31 

32Browser use lets Codex operate the in-app browser directly. Use it for local

33development servers and file-backed previews when Codex needs to click, type,

34inspect rendered state, take screenshots, or verify a fix in the page.

35 

36To use it, install and enable the Browser plugin. Then ask Codex to use the

37browser in your task, or reference it directly with `@Browser`. The app keeps

38browser use inside the in-app browser and lets you manage allowed and blocked

39websites from settings.

40 

41Example:

42 

43```text

44Use the browser to open http://localhost:3000/settings, reproduce the layout

45bug, and fix only the overflowing controls.

46```

47 

48Codex asks before using a website unless you've allowed it. Removing a site from

49the allowed list means Codex asks again before using it; removing a site from the

50blocked list means Codex can ask again instead of treating it as blocked.

51 

52For signed-in websites in Chrome, see

53[Codex Chrome extension](https://developers.openai.com/codex/app/chrome-extension).

54 

55## Preview a page

56 

571. Start your app's development server in the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or with a [local environment action](https://developers.openai.com/codex/app/local-environments#actions).

582. Open an unauthenticated local route, file-backed page, or public page by

59 clicking a URL or navigating manually in the browser.

603. Review the rendered state alongside the code diff.

614. Leave browser comments on the elements or areas that need changes.

625. Ask Codex to address the comments and keep the scope narrow.

63 

64Example feedback:

65 

66```text

67I left comments on the pricing page in the in-app browser. Address the mobile

68layout issues and keep the card structure unchanged.

69```

70 

71## Comment on the page

72 

73When a bug is visible only in the rendered page, use browser comments to give

74Codex precise feedback on the page.

75 

76- Turn on comment mode, select an element or area, and submit a comment.

77- In comment mode, hold <kbd>Shift</kbd> and click to select an area.

78- Hold <kbd>Cmd</kbd> while clicking to send a comment immediately.

79 

80After you leave comments, send a message in the thread asking Codex to address

81them. Comments are most useful when Codex needs to make a precise visual change.

82 

83Good feedback is specific:

84 

85```text

86This button overflows on mobile. Keep the label on one line if it fits,

87otherwise wrap it without changing the card height.

88```

89 

90```text

91This tooltip covers the data point under the cursor. Reposition the tooltip so

92it stays inside the chart bounds.

93```

94 

95## Keep browser tasks scoped

96 

97The in-app browser is for review and iteration. Keep each browser task small

98enough to review in one pass.

99 

100- Name the page, route, or local URL.

101- Name the visual state you care about, such as loading, empty, error, or

102 success.

103- Leave comments on the exact elements or areas that need changes.

104- Review the updated route after Codex changes the code.

105- Ask Codex to start or check the dev server before it uses the browser.

106 

107For repository changes, use the [review pane](https://developers.openai.com/codex/app/review) to inspect the

108changes and leave comments.

1# Codex Chrome extension

2 

3The Codex Chrome extension lets Codex use Chrome for browser tasks that need

4your signed-in browser state. Use it when Codex needs to read or act on sites

5such as LinkedIn, Salesforce, Gmail, or internal tools.

6 

7For local development servers, file-backed previews, and public pages that do

8not require sign-in, use the [in-app browser](https://developers.openai.com/codex/app/browser) first. The

9in-app browser keeps preview and verification work inside Codex without using

10your Chrome profile.

11 

12Codex can also switch between tools as a task requires, using plugins when a

13dedicated integration is available, Chrome when it needs logged-in browser

14context, and the in-app browser for localhost.

15 

16<div className="not-prose my-4">

17 <Alert

18 client:load

19 color="warning"

20 variant="soft"

21 description="Treat page content as untrusted context, and review the website before allowing Codex to continue."

22 />

23</div>

24 

25## Set up Chrome from Plugins

26 

27Set up the extension from Codex:

28 

291. Open Codex and go to **Plugins**.

302. Add the **Chrome** plugin.

313. Follow the setup flow. It guides you through installing or connecting the

32 Chrome extension and approving Chrome's permission prompts.

334. Open Chrome and confirm the Codex extension shows **Connected**.

34 

35After the plugin setup is complete, start a new Codex thread. Codex can suggest

36Chrome when a task needs a signed-in website. You can also invoke it directly in

37a prompt:

38 

39```text

40@Chrome open Salesforce and update the account from these call notes.

