OpenAI - Codex Docs Changes

agent-approvals-security.md +62 −1

Details

73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

74- Protection is recursive, so everything under those paths is read-only.74- Protection is recursive, so everything under those paths is read-only.

75 75

76### Deny reads with filesystem profiles

78Named permission profiles can also deny reads for exact paths or glob patterns.

79This is useful when a workspace should stay writable but specific sensitive

80files, such as local environment files, must stay unreadable:

82```toml

83default_permissions = "workspace"

85[permissions.workspace.filesystem]

86":project_roots" = { "." = "write", "**/*.env" = "none" }

87glob_scan_max_depth = 3

88```

90Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy

91evaluates globs for local macOS and Linux command execution. On platforms that

92pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for

93unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and

94`*/*/*.env`.

76### Run without approval prompts96### Run without approval prompts

77 97

78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).98You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

83 103

84For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

85 105

86Set `approvals_reviewer = "guardian_subagent"` to route eligible approval reviews through the Guardian reviewer subagent instead of prompting the user directly. Admin requirements can constrain this with `allowed_approvals_reviewers`.106### Automatic approval reviews

107

108By default, approval requests route to you:

109

110```toml

111approvals_reviewer = "user"

112```

113

114Automatic approval reviews apply when approvals are interactive, such as

115`approval_policy = "on-request"` or a granular approval policy. Set

116`approvals_reviewer = "auto_review"` to route eligible approval requests

117through a reviewer agent before Codex runs the request:

118

119```toml

120approval_policy = "on-request"

121approvals_reviewer = "auto_review"

122```

123

124The reviewer evaluates only actions that already need approval, such as sandbox

125escalations, network requests, `request_permissions` prompts, or side-effecting

126app and MCP tool calls. Actions that stay inside the sandbox continue without an

127extra review step.

128

129The reviewer policy checks for data exfiltration, credential probing, persistent

130security weakening, and destructive actions. Low-risk and medium-risk actions

131can proceed when policy allows them. The policy denies critical-risk actions.

132High-risk actions require enough user authorization and no matching deny rule.

133Timeouts, parse failures, and review errors fail closed.

134

135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

136is in the open-source Codex repository. Enterprises can replace its

137tenant-specific section with `guardian_policy_config` in managed requirements.

138Local `[auto_review].policy` text is also supported, but managed requirements

139take precedence. For setup details, see

140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

141

142In the Codex app, these reviews appear as automatic review items with a status such

143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a

144risk level for the reviewed request.

145

146Automatic review uses extra model calls, so it can add to Codex usage. Admins

147can constrain it with `allowed_approvals_reviewers`.

87 148

88### Common sandbox and approval combinations149### Common sandbox and approval combinations

89 150

app.md +5 −2

Details

12 12

13The Codex app is available on macOS and Windows.13The Codex app is available on macOS and Windows.

14 14

15Most Codex app features are available on both platforms. Platform-specific

16exceptions are noted in the relevant docs.

151. Download and install the Codex app181. Download and install the Codex app

16 19

~~17 Download the Codex app for Windows or macOS. Choose the Intel build if you’re using an Intel-based Mac.~~20 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.

18 21

19 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)22 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)

20 23

63 66

64Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser67Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser

65 68

~~66Open unauthenticated local or public pages and comment on rendered output.](https://developers.openai.com/codex/app/browser)[### Image generation~~69Open rendered pages, leave comments, or let Codex operate local browser flows.](https://developers.openai.com/codex/app/browser)[### Image generation

67 70

68Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations71Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations

69 72

app-server.md +233 −32

Details

12Supported transports:12Supported transports:

13 13

14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).

~~15- `websocket` (`--listen ws://IP:PORT`, experimental): one JSON-RPC message per WebSocket text frame.~~15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one JSON-RPC message per WebSocket text frame.

16- `off` (`--listen off`): don't expose a local transport.

18When you run with `--listen ws://IP:PORT`, the same listener also serves basic HTTP health probes:

20- `GET /readyz` returns `200 OK` once the listener accepts new connections.

21- `GET /healthz` returns `200 OK` when the request doesn't include an `Origin` header.

22- Requests with an `Origin` header are rejected with `403 Forbidden`.

24WebSocket transport is experimental and unsupported. Loopback listeners such as `ws://127.0.0.1:PORT` are appropriate for localhost and SSH port-forwarding workflows. Non-loopback WebSocket listeners currently allow unauthenticated connections by default during rollout, so configure WebSocket auth before exposing one remotely.

26Supported WebSocket auth flags:

28- `--ws-auth capability-token --ws-token-file /absolute/path`

29- `--ws-auth capability-token --ws-token-sha256 HEX`

30- `--ws-auth signed-bearer-token --ws-shared-secret-file /absolute/path`

32For signed bearer tokens, you can also set `--ws-issuer`, `--ws-audience`, and `--ws-max-clock-skew-seconds`. Clients present the credential as `Authorization: Bearer <token>` during the WebSocket handshake, and app-server enforces auth before JSON-RPC `initialize`.

34Prefer `--ws-token-file` over passing raw bearer tokens on the command line. Use `--ws-token-sha256` only when the client keeps the raw high-entropy token in a separate local secret store; the hash is only a verifier, and clients still need the original token.

16 35

17In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.36In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.

18 37

199- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.218- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

200- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.219- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.

201- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.220- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

202- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.221- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.

222- `thread/turns/list` - page through a stored thread's turn history without resuming it.

203- `thread/loaded/list` - list the thread ids currently loaded in memory.223- `thread/loaded/list` - list the thread ids currently loaded in memory.

204- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.224- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

225- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.

205- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.226- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

206- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.227- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.

207- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.228- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

208- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.229- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

209- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.230- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

211- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).232- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

212- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.233- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

213- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."234- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

235- `thread/inject_items` - append raw Responses API items to a loaded thread's model-visible history without starting a user turn.

214- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.236- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

215- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.237- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

216- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.238- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

218- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.240- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.

219- `command/exec/resize` - resize a running PTY-backed `command/exec` session.241- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

220- `command/exec/terminate` - stop a running `command/exec` session.242- `command/exec/terminate` - stop a running `command/exec` session.

243- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.

221- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.244- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

222- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.245- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

246- `experimentalFeature/enablement/set` - patch in-memory runtime enablement for supported feature keys such as `apps` and `plugins`.

223- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).247- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

224- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).248- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

225- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace errors, featured plugin ids, and the development-only `forceRemoteSync` option.249- `skills/changed` (notify) - emitted when watched local skill files change.

226- `plugin/read` - read one plugin by marketplace path and plugin name, including bundled skills, apps, and MCP server names.250- `marketplace/add` - add a remote plugin marketplace and persist it into the user's marketplace config.

227- `plugin/install` - install a plugin from a marketplace path.251- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.

252- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.

253- `plugin/install` - install a plugin from a marketplace path or remote marketplace name.

228- `plugin/uninstall` - uninstall an installed plugin.254- `plugin/uninstall` - uninstall an installed plugin.

229- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.255- `app/list` - list available apps (connectors) with pagination plus accessibility/enabled metadata.

230- `skills/config/write` - enable or disable skills by path.256- `skills/config/write` - enable or disable skills by path.

233- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.259- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

234- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.260- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

235- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.261- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

262- `mcpServer/tool/call` - call a tool on a thread's configured MCP server.

263- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread.

236- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.264- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

237- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).265- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

238- `config/read` - fetch the effective configuration on disk after resolving configuration layering.266- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

239- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).267- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

240- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).268- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home); plugin imports emit `externalAgentConfig/import/completed`.

241- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.269- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

242- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.270- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

243- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).271- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

244- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, and `fs/copy` - operate on absolute filesystem paths through the app-server v2 filesystem API.272- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.

273

274Plugin summaries include a `source` union. Local plugins return

275`{ "type": "local", "path": ... }`, Git-backed marketplace entries return

276`{ "type": "git", "url": ..., "path": ..., "refName": ..., "sha": ... }`,

277and remote catalog entries return `{ "type": "remote" }`. For remote-only

278catalog entries, `PluginMarketplaceEntry.path` can be `null`; pass

279`remoteMarketplaceName` instead of `marketplacePath` when reading or installing

280those plugins.

245 281

246## Models282## Models

247 283

310## Threads346## Threads

311 347

312- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.348- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.

313- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.349- `thread/turns/list` pages through a stored thread's turn history without resuming it.

350- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.

314- `thread/loaded/list` returns the thread IDs currently in memory.351- `thread/loaded/list` returns the thread IDs currently in memory.

315- `thread/archive` moves the thread's persisted JSONL log into the archived directory.352- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

316- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.353- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.

354- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.

317- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.355- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

318- `thread/compact/start` triggers compaction and returns `{}` immediately.356- `thread/compact/start` triggers compaction and returns `{}` immediately.

319- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.357- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

358- `thread/inject_items` appends raw Responses API items to a loaded thread's model-visible history without starting a user turn.

320 359

321### Start or resume a thread360### Start or resume a thread

322 361

387 426

388Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.427Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

389 428

429### List thread turns

430

431Use `thread/turns/list` to page a stored thread's turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.

432

433```json

434{ "method": "thread/turns/list", "id": 20, "params": {

435 "threadId": "thr_123",

436 "limit": 50,

437 "sortDirection": "desc"

438} }

439{ "id": 20, "result": {

440 "data": [],

441 "nextCursor": "older-turns-cursor-or-null",

442 "backwardsCursor": "newer-turns-cursor-or-null"

443} }

444```

445

390### List threads (with pagination & filters)446### List threads (with pagination & filters)

391 447

392`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:448`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:

398- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.454- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.

399- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).455- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).

400- `cwd` - restrict results to threads whose session current working directory exactly matches this path.456- `cwd` - restrict results to threads whose session current working directory exactly matches this path.

457- `searchTerm` - search stored thread summaries and metadata before pagination.

401 458

402`sourceKinds` accepts the following values:459`sourceKinds` accepts the following values:

403 460

431 488

432When `nextCursor` is `null`, you have reached the final page.489When `nextCursor` is `null`, you have reached the final page.

433 490

491### Update stored thread metadata

492

493Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.

494

495```json

496{ "method": "thread/metadata/update", "id": 21, "params": {

497 "threadId": "thr_123",

498 "gitInfo": { "branch": "feature/sidebar-pr" }

499} }

500{ "id": 21, "result": {

501 "thread": {

502 "id": "thr_123",

503 "gitInfo": { "sha": null, "branch": "feature/sidebar-pr", "originUrl": null }

504 }

505} }

506```

507

434### Track thread status changes508### Track thread status changes

435 509

436`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.510`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

462- `notSubscribed` when the connection wasn't subscribed to that thread.536- `notSubscribed` when the connection wasn't subscribed to that thread.

463- `notLoaded` when the thread isn't loaded.537- `notLoaded` when the thread isn't loaded.

464 538

465If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.539If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

466 540

467```json541```json

468{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }542{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

469{ "id": 22, "result": { "status": "unsubscribed" } }543{ "id": 22, "result": { "status": "unsubscribed" } }

544```

545

546If the thread later expires:

547

548```json

470{ "method": "thread/status/changed", "params": {549{ "method": "thread/status/changed", "params": {

471 "threadId": "thr_123",550 "threadId": "thr_123",

472 "status": { "type": "notLoaded" }551 "status": { "type": "notLoaded" }

615{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }694{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }

616```695```

617 696

697### Inject items into a thread

698

699Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread's prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.

700

701```json

702{ "method": "thread/inject_items", "id": 31, "params": {

703 "threadId": "thr_123",

704 "items": [

705 {

706 "type": "message",

707 "role": "assistant",

708 "content": [{ "type": "output_text", "text": "Previously computed context." }]

709 }

710 ]

711} }

712{ "id": 31, "result": {} }

713```

714

618### Steer an active turn715### Steer an active turn

619 716

620Use `turn/steer` to append more user input to the active in-flight turn.717Use `turn/steer` to append more user input to the active in-flight turn.

796- `elevated` - run the elevated Windows sandbox setup path.893- `elevated` - run the elevated Windows sandbox setup path.

797- `unelevated` - run the legacy setup/preflight path.894- `unelevated` - run the legacy setup/preflight path.

798 895

896## Filesystem

897

898The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.

899

900```json

901{ "method": "fs/watch", "id": 54, "params": {

902 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

903 "path": "/Users/me/project/.git/HEAD"

904} }

905{ "id": 54, "result": { "path": "/Users/me/project/.git/HEAD" } }

906{ "method": "fs/changed", "params": {

907 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

908 "changedPaths": ["/Users/me/project/.git/HEAD"]

909} }

910{ "method": "fs/unwatch", "id": 55, "params": {

911 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1"

912} }

913{ "id": 55, "result": {} }

914```

915

916Watching a file emits `fs/changed` for that file path, including updates delivered by replace or rename operations.

917

799## Events918## Events

800 919

801Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.920Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

1016} }1135} }

1017```1136```

1018 1137

1138The server also emits `skills/changed` notifications when watched local skill files change. Treat this as an invalidation signal and rerun `skills/list` with your current params when needed.

1139

1019To enable or disable a skill by path:1140To enable or disable a skill by path:

1020 1141

1021```json1142```json

1222{ "id": 64, "result": {} }1343{ "id": 64, "result": {} }

1223```1344```

1224 1345

1225Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, and `MCP_SERVER_CONFIG`. Detection returns only items that still have work to do. For example, AGENTS migration is skipped when `AGENTS.md` already exists and is non-empty, and skill imports don’t overwrite existing skill directories.1346When a request includes plugin imports, the server emits `externalAgentConfig/import/completed` after the import finishes. This notification may arrive immediately after the response or after background remote imports complete.

1347

1348Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, `PLUGINS`,

1349and `MCP_SERVER_CONFIG`. For `PLUGINS` items, `details.plugins` lists each

1350`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection

1351returns only items that still have work to do. For example, Codex skips AGENTS

1352migration when `AGENTS.md` already exists and is non-empty, and skill imports

1353don't overwrite existing skill directories.

1354

1355When detecting plugins from `.claude/settings.json`, Codex reads configured

1356marketplace sources from `extraKnownMarketplaces`. If `enabledPlugins` contains

1357plugins from `claude-plugins-official` but the marketplace source is missing,

1358Codex infers `anthropics/claude-plugins-official` as the source.

1226 1359

1227## Auth endpoints1360## Auth endpoints

1228 1361

1229The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1362The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, inspect ChatGPT rate limits, and notify workspace owners about depleted credits or usage limits.

1230 1363

1231### Authentication modes1364### Authentication modes

1232 1365

1233Codex supports three authentication modes. `account/updated.authMode` shows the active mode, and `account/read` also reports it.1366Codex supports these authentication modes. `account/updated.authMode` shows the active mode and includes the current ChatGPT `planType` when available. `account/read` also reports account and plan details.

1234 1367

1235- **API key (`apikey`)** - the caller supplies an OpenAI API key and Codex stores it for API requests.1368- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.

1236- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically.1369- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.

