OpenAI - Codex Docs Changes 2026-04-21 12:30 UTC → 2026-04-29 00:50 UTC

103 103 

104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

105 105 

106Set `approvals_reviewer = "guardian_subagent"` to route eligible approval reviews through the Guardian reviewer subagent instead of prompting the user directly. Admin requirements can constrain this with `allowed_approvals_reviewers`.106### Automatic approval reviews

107 

108By default, approval requests route to you:

109 

110```toml

111approvals_reviewer = "user"

112```

113 

114Automatic approval reviews apply when approvals are interactive, such as

115`approval_policy = "on-request"` or a granular approval policy. Set

116`approvals_reviewer = "auto_review"` to route eligible approval requests

117through a reviewer agent before Codex runs the request:

118 

119```toml

120approval_policy = "on-request"

121approvals_reviewer = "auto_review"

122```

123 

124The reviewer evaluates only actions that already need approval, such as sandbox

125escalations, network requests, `request_permissions` prompts, or side-effecting

126app and MCP tool calls. Actions that stay inside the sandbox continue without an

127extra review step.

128 

129The reviewer policy checks for data exfiltration, credential probing, persistent

130security weakening, and destructive actions. Low-risk and medium-risk actions

131can proceed when policy allows them. The policy denies critical-risk actions.

132High-risk actions require enough user authorization and no matching deny rule.

133Timeouts, parse failures, and review errors fail closed.

134 

135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

136is in the open-source Codex repository. Enterprises can replace its

137tenant-specific section with `guardian_policy_config` in managed requirements.

138Local `[auto_review].policy` text is also supported, but managed requirements

139take precedence. For setup details, see

140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

141 

142In the Codex app, these reviews appear as automatic review items with a status such

143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a

144risk level for the reviewed request.

145 

146Automatic review uses extra model calls, so it can add to Codex usage. Admins

147can constrain it with `allowed_approvals_reviewers`.

107 148 

108### Common sandbox and approval combinations149### Common sandbox and approval combinations

109 150 

12 12 

13The Codex app is available on macOS and Windows.13The Codex app is available on macOS and Windows.

14 14 

15Most Codex app features are available on both platforms. Platform-specific

16exceptions are noted in the relevant docs.

17 

151. Download and install the Codex app181. Download and install the Codex app

16 19 

17 Download the Codex app for Windows or macOS. Choose the Intel build if you’re using an Intel-based Mac.20 Download the Codex app for macOS or Windows. Choose the Intel build if you're using an Intel-based Mac.

18 21 

19 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)22 [Download for macOS (Apple Silicon)](https://persistent.oaistatic.com/codex-app-prod/Codex.dmg)[Download for macOS (Intel)](https://persistent.oaistatic.com/codex-app-prod/Codex-latest-x64.dmg)

20 23 

63 66 

64Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser67Run commands in each thread and launch repeatable project actions.](https://developers.openai.com/codex/app/features#integrated-terminal)[### In-app browser

65 68 

66Open unauthenticated local or public pages and comment on rendered output.](https://developers.openai.com/codex/app/browser)[### Image generation69Open rendered pages, leave comments, or let Codex operate local browser flows.](https://developers.openai.com/codex/app/browser)[### Image generation

67 70 

68Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations71Generate or edit images in a thread while you work on the surrounding code and assets.](https://developers.openai.com/codex/app/features#image-generation)[### Automations

69 72 

12Supported transports:12Supported transports:

13 13 

14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).14- `stdio` (`--listen stdio://`, default): newline-delimited JSON (JSONL).

15- `websocket` (`--listen ws://IP:PORT`, experimental): one JSON-RPC message per WebSocket text frame.15- `websocket` (`--listen ws://IP:PORT`, experimental and unsupported): one JSON-RPC message per WebSocket text frame.

16- `off` (`--listen off`): don't expose a local transport.

17 

18When you run with `--listen ws://IP:PORT`, the same listener also serves basic HTTP health probes:

19 

20- `GET /readyz` returns `200 OK` once the listener accepts new connections.

21- `GET /healthz` returns `200 OK` when the request doesn't include an `Origin` header.

22- Requests with an `Origin` header are rejected with `403 Forbidden`.