41```

42 

43If Chrome isn't already open, Codex can open it. Chrome browser tasks run in

44Chrome tab groups so the work for a thread stays grouped together.

45 

46## Control website access

47 

48By default, Codex asks before it interacts with each new website. Codex bases

49the prompt on the website host, such as `example.com`.

50 

51When Codex asks to use a website, you can choose the option that matches the

52task and your risk tolerance:

53 

54- Allow the website for the current chat.

55- Always allow the host so Codex can use that website again without asking.

56- Decline the website.

57 

58### Manage the allowlist and blocklist

59 

60In Computer Use settings, you can manage an allowlist and blocklist for

61domains. The allowlist contains domains Codex can use without asking again. The

62blocklist contains domains Codex shouldn't use.

63 

64Removing a domain from the allowlist means Codex asks again before using it.

65Removing a domain from the blocklist means Codex can ask again instead of

66treating the domain as blocked.

67 

68#### Always allow browser content <ElevatedRiskBadge class="ml-2" />

69 

70If you turn on always allow browser content, Codex no longer asks for

71confirmation before using websites.

72 

73#### Browser history <ElevatedRiskBadge class="ml-2" />

74 

75Browser history can include sensitive telemetry, internal URLs, search terms,

76and activity from Chrome sessions on signed-in devices. If you allow Codex to

77access browser history, relevant history entries can become part of the context

78Codex uses for the task. Malicious or misleading page content can increase the

79risk that Codex copies this data somewhere unintended.

80 

81Codex asks when it wants to use browser history. Codex scopes history access to

82the request, and history doesn't have an always-allow option.

83 

84## Data and security

85 

86### Chrome extension permissions

87 

88Chrome asks you to accept extension permissions when you install the extension.

89The permission prompt may include:

90 

91- Access the page debugger

92- Read and change all your data on all websites

93- Read and change your browsing history on all your signed-in devices

94- Display notifications

95- Read and change your bookmarks

96- Manage your downloads

97- Communicate with cooperating native applications

98- View and manage your tab groups

99 

100These Chrome permissions make the extension capable of operating browser

101workflows. Codex still uses its own confirmations, settings, allowlists, and

102blocklists before using websites or browser history during a task.

103 

104### Memories

105 

106Browser use follows your Codex Memories setting. If Memories is on, Codex can

107use relevant saved memories while working in Chrome. If Memories is off, browser

108use doesn't use memories.

109 

110### What OpenAI stores from browsing

111 

112OpenAI doesn't store a separate complete record of your Chrome actions from the

113extension. OpenAI stores browser activity only when it becomes part of the Codex

114context, such as text Codex reads from a page, screenshots, tool calls,

115summaries, messages, or other content included in the thread.

116 

117Your ChatGPT and Codex data controls apply to content processed in context.

118Avoid sending secrets or highly sensitive data through browser tasks unless

119they're required and you are present to review each prompt.

120 

121## Troubleshooting

122 

123If Codex can't connect to Chrome, first confirm the website Codex is trying to

124access isn't in the blocklist in Settings. If the website isn't blocked, work

125through these checks:

126 

1271. Open the Codex extension from the Chrome toolbar or Chrome's extensions

128 menu. Make sure it shows **Connected**. If it shows disconnected or mentions

129 a missing native host, remove and re-add the Chrome plugin from **Plugins**

130 in Codex, then follow the setup flow again.

1312. In Codex, open **Plugins** and confirm that the Chrome plugin is on. If the

132 plugin is off, turn it on and try the task again.

1333. Make sure you are using the same Chrome profile where the Codex extension is

134 installed. If you use more than one Chrome profile, install and enable the

135 extension in the active profile.

1364. Start a new Codex thread and try the Chrome task again. This can clear a

137 thread-specific connection state.

1385. Restart Chrome and Codex, then try again. If the extension still doesn't

139 connect, uninstall the Codex Chrome extension, remove and re-add the Chrome

140 plugin from **Plugins**, and follow the setup flow again.