1237- **ChatGPT external tokens (`chatgptAuthTokens`)** - a host app supplies `idToken` and `accessToken` directly. Codex stores these tokens in memory, and the host app must refresh them when asked.1370- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user's ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.

1238 1371

1239### API overview1372### API overview

1240 1373

1241- `account/read` - fetch current account info; optionally refresh tokens.1374- `account/read` - fetch current account info; optionally refresh tokens.

1242- `account/login/start` - begin login (`apiKey`, `chatgpt`, or `chatgptAuthTokens`).1375- `account/login/start` - begin login (`apiKey`, `chatgpt`, `chatgptDeviceCode`, or experimental `chatgptAuthTokens`).

1243- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).1376- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).

1244- `account/login/cancel` - cancel a pending ChatGPT login by `loginId`.1377- `account/login/cancel` - cancel a pending managed ChatGPT login by `loginId`.

1245- `account/logout` - sign out; triggers `account/updated`.1378- `account/logout` - sign out; triggers `account/updated`.

1246- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`).1379- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.

1247- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.1380- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.

1248- `account/rateLimits/read` - fetch ChatGPT rate limits.1381- `account/rateLimits/read` - fetch ChatGPT rate limits.

1249- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.1382- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.

1383- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.

1250- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.1384- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.

1385- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread; payload includes `{ name, status, error }`.

1251 1386

1252### 1) Check auth state1387### 1) Check auth state

1253 1388

1319 ```1454 ```

1320 1455

1321 ```json1456 ```json

1322 { "method": "account/updated", "params": { "authMode": "apikey" } }1457 {

1458 "method": "account/updated",

1459 "params": { "authMode": "apikey", "planType": null }

1460 }

1323 ```1461 ```

1324 1462

1325### 3) Log in with ChatGPT (browser flow)1463### 3) Log in with ChatGPT (browser flow)

1351 ```1489 ```

1352 1490

1353 ```json1491 ```json

1354 { "method": "account/updated", "params": { "authMode": "chatgpt" } }1492 {

1493 "method": "account/updated",

1494 "params": { "authMode": "chatgpt", "planType": "plus" }

1495 }

1496 ```

1497

1498### 3b) Log in with ChatGPT (device-code flow)

1499

1500Use this flow when your client owns the sign-in ceremony or when a browser callback is brittle.

1501

15021. Start:

1503

1504 ```json

1505 {

1506 "method": "account/login/start",

1507 "id": 4,

1508 "params": { "type": "chatgptDeviceCode" }

1509 }

1510 ```

1511

1512 ```json

1513 {

1514 "id": 4,

1515 "result": {

1516 "type": "chatgptDeviceCode",

1517 "loginId": "<uuid>",

1518 "verificationUrl": "https://auth.openai.com/codex/device",

1519 "userCode": "ABCD-1234"

1520 }

1521 }

1522 ```

15232. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.

15243. Wait for notifications:

1525

1526 ```json

1527 {

1528 "method": "account/login/completed",

1529 "params": { "loginId": "<uuid>", "success": true, "error": null }

1530 }

1531 ```

1532

1533 ```json

1534 {

1535 "method": "account/updated",

1536 "params": { "authMode": "chatgpt", "planType": "plus" }

1537 }

1355 ```1538 ```

1356 1539

1357### 3b) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)1540### 3c) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)

1358 1541

1359Use this mode when a host application owns the user’s ChatGPT auth lifecycle and supplies tokens directly.1542Use this experimental mode only when a host application owns the user's ChatGPT auth lifecycle and supplies tokens directly. Clients must set `capabilities.experimentalApi = true` during `initialize` before using this login type.

1360 1543

13611. Send:15441. Send:

1362 1545

1366 "id": 7,1549 "id": 7,

1367 "params": {1550 "params": {

1368 "type": "chatgptAuthTokens",1551 "type": "chatgptAuthTokens",

1369 "idToken": "<jwt>",1552 "accessToken": "<jwt>",

1370 "accessToken": "<jwt>"1553 "chatgptAccountId": "org-123",

1554 "chatgptPlanType": "business"

1371 }1555 }

1372 }1556 }

1373 ```1557 ```

1388 ```json1572 ```json

1389 {1573 {

1390 "method": "account/updated",1574 "method": "account/updated",

1391 "params": { "authMode": "chatgptAuthTokens" }1575 "params": { "authMode": "chatgptAuthTokens", "planType": "business" }

1392 }1576 }

1393 ```1577 ```

1394 1578

1400 "id": 8,1584 "id": 8,

1401 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }1585 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }

1402}1586}

1403{ "id": 8, "result": { "idToken": "<jwt>", "accessToken": "<jwt>" } }1587{ "id": 8, "result": { "accessToken": "<jwt>", "chatgptAccountId": "org-123", "chatgptPlanType": "business" } }

1404```1588```

1405 1589

1406The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.1590The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.

1417```json1601```json

1418{ "method": "account/logout", "id": 5 }1602{ "method": "account/logout", "id": 5 }

1419{ "id": 5, "result": {} }1603{ "id": 5, "result": {} }

1420{ "method": "account/updated", "params": { "authMode": null } }1604{ "method": "account/updated", "params": { "authMode": null, "planType": null } }

1421```1605```

1422 1606

1423### 6) Rate limits (ChatGPT)1607### 6) Rate limits (ChatGPT)

1429 "limitId": "codex",1613 "limitId": "codex",

1430 "limitName": null,1614 "limitName": null,

1431 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1615 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1432 "secondary": null1616 "secondary": null,

1617 "rateLimitReachedType": null

1433 },1618 },

1434 "rateLimitsByLimitId": {1619 "rateLimitsByLimitId": {

1435 "codex": {1620 "codex": {

1436 "limitId": "codex",1621 "limitId": "codex",

1437 "limitName": null,1622 "limitName": null,

1438 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1623 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1439 "secondary": null1624 "secondary": null,

1625 "rateLimitReachedType": null

1440 },1626 },

1441 "codex_other": {1627 "codex_other": {

1442 "limitId": "codex_other",1628 "limitId": "codex_other",

1443 "limitName": "codex_other",1629 "limitName": "codex_other",

1444 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },1630 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },

1445 "secondary": null1631 "secondary": null,

1632 "rateLimitReachedType": null

1446 }1633 }

1447 }1634 }

1448} }1635} }

1463- `usedPercent` is current usage within the quota window.1650- `usedPercent` is current usage within the quota window.

1464- `windowDurationMins` is the quota window length.1651- `windowDurationMins` is the quota window length.

1465- `resetsAt` is a Unix timestamp (seconds) for the next reset.1652- `resetsAt` is a Unix timestamp (seconds) for the next reset.

1653- `planType` is included when the backend returns the ChatGPT plan associated with a bucket.

1654- `credits` is included when the backend returns remaining workspace credit details.

1655- `rateLimitReachedType` identifies the backend-classified limit state when one has been reached.

1656

1657### 7) Notify a workspace owner about a limit

1658

1659Use `account/sendAddCreditsNudgeEmail` to ask ChatGPT to email a workspace owner when credits are depleted or a usage limit has been reached.

1660

1661```json

1662{ "method": "account/sendAddCreditsNudgeEmail", "id": 7, "params": { "creditType": "credits" } }

1663{ "id": 7, "result": { "status": "sent" } }

1664```

1665

1666Use `creditType: "credits"` when workspace credits are depleted, or `creditType: "usage_limit"` when the workspace usage limit has been reached. If the owner was already notified recently, the response status is `cooldown_active`.

app/browser.md +22 −0

Details

20 20

21![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)21![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)

22 22

23## Browser use

25Browser use lets Codex operate the in-app browser directly. Use it for local

26development servers and file-backed previews when Codex needs to click, type,

27inspect rendered state, take screenshots, or verify a fix in the page.

29To use it, install and enable the Browser plugin. Then ask Codex to use the

30browser in your task, or reference it directly with `@Browser`. The app keeps

31browser use inside the in-app browser and lets you manage allowed and blocked

32websites from settings.

34Example:

36```text

37Use the browser to open http://localhost:3000/settings, reproduce the layout

38bug, and fix only the overflowing controls.

39```

41Codex asks before using a website unless you've allowed it. Removing a site from

42the allowed list means Codex asks again before using it; removing a site from the

43blocked list means Codex can ask again instead of treating it as blocked.

23## Preview a page45## Preview a page

24 46

251. Start your app's development server in the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or with a [local environment action](https://developers.openai.com/codex/app/local-environments#actions).471. Start your app's development server in the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or with a [local environment action](https://developers.openai.com/codex/app/local-environments#actions).

app/features.md +14 −1

Details

3The Codex app is a focused desktop experience for working on Codex threads in parallel,3The Codex app is a focused desktop experience for working on Codex threads in parallel,

4with built-in worktree support, automations, and Git functionality.4with built-in worktree support, automations, and Git functionality.

5 5

6Most Codex app features are available on both macOS and Windows.

7The sections below note platform-specific exceptions.

6---9---

7 10

8## Multitask across projects11## Multitask across projects

143Use browser comments to mark specific elements or areas on a page, then ask146Use browser comments to mark specific elements or areas on a page, then ask

144Codex to address that feedback.147Codex to address that feedback.

145 148

149When you want Codex to operate the page directly, use

150[browser use](https://developers.openai.com/codex/app/browser#browser-use) for local development servers and

151file-backed pages. You can manage the Browser plugin, allowed websites, and

152blocked websites from settings.

153

146![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)154![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)

147 155

148## Computer use156## Computer use

222opening separate projects or using worktrees rather than asking Codex to roam230opening separate projects or using worktrees rather than asking Codex to roam

223outside the project root.231outside the project root.

224 232

233If [automatic review](https://developers.openai.com/codex/agent-approvals-security#automatic-approval-reviews)

234is available in your workspace, you can choose it from the permissions selector.

235It keeps the same sandbox boundary but routes eligible approval requests through

236the configured review policy instead of waiting for you.

237

225For a high-level overview, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For238For a high-level overview, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For

226configuration details, see the239configuration details, see the

227[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).240[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).

247 260

248You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.261You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.

249 262

250Built-in image generation uses `gpt-image-1.5`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).263Built-in image generation uses `gpt-image-2`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).

251 264

252For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.265For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.

253 266

app/settings.md +10 −0

Details

43also apply to the Codex CLI and IDE extension because the MCP configuration lives in43also apply to the Codex CLI and IDE extension because the MCP configuration lives in

44`config.toml`. See the [Model Context Protocol docs](https://developers.openai.com/codex/mcp) for details.44`config.toml`. See the [Model Context Protocol docs](https://developers.openai.com/codex/mcp) for details.

45 45

46## Browser use

48Use these settings to install or enable the bundled Browser plugin and manage

49allowlisted and blocklisted websites. Codex asks before using a website

50unless you’ve allowlisted it. Removing a site from the blocklist lets Codex ask

51again before using it in the browser.

53See [In-app browser](https://developers.openai.com/codex/app/browser) for browser preview, comment, and

54browser use workflows.

46## Computer Use56## Computer Use

47 57

48On macOS, check your Computer Use settings to review desktop-app access and related58On macOS, check your Computer Use settings to review desktop-app access and related

app/windows.md +2 −0

Details

2 2

3The [Codex app for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi) gives you one interface for3The [Codex app for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi) gives you one interface for

4working across projects, running parallel agent threads, and reviewing results.4working across projects, running parallel agent threads, and reviewing results.

5The Windows app supports core workflows such as worktrees, automations, Git

6functionality, the in-app browser, artifact previews, plugins, and skills.

5It runs natively on Windows using PowerShell and the7It runs natively on Windows using PowerShell and the

6[Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox), or you can configure it to8[Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox), or you can configure it to

7run in [Windows Subsystem for Linux 2 (WSL2)](#windows-subsystem-for-linux-wsl).9run in [Windows Subsystem for Linux 2 (WSL2)](#windows-subsystem-for-linux-wsl).

cli.md +4 −3

Details

43 43

44 npm i -g @openai/codex@latestCopy44 npm i -g @openai/codex@latestCopy

45 45

~~46The Codex CLI is available on macOS and Linux. Windows support is~~46The Codex CLI is available on macOS, Windows, and Linux. On Windows, run Codex

~~47experimental. For the best Windows experience, use Codex in a WSL2 workspace~~47 natively in PowerShell with the Windows sandbox, or use WSL2 when you need a

~~48and follow our [Windows setup guide](https://developers.openai.com/codex/windows).~~48Linux-native environment. For setup details, see the

49[Windows setup guide](https://developers.openai.com/codex/windows).

49 50

50If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).51If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

51 52

cli/features.md +12 −10

Details

22- Watch Codex explain its plan before making a change, and approve or reject steps inline.22- Watch Codex explain its plan before making a change, and approve or reject steps inline.

23- Read syntax-highlighted markdown code blocks and diffs in the TUI, then use `/theme` to preview and save a preferred theme.23- Read syntax-highlighted markdown code blocks and diffs in the TUI, then use `/theme` to preview and save a preferred theme.

24- Use `/clear` to wipe the terminal and start a fresh chat, or press <kbd>Ctrl</kbd>+<kbd>L</kbd> to clear the screen without starting a new conversation.24- Use `/clear` to wipe the terminal and start a fresh chat, or press <kbd>Ctrl</kbd>+<kbd>L</kbd> to clear the screen without starting a new conversation.

~~25- Use `/copy` to copy the latest completed Codex output. If a turn is still running, Codex copies the most recent finished output instead of in-progress text.~~25- Use `/copy` or press <kbd>Ctrl</kbd>+<kbd>O</kbd> to copy the latest completed Codex output. If a turn is still running, Codex copies the most recent finished output instead of in-progress text.

26- Press <kbd>Tab</kbd> while Codex is running to queue follow-up text, slash commands, or `!` shell commands for the next turn.

26- Navigate draft history in the composer with <kbd>Up</kbd>/<kbd>Down</kbd>; Codex restores prior draft text and image placeholders.27- Navigate draft history in the composer with <kbd>Up</kbd>/<kbd>Down</kbd>; Codex restores prior draft text and image placeholders.

28- Press <kbd>Ctrl</kbd>+<kbd>R</kbd> to search prompt history from the composer, then press <kbd>Enter</kbd> to accept a match or <kbd>Esc</kbd> to cancel.

27- Press <kbd>Ctrl</kbd>+<kbd>C</kbd> or use `/exit` to close the interactive session when you're done.29- Press <kbd>Ctrl</kbd>+<kbd>C</kbd> or use `/exit` to close the interactive session when you're done.

28 30

29## Resuming conversations31## Resuming conversations

105 107

106## Models and reasoning108## Models and reasoning

107 109

108For most tasks in Codex, `gpt-5.4` is the recommended model. It brings the110For most tasks in Codex, `gpt-5.5` is the recommended model when it is

109industry-leading coding capabilities of `gpt-5.3-codex` to OpenAI’s flagship111available. It is OpenAI's newest frontier model for complex coding, computer

110frontier model, combining frontier coding performance with stronger reasoning,112use, knowledge work, and research workflows, with stronger planning, tool use,

111native computer use, and broader professional workflows. For extra fast tasks,113and follow-through on multi-step tasks. If `gpt-5.5` is not yet available,

112ChatGPT Pro subscribers have access to the GPT-5.3-Codex-Spark model in114continue using `gpt-5.4`. For extra fast tasks, ChatGPT Pro subscribers have

113research preview.115access to the GPT-5.3-Codex-Spark model in research preview.