23 

24WebSocket transport is experimental and unsupported. Loopback listeners such as `ws://127.0.0.1:PORT` are appropriate for localhost and SSH port-forwarding workflows. Non-loopback WebSocket listeners currently allow unauthenticated connections by default during rollout, so configure WebSocket auth before exposing one remotely.

25 

26Supported WebSocket auth flags:

27 

28- `--ws-auth capability-token --ws-token-file /absolute/path`

29- `--ws-auth capability-token --ws-token-sha256 HEX`

30- `--ws-auth signed-bearer-token --ws-shared-secret-file /absolute/path`

31 

32For signed bearer tokens, you can also set `--ws-issuer`, `--ws-audience`, and `--ws-max-clock-skew-seconds`. Clients present the credential as `Authorization: Bearer <token>` during the WebSocket handshake, and app-server enforces auth before JSON-RPC `initialize`.

33 

34Prefer `--ws-token-file` over passing raw bearer tokens on the command line. Use `--ws-token-sha256` only when the client keeps the raw high-entropy token in a separate local secret store; the hash is only a verifier, and clients still need the original token.

16 35 

17In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.36In WebSocket mode, app-server uses bounded queues. When request ingress is full, the server rejects new requests with JSON-RPC error code `-32001` and message `"Server overloaded; retry later."` Clients should retry with an exponentially increasing delay and jitter.

18 37 

199- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.218- `thread/resume` - reopen an existing thread by id so later `turn/start` calls append to it.

200- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.219- `thread/fork` - fork a thread into a new thread id by copying stored history; emits `thread/started` for the new thread.

201- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.220- `thread/read` - read a stored thread by id without resuming it; set `includeTurns` to return full turn history. Returned `thread` objects include runtime `status`.

202- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters. Returned `thread` objects include runtime `status`.221- `thread/list` - page through stored thread logs; supports cursor-based pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Returned `thread` objects include runtime `status`.

222- `thread/turns/list` - page through a stored thread's turn history without resuming it.

203- `thread/loaded/list` - list the thread ids currently loaded in memory.223- `thread/loaded/list` - list the thread ids currently loaded in memory.

204- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.224- `thread/name/set` - set or update a thread's user-facing name for a loaded thread or a persisted rollout; emits `thread/name/updated`.

225- `thread/metadata/update` - patch SQLite-backed stored thread metadata; currently supports persisted `gitInfo`.

205- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.226- `thread/archive` - move a thread's log file into the archived directory; returns `{}` on success and emits `thread/archived`.

206- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread and emits `thread/closed`.227- `thread/unsubscribe` - unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server unloads the thread after a no-subscriber inactivity grace period and emits `thread/closed`.

207- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.228- `thread/unarchive` - restore an archived thread rollout back into the active sessions directory; returns the restored `thread` and emits `thread/unarchived`.

208- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.229- `thread/status/changed` - notification emitted when a loaded thread's runtime `status` changes.

209- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.230- `thread/compact/start` - trigger conversation history compaction for a thread; returns `{}` immediately while progress streams via `turn/*` and `item/*` notifications.

211- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).232- `thread/backgroundTerminals/clean` - stop all running background terminals for a thread (experimental; requires `capabilities.experimentalApi`).

212- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.233- `thread/rollback` - drop the last N turns from the in-memory context and persist a rollback marker; returns the updated `thread`.

213- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."234- `turn/start` - add user input to a thread and begin Codex generation; responds with the initial `turn` and streams events. For `collaborationMode`, `settings.developer_instructions: null` means "use built-in instructions for the selected mode."

235- `thread/inject_items` - append raw Responses API items to a loaded thread's model-visible history without starting a user turn.

214- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.236- `turn/steer` - append user input to the active in-flight turn for a thread; returns the accepted `turnId`.

215- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.237- `turn/interrupt` - request cancellation of an in-flight turn; success is `{}` and the turn ends with `status: "interrupted"`.

216- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.238- `review/start` - kick off the Codex reviewer for a thread; emits `enteredReviewMode` and `exitedReviewMode` items.

218- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.240- `command/exec/write` - write `stdin` bytes to a running `command/exec` session or close `stdin`.

219- `command/exec/resize` - resize a running PTY-backed `command/exec` session.241- `command/exec/resize` - resize a running PTY-backed `command/exec` session.