1416. If the extension shows **Connected** but Codex still can't use Chrome, run

142 `/feedback` in the Codex app and include the thread ID when you contact

143 support.

144 

145<CodexScreenshot

146 alt="Codex Chrome extension showing connected status"

147 lightSrc="/images/codex/app/chrome-connected-light.png"

148 darkSrc="/images/codex/app/chrome-connected-dark.png"

149 maxHeight="300px"

150 class="mt-4"

151/>

152 

153### Upload Files

154 

155If a Chrome task needs to upload a file from your computer, allow the Codex

156extension to access file URLs in Chrome:

157 

1581. In Chrome, open the extensions icon in the toolbar, then click **Manage

159 Extensions**.

1602. On the Codex extension card, click **Details**.

1613. Turn on **Allow access to file URLs**.

162 

163After you change the setting, start the Chrome task again.

164 

165<CodexScreenshot

166 alt="Chrome extension settings showing Allow access to file URLs enabled for Codex"

167 lightSrc="/images/codex/app/chrome-file-url-access-light.webp"

168 darkSrc="/images/codex/app/chrome-file-url-access-dark.webp"

169 maxHeight="420px"

170 class="mt-4"

171/>

5## Keyboard shortcuts5## Keyboard shortcuts

6 6 

7| | Action | macOS shortcut |7| | Action | macOS shortcut |

8| --- | --- | --- |8| ----------- | ------------------ | --------------------------------------------------------------------------------- |

9| **General** | | |9| **General** | | |

10| | Command menu | <kbd>Cmd</kbd> + <kbd>Shift</kbd> + <kbd>P</kbd> or <kbd>Cmd</kbd> + <kbd>K</kbd> |10| | Command menu | <kbd>Cmd</kbd> + <kbd>Shift</kbd> + <kbd>P</kbd> or <kbd>Cmd</kbd> + <kbd>K</kbd> |

11| | Settings | <kbd>Cmd</kbd> + <kbd>,</kbd> |11| | Settings | <kbd>Cmd</kbd> + <kbd>,</kbd> |

36 36 

37You can also explicitly invoke skills by typing `$` in the thread composer. See [Skills](https://developers.openai.com/codex/skills).37You can also explicitly invoke skills by typing `$` in the thread composer. See [Skills](https://developers.openai.com/codex/skills).

38 38 

39Enabled skills also appear in the slash command list (for example, `/imagegen`).39Enabled skills also appear in the slash command list.

40 40 

41### Available slash commands41### Available slash commands

42 42 

53The Codex app registers the `codex://` URL scheme so links can open specific parts of the app directly.53The Codex app registers the `codex://` URL scheme so links can open specific parts of the app directly.

54 54 

55| Deeplink | Opens | Supported query parameters |55| Deeplink | Opens | Supported query parameters |

56| --- | --- | --- |56| ----------------------------- | --------------------------------------------- | ---------------------------------------- |

57| `codex://settings` | Settings. | None. |57| `codex://settings` | Settings. | None. |

58| `codex://skills` | Skills. | None. |58| `codex://skills` | Skills. | None. |

59| `codex://automations` | Inbox in automation create mode. | None. |59| `codex://automations` | Inbox in automation create mode. | None. |

62 62 

63For new-thread deeplinks:63For new-thread deeplinks:

64 64 

65- `prompt` prefills the composer.65- `prompt` sets the initial composer text.

66- `path` must be an absolute path to a local directory and, when valid, makes that directory the active workspace for the new thread.66- `path` must be an absolute path to a local directory and, when valid, makes that directory the active workspace for the new thread.

67- `originUrl` tries to match one of your current workspace roots by Git remote URL. If both `path` and `originUrl` are present, Codex resolves `path` first.67- `originUrl` tries to match one of your current workspace roots by Git remote URL. If both `path` and `originUrl` are present, Codex resolves `path` first.

68 68 

1# Computer Use

2 

3In the Codex app, computer use is currently available on macOS, except in the

4 European Economic Area, the United Kingdom, and Switzerland at launch. Install

5 the Computer Use plugin, then grant Screen Recording and Accessibility

6 permissions when macOS prompts you.