114 116

115Switch models mid-session with the `/model` command, or specify one when launching the CLI.117Switch models mid-session with the `/model` command, or specify one when launching the CLI.

116 118

117```bash119```bash

118codex --model gpt-5.4120codex --model gpt-5.5

119```121```

120 122

121[Learn more about the models available in Codex](https://developers.openai.com/codex/models).123[Learn more about the models available in Codex](https://developers.openai.com/codex/models).

160 162

161You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.163You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.

162 164

163Built-in image generation uses `gpt-image-1.5`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).165Built-in image generation uses `gpt-image-2`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).

164 166

165For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.167For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.

166 168

271## Tips and shortcuts273## Tips and shortcuts

272 274

273- Type `@` in the composer to open a fuzzy file search over the workspace root; press <kbd>Tab</kbd> or <kbd>Enter</kbd> to drop the highlighted path into your message.275- Type `@` in the composer to open a fuzzy file search over the workspace root; press <kbd>Tab</kbd> or <kbd>Enter</kbd> to drop the highlighted path into your message.

274- Press `Enter` while Codex is running to inject new instructions into the current turn, or press `Tab` to queue a follow-up prompt for the next turn.276- Press <kbd>Enter</kbd> while Codex is running to inject new instructions into the current turn, or press <kbd>Tab</kbd> to queue follow-up input for the next turn. Queued input can be a normal prompt, a slash command such as `/review`, or a `!` shell command. Codex parses queued slash commands when they run.

275- Prefix a line with `!` to run a local shell command (for example, `!ls`). Codex treats the output like a user-provided command result and still applies your approval and sandbox settings.277- Prefix a line with `!` to run a local shell command (for example, `!ls`). Codex treats the output like a user-provided command result and still applies your approval and sandbox settings.

276- Tap <kbd>Esc</kbd> twice while the composer is empty to edit your previous user message. Continue pressing <kbd>Esc</kbd> to walk further back in the transcript, then hit <kbd>Enter</kbd> to fork from that point.278- Tap <kbd>Esc</kbd> twice while the composer is empty to edit your previous user message. Continue pressing <kbd>Esc</kbd> to walk further back in the transcript, then hit <kbd>Enter</kbd> to fork from that point.

277- Launch Codex from any directory using `codex --cd <path>` to set the working root without running `cd` first. The active path appears in the TUI header.279- Launch Codex from any directory using `codex --cd <path>` to set the working root without running `cd` first. The active path appears in the TUI header.

cli/reference.md +66 −8

Details

262| Key | Maturity | Details |262| Key | Maturity | Details |

263| --- | --- | --- |263| --- | --- | --- |

264| [`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive) | Stable | Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments. |264| [`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive) | Stable | Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments. |

265| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS, optionally opening a specific workspace path. |265| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open. |

266| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging. |266| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging. |

267| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |267| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |

268| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |268| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |

277| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |277| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |

278| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |278| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |

279| [`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace) | Experimental | Add, upgrade, or remove plugin marketplaces from Git or local sources. |

279| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |280| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |

280| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS seatbelt or Linux bubblewrap sandboxes. |281| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS seatbelt or Linux bubblewrap sandboxes. |

281 282

301 302

302Details303Details

303 304

304Launch the Codex desktop app on macOS, optionally opening a specific workspace path.305Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open.

305 306

306Key307Key

307 308

461 462

462Key463Key

463 464

465[`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace)

466

467Maturity

468

469Experimental

470

471Details

472

473Add, upgrade, or remove plugin marketplaces from Git or local sources.

474

475Key

476

464[`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume)477[`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume)

465 478

466Maturity479Maturity

595 608

596### `codex app`609### `codex app`

597 610

598Launch Codex Desktop from the terminal on macOS and optionally open a specific workspace path.611Launch Codex Desktop from the terminal on macOS or Windows. On macOS, Codex can open a specific workspace path; on Windows, Codex prints the path to open.

599 612

600| Key | Type / Values | Details |613| Key | Type / Values | Details |

601| --- | --- | --- |614| --- | --- | --- |

602| `--download-url` | `url` | Advanced override for the Codex desktop DMG download URL used during install. |615| `--download-url` | `url` | Advanced override for the Codex desktop installer URL used during install. |

604 617

605Key618Key

606 619

612 625

613Details626Details

614 627

615Advanced override for the Codex desktop DMG download URL used during install.628Advanced override for the Codex desktop installer URL used during install.

616 629

617Key630Key

618 631

624 637

625Details638Details

626 639

627Workspace path to open in Codex Desktop (`codex app` is available on macOS only).640Workspace path for Codex Desktop. On macOS, Codex opens this path; on Windows, Codex prints the path.

628 641

629`codex app` installs/opens the desktop app on macOS, then opens the provided workspace path. This subcommand is macOS-only.642`codex app` opens an installed Codex Desktop app, or starts the installer when

643the app is missing. On macOS, Codex opens the provided workspace path; on

644Windows, it prints the path to open after installation.

630 645

631### `codex debug app-server send-message-v2`646### `codex debug app-server send-message-v2`

632 647

1381 1396

1382OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).1397OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).

1383 1398

1399### `codex plugin marketplace`

1400

1401Manage plugin marketplace sources that Codex can browse and install from.

1402

1403| Key | Type / Values | Details |

1404| --- | --- | --- |

1405| `add <source>` | `[--ref REF] [--sparse PATH]` | Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated. |

1406| `remove <marketplace-name>` | | Remove a configured plugin marketplace. |

1407| `upgrade [marketplace-name]` | | Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided. |

1408

1409Key

1410

1411`add <source>`

1412

1413Type / Values

1414

1415`[--ref REF] [--sparse PATH]`

1416

1417Details

1418

1419Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated.

1420

1421Key

1422

1423`remove <marketplace-name>`

1424

1425Details

1426

1427Remove a configured plugin marketplace.

1428

1429Key

1430

1431`upgrade [marketplace-name]`

1432

1433Details

1434

1435Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided.

1436

1437`codex plugin marketplace add` accepts GitHub shorthand such as `owner/repo` or

1438`owner/repo@ref`, HTTP or HTTPS Git URLs, SSH Git URLs, and local marketplace

1439root directories. Use `--ref` to pin a Git ref, and repeat `--sparse PATH` to

1440use a sparse checkout for Git-backed marketplace repositories.

1441

1384### `codex mcp-server`1442### `codex mcp-server`

1385 1443

1386Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.1444Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.

cli/slash-commands.md +14 −5

Details

16Codex ships with the following commands. Open the slash popup and start typing16Codex ships with the following commands. Open the slash popup and start typing

17the command name to filter the list.17the command name to filter the list.

18 18

19When a task is already running, you can type a slash command and press `Tab` to

20queue it for the next turn. Codex parses queued slash commands when they run, so

21command menus and errors appear after the current turn finishes. Slash

22completion still works before you queue the command.

20| ------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |25| ------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |

21| [`/permissions`](#update-permissions-with-permissions) | Set what Codex can do without asking first. | Relax or tighten approval requirements mid-session, such as switching between Auto and Read Only. |26| [`/permissions`](#update-permissions-with-permissions) | Set what Codex can do without asking first. | Relax or tighten approval requirements mid-session, such as switching between Auto and Read Only. |

25| [`/plugins`](#browse-plugins-with-plugins) | Browse installed and discoverable plugins. | Inspect plugin tools, install suggested plugins, or manage plugin availability. |30| [`/plugins`](#browse-plugins-with-plugins) | Browse installed and discoverable plugins. | Inspect plugin tools, install suggested plugins, or manage plugin availability. |

26| [`/clear`](#clear-the-terminal-and-start-a-new-chat-with-clear) | Clear the terminal and start a fresh chat. | Reset the visible UI and conversation together when you want a fresh start. |31| [`/clear`](#clear-the-terminal-and-start-a-new-chat-with-clear) | Clear the terminal and start a fresh chat. | Reset the visible UI and conversation together when you want a fresh start. |

27| [`/compact`](#keep-transcripts-lean-with-compact) | Summarize the visible conversation to free tokens. | Use after long runs so Codex retains key points without blowing the context window. |32| [`/compact`](#keep-transcripts-lean-with-compact) | Summarize the visible conversation to free tokens. | Use after long runs so Codex retains key points without blowing the context window. |

~~28| [`/copy`](#copy-the-latest-response-with-copy) | Copy the latest completed Codex output. | Grab the latest finished response or plan text without manually selecting it. |~~33| [`/copy`](#copy-the-latest-response-with-copy) | Copy the latest completed Codex output. | Grab the latest finished response or plan text without manually selecting it. You can also press `Ctrl+O`. |

37| [`/model`](#set-the-active-model-with-model) | Choose the active model (and reasoning effort, when available). | Switch between general-purpose models (`gpt-4.1-mini`) and deeper reasoning models before running a task. |42| [`/model`](#set-the-active-model-with-model) | Choose the active model (and reasoning effort, when available). | Switch between general-purpose models (`gpt-4.1-mini`) and deeper reasoning models before running a task. |

39| [`/plan`](#switch-to-plan-mode-with-plan) | Switch to plan mode and optionally send a prompt. | Ask Codex to propose an execution plan before implementation work starts. |44| [`/plan`](#switch-to-plan-mode-with-plan) | Switch to plan mode and optionally send a prompt. | Ask Codex to propose an execution plan before implementation work starts. |

40| [`/personality`](#set-a-communication-style-with-personality) | Choose a communication style for responses. | Make Codex more concise, more explanatory, or more collaborative without changing your instructions. |45| [`/personality`](#set-a-communication-style-with-personality) | Choose a communication style for responses. | Make Codex more concise, more explanatory, or more collaborative without changing your instructions. |

41| [`/ps`](#check-background-terminals-with-ps) | Show experimental background terminals and their recent output. | Check long-running commands without leaving the main transcript. |46| [`/ps`](#check-background-terminals-with-ps) | Show experimental background terminals and their recent output. | Check long-running commands without leaving the main transcript. |

138the in-progress response. The command is unavailable before the first completed143the in-progress response. The command is unavailable before the first completed

139Codex output and immediately after a rollback.144Codex output and immediately after a rollback.

140 145

146You can also press <kbd>Ctrl</kbd>+<kbd>O</kbd> from the main TUI to copy the

147latest completed response without opening the slash command menu.

148

141### Grant sandbox read access with `/sandbox-add-read-dir`149### Grant sandbox read access with `/sandbox-add-read-dir`

142 150

143This command is available only when running the CLI natively on Windows.151This command is available only when running the CLI natively on Windows.

295### Browse plugins with `/plugins`303### Browse plugins with `/plugins`

296 304

2971. Type `/plugins`.3051. Type `/plugins`.

2982. Pick a plugin from the list to inspect its capabilities or available actions.3062. Choose a marketplace tab, then pick a plugin to inspect its capabilities or available actions.

299 307

300Expected: Codex opens the plugin browser so you can review installed plugins and308Expected: Codex opens the plugin browser so you can review installed plugins,

301discoverable plugins that your configuration allows.309discoverable plugins that your configuration allows, and installed plugin state.

310Press <kbd>Space</kbd> on an installed plugin to toggle its enabled state.

302 311

303### Switch agent threads with `/agent`312### Switch agent threads with `/agent`

304 313

concepts/sandboxing.md +38 −1

Details

67 67

68Codex surfaces a startup warning when `bwrap` is missing or when the helper68Codex surfaces a startup warning when `bwrap` is missing or when the helper

69can't create the needed user namespace. On distributions that restrict this69can't create the needed user namespace. On distributions that restrict this

~~70AppArmor setting, you can enable it with:~~70AppArmor setting, prefer loading the `bwrap` AppArmor profile so `bwrap` can

71keep working without disabling the restriction globally.

73**Ubuntu AppArmor note:** On Ubuntu 25.04, installing `bubblewrap` from

74 Ubuntu's package repository should work without extra AppArmor setup. The

75 `bwrap-userns-restrict` profile ships in the `apparmor` package at

76 `/etc/apparmor.d/bwrap-userns-restrict`.

78On Ubuntu 24.04, Codex may still warn that it can't create the needed user

79namespace after `bubblewrap` is installed. Copy and load the extra profile:

81```bash

82sudo apt update

83sudo apt install apparmor-profiles apparmor-utils

84sudo install -m 0644 \

85 /usr/share/apparmor/extra-profiles/bwrap-userns-restrict \

86 /etc/apparmor.d/bwrap-userns-restrict

87sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict

88```

90`apparmor_parser -r` loads the profile into the kernel without a reboot. You

91can also reload all AppArmor profiles:

93```bash

94sudo systemctl reload apparmor.service

95```

97If that profile is unavailable or does not resolve the issue, you can disable

98the AppArmor unprivileged user namespace restriction with:

71 99

72```bash100```bash

73sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0101sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

131Managed network profiles use map tables such as159Managed network profiles use map tables such as

132`[permissions.<name>.network.domains]` and160`[permissions.<name>.network.domains]` and

133`[permissions.<name>.network.unix_sockets]` for domain and socket rules.161`[permissions.<name>.network.unix_sockets]` for domain and socket rules.

162Filesystem profiles can also deny reads for exact paths or glob patterns by

163setting matching entries to `"none"`; use this to keep files such as local

164secrets unreadable without turning off workspace writes.

134 165

135When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules166When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules

136let you allow, prompt, or forbid command prefixes outside the sandbox, which is167let you allow, prompt, or forbid command prefixes outside the sandbox, which is

139[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the170[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the

140IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).171IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).

141 172

173Automatic review, when available, doesn't change the sandbox boundary. It

174reviews approval requests, such as sandbox escalations or network access, while

175actions already allowed inside the sandbox run without extra review. See

176[Automatic approval reviews](https://developers.openai.com/codex/agent-approvals-security#automatic-approval-reviews)

177for the policy behavior.

178

142Platform details live in the platform-specific docs. For native Windows setup,179Platform details live in the platform-specific docs. For native Windows setup,

143behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin180behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin

144requirements and organization-level constraints on sandboxing and approvals, see181requirements and organization-level constraints on sandboxing and approvals, see

concepts/subagents.md +11 −9

Details

65 65

66If you don't pin a model or `model_reasoning_effort`, Codex can choose a setup66If you don't pin a model or `model_reasoning_effort`, Codex can choose a setup

67that balances intelligence, speed, and price for the task. It may favor67that balances intelligence, speed, and price for the task. It may favor

~~68`gpt-5.4-mini` for fast scans or a higher-effort `gpt-5.4`~~68`gpt-5.4-mini` for fast scans or a higher-effort `gpt-5.5` configuration for

~~69configuration for more demanding reasoning. When you want finer control, steer that~~69more demanding reasoning when that model is available. When you want finer

~~70choice in your prompt or set `model` and `model_reasoning_effort` directly in~~70control, steer that choice in your prompt or set `model` and

~~71the agent file.~~71`model_reasoning_effort` directly in the agent file.