220- `command/exec/terminate` - stop a running `command/exec` session.242- `command/exec/terminate` - stop a running `command/exec` session.

243- `command/exec/outputDelta` (notify) - emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.

221- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.244- `model/list` - list available models (set `includeHidden: true` to include entries with `hidden: true`) with effort options, optional `upgrade`, and `inputModalities`.

222- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.245- `experimentalFeature/list` - list feature flags with lifecycle stage metadata and cursor pagination.

246- `experimentalFeature/enablement/set` - patch in-memory runtime enablement for supported feature keys such as `apps` and `plugins`.

223- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).247- `collaborationMode/list` - list collaboration mode presets (experimental, no pagination).

224- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).248- `skills/list` - list skills for one or more `cwd` values (supports `forceReload` and optional `perCwdExtraUserRoots`).

249- `skills/changed` (notify) - emitted when watched local skill files change.

250- `marketplace/add` - add a remote plugin marketplace and persist it into the user's marketplace config.

225- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.251- `plugin/list` - list discovered plugin marketplaces and plugin state, including install/auth policy metadata, marketplace load errors, featured plugin ids, and local, Git, or remote plugin source metadata.

226- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.252- `plugin/read` - read one plugin by marketplace path or remote marketplace name and plugin name, including bundled skills, apps, and MCP server names when those details are available.

227- `plugin/install` - install a plugin from a marketplace path or remote marketplace name.253- `plugin/install` - install a plugin from a marketplace path or remote marketplace name.

233- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.259- `config/mcpServer/reload` - reload MCP server configuration from disk and queue a refresh for loaded threads.

234- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.260- `mcpServerStatus/list` - list MCP servers, tools, resources, and auth status (cursor + limit pagination). Use `detail: "full"` for full data or `detail: "toolsAndAuthOnly"` to omit resources.

235- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.261- `mcpServer/resource/read` - read a single MCP resource through an initialized MCP server.

262- `mcpServer/tool/call` - call a tool on a thread's configured MCP server.

263- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread.

236- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.264- `windowsSandbox/setupStart` - start Windows sandbox setup for `elevated` or `unelevated` mode; returns quickly and later emits `windowsSandbox/setupCompleted`.

237- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).265- `feedback/upload` - submit a feedback report (classification + optional reason/logs + conversation id, plus optional `extraLogFiles` attachments).

238- `config/read` - fetch the effective configuration on disk after resolving configuration layering.266- `config/read` - fetch the effective configuration on disk after resolving configuration layering.

239- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).267- `externalAgentConfig/detect` - detect external-agent artifacts that can be migrated with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).

240- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).268- `externalAgentConfig/import` - apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home); plugin imports emit `externalAgentConfig/import/completed`.

241- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.269- `config/value/write` - write a single configuration key/value to the user's `config.toml` on disk.

242- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.270- `config/batchWrite` - apply configuration edits atomically to the user's `config.toml` on disk.

243- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).271- `configRequirements/read` - fetch requirements from `requirements.toml` and/or MDM, including allow-lists, pinned `featureRequirements`, and residency/network requirements (or `null` if you haven't set any up).

244- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, and `fs/copy` - operate on absolute filesystem paths through the app-server v2 filesystem API.272- `fs/readFile`, `fs/writeFile`, `fs/createDirectory`, `fs/getMetadata`, `fs/readDirectory`, `fs/remove`, `fs/copy`, `fs/watch`, `fs/unwatch`, and `fs/changed` (notify) - operate on absolute filesystem paths through the app-server v2 filesystem API.

245 273 

246Plugin summaries include a `source` union. Local plugins return274Plugin summaries include a `source` union. Local plugins return

247`{ "type": "local", "path": ... }`, Git-backed marketplace entries return275`{ "type": "local", "path": ... }`, Git-backed marketplace entries return

318## Threads346## Threads

319 347 

320- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.348- `thread/read` reads a stored thread without subscribing to it; set `includeTurns` to include turns.

321- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, and `cwd` filtering.349- `thread/turns/list` pages through a stored thread's turn history without resuming it.

350- `thread/list` supports cursor pagination plus `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filtering.

322- `thread/loaded/list` returns the thread IDs currently in memory.351- `thread/loaded/list` returns the thread IDs currently in memory.