7 

8With computer use, Codex can see and operate graphical user interfaces on macOS.

9Use it for tasks where command-line tools or structured integrations aren't

10enough, such as checking a desktop app, using a browser, changing app settings,

11working with a data source that isn't available as a plugin, or reproducing a

12bug that only happens in a graphical user interface.

13 

14Because computer use can affect app and system state outside your project

15workspace, use it for scoped tasks and review permission prompts before

16continuing.

17 

18## Set up computer use

19 

20In Codex settings, open **Computer Use** and click **Install** to install the

21Computer Use plugin before you ask Codex to operate desktop apps. When macOS

22prompts for access, grant Screen Recording and Accessibility permissions if you

23want Codex to see and interact with the target app.

24 

25To use computer use, grant:

26 

27- **Screen Recording** permission so Codex can see the target app.

28- **Accessibility** permission so Codex can click, type, and navigate.

29 

30## When to use computer use

31 

32Choose computer use when the task depends on a graphical user interface that's

33hard to verify through files or command output alone.

34 

35Good fits include:

36 

37- Testing a macOS app, an iOS simulator flow, or another desktop app that Codex

38 is building.

39- Performing a task that requires your web browser.

40- Reproducing a bug that only appears in a graphical interface.

41- Changing app settings that require clicking through a UI.

42- Inspecting information in an app or data source that isn't available through a

43 plugin.

44- Running a scoped task in the background while you keep working elsewhere.

45- Executing a workflow that spans more than one app.

46 

47For web apps you are building locally, use the

48[in-app browser](https://developers.openai.com/codex/app/browser) first.

49 

50## Start a computer use task

51 

52Mention `@Computer` or `@AppName` in your prompt, or ask Codex to use

53computer use. Describe the exact app, window, or flow Codex should operate.

54 

55```text

56Open the app with computer use, reproduce the onboarding bug, and fix the

57smallest code path that causes it. After each change, run the same UI flow

58again.

59```

60 

61```text

62Open @Chrome and verify the checkout page still works after the latest changes.

63```

64 

65If the target app exposes a dedicated plugin or MCP server, prefer that

66structured integration for data access and repeatable operations. Choose

67computer use when Codex needs to inspect or operate the app visually.

68 

69## Permissions and approvals

70 

71The macOS system permissions for computer use are separate from app approvals in

72Codex. The macOS permissions let Codex see and operate apps. App approvals

73determine which apps you allow Codex to use. File reads, file edits, and shell

74commands still follow the sandbox and approval settings for the thread.

75 

76With computer use, Codex can see and take action only in the apps you allow.

77During a task, Codex asks for your permission before it can use an app on your

78computer. You can choose **Always allow** so Codex can use that app in the future

79without asking again. You can remove apps from the **Always allow** list in the

80**Computer Use** section of Codex settings.

81 

82<CodexScreenshot

83 alt="Codex app asking for permission to use Calculator with computer use"

84 lightSrc="/images/codex/app/computer-use-approval-light.webp"

85 darkSrc="/images/codex/app/computer-use-approval-dark.webp"

86 maxHeight="420px"

87 variant="no-wallpaper"

88/>

89 

90Codex may also ask for permission before taking sensitive or disruptive actions.

91 

92If Codex can't see or control an app, open **System Settings > Privacy &

93Security** and check **Screen Recording** and **Accessibility** for the Codex

94app.

95 

96## Safety guidance

97 

98With computer use, Codex can view screen content, take screenshots, and interact

99with windows, menus, keyboard input, and clipboard state in the target app.

100Treat visible app content, browser pages, screenshots, and files opened in the

101target app as context Codex may process while the task runs.

102 

103Keep tasks narrow and stay present for sensitive flows:

104 

105- Give Codex one clear target app or flow at a time.

106- You can stop the task or take over your computer at any time.

107- Keep sensitive apps closed unless they're required for the task.

108- Avoid tasks that require secrets unless you're present and can approve each

109 step.

110- Review app permission prompts before allowing Codex to use an app.

111- Use **Always allow** only for apps you trust Codex to use automatically in

112 future tasks.

113- Stay present for account, security, privacy, network, payment, or

114 credential-related settings.