72 72

~~73For most tasks in Codex, start with `gpt-5.4`. Use `gpt-5.4-mini` when you~~73For most tasks in Codex, start with `gpt-5.5` when it is available. Continue

~~74want a faster, lower-cost option for lighter subagent work. If you have~~74 using `gpt-5.4` during the rollout if `gpt-5.5` is not yet available. Use

~~75ChatGPT Pro and want near-instant text-only iteration, `gpt-5.3-codex-spark`~~75 `gpt-5.4-mini` when you want a faster, lower-cost option for lighter subagent

~~76remains available in research preview.~~76 work. If you have ChatGPT Pro and want near-instant text-only iteration,

77 `gpt-5.3-codex-spark` remains available in research preview.

77 78

78### Model choice79### Model choice

79 80

~~80- **`gpt-5.4`**: Start here for most agents. It combines strong coding, reasoning, tool use, and broader workflows. The main agent and agents that coordinate ambiguous or multi-step work fit here.~~81- **`gpt-5.5`**: Start here for demanding agents when it is available. It is strongest for ambiguous, multi-step work that needs planning, tool use, validation, and follow-through across a larger context.

82- **`gpt-5.4`**: Use this when `gpt-5.5` is not yet available or when a workflow is pinned to GPT-5.4. It combines strong coding, reasoning, tool use, and broader workflows.

81- **`gpt-5.4-mini`**: Use for agents that favor speed and efficiency over depth, such as exploration, read-heavy scans, large-file review, or processing supporting documents. It works well for parallel workers that return distilled results to the main agent.83- **`gpt-5.4-mini`**: Use for agents that favor speed and efficiency over depth, such as exploration, read-heavy scans, large-file review, or processing supporting documents. It works well for parallel workers that return distilled results to the main agent.

82- **`gpt-5.3-codex-spark`**: If you have ChatGPT Pro, use this research preview model for near-instant, text-only iteration when latency matters more than broader capability.84- **`gpt-5.3-codex-spark`**: If you have ChatGPT Pro, use this research preview model for near-instant, text-only iteration when latency matters more than broader capability.

83 85

config-advanced.md +165 −22

Details

84 84

85In addition to your user config, Codex reads project-scoped overrides from `.codex/config.toml` files inside your repo. Codex walks from the project root to your current working directory and loads every `.codex/config.toml` it finds. If multiple files define the same key, the closest file to your working directory wins.85In addition to your user config, Codex reads project-scoped overrides from `.codex/config.toml` files inside your repo. Codex walks from the project root to your current working directory and loads every `.codex/config.toml` it finds. If multiple files define the same key, the closest file to your working directory wins.

86 86

~~87For security, Codex loads project-scoped config files only when the project is trusted. If the project is untrusted, Codex ignores `.codex/config.toml` files in the project.~~87For security, Codex loads project-scoped config files only when the project is trusted. If the project is untrusted, Codex ignores project `.codex/` layers, including `.codex/config.toml`, project-local hooks, and project-local rules. User and system layers remain separate and still load.

88 88

89Relative paths inside a project config (for example, `model_instructions_file`) are resolved relative to the `.codex/` folder that contains the `config.toml`.89Relative paths inside a project config (for example, `model_instructions_file`) are resolved relative to the `.codex/` folder that contains the `config.toml`.

90 90

91## Hooks (experimental)91## Hooks (experimental)

92 92

~~93Codex can also load lifecycle hooks from `hooks.json` files that sit next to~~93Codex can also load lifecycle hooks from either `hooks.json` files or inline

~~94active config layers.~~94`[hooks]` tables in `config.toml` files that sit next to active config layers.

95 95

96In practice, the two most useful locations are:96In practice, the two most useful locations are:

97 97

98- `~/.codex/hooks.json`98- `~/.codex/hooks.json`

99- `~/.codex/config.toml`

99- `<repo>/.codex/hooks.json`100- `<repo>/.codex/hooks.json`

101- `<repo>/.codex/config.toml`

102

103Project-local hooks load only when the project `.codex/` layer is trusted.

104User-level hooks remain independent of project trust.

100 105

101Turn hooks on with:106Turn hooks on with:

102 107

105codex_hooks = true110codex_hooks = true

106```111```

107 112

113Inline TOML hooks use the same event structure as `hooks.json`:

114

115```toml

116[[hooks.PreToolUse]]

117matcher = "^Bash$"

118

119[[hooks.PreToolUse.hooks]]

120type = "command"

121command = '/usr/bin/python3 "$(git rev-parse --show-toplevel)/.codex/hooks/pre_tool_use_policy.py"'

122timeout = 30

123statusMessage = "Checking Bash command"

124```

125

126If a single layer contains both `hooks.json` and inline `[hooks]`, Codex loads

127both and warns. Prefer one representation per layer.

128

108For the current event list, input fields, output behavior, and limitations, see129For the current event list, input fields, output behavior, and limitations, see

109[Hooks](https://developers.openai.com/codex/hooks).130[Hooks](https://developers.openai.com/codex/hooks).

110 131

230 251

231You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.252You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.

232 253

233```254Set `approvals_reviewer = "auto_review"` to route eligible interactive approval

255requests through automatic review. This changes the reviewer, not the sandbox

256boundary.

257

258Use `[auto_review].policy` for local reviewer policy instructions. Managed

259`guardian_policy_config` takes precedence.

260

261```toml

234approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }262approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }

263approvals_reviewer = "user" # Or "auto_review" for automatic review

235sandbox_mode = "workspace-write"264sandbox_mode = "workspace-write"

236allow_login_shell = false # Optional hardening: disallow login shells for shell tools265allow_login_shell = false # Optional hardening: disallow login shells for shell tools

237 266

249exclude_slash_tmp = false # Allow /tmp278exclude_slash_tmp = false # Allow /tmp

250writable_roots = ["/Users/YOU/.pyenv/shims"]279writable_roots = ["/Users/YOU/.pyenv/shims"]

251network_access = false # Opt in to outbound network280network_access = false # Opt in to outbound network

281

282[auto_review]

283policy = """

284Use your organization's automatic review policy.

285"""

252```286```

253 287

254Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).288Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).

370 404

371#### Metrics catalog405#### Metrics catalog

372 406

373Each metric includes the required fields plus the default context fields above. Every metric is prefixed by `codex.`.407Each metric includes the required fields plus the default context fields above. Metric names below omit the `codex.` prefix.

408Most metric names are centralized in `codex-rs/otel/src/metrics/names.rs`; feature-specific metrics emitted outside that file are included here too.

374If a metric includes the `tool` field, it reflects the internal tool used (for example, `apply_patch` or `shell`) and doesn't contain the actual shell command or patch `codex` is trying to apply.409If a metric includes the `tool` field, it reflects the internal tool used (for example, `apply_patch` or `shell`) and doesn't contain the actual shell command or patch `codex` is trying to apply.

375 410

411#### Runtime and model transport

412

414| --- | --- | --- | --- |

438

439The `cloud_requirements.fetch_attempt` metric includes `trigger`, `attempt`, `outcome`, and `status_code` fields. The `cloud_requirements.fetch_final` metric includes `trigger`, `outcome`, `reason`, `attempt_count`, and `status_code` fields.

440

441#### Turn and tool activity

442

444| --- | --- | --- | --- |

463

464The `mcp.call` and `mcp.call.duration_ms` metrics include `status`; normal tool-call emissions also include `tool`, plus `connector_id` and `connector_name` when available. Blocked Codex Apps MCP calls may emit `mcp.call` with only `status`.

465

466#### Threads, tasks, and features

467

377| --- | --- | --- | --- |469| --- | --- | --- | --- |

493

494The `shell_snapshot` metric includes `success` and, on failures, `failure_reason`.

495

496#### Memory and local state

497

499| --- | --- | --- | --- |

515The `external_agent_config.detect` and `external_agent_config.import` metrics include `migration_type`; skills migrations also include `skills_count`.

516

517#### Windows sandbox

518

520| --- | --- | --- | --- |

539

540The elevated setup failure metrics include `code` and `message` when Windows setup failure details are available, and may include `originator` when emitted from the shared setup path. The `windows_sandbox.legacy_setup_preflight_failed` metric includes `originator` when emitted from the shared setup path, but fallback-prompt preflight failures may not include any fields.

402 541

403### Feedback controls542### Feedback controls

404 543

476- `notify` runs an external program (good for webhooks, desktop notifiers, CI hooks).615- `notify` runs an external program (good for webhooks, desktop notifiers, CI hooks).

477- `tui.notifications` is built in to the TUI and can optionally filter by event type (for example, `agent-turn-complete` and `approval-requested`).616- `tui.notifications` is built in to the TUI and can optionally filter by event type (for example, `agent-turn-complete` and `approval-requested`).

478- `tui.notification_method` controls how the TUI emits terminal notifications (`auto`, `osc9`, or `bel`).617- `tui.notification_method` controls how the TUI emits terminal notifications (`auto`, `osc9`, or `bel`).

618- `tui.notification_condition` controls whether TUI notifications fire only when

619 the terminal is `unfocused` or `always`.

479 620

480In `auto` mode, Codex prefers OSC 9 notifications (a terminal escape sequence some terminals interpret as a desktop notification) and falls back to BEL (`\x07`) otherwise.621In `auto` mode, Codex prefers OSC 9 notifications (a terminal escape sequence some terminals interpret as a desktop notification) and falls back to BEL (`\x07`) otherwise.

481 622

522 663

523- `tui.notifications`: enable/disable notifications (or restrict to specific types)664- `tui.notifications`: enable/disable notifications (or restrict to specific types)

524- `tui.notification_method`: choose `auto`, `osc9`, or `bel` for terminal notifications665- `tui.notification_method`: choose `auto`, `osc9`, or `bel` for terminal notifications

666- `tui.notification_condition`: choose `unfocused` or `always` for when

667 notifications fire

525- `tui.animations`: enable/disable ASCII animations and shimmer effects668- `tui.animations`: enable/disable ASCII animations and shimmer effects

526- `tui.alternate_screen`: control alternate screen usage (set to `never` to keep terminal scrollback)669- `tui.alternate_screen`: control alternate screen usage (set to `never` to keep terminal scrollback)

527- `tui.show_tooltips`: show or hide onboarding tooltips on the welcome screen670- `tui.show_tooltips`: show or hide onboarding tooltips on the welcome screen

config-basic.md +4 −5

Details

1# Config basics1# Config basics

2 2

3Codex reads configuration details from more than one location. Your personal defaults live in `~/.codex/config.toml`, and you can add project overrides with `.codex/config.toml` files. For security, Codex loads project config files only when you trust the project.3Codex reads configuration details from more than one location. Your personal defaults live in `~/.codex/config.toml`, and you can add project overrides with `.codex/config.toml` files. For security, Codex loads project `.codex/` layers only when you trust the project.

4 4

5## Codex configuration file5## Codex configuration file

6 6

27 27

28Use that precedence to set shared defaults at the top level and keep profiles focused on the values that differ.28Use that precedence to set shared defaults at the top level and keep profiles focused on the values that differ.

29 29

~~30If you mark a project as untrusted, Codex skips project-scoped `.codex/` layers (including `.codex/config.toml`) and falls back to user, system, and built-in defaults.~~30If you mark a project as untrusted, Codex skips project-scoped `.codex/` layers, including project-local config, hooks, and rules. User and system config still load, including user/global hooks and rules.

31 31

32For one-off overrides via `-c`/`--config` (including TOML quoting rules), see [Advanced Config](https://developers.openai.com/codex/config-advanced#one-off-overrides-from-the-cli).32For one-off overrides via `-c`/`--config` (including TOML quoting rules), see [Advanced Config](https://developers.openai.com/codex/config-advanced#one-off-overrides-from-the-cli).

33 33

46Choose the model Codex uses by default in the CLI and IDE.46Choose the model Codex uses by default in the CLI and IDE.

47 47

48```toml48```toml

~~49model = "gpt-5.4"~~49model = "gpt-5.5"

50```50```

51 51

52#### Approval prompts52#### Approval prompts

148| Key | Default | Maturity | Description |148| Key | Default | Maturity | Description |

149| -------------------- | :-------------------: | ------------ | ---------------------------------------------------------------------------------------- |149| -------------------- | :-------------------: | ------------ | ---------------------------------------------------------------------------------------- |

config-reference.md +282 −48

Details

27| `approvals_reviewer` | `user | guardian_subagent` | Select who reviews eligible approval prompts. Defaults to `user`; `guardian_subagent` routes supported reviews through the Guardian reviewer subagent. |27| `approvals_reviewer` | `user | auto_review` | Who reviews eligible approval prompts under `on-request` or granular approval policies. Defaults to `user`; `auto_review` uses the reviewer subagent. This setting doesn't change sandboxing or review actions already allowed inside the sandbox. |

38| `auto_review.policy` | `string` | Local Markdown policy instructions for automatic review. Managed `guardian_policy_config` takes precedence. Blank values are ignored. |

38| `background_terminal_max_timeout` | `number` | Maximum poll window in milliseconds for empty `write_stdin` polls (background terminal polling). Default: `300000` (5 minutes). Replaces the older `background_terminal_timeout` key. |39| `background_terminal_max_timeout` | `number` | Maximum poll window in milliseconds for empty `write_stdin` polls (background terminal polling). Default: `300000` (5 minutes). Replaces the older `background_terminal_timeout` key. |

53| `features.guardian_approval` | `boolean` | Route eligible approval requests through the guardian reviewer subagent (experimental; off by default). Use with `approvals_reviewer = "guardian_subagent"`. |

73| `hooks` | `table` | Lifecycle hooks configured inline in `config.toml`. Uses the same event schema as `hooks.json`; see the Hooks guide for examples and supported events. |

~~87| `mcp_servers.<id>.env_vars` | `array<string>` | Additional environment variables to whitelist for an MCP stdio server. |~~88| `mcp_servers.<id>.env_vars` | `array<string | { name = string, source = "local" | "remote" }>` | Additional environment variables to whitelist for an MCP stdio server. String entries default to `source = "local"`; use `source = "remote"` only with executor-backed remote stdio. |

89| `mcp_servers.<id>.experimental_environment` | `local | remote` | Experimental placement for an MCP server. `remote` starts stdio servers through a remote executor environment; streamable HTTP remote placement is not implemented. |

99| `memories.disable_on_external_context` | `boolean` | When `true`, threads that use external context such as MCP tool calls, web search, or tool search are kept out of memory generation. Defaults to `false`. Legacy alias: `memories.no_memories_if_mcp_or_web_search`. |

102| `memories.max_unused_days` | `number` | Maximum days since a memory was last used before it becomes ineligible for consolidation. Defaults to `30` and is clamped to `0`-`365`. |105| `memories.max_unused_days` | `number` | Maximum days since a memory was last used before it becomes ineligible for consolidation. Defaults to `30` and is clamped to `0`-`365`. |

104| `memories.no_memories_if_mcp_or_web_search` | `boolean` | When `true`, threads that use MCP tool calls or web search are kept out of memory generation. Defaults to `false`. |

108| `model_catalog_json` | `string (path)` | Optional path to a JSON model catalog loaded on startup. Profile-level `profiles.<name>.model_catalog_json` can override this per profile. |110| `model_catalog_json` | `string (path)` | Optional path to a JSON model catalog loaded on startup. Profile-level `profiles.<name>.model_catalog_json` can override this per profile. |

163| `permissions.<name>.filesystem` | `table` | Named filesystem permission profile. Each key is an absolute path or special token such as `:minimal` or `:project_roots`. |165| `permissions.<name>.filesystem` | `table` | Named filesystem permission profile. Each key is an absolute path or special token such as `:minimal` or `:project_roots`. |

164| `permissions.<name>.filesystem.":project_roots".<subpath>` | `"read" | "write" | "none"` | Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself. |166| `permissions.<name>.filesystem.":project_roots".<subpath-or-glob>` | `"read" | "write" | "none"` | Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself; glob subpaths such as `"**/*.env"` can deny reads with `"none"`. |

168| `permissions.<name>.filesystem.glob_scan_max_depth` | `number` | Maximum depth for expanding deny-read glob patterns on platforms that snapshot matches before sandbox startup. Must be at least `1` when set. |

228| `tui.notification_method` | `auto | osc9 | bel` | Notification method for terminal notifications (default: auto). |

406 410

407Type / Values411Type / Values

408 412

409`user | guardian_subagent`413`user | auto_review`

410 414

411Details415Details

412 416

413Select who reviews eligible approval prompts. Defaults to `user`; `guardian_subagent` routes supported reviews through the Guardian reviewer subagent.417Who reviews eligible approval prompts under `on-request` or granular approval policies. Defaults to `user`; `auto_review` uses the reviewer subagent. This setting doesn't change sandboxing or review actions already allowed inside the sandbox.