323- `thread/archive` moves the thread's persisted JSONL log into the archived directory.352- `thread/archive` moves the thread's persisted JSONL log into the archived directory.

324- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed`.353- `thread/metadata/update` patches stored thread metadata, currently including persisted `gitInfo`.

354- `thread/unsubscribe` unsubscribes the current connection from a loaded thread and can trigger `thread/closed` after an inactivity grace period.

325- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.355- `thread/unarchive` restores an archived thread rollout back into the active sessions directory.

326- `thread/compact/start` triggers compaction and returns `{}` immediately.356- `thread/compact/start` triggers compaction and returns `{}` immediately.

327- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.357- `thread/rollback` drops the last N turns from the in-memory context and records a rollback marker in the thread's persisted JSONL log.

358- `thread/inject_items` appends raw Responses API items to a loaded thread's model-visible history without starting a user turn.

328 359 

329### Start or resume a thread360### Start or resume a thread

330 361 

395 426 

396Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.427Unlike `thread/resume`, `thread/read` doesn't load the thread into memory or emit `thread/started`.

397 428 

429### List thread turns

430 

431Use `thread/turns/list` to page a stored thread's turn history without resuming it. Results default to newest-first so clients can fetch older turns with `nextCursor`. The response also includes `backwardsCursor`; pass it as `cursor` with `sortDirection: "asc"` to fetch turns newer than the first item from the earlier page.

432 

433```json

434{ "method": "thread/turns/list", "id": 20, "params": {

435 "threadId": "thr_123",

436 "limit": 50,

437 "sortDirection": "desc"

438} }

439{ "id": 20, "result": {

440 "data": [],

441 "nextCursor": "older-turns-cursor-or-null",

442 "backwardsCursor": "newer-turns-cursor-or-null"

443} }

444```

445 

398### List threads (with pagination & filters)446### List threads (with pagination & filters)

399 447 

400`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:448`thread/list` lets you render a history UI. Results default to newest-first by `createdAt`. Filters apply before pagination. Pass any combination of:

406- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.454- `sourceKinds` - restrict results to specific thread sources. When omitted or `[]`, the server defaults to interactive sources only: `cli` and `vscode`.

407- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).455- `archived` - when `true`, list archived threads only. When `false` or omitted, list non-archived threads (default).

408- `cwd` - restrict results to threads whose session current working directory exactly matches this path.456- `cwd` - restrict results to threads whose session current working directory exactly matches this path.

457- `searchTerm` - search stored thread summaries and metadata before pagination.

409 458 

410`sourceKinds` accepts the following values:459`sourceKinds` accepts the following values:

411 460 

439 488 

440When `nextCursor` is `null`, you have reached the final page.489When `nextCursor` is `null`, you have reached the final page.

441 490 

491### Update stored thread metadata

492 

493Use `thread/metadata/update` to patch stored thread metadata without resuming the thread. Today this supports persisted `gitInfo`; omitted fields are left unchanged, and explicit `null` clears a stored value.

494 

495```json

496{ "method": "thread/metadata/update", "id": 21, "params": {

497 "threadId": "thr_123",

498 "gitInfo": { "branch": "feature/sidebar-pr" }

499} }

500{ "id": 21, "result": {

501 "thread": {

502 "id": "thr_123",

503 "gitInfo": { "sha": null, "branch": "feature/sidebar-pr", "originUrl": null }

504 }

505} }

506```

507 

442### Track thread status changes508### Track thread status changes

443 509 

444`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.510`thread/status/changed` is emitted whenever a loaded thread's runtime status changes. The payload includes `threadId` and the new `status`.

470- `notSubscribed` when the connection wasn't subscribed to that thread.536- `notSubscribed` when the connection wasn't subscribed to that thread.

471- `notLoaded` when the thread isn't loaded.537- `notLoaded` when the thread isn't loaded.

472 538 

473If this was the last subscriber, the server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.539If this was the last subscriber, the server keeps the thread loaded until it has no subscribers and no thread activity for 30 minutes. When the grace period expires, app-server unloads the thread and emits a `thread/status/changed` transition to `notLoaded` plus `thread/closed`.