115- Cancel the task if Codex starts interacting with the wrong window.

116 

117If Codex uses your browser, it can interact with pages where you're already

118signed in. Review website actions as if you were taking them yourself: web pages

119can contain malicious or misleading content, and sites may treat approved clicks,

120form submissions, and signed-in actions as coming from your account. To keep

121using your browser while Codex works, ask Codex to use a different browser.

122 

123The feature can't automate terminal apps or Codex itself, since automating them

124could bypass Codex security policies. It also can't authenticate as an

125administrator or approve security and privacy permission prompts on your

126computer.

127 

128File edits and shell commands still follow Codex approval and sandbox settings

129where applicable. Changes made through desktop apps may not appear in the review

130pane until they're saved to disk and tracked by the project. Your ChatGPT data

131controls apply to content processed through Codex, including screenshots taken

132by computer use.

3The Codex app is a focused desktop experience for working on Codex threads in parallel,3The Codex app is a focused desktop experience for working on Codex threads in parallel,

4with built-in worktree support, automations, and Git functionality.4with built-in worktree support, automations, and Git functionality.

5 5 

6Most Codex app features are available on both macOS and Windows.

7The sections below note platform-specific exceptions.

8 

9<YouTubeEmbed

10 title="Introducing the Codex app"

11 videoId="HFM3se4lNiw"

12 class="max-w-md"

13/>

14 

6---15---

7 16 

17<section class="feature-grid">

18 

19<div>

20 

8## Multitask across projects21## Multitask across projects

9 22 

10Use one Codex app window to run tasks across projects. Add a project for each23Use one Codex app window to run tasks across projects. Add a project for each

17distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/agent-approvals-security)30distinct projects into separate app projects so the [sandbox](https://developers.openai.com/codex/agent-approvals-security)

18only includes the files for that project.31only includes the files for that project.

19 32 

20![Codex app showing multiple projects in the sidebar and threads in the main pane](/images/codex/app/multitask-light.webp)33</div>

34 

35<CodexScreenshot

36 alt="Codex app showing multiple projects in the sidebar and threads in the main pane"

37 lightSrc="/images/codex/app/multitask-light.webp"

38 darkSrc="/images/codex/app/multitask-dark.webp"

39 maxHeight="400px"

40/>

41 

42</section>

43 

44<section class="feature-grid inverse">

45 

46<div>

21 47 

22## Skills support48## Skills support

23 49 

25IDE Extension. You can also view and explore new skills that your team has51IDE Extension. You can also view and explore new skills that your team has

26created across your different projects by clicking Skills in the sidebar.52created across your different projects by clicking Skills in the sidebar.

27 53 

28![Skills picker showing available skills in the Codex app](/images/codex/app/skill-selector-light.webp)54</div>

55 

56<CodexScreenshot

57 alt="Skills picker showing available skills in the Codex app"

58 lightSrc="/images/codex/app/skill-selector-light.webp"

59 darkSrc="/images/codex/app/skill-selector-dark.webp"

60 maxHeight="400px"

61/>

62 

63</section>

64 

65<section class="feature-grid">

66 

67<div>

29 68 

30## Automations69## Automations

31 70 

32You can also combine skills with [automations](https://developers.openai.com/codex/app/automations) to perform routine tasks71You can also combine skills with [automations](https://developers.openai.com/codex/app/automations) to perform routine tasks

33such as evaluating errors in your telemetry and submitting fixes or creating reports on recent72such as evaluating errors in your telemetry and submitting fixes or creating reports on recent

34codebase changes.73codebase changes. For ongoing work that should stay in one thread, use a

74[thread automation](https://developers.openai.com/codex/app/automations#thread-automations).

75 

76</div>

77 

78<CodexScreenshot

79 alt="Automation creation form with schedule and prompt fields"

80 lightSrc="/images/codex/app/create-automation-light.webp"

81 darkSrc="/images/codex/app/create-automation-dark.webp"

82 maxHeight="400px"

83/>

35 84 

36![Automation creation form with schedule and prompt fields](/images/codex/app/create-automation-light.webp)85</section>

86 

87<section class="feature-grid inverse">

88