414 418

415Key419Key

416 420

534 538

535Key539Key

536 540

541`auto_review.policy`

542

543Type / Values

544

545`string`

546

547Details

548

549Local Markdown policy instructions for automatic review. Managed `guardian_policy_config` takes precedence. Blank values are ignored.

550

551Key

552

537`background_terminal_max_timeout`553`background_terminal_max_timeout`

538 554

539Type / Values555Type / Values

686 702

687Details703Details

688 704

689Enable lifecycle hooks loaded from `hooks.json` (under development; off by default).705Enable lifecycle hooks loaded from `hooks.json` or inline `[hooks]` config.

690 706

691Key707Key

692 708

714 730

715Key731Key

716 732

717`features.guardian_approval`

~~718~~

719Type / Values

~~720~~

721`boolean`

~~722~~

723Details

~~724~~

725Route eligible approval requests through the guardian reviewer subagent (experimental; off by default). Use with `approvals_reviewer = "guardian_subagent"`.

~~726~~

727Key

~~728~~

729`features.memories`733`features.memories`

730 734

731Type / Values735Type / Values

954 958

955Key959Key

956 960

961`hooks`

962

963Type / Values

964

965`table`

966

967Details

968

969Lifecycle hooks configured inline in `config.toml`. Uses the same event schema as `hooks.json`; see the Hooks guide for examples and supported events.

970

971Key

972

957`instructions`973`instructions`

958 974

959Type / Values975Type / Values

1126 1142

1127Type / Values1143Type / Values

1128 1144

1129`array<string>`1145`array<string | { name = string, source = "local" | "remote" }>`

1146

1147Details

1148

1149Additional environment variables to whitelist for an MCP stdio server. String entries default to `source = "local"`; use `source = "remote"` only with executor-backed remote stdio.

1150

1151Key

1152

1153`mcp_servers.<id>.experimental_environment`

1154

1155Type / Values

1156

1157`local | remote`

1130 1158

1131Details1159Details

1132 1160

1133Additional environment variables to whitelist for an MCP stdio server.1161Experimental placement for an MCP server. `remote` starts stdio servers through a remote executor environment; streamable HTTP remote placement is not implemented.

1134 1162

1135Key1163Key

1136 1164

1242 1270

1243Key1271Key

1244 1272

1273`memories.disable_on_external_context`

1274

1275Type / Values

1276

1277`boolean`

1278

1279Details

1280

1281When `true`, threads that use external context such as MCP tool calls, web search, or tool search are kept out of memory generation. Defaults to `false`. Legacy alias: `memories.no_memories_if_mcp_or_web_search`.

1282

1283Key

1284

1245`memories.extract_model`1285`memories.extract_model`

1246 1286

1247Type / Values1287Type / Values

1326 1366

1327Key1367Key

1328 1368

1329`memories.no_memories_if_mcp_or_web_search`

~~1330~~

1331Type / Values

~~1332~~

1333`boolean`

~~1334~~

1335Details

~~1336~~

1337When `true`, threads that use MCP tool calls or web search are kept out of memory generation. Defaults to `false`.

~~1338~~

1339Key

~~1340~~

1341`memories.use_memories`1369`memories.use_memories`

1342 1370

1343Type / Values1371Type / Values

1358 1386

1359Details1387Details

1360 1388

1361Model to use (e.g., `gpt-5.4`).1389Model to use (e.g., `gpt-5.5`).

1362 1390

1363Key1391Key

1364 1392

2046 2074

2047Key2075Key

2048 2076

2049`permissions.<name>.filesystem.":project_roots".<subpath>`2077`permissions.<name>.filesystem.":project_roots".<subpath-or-glob>`

2050 2078

2051Type / Values2079Type / Values

2052 2080

2054 2082

2055Details2083Details

2056 2084

2057Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself.2085Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself; glob subpaths such as `"**/*.env"` can deny reads with `"none"`.

2058 2086

2059Key2087Key

2060 2088

2061`permissions.<name>.filesystem.<path>`2089`permissions.<name>.filesystem.<path-or-glob>`

2062 2090

2063Type / Values2091Type / Values

2064 2092

2066 2094

2067Details2095Details

2068 2096

2069Grant direct access for a path or special token, or scope nested entries under that root.2097Grant direct access for a path, glob pattern, or special token, or scope nested entries under that root. Use `"none"` to deny reads for matching paths.

2098

2099Key

2100

2101`permissions.<name>.filesystem.glob_scan_max_depth`

2102

2103Type / Values

2104

2105`number`

2106

2107Details

2108

2109Maximum depth for expanding deny-read glob patterns on platforms that snapshot matches before sandbox startup. Must be at least `1` when set.

2070 2110

2071Key2111Key

2072 2112

2438 2478

2439Details2479Details

2440 2480

2441Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers.2481Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers, including project-local config, hooks, and rules.

2442 2482

2443Key2483Key

2444 2484

2766 2806

2767Key2807Key

2768 2808

2809`tui.notification_condition`

2810

2811Type / Values

2812

2813`unfocused | always`

2814

2815Details

2816

2817Control whether TUI notifications fire only when the terminal is unfocused or regardless of focus. Defaults to `unfocused`.

2818

2819Key

2820

2769`tui.notification_method`2821`tui.notification_method`

2770 2822

2771Type / Values2823Type / Values

2774 2826

2775Details2827Details

2776 2828

2777Notification method for unfocused terminal notifications (default: auto).2829Notification method for terminal notifications (default: auto).

2778 2830

2779Key2831Key

2780 2832

2909| Key | Type / Values | Details |2961| Key | Type / Values | Details |

2910| --- | --- | --- |2962| --- | --- | --- |

2914| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |2966| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |

2967| `feature_requirements` | `table` | Alias for `features` in `requirements.toml`. Use it to pin feature values by canonical feature key. |

2968| `feature_requirements.browser_use` | `boolean` | Set to `false` in `requirements.toml` to disable Browser Use and Browser Agent availability. You can also set `features.browser_use`. |

2969| `feature_requirements.computer_use` | `boolean` | Set to `false` in `requirements.toml` to disable Computer Use availability and related install or enablement flows. You can also set `features.computer_use`. |

2970| `feature_requirements.in_app_browser` | `boolean` | Set to `false` in `requirements.toml` to disable the in-app browser pane. You can also set `features.in_app_browser`. |

2973| `guardian_policy_config` | `string` | Managed Markdown policy instructions for automatic review. This takes precedence over local `[auto_review].policy`. Blank values are ignored. |

2974| `hooks` | `table` | Admin-enforced managed lifecycle hooks. Requires a managed hook directory and uses the same event schema as inline `[hooks]` in `config.toml`. |

2975| `hooks.<Event>` | `array<table>` | Matcher groups for a hook event such as `PreToolUse`, `PostToolUse`, `PermissionRequest`, `SessionStart`, `UserPromptSubmit`, or `Stop`. |

2976| `hooks.<Event>[].hooks` | `array<table>` | Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped. |

2977| `hooks.managed_dir` | `string (absolute path)` | Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks. |

2978| `hooks.windows_managed_dir` | `string (absolute path)` | Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks. |

2917| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |2979| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |

2983| `permissions.filesystem.deny_read` | `array<string>` | Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config. |

2984| `remote_sandbox_config` | `array<table>` | Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only. |

2985| `remote_sandbox_config[].allowed_sandbox_modes` | `array<string>` | Allowed sandbox modes to apply when this host-specific entry matches. |

2986| `remote_sandbox_config[].hostname_patterns` | `array<string>` | Case-insensitive host name patterns. Supports `*` for any sequence of characters and `?` for one character. |

2948 3014

2949Details3015Details

2950 3016

2951Allowed values for `approvals_reviewer` (for example `user` and `guardian_subagent`).3017Allowed values for `approvals_reviewer`, such as `user` and `auto_review`.

2952 3018

2953Key3019Key

2954 3020

2976 3042

2977Key3043Key

2978 3044

3045`feature_requirements`

3046

3047Type / Values

3048

3049`table`

3050

3051Details

3052

3053Alias for `features` in `requirements.toml`. Use it to pin feature values by canonical feature key.

3054

3055Key

3056

3057`feature_requirements.browser_use`

3058

3059Type / Values

3060

3061`boolean`

3062

3063Details

3064

3065Set to `false` in `requirements.toml` to disable Browser Use and Browser Agent availability. You can also set `features.browser_use`.

3066

3067Key

3068

3069`feature_requirements.computer_use`

3070

3071Type / Values

3072

3073`boolean`

3074

3075Details

3076

3077Set to `false` in `requirements.toml` to disable Computer Use availability and related install or enablement flows. You can also set `features.computer_use`.

3078

3079Key

3080

3081`feature_requirements.in_app_browser`

3082

3083Type / Values

3084

3085`boolean`

3086

3087Details

3088

3089Set to `false` in `requirements.toml` to disable the in-app browser pane. You can also set `features.in_app_browser`.

3090

3091Key

3092

2979`features`3093`features`

2980 3094

2981Type / Values3095Type / Values

3000 3114

3001Key3115Key

3002 3116

3117`guardian_policy_config`

3118

3119Type / Values

3120

3121`string`

3122

3123Details

3124

3125Managed Markdown policy instructions for automatic review. This takes precedence over local `[auto_review].policy`. Blank values are ignored.

3126

3127Key

3128

3129`hooks`

3130

3131Type / Values

3132

3133`table`

3134

3135Details

3136

3137Admin-enforced managed lifecycle hooks. Requires a managed hook directory and uses the same event schema as inline `[hooks]` in `config.toml`.

3138

3139Key

3140

3141`hooks.<Event>`

3142

3143Type / Values

3144

3145`array<table>`

3146

3147Details

3148

3149Matcher groups for a hook event such as `PreToolUse`, `PostToolUse`, `PermissionRequest`, `SessionStart`, `UserPromptSubmit`, or `Stop`.

3150

3151Key

3152

3153`hooks.<Event>[].hooks`

3154

3155Type / Values

3156

3157`array<table>`

3158

3159Details

3160

3161Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped.

3162

3163Key

3164

3165`hooks.managed_dir`

3166

3167Type / Values

3168

3169`string (absolute path)`

3170

3171Details

3172

3173Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks.

3174

3175Key

3176

3177`hooks.windows_managed_dir`

3178

3179Type / Values

3180

3181`string (absolute path)`

3182

3183Details

3184

3185Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks.

3186

3187Key

3188

3003`mcp_servers`3189`mcp_servers`

3004 3190

3005Type / Values3191Type / Values

3048 3234

3049Key3235Key

3050 3236

3237`permissions.filesystem.deny_read`

3238

3239Type / Values

3240

3241`array<string>`

3242

3243Details

3244

3245Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config.

3246

3247Key

3248

3249`remote_sandbox_config`

3250

3251Type / Values

3252

3253`array<table>`

3254

3255Details

3256

3257Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only.

3258

3259Key

3260

3261`remote_sandbox_config[].allowed_sandbox_modes`

3262

3263Type / Values

3264

3265`array<string>`

3266

3267Details

3268

3269Allowed sandbox modes to apply when this host-specific entry matches.

3270

3271Key

3272

3273`remote_sandbox_config[].hostname_patterns`

3274

3275Type / Values

3276

3277`array<string>`

3278

3279Details

3280

3281Case-insensitive host name patterns. Supports `*` for any sequence of characters and `?` for one character.

3282

3283Key

3284

3051`rules`3285`rules`

3052 3286

3053Type / Values3287Type / Values

config-sample.md +42 −6

Details

27# Core Model Selection27# Core Model Selection

28################################################################################28################################################################################

29 29

~~30# Primary model used by Codex. Recommended example for most users: "gpt-5.4".~~30# Primary model used by Codex. Recommended example for most users: "gpt-5.5".

~~31model = "gpt-5.4"~~31model = "gpt-5.5"

32 32

33# Communication style for supported models. Allowed values: none | friendly | pragmatic33# Communication style for supported models. Allowed values: none | friendly | pragmatic

34# personality = "pragmatic"34# personality = "pragmatic"

35 35

36# Optional model override for /review. Default: unset (uses current session model).36# Optional model override for /review. Default: unset (uses current session model).

~~37# review_model = "gpt-5.4"~~37# review_model = "gpt-5.5"

38 38

39# Provider id selected from [model_providers]. Default: "openai".39# Provider id selected from [model_providers]. Default: "openai".

40model_provider = "openai"40model_provider = "openai"

109# - never: never prompt (risky)109# - never: never prompt (risky)

110# - { granular = { ... } }: allow or auto-reject selected prompt categories110# - { granular = { ... } }: allow or auto-reject selected prompt categories

111approval_policy = "on-request"111approval_policy = "on-request"

112# Who reviews eligible approval prompts: user (default) | guardian_subagent112# Who reviews eligible approval prompts: user (default) | auto_review

113# approvals_reviewer = "user"113# approvals_reviewer = "user"

114 114

115# Example granular policy:115# Example granular policy:

133# Named permissions profile to apply by default. Required before using [permissions.<name>].133# Named permissions profile to apply by default. Required before using [permissions.<name>].

134# default_permissions = "workspace"134# default_permissions = "workspace"

135 135

136# Example filesystem profile. Use `"none"` to deny reads for exact paths or

137# glob patterns. On platforms that need pre-expanded glob matches, set

138# glob_scan_max_depth when using unbounded patterns such as `**`.

139# [permissions.workspace.filesystem]

140# glob_scan_max_depth = 3

141# ":project_roots" = { "." = "write", "**/*.env" = "none" }

142# "/absolute/path/to/secrets" = "none"

143

136################################################################################144################################################################################

137# Authentication & Login145# Authentication & Login

138################################################################################146################################################################################

323# Notification mechanism for terminal alerts: auto | osc9 | bel. Default: "auto"331# Notification mechanism for terminal alerts: auto | osc9 | bel. Default: "auto"

324# notification_method = "auto"332# notification_method = "auto"

325 333

334# When notifications fire: unfocused (default) | always

335# notification_condition = "unfocused"

336

326# Enables welcome/status/spinner animations. Default: true337# Enables welcome/status/spinner animations. Default: true

327animations = true338animations = true

328 339

382# multi_agent = true393# multi_agent = true

383# personality = true394# personality = true

384# fast_mode = true395# fast_mode = true

385# guardian_approval = false

386# enable_request_compression = true396# enable_request_compression = true

387# skill_mcp_dependency_install = true397# skill_mcp_dependency_install = true

388# prevent_idle_sleep = false398# prevent_idle_sleep = false

389 399

400################################################################################

401# Memories (table)

402################################################################################

403

404# Enable memories with [features].memories, then tune memory behavior here.

405# [memories]

406# generate_memories = true

407# use_memories = true

408# disable_on_external_context = false # legacy alias: no_memories_if_mcp_or_web_search

409

410################################################################################

411# Lifecycle hooks can be configured here inline or in a sibling hooks.json.

412################################################################################

413

414# [hooks]

415# [[hooks.PreToolUse]]

416# matcher = "^Bash$"

417#

418# [[hooks.PreToolUse.hooks]]

419# type = "command"

420# command = 'python3 "/absolute/path/to/pre_tool_use_policy.py"'

421# timeout = 30

422# statusMessage = "Checking Bash command"

423

390################################################################################424################################################################################

391# Define MCP servers under this table. Leave empty to disable.425# Define MCP servers under this table. Leave empty to disable.

392################################################################################426################################################################################

400# command = "docs-server" # required434# command = "docs-server" # required

401# args = ["--port", "4000"] # optional435# args = ["--port", "4000"] # optional

402# env = { "API_KEY" = "value" } # optional key/value pairs copied as-is436# env = { "API_KEY" = "value" } # optional key/value pairs copied as-is

403# env_vars = ["ANOTHER_SECRET"] # optional: forward these from the parent env437# env_vars = ["ANOTHER_SECRET"] # optional: forward local parent env vars

438# env_vars = ["LOCAL_TOKEN", { name = "REMOTE_TOKEN", source = "remote" }]

404# cwd = "/path/to/server" # optional working directory override439# cwd = "/path/to/server" # optional working directory override

440# experimental_environment = "remote" # experimental: run stdio via a remote executor

405# startup_timeout_sec = 10.0 # optional; default 10.0 seconds441# startup_timeout_sec = 10.0 # optional; default 10.0 seconds

406# # startup_timeout_ms = 10000 # optional alias for startup timeout (milliseconds)442# # startup_timeout_ms = 10000 # optional alias for startup timeout (milliseconds)

407# tool_timeout_sec = 60.0 # optional; default 60.0 seconds443# tool_timeout_sec = 60.0 # optional; default 60.0 seconds

enterprise/admin-setup.md +1 −1

Details

139 139

140Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).140Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).

141 141

142Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules.142Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Disable Codex feature surfaces](https://developers.openai.com/codex/enterprise/managed-configuration#disable-codex-feature-surfaces).

143 143

144![Codex policies and configurations page](/images/codex/enterprise/policies_and_configurations_page.png)144![Codex policies and configurations page](/images/codex/enterprise/policies_and_configurations_page.png)

145 145

enterprise/managed-configuration.md +127 −2

Details

7 7

8## Admin-enforced requirements (requirements.toml)8## Admin-enforced requirements (requirements.toml)

9 9

10Requirements constrain security-sensitive settings (approval policy, sandbox mode, web search mode, and optionally which MCP servers users can enable). When resolving configuration (for example from `config.toml`, profiles, or CLI config overrides), if a value conflicts with an enforced rule, Codex falls back to a compatible value and notifies the user. If you configure an `mcp_servers` allowlist, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.10Requirements constrain security-sensitive settings (approval policy, approvals reviewer, automatic review policy, sandbox mode, web search mode, managed hooks, and optionally which MCP servers users can enable). When resolving configuration (for example from `config.toml`, profiles, or CLI config overrides), if a value conflicts with an enforced rule, Codex falls back to a compatible value and notifies the user. If you configure an `mcp_servers` allowlist, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.

11 11

12Requirements can also constrain [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags) via the `[features]` table in `requirements.toml`. Note that features aren't always security-sensitive, but enterprises can pin values if desired. Omitted keys remain unconstrained.12Requirements can also constrain [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags) via the `[features]` table in `requirements.toml`. Note that features aren't always security-sensitive, but enterprises can pin values if desired. Omitted keys remain unconstrained.

13 13

19 19

201. Cloud-managed requirements (ChatGPT Business or Enterprise)201. Cloud-managed requirements (ChatGPT Business or Enterprise)

212. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`212. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`

~~223. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS)~~223. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS, or `%ProgramData%\OpenAI\Codex\requirements.toml` on Windows)

23 23

24Across layers, Codex merges requirements per field: if an earlier layer sets a field (including an empty list), later layers don't override that field, but lower layers can still fill fields that remain unset.24Across layers, Codex merges requirements per field: if an earlier layer sets a field (including an empty list), later layers don't override that field, but lower layers can still fill fields that remain unset.

25 25

72allowed_sandbox_modes = ["read-only", "workspace-write"]72allowed_sandbox_modes = ["read-only", "workspace-write"]

73```73```

74 74

75### Override sandbox requirements by host

77Use `[[remote_sandbox_config]]` when one managed policy should apply different

78sandbox requirements on different hosts. For example, you can keep a stricter

79default for laptops while allowing workspace writes on matching devboxes or CI

80runners. Host-specific entries currently override `allowed_sandbox_modes` only:

82```toml

83allowed_sandbox_modes = ["read-only"]

85[[remote_sandbox_config]]

86hostname_patterns = ["*.devbox.example.com", "runner-??.ci.example.com"]

87allowed_sandbox_modes = ["read-only", "workspace-write"]

88```

90Codex compares each `hostname_patterns` entry against the best-effort resolved

91host name. It prefers the fully qualified domain name when available and falls

92back to the local host name. Matching is case-insensitive; `*` matches any

93sequence of characters, and `?` matches one character.

95The first matching `[[remote_sandbox_config]]` entry wins within the same

96requirements source. If no entry matches, Codex keeps the top-level

97`allowed_sandbox_modes`. Hostname matching is for policy selection only; don't

98treat it as authenticated device proof.

75You can also constrain web search mode:100You can also constrain web search mode:

76 101

77```toml102```toml

91 116

92Use the canonical feature keys from `config.toml`'s `[features]` table. Codex normalizes the resulting feature set to meet these pins and rejects conflicting writes to `config.toml` or profile-scoped feature settings.117Use the canonical feature keys from `config.toml`'s `[features]` table. Codex normalizes the resulting feature set to meet these pins and rejects conflicting writes to `config.toml` or profile-scoped feature settings.

93 118

119### Disable Codex feature surfaces

120

121Admins can use `[feature_requirements]` to disable specific Codex feature

122surfaces for users receiving a managed `requirements.toml`. You can also set

123the same keys in the existing `[features]` table.

124

125```

126[feature_requirements]

127browser_use = false

128in_app_browser = false

129computer_use = false

130```

131

132- `in_app_browser = false` disables the in-app browser pane.

133- `browser_use = false` disables Browser Use and Browser Agent availability.

134- `computer_use = false` disables Computer Use availability and related

135 install or enablement flows.

136

137If omitted, these features are allowed by policy, subject to normal client,

138platform, and rollout availability.

139

140### Configure automatic review policy

141

142Use `allowed_approvals_reviewers` to require or allow automatic review. Set it

143to `["auto_review"]` to require automatic review, or include `"user"` when users

144can choose manual approval.

145

146Set `guardian_policy_config` to replace the tenant-specific section of the

147automatic review policy. Codex still uses the built-in reviewer template and

148output contract. Managed `guardian_policy_config` takes precedence over local

149`[auto_review].policy`.

150

151```toml

152allowed_approval_policies = ["on-request"]

153allowed_approvals_reviewers = ["auto_review"]

154

155guardian_policy_config = """

156## Environment Profile

157- Trusted internal destinations include github.com/my-org, artifacts.example.com,

158 and internal CI systems.

159

160## Tenant Risk Taxonomy and Allow/Deny Rules

161- Treat uploads to unapproved third-party file-sharing services as high risk.

162- Deny actions that expose credentials or private source code to untrusted

163 destinations.

164"""

165```

166

167### Enforce deny-read requirements

168

169Admins can deny reads for exact paths or glob patterns with

170`[permissions.filesystem]`. Users can't weaken these requirements with local

171configuration.

172

173```toml

174[permissions.filesystem]

175deny_read = [

176 "/Users/alice/.ssh",

177 "./private/**/*.txt",

178]

179```

180

181When deny-read requirements are present, Codex constrains local sandbox mode to

182`read-only` or `workspace-write` so Codex can enforce them. On native

183Windows, managed `deny_read` applies to direct file tools; shell subprocess

184reads don't use this sandbox rule.

185

186### Enforce managed hooks from requirements

187

188Admins can also define managed lifecycle hooks directly in `requirements.toml`.

189Use `[hooks]` for the hook configuration itself, and point `managed_dir` at the

190directory where your MDM or endpoint-management tooling installs the referenced

191scripts.

192

193```toml

194[features]

195codex_hooks = true

196

197[hooks]

198managed_dir = "/enterprise/hooks"

199windows_managed_dir = 'C:\enterprise\hooks'

200

201[[hooks.PreToolUse]]

202matcher = "^Bash$"

203

204[[hooks.PreToolUse.hooks]]

205type = "command"

206command = "python3 /enterprise/hooks/pre_tool_use_policy.py"

207timeout = 30

208statusMessage = "Checking managed Bash command"

209```

210

211Notes:

212

213- Codex enforces the hook configuration from `requirements.toml`, but it does

214 not distribute the scripts in `managed_dir`.

215- Deliver those scripts separately with your MDM or device-management solution.

216- Managed hook commands should reference absolute script paths under the

217 configured managed directory.

218

94### Enforce command rules from requirements219### Enforce command rules from requirements

95 220

96Admins can also enforce restrictive command rules from `requirements.toml`221Admins can also enforce restrictive command rules from `requirements.toml`

hooks.md +186 −50

Details

1# Hooks1# Hooks

2 2

~~3Experimental. Hooks are under active development. Windows support temporarily~~

~~4disabled.~~

6Hooks are an extensibility framework for Codex. They allow3Hooks are an extensibility framework for Codex. They allow

7you to inject your own scripts into the agentic loop, enabling features such as:4you to inject your own scripts into the agentic loop, enabling features such as:

8 5

9- Send the conversation to a custom logging/analytics engine6- Send the conversation to a custom logging/analytics engine

10- Scan your team's prompts to block accidentally pasting API keys7- Scan your team's prompts to block accidentally pasting API keys

11- Summarize conversations to create persistent memories automatically8- Summarize conversations to create persistent memories automatically

~~12- Run a custom validator when a conversation turn stops, enforcing standards~~9- Run a custom validation check when a conversation turn stops, enforcing standards

13- Customize prompting when in a certain directory10- Customize prompting when in a certain directory

14 11

15Hooks are behind a feature flag in `config.toml`:12Hooks are behind a feature flag in `config.toml`:

24- Matching hooks from multiple files all run.21- Matching hooks from multiple files all run.

25- Multiple matching command hooks for the same event are launched concurrently,22- Multiple matching command hooks for the same event are launched concurrently,

26 so one hook cannot prevent another matching hook from starting.23 so one hook cannot prevent another matching hook from starting.

~~27- `PreToolUse`, `PostToolUse`, `UserPromptSubmit`, and `Stop` run at turn~~24- `PreToolUse`, `PermissionRequest`, `PostToolUse`, `UserPromptSubmit`, and

~~28 scope.~~25 `Stop` run at turn scope.

~~29- Hooks are currently disabled on Windows.~~

30 26

31## Where Codex looks for hooks27## Where Codex looks for hooks

32 28

~~33Codex discovers `hooks.json` next to active config layers.~~29Codex discovers hooks next to active config layers in either of these forms:

31- `hooks.json`

32- inline `[hooks]` tables inside `config.toml`

34 33

~~35In practice, the two most useful locations are:~~34In practice, the four most useful locations are:

36 35

37- `~/.codex/hooks.json`36- `~/.codex/hooks.json`

37- `~/.codex/config.toml`

38- `<repo>/.codex/hooks.json`38- `<repo>/.codex/hooks.json`

39- `<repo>/.codex/config.toml`

39 40

~~40If more than one `hooks.json` file exists, Codex loads all matching hooks.~~41If more than one hook source exists, Codex loads all matching hooks.

41Higher-precedence config layers do not replace lower-precedence hooks.42Higher-precedence config layers do not replace lower-precedence hooks.

43If a single layer contains both `hooks.json` and inline `[hooks]`, Codex

44merges them and warns at startup. Prefer one representation per layer.

46Project-local hooks load only when the project `.codex/` layer is trusted. In

47untrusted projects, Codex still loads user and system hooks from their own

48active config layers.

42 49

43## Config shape50## Config shape

44 51

75 ]82 ]

76 }83 }

77 ],84 ],

85 "PermissionRequest": [

86 {

87 "matcher": "Bash",

88 "hooks": [

89 {

90 "type": "command",

91 "command": "/usr/bin/python3 \"$(git rev-parse --show-toplevel)/.codex/hooks/permission_request.py\"",

92 "statusMessage": "Checking approval request"

93 }

94 ]

95 }

96 ],

78 "PostToolUse": [97 "PostToolUse": [

79 {98 {

80 "matcher": "Bash",99 "matcher": "Bash",

115Notes:134Notes:

116 135

117- `timeout` is in seconds.136- `timeout` is in seconds.

118- `timeoutSec` is also accepted as an alias.

119- If `timeout` is omitted, Codex uses `600` seconds.137- If `timeout` is omitted, Codex uses `600` seconds.

120- `statusMessage` is optional.138- `statusMessage` is optional.

121- Commands run with the session `cwd` as their working directory.139- Commands run with the session `cwd` as their working directory.

123 relative path such as `.codex/hooks/...`. Codex may be started from a141 relative path such as `.codex/hooks/...`. Codex may be started from a

124 subdirectory, and a git-root-based path keeps the hook location stable.142 subdirectory, and a git-root-based path keeps the hook location stable.

125 143

144Equivalent inline TOML in `config.toml`:

145

146```toml

147[features]

148codex_hooks = true

149

150[[hooks.PreToolUse]]

151matcher = "^Bash$"

152

153[[hooks.PreToolUse.hooks]]

154type = "command"

155command = '/usr/bin/python3 "$(git rev-parse --show-toplevel)/.codex/hooks/pre_tool_use_policy.py"'

156timeout = 30

157statusMessage = "Checking Bash command"

158

159[[hooks.PostToolUse]]

160matcher = "^Bash$"

161

162[[hooks.PostToolUse.hooks]]

163type = "command"

164command = '/usr/bin/python3 "$(git rev-parse --show-toplevel)/.codex/hooks/post_tool_use_review.py"'

165timeout = 30

166statusMessage = "Reviewing Bash output"

167```

168

169## Managed hooks from `requirements.toml`

170

171Enterprise-managed requirements can also define hooks inline under `[hooks]`.

172This is useful when admins want to enforce the hook configuration while

173delivering the actual scripts through MDM or another device-management system.

174

175```toml

176[features]

177codex_hooks = true

178

179[hooks]

180managed_dir = "/enterprise/hooks"

181windows_managed_dir = 'C:\enterprise\hooks'

182

183[[hooks.PreToolUse]]

184matcher = "^Bash$"

185

186[[hooks.PreToolUse.hooks]]

187type = "command"

188command = "python3 /enterprise/hooks/pre_tool_use_policy.py"

189timeout = 30

190statusMessage = "Checking managed Bash command"

191```

192

193Notes for managed hooks:

194

195- `managed_dir` is used on macOS and Linux.

196- `windows_managed_dir` is used on Windows.

197- Codex does not distribute the scripts in `managed_dir`; your enterprise

198 tooling must install and update them separately.

199- Managed hook commands should use absolute script paths under the configured

200 managed directory.

201

126## Matcher patterns202## Matcher patterns

127 203

128The `matcher` field is a regex string that filters when hooks fire. Use `"*"`,204The `matcher` field is a regex string that filters when hooks fire. Use `"*"`,

133 209

135| --- | --- | --- |211| --- | --- | --- |

217| `Stop` | not supported | Any configured `matcher` is ignored for this event |

218

219\*For `apply_patch`, matchers can also use `Edit` or `Write`.

141 220

142Examples:221Examples:

143 222

144- `Bash`223- `Bash`

145- `startup|resume`224- `^apply_patch$`

146- `Edit|Write`225- `Edit|Write`

~~147~~ 226- `mcp__filesystem__read_file`

148That last example is still a valid regex, but current Codex `PreToolUse` and227- `mcp__filesystem__.*`

149`PostToolUse` events only emit `Bash`, so it will not match anything today.228- `startup|resume|clear`

150 229

151## Common input fields230## Common input fields

152 231

189 268

190Exit `0` with no output is treated as success and Codex continues.269Exit `0` with no output is treated as success and Codex continues.

191 270

192`PreToolUse` supports `systemMessage`, but `continue`, `stopReason`, and271`PreToolUse` and `PermissionRequest` support `systemMessage`, but `continue`,

193`suppressOutput` are not currently supported for that event.272`stopReason`, and `suppressOutput` aren't currently supported for those events.

194 273

195`PostToolUse` supports `systemMessage`, `continue: false`, and `stopReason`.274`PostToolUse` supports `systemMessage`, `continue: false`, and `stopReason`.

196`suppressOutput` is parsed but not currently supported for that event.275`suppressOutput` is parsed but not currently supported for that event.

225 304

226### PreToolUse305### PreToolUse

227 306

228Work in progress307`PreToolUse` can intercept Bash, file edits performed through `apply_patch`,

~~229~~ 308and MCP tool calls. It is still a guardrail rather than a complete enforcement

230Currently `PreToolUse` only supports Bash tool interception. The model can309boundary because Codex can often perform equivalent work through another

231still work around this by writing its own script to disk and then running that310supported tool path.

232script with Bash, so treat this as a useful guardrail rather than a complete

233enforcement boundary

234 311

235This doesn't intercept all shell calls yet, only the simple ones. The newer312This doesn't intercept all shell calls yet, only the simple ones. The newer

236 `unified_exec` mechanism allows richer streaming stdin/stdout handling of313 `unified_exec` mechanism allows richer streaming stdin/stdout handling of

237shell, but interception is incomplete. Similarly, this doesn’t intercept MCP,314 shell, but interception is incomplete. Similarly, this doesn't intercept

238Write, WebSearch, or other non-shell tool calls.315 `WebSearch` or other non-shell, non-MCP tool calls.

239 316

240`matcher` is applied to `tool_name`, which currently always equals `Bash`.317`matcher` is applied to `tool_name` and matcher aliases. For file edits through

318`apply_patch`, matchers can use `apply_patch`, `Edit`, or `Write`; hook input

319still reports `tool_name: "apply_patch"`.

241 320

242Fields in addition to [Common input fields](#common-input-fields):321Fields in addition to [Common input fields](#common-input-fields):

243 322

245| --- | --- | --- |324| --- | --- | --- |

250 329

251Plain text on `stdout` is ignored.330Plain text on `stdout` is ignored.

252 331

278`updatedInput`, `additionalContext`, `continue: false`, `stopReason`, and357`updatedInput`, `additionalContext`, `continue: false`, `stopReason`, and

279`suppressOutput` are parsed but not supported yet, so they fail open.358`suppressOutput` are parsed but not supported yet, so they fail open.

280 359

281### PostToolUse360### PermissionRequest

361

362`PermissionRequest` runs when Codex is about to ask for approval, such as a

363shell escalation or managed-network approval. It can allow the request, deny

364the request, or decline to decide and let the normal approval prompt continue.

365It doesn't run for commands that don't need approval.

366

367`matcher` is applied to `tool_name` and matcher aliases. Current canonical

368values include `Bash`, `apply_patch`, and MCP tool names such as

369`mcp__server__tool`; `apply_patch` also matches `Edit` and `Write`.

370

371Fields in addition to [Common input fields](#common-input-fields):

372

373| Field | Type | Meaning |

374| --- | --- | --- |

375| `turn_id` | `string` | Codex-specific extension. Active Codex turn id |

376| `tool_name` | `string` | Canonical hook tool name, such as `Bash`, `apply_patch`, or an MCP name like `mcp__fs__read` |

377| `tool_input` | `JSON value` | Tool-specific input. `Bash` and `apply_patch` use `tool_input.command` while MCP tools send all the args. |

379

380Plain text on `stdout` is ignored.

381

382To approve the request, return:

383

384```json

385{

386 "hookSpecificOutput": {

387 "hookEventName": "PermissionRequest",

388 "decision": {

389 "behavior": "allow"

390 }

391 }

392}

393```

282 394

283Work in progress395To deny the request, return:

396

397```json

398{

399 "hookSpecificOutput": {

400 "hookEventName": "PermissionRequest",

401 "decision": {

402 "behavior": "deny",

403 "message": "Blocked by repository policy."

404 }

405 }

406}

407```

408

409If multiple matching hooks return decisions, any `deny` wins. Otherwise, an

410`allow` lets the request proceed without surfacing the approval prompt. If no

411matching hook decides, Codex uses the normal approval flow.

412

413Don't return `updatedInput`, `updatedPermissions`, or `interrupt` for

414`PermissionRequest`; those fields are reserved for future behavior and fail

415closed today.

416

417### PostToolUse

284 418

285Currently `PostToolUse` only supports Bash tool results. It is not limited to419`PostToolUse` runs after supported tools produce output, including Bash,

286commands that exit successfully: non-interactive `exec_command` calls can still420`apply_patch`, and MCP tool calls. For Bash, it also runs after commands that

287trigger `PostToolUse` when Codex emits a Bash post-tool payload. It cannot undo421exit with a non-zero status. It can't undo side effects from the tool that

288side effects from the command that already ran.422already ran.

289 423

290This doesn't intercept all shell calls yet, only the simple ones. The newer424This doesn't intercept all shell calls yet, only the simple ones. The newer

291 `unified_exec` mechanism allows richer streaming stdin/stdout handling of425 `unified_exec` mechanism allows richer streaming stdin/stdout handling of

292shell, but interception is incomplete. Similarly, this doesn’t intercept MCP,426 shell, but interception is incomplete. Similarly, this doesn't intercept

293Write, WebSearch, or other non-shell tool calls.427 `WebSearch` or other non-shell, non-MCP tool calls.

294 428

295`matcher` is applied to `tool_name`, which currently always equals `Bash`.429`matcher` is applied to `tool_name` and matcher aliases. For file edits through

430`apply_patch`, matchers can use `apply_patch`, `Edit`, or `Write`; hook input

431still reports `tool_name: "apply_patch"`.

296 432

297Fields in addition to [Common input fields](#common-input-fields):433Fields in addition to [Common input fields](#common-input-fields):

298 434

300| --- | --- | --- |436| --- | --- | --- |

306 442

307Plain text on `stdout` is ignored.443Plain text on `stdout` is ignored.

308 444

321 457

322That `additionalContext` text is added as extra developer context.458That `additionalContext` text is added as extra developer context.

323 459

324For this event, `decision: "block"` does not undo the completed Bash command.460For this event, `decision: "block"` doesn't undo the completed Bash command.

325Instead, Codex records the feedback, replaces the tool result with that461Instead, Codex records the feedback, replaces the tool result with that

326feedback, and continues the model from the hook-provided message.462feedback, and continues the model from the hook-provided message.

327 463

336 472

337### UserPromptSubmit473### UserPromptSubmit

338 474

339`matcher` is not currently used for this event.475`matcher` isn't currently used for this event.

340 476

341Fields in addition to [Common input fields](#common-input-fields):477Fields in addition to [Common input fields](#common-input-fields):

342 478

344| --- | --- | --- |480| --- | --- | --- |

347 483

348Plain text on `stdout` is added as extra developer context.484Plain text on `stdout` is added as extra developer context.

349 485

374 510

375### Stop511### Stop

376 512

377`matcher` is not currently used for this event.513`matcher` isn't currently used for this event.

378 514

379Fields in addition to [Common input fields](#common-input-fields):515Fields in addition to [Common input fields](#common-input-fields):

380 516

399 535

400You can also use exit code `2` and write the continuation reason to `stderr`.536You can also use exit code `2` and write the continuation reason to `stderr`.

401 537

402For this event, `decision: "block"` does not reject the turn. Instead, it tells538For this event, `decision: "block"` doesn't reject the turn. Instead, it tells

403Codex to continue and automatically creates a new continuation prompt that acts539Codex to continue and automatically creates a new continuation prompt that acts

404as a new user prompt, using your `reason` as that prompt text.540as a new user prompt, using your `reason` as that prompt text.

405 541

ide.md +4 −3

Details

16- [Download for Visual Studio Code Insiders](https://marketplace.visualstudio.com/items?itemName=openai.chatgpt)16- [Download for Visual Studio Code Insiders](https://marketplace.visualstudio.com/items?itemName=openai.chatgpt)

17- [Download for JetBrains IDEs](#jetbrains-ide-integration)17- [Download for JetBrains IDEs](#jetbrains-ide-integration)

18 18

~~19The Codex VS Code extension is available on macOS and Linux. Windows support~~19Codex IDE integrations for VS Code-compatible editors and JetBrains IDEs are

~~20is experimental. For the best Windows experience, use Codex in a WSL2~~20 available on macOS, Windows, and Linux. On Windows, run Codex natively with

~~21workspace and follow our [Windows setup guide](https://developers.openai.com/codex/windows).~~21 the Windows sandbox, or use WSL2 when you need a Linux-native environment. For

22setup details, see the [Windows setup guide](https://developers.openai.com/codex/windows).

22 23

23After you install it, you'll find Codex in your editor sidebar.24After you install it, you'll find Codex in your editor sidebar.

24In VS Code, Codex opens in the right sidebar by default.25In VS Code, Codex opens in the right sidebar by default.

ide/features.md +1 −1

Details

73 73

74You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.74You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.

75 75

76Built-in image generation uses `gpt-image-1.5`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).76Built-in image generation uses `gpt-image-2`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).

77 77

78For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.78For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.

79 79

ide/settings.md +1 −1

Details

27| `chatgpt.runCodexInWindowsSubsystemForLinux` | Windows only: Run Codex in WSL when Windows Subsystem for Linux (WSL) is available. Recommended for improved sandbox security and better performance. Codex agent mode on Windows currently requires WSL. Changing this setting reloads VS Code to apply the change. |27| `chatgpt.runCodexInWindowsSubsystemForLinux` | Windows only: Run Codex in WSL when Windows Subsystem for Linux (WSL) is available. Use this when your repositories and tooling live in WSL2 or when you need Linux-native tooling. Otherwise, Codex can run natively on Windows with the Windows sandbox. Changing this setting reloads VS Code to apply the change. |

mcp.md +14 −1

Details

58- `env` (optional): Environment variables to set for the server.58- `env` (optional): Environment variables to set for the server.

59- `env_vars` (optional): Environment variables to allow and forward.59- `env_vars` (optional): Environment variables to allow and forward.

60- `cwd` (optional): Working directory to start the server from.60- `cwd` (optional): Working directory to start the server from.

61- `experimental_environment` (optional): Set to `remote` to start the stdio

62 server through a remote executor environment when one is available.

64`env_vars` can contain plain variable names or objects with a source:

66```toml

67env_vars = ["LOCAL_TOKEN", { name = "REMOTE_TOKEN", source = "remote" }]

68```

70String entries and `source = "local"` read from Codex's local environment.

71`source = "remote"` reads from the remote executor environment and requires

72remote MCP stdio.

61 73

62#### Streamable HTTP servers74#### Streamable HTTP servers

63 75

77 89

78If your OAuth provider requires a fixed callback port, set the top-level `mcp_oauth_callback_port` in `config.toml`. If unset, Codex binds to an ephemeral port.90If your OAuth provider requires a fixed callback port, set the top-level `mcp_oauth_callback_port` in `config.toml`. If unset, Codex binds to an ephemeral port.

79 91

80If your MCP OAuth flow must use a specific callback URL (for example, a remote devbox ingress URL or a custom callback path), set `mcp_oauth_callback_url`. Codex uses this value as the OAuth `redirect_uri` while still using `mcp_oauth_callback_port` for the callback listener port. Local callback URLs (for example `localhost`) bind on loopback; non-local callback URLs bind on `0.0.0.0` so the callback can reach the host.92If your MCP OAuth flow must use a specific callback URL (for example, a remote Devbox ingress URL or a custom callback path), set `mcp_oauth_callback_url`. Codex uses this value as the OAuth `redirect_uri` while still using `mcp_oauth_callback_port` for the callback listener port. Local callback URLs (for example `localhost`) bind on the local interface; non-local callback URLs bind on `0.0.0.0` so the callback can reach the host.

81 93

82If the MCP server advertises `scopes_supported`, Codex prefers those94If the MCP server advertises `scopes_supported`, Codex prefers those

83server-advertised scopes during OAuth login. Otherwise, Codex falls back to the95server-advertised scopes during OAuth login. Otherwise, Codex falls back to the

89[mcp_servers.context7]101[mcp_servers.context7]

90command = "npx"102command = "npx"

91args = ["-y", "@upstash/context7-mcp"]103args = ["-y", "@upstash/context7-mcp"]

104env_vars = ["LOCAL_TOKEN"]

92 105

93[mcp_servers.context7.env]106[mcp_servers.context7.env]

94MY_ENV_VAR = "MY_ENV_VALUE"107MY_ENV_VAR = "MY_ENV_VALUE"

memories.md +4 −0

Details

78 stored as memory-generation inputs.78 stored as memory-generation inputs.

79- `memories.use_memories`: controls whether Codex injects existing memories into79- `memories.use_memories`: controls whether Codex injects existing memories into

80 future sessions.80 future sessions.

81- `memories.disable_on_external_context`: when `true`, keeps threads that used

82 external context such as MCP tool calls, web search, or tool search out of

83 memory generation. The older `memories.no_memories_if_mcp_or_web_search` key

84 is still accepted as an alias.

81- `memories.extract_model`: overrides the model used for per-thread memory85- `memories.extract_model`: overrides the model used for per-thread memory

82 extraction.86 extraction.

83- `memories.consolidation_model`: overrides the model used for global memory87- `memories.consolidation_model`: overrides the model used for global memory

models.md +38 −9

Details

2 2

3## Recommended models3## Recommended models

4 4

5![gpt-5.5](/images/api/models/gpt-5.5.jpg)

7gpt-5.5

9OpenAI's newest frontier model for complex coding, computer use, knowledge work, and research workflows in Codex.

11codex -m gpt-5.5

13Copy command

15Capability

17Speed

19Codex CLI & SDK

21Codex app & IDE extension

23Codex Cloud

25ChatGPT Credits

27API Access

5![gpt-5.4](/images/api/models/gpt-5.4.jpg)29![gpt-5.4](/images/api/models/gpt-5.4.jpg)

6 30

7gpt-5.431gpt-5.4

98 122

99API Access123API Access

100 124

101For most tasks in Codex, start with `gpt-5.4`. It combines strong coding,125For most tasks in Codex, start with `gpt-5.5` when it appears in your model

102reasoning, native computer use, and broader professional workflows in one126 picker. It is strongest for complex coding, computer use, knowledge work, and

103model. Use `gpt-5.4-mini` when you want a faster, lower-cost option for127 research workflows. GPT-5.5 is currently available in Codex when you sign in

104lighter coding tasks or subagents. The `gpt-5.3-codex-spark` model is128 with ChatGPT; it isn't available with API-key authentication. During the

105available in research preview for ChatGPT Pro subscribers and is optimized for129 rollout, continue using `gpt-5.4` if `gpt-5.5` is not yet available. Use

106near-instant, real-time coding iteration.130 `gpt-5.4-mini` when you want a faster, lower-cost option for lighter coding

131 tasks or subagents. The `gpt-5.3-codex-spark` model is available in research

132 preview for ChatGPT Pro subscribers and is optimized for near-instant,

133 real-time coding iteration.

107 134

108## Alternative models135## Alternative models

109 136

134 161

135The Codex CLI and IDE extension use the same `config.toml` [configuration file](https://developers.openai.com/codex/config-basic). To specify a model, add a `model` entry to your configuration file. If you don't specify a model, the Codex app, CLI, or IDE Extension defaults to a recommended model.162The Codex CLI and IDE extension use the same `config.toml` [configuration file](https://developers.openai.com/codex/config-basic). To specify a model, add a `model` entry to your configuration file. If you don't specify a model, the Codex app, CLI, or IDE Extension defaults to a recommended model.

136 163

137```164```toml

138model = "gpt-5.4"165model = "gpt-5.5"

139```166```

140 167

168If `gpt-5.5` isn't available in your account yet, use `gpt-5.4`.

169

141### Choosing a different local model temporarily170### Choosing a different local model temporarily

142 171

143In the Codex CLI, you can use the `/model` command during an active thread to change the model. In the IDE extension, you can use the model selector below the input box to choose your model.172In the Codex CLI, you can use the `/model` command during an active thread to change the model. In the IDE extension, you can use the model selector below the input box to choose your model.

145To start a new Codex CLI thread with a specific model or to specify the model for `codex exec` you can use the `--model`/`-m` flag:174To start a new Codex CLI thread with a specific model or to specify the model for `codex exec` you can use the `--model`/`-m` flag:

146 175

147```bash176```bash

148codex -m gpt-5.4177codex -m gpt-5.5

149```178```

150 179

151### Choosing your model for cloud tasks180### Choosing your model for cloud tasks

plugins.md +4 −0

Details

43 43

44![Plugins list in Codex CLI](/images/codex/plugins/cli_light.png)44![Plugins list in Codex CLI](/images/codex/plugins/cli_light.png)

45 45

46The CLI plugin browser groups plugins by marketplace. Use the marketplace tabs

47to switch sources, open a plugin to inspect details, and press `Space`

48on an installed plugin to toggle its enabled state.

46### Install and use a plugin50### Install and use a plugin

47 51

48Once you open the plugin directory:52Once you open the plugin directory:

plugins/build.md +59 −5

Details

40 40

41![custom local marketplace in the plugin directory](/images/codex/plugins/codex-local-plugin-light.png)41![custom local marketplace in the plugin directory](/images/codex/plugins/codex-local-plugin-light.png)

42 42

43### Add a marketplace from the CLI

45Use `codex plugin marketplace add` when you want Codex to install and track a

46marketplace source for you instead of editing `config.toml` by hand.

48```bash

49codex plugin marketplace add owner/repo

50codex plugin marketplace add owner/repo --ref main

51codex plugin marketplace add https://github.com/example/plugins.git --sparse .agents/plugins

52codex plugin marketplace add ./local-marketplace-root

53```

55Marketplace sources can be GitHub shorthand (`owner/repo` or

56`owner/repo@ref`), HTTP or HTTPS Git URLs, SSH Git URLs, or local marketplace root

57directories. Use `--ref` to pin a Git ref, and repeat `--sparse PATH` to use a

58sparse checkout for Git-backed marketplace repos. `--sparse` is valid only for

59Git marketplace sources.

61To refresh or remove configured marketplaces:

63```bash

64codex plugin marketplace upgrade

65codex plugin marketplace upgrade marketplace-name

66codex plugin marketplace remove marketplace-name

67```

43### Create a plugin manually69### Create a plugin manually

44 70

45Start with a minimal plugin that packages one skill.71Start with a minimal plugin that packages one skill.

211 personal installs, a common pattern is `./.codex/plugins/<plugin-name>`.237 personal installs, a common pattern is `./.codex/plugins/<plugin-name>`.

212- Keep `source.path` relative to the marketplace root, start it with `./`, and238- Keep `source.path` relative to the marketplace root, start it with `./`, and

213 keep it inside that root.239 keep it inside that root.

240- For local entries, `source` can also be a plain string path such as

241 `"./plugins/my-plugin"`.

214- Always include `policy.installation`, `policy.authentication`, and242- Always include `policy.installation`, `policy.authentication`, and

215 `category` on each plugin entry.243 `category` on each plugin entry.

216- Use `policy.installation` values such as `AVAILABLE`,244- Use `policy.installation` values such as `AVAILABLE`,

218- Use `policy.authentication` to decide whether auth happens on install or246- Use `policy.authentication` to decide whether auth happens on install or

219 first use.247 first use.

220 248

221The marketplace controls where Codex loads the plugin from. `source.path` can249The marketplace controls where Codex loads the plugin from. A local

222point somewhere else if your plugin lives outside those example directories. A250`source.path` can point somewhere else if your plugin lives outside those

223marketplace file can live in the repo where you are developing the plugin or in251example directories. A marketplace file can live in the repo where you are

224a separate marketplace repo, and one marketplace file can point to one plugin252developing the plugin or in a separate marketplace repo, and one marketplace

225or many.253file can point to one plugin or many.

254

255Marketplace entries can also point at Git-backed plugin sources. Use

256`"source": "url"` when the plugin lives at the repository root, or

257`"source": "git-subdir"` when the plugin lives in a subdirectory:

258

259```json

260{

261 "name": "remote-helper",

262 "source": {

263 "source": "git-subdir",

264 "url": "https://github.com/example/codex-plugins.git",

265 "path": "./plugins/remote-helper",

266 "ref": "main"

267 },

268 "policy": {

269 "installation": "AVAILABLE",

270 "authentication": "ON_INSTALL"

271 },

272 "category": "Productivity"

273}

274```

275

276Git-backed entries may use `ref` or `sha` selectors. If Codex can't resolve a

277marketplace entry's source, it skips that plugin entry instead of failing the

278whole marketplace.

226 279

227### How Codex uses marketplaces280### How Codex uses marketplaces

228 281

233 286

234- the curated marketplace that powers the official Plugin Directory287- the curated marketplace that powers the official Plugin Directory

235- a repo marketplace at `$REPO_ROOT/.agents/plugins/marketplace.json`288- a repo marketplace at `$REPO_ROOT/.agents/plugins/marketplace.json`

289- a Claude-style marketplace at `$REPO_ROOT/.claude-plugin/marketplace.json`

236- a personal marketplace at `~/.agents/plugins/marketplace.json`290- a personal marketplace at `~/.agents/plugins/marketplace.json`

237 291

238You can install any plugin exposed through a marketplace. Codex installs292You can install any plugin exposed through a marketplace. Codex installs

quickstart.md +4 −1

Details

8 8

9The Codex app is available on macOS and Windows.9The Codex app is available on macOS and Windows.

10 10

11Most Codex app features are available on both platforms. Platform-specific

12exceptions are noted in the relevant docs.

111. Download and install the Codex app141. Download and install the Codex app

12 15

~~13 Download the Codex app for Windows or macOS. Choose the Intel build if you’re using an Intel-based Mac.~~16 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.

14 17

15 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)18 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)

16 19

remote-connections.md +3 −3

Details

1# Remote connections1# Remote connections

2 2

3SSH remote connections are currently in alpha. To enable them today, set3SSH remote connections are currently in alpha. To enable them today, set

~~4`remote_connections = true` in the `[features]` table in~~4 `remote_connections = true` in the `[features]` table in

~~5`~/.codex/config.toml`. Availability, setup flows, and supported environments~~5 `~/.codex/config.toml`. Availability, setup flows, and supported environments

~~6may change as the feature improves.~~6 may change as the feature improves.

7 7

8Remote connections let Codex work with projects that live on another8Remote connections let Codex work with projects that live on another

9SSH-accessible machine. Use them when the codebase, credentials, services, or9SSH-accessible machine. Use them when the codebase, credentials, services, or

rules.md +4 −2

Details

6 6

7## Create a rules file7## Create a rules file

8 8

~~91. Create a `.rules` file under `./codex/rules/` (for example, `~/.codex/rules/default.rules`).~~91. Create a `.rules` file under a `rules/` folder next to an active config layer (for example, `~/.codex/rules/default.rules`).

102. Add a rule. This example prompts before allowing `gh pr view` to run outside the sandbox.102. Add a rule. This example prompts before allowing `gh pr view` to run outside the sandbox.

11 11

12 ```python12 ```python

36 ```36 ```

373. Restart Codex.373. Restart Codex.

38 38

39Codex scans `rules/` under every [Team Config](https://developers.openai.com/codex/enterprise/admin-setup#team-config) location at startup. When you add a command to the allow list in the TUI, Codex writes to the user layer at `~/.codex/rules/default.rules` so future runs can skip the prompt.39Codex scans `rules/` under every active config layer at startup, including [Team Config](https://developers.openai.com/codex/enterprise/admin-setup#team-config) locations and the user layer at `~/.codex/rules/`. Project-local rules under `<repo>/.codex/rules/` load only when the project `.codex/` layer is trusted.

41When you add a command to the allow list in the TUI, Codex writes to the user layer at `~/.codex/rules/default.rules` so future runs can skip the prompt.

40 42

41When Smart approvals are enabled (the default), Codex may propose a43When Smart approvals are enabled (the default), Codex may propose a

42`prefix_rule` for you during escalation requests. Review the suggested prefix44`prefix_rule` for you during escalation requests. Review the suggested prefix

speed.md +8 −4

Details

5Codex offers the ability to increase the speed of the model for increased5Codex offers the ability to increase the speed of the model for increased

6credit consumption.6credit consumption.

7 7

~~8Fast mode is currently supported on GPT-5.4. When enabled, speed is increased~~8Fast mode increases supported model speed by 1.5x and consumes credits at a

~~9by 1.5x and credits are consumed at a 2x rate.~~9higher rate than Standard mode. It currently supports GPT-5.5 and GPT-5.4,

10consuming credits at 2.5x the Standard rate for GPT-5.5 and 2x the Standard

11rate for GPT-5.4.

10 12

11Use `/fast on`, `/fast off`, or `/fast status` in the CLI to change or inspect13Use `/fast on`, `/fast off`, or `/fast status` in the CLI to change or inspect

12the current setting. You can also persist the default with `service_tier = "fast"` plus `[features].fast_mode = true` in `config.toml`. Fast mode is14the current setting. You can also persist the default with `service_tier = "fast"` plus `[features].fast_mode = true` in `config.toml`. Fast mode is

20 22

21## Codex-Spark23## Codex-Spark

22 24

~~23GPT-5.3-Codex-Spark is a separate fast, less-capable Codex model optimized for near-instant, real-time coding iteration. Unlike fast mode, which speeds up GPT-5.4 at a higher credit rate,~~25GPT-5.3-Codex-Spark is a separate fast, less-capable Codex model optimized for

~~24Codex-Spark is its own model choice and has its own usage limits.~~26near-instant, real-time coding iteration. Unlike fast mode, which speeds up a

27supported model at a higher credit rate, Codex-Spark is its own model choice

28and has its own usage limits.

25 29

26During research preview Codex-Spark is only available for ChatGPT Pro subscribers.30During research preview Codex-Spark is only available for ChatGPT Pro subscribers.

windows.md +4 −0

Details

3Use Codex on Windows with the native [Codex app](https://developers.openai.com/codex/app/windows), the3Use Codex on Windows with the native [Codex app](https://developers.openai.com/codex/app/windows), the

4[CLI](https://developers.openai.com/codex/cli), or the [IDE extension](https://developers.openai.com/codex/ide).4[CLI](https://developers.openai.com/codex/cli), or the [IDE extension](https://developers.openai.com/codex/ide).

5 5

6The Codex app on Windows supports core workflows such as parallel agent threads,

7worktrees, automations, Git functionality, the in-app browser, artifact previews,

8plugins, and skills.

6[![](/images/codex/codex-banner-icon.webp)10[![](/images/codex/codex-banner-icon.webp)

7 11

8Use the Codex app on Windows12Use the Codex app on Windows

OpenAI - Codex Docs Changes 2026-04-21 06:45 UTC → 2026-04-25 00:42 UTC