474 540 

475```json541```json

476{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }542{ "method": "thread/unsubscribe", "id": 22, "params": { "threadId": "thr_123" } }

477{ "id": 22, "result": { "status": "unsubscribed" } }543{ "id": 22, "result": { "status": "unsubscribed" } }

544```

545 

546If the thread later expires:

547 

548```json

478{ "method": "thread/status/changed", "params": {549{ "method": "thread/status/changed", "params": {

479 "threadId": "thr_123",550 "threadId": "thr_123",

480 "status": { "type": "notLoaded" }551 "status": { "type": "notLoaded" }

623{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }694{ "id": 30, "result": { "turn": { "id": "turn_456", "status": "inProgress", "items": [], "error": null } } }

624```695```

625 696 

697### Inject items into a thread

698 

699Use `thread/inject_items` to append prebuilt Responses API items to a loaded thread's prompt history without starting a user turn. These items are persisted to the rollout and included in subsequent model requests.

700 

701```json

702{ "method": "thread/inject_items", "id": 31, "params": {

703 "threadId": "thr_123",

704 "items": [

705 {

706 "type": "message",

707 "role": "assistant",

708 "content": [{ "type": "output_text", "text": "Previously computed context." }]

709 }

710 ]

711} }

712{ "id": 31, "result": {} }

713```

714 

626### Steer an active turn715### Steer an active turn

627 716 

628Use `turn/steer` to append more user input to the active in-flight turn.717Use `turn/steer` to append more user input to the active in-flight turn.

804- `elevated` - run the elevated Windows sandbox setup path.893- `elevated` - run the elevated Windows sandbox setup path.

805- `unelevated` - run the legacy setup/preflight path.894- `unelevated` - run the legacy setup/preflight path.

806 895 

896## Filesystem

897 

898The v2 filesystem APIs operate on absolute paths. Use `fs/watch` when a client needs to invalidate UI state after a file or directory changes.

899 

900```json

901{ "method": "fs/watch", "id": 54, "params": {

902 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

903 "path": "/Users/me/project/.git/HEAD"

904} }

905{ "id": 54, "result": { "path": "/Users/me/project/.git/HEAD" } }

906{ "method": "fs/changed", "params": {

907 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",

908 "changedPaths": ["/Users/me/project/.git/HEAD"]

909} }

910{ "method": "fs/unwatch", "id": 55, "params": {

911 "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1"

912} }

913{ "id": 55, "result": {} }

914```

915 

916Watching a file emits `fs/changed` for that file path, including updates delivered by replace or rename operations.

917 

807## Events918## Events

808 919 

809Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.920Event notifications are the server-initiated stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading the active transport stream for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `thread/status/changed`, `turn/*`, `item/*`, and `serverRequest/resolved` notifications.

1024} }1135} }

1025```1136```

1026 1137 

1138The server also emits `skills/changed` notifications when watched local skill files change. Treat this as an invalidation signal and rerun `skills/list` with your current params when needed.

1139 

1027To enable or disable a skill by path:1140To enable or disable a skill by path:

1028 1141 

1029```json1142```json

1230{ "id": 64, "result": {} }1343{ "id": 64, "result": {} }

1231```1344```

1232 1345 

1346When a request includes plugin imports, the server emits `externalAgentConfig/import/completed` after the import finishes. This notification may arrive immediately after the response or after background remote imports complete.

1347 

1233Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, `PLUGINS`,1348Supported `itemType` values are `AGENTS_MD`, `CONFIG`, `SKILLS`, `PLUGINS`,

1234and `MCP_SERVER_CONFIG`. For `PLUGINS` items, `details.plugins` lists each1349and `MCP_SERVER_CONFIG`. For `PLUGINS` items, `details.plugins` lists each

1235`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection1350`marketplaceName` and the `pluginNames` Codex can try to migrate. Detection

1244 1359 

1245## Auth endpoints1360## Auth endpoints

1246 1361 

1247The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.1362The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, inspect ChatGPT rate limits, and notify workspace owners about depleted credits or usage limits.

1248 1363 

1249### Authentication modes1364### Authentication modes

1250 1365 

1251Codex supports three authentication modes. `account/updated.authMode` shows the active mode, and `account/read` also reports it.1366Codex supports these authentication modes. `account/updated.authMode` shows the active mode and includes the current ChatGPT `planType` when available. `account/read` also reports account and plan details.

1252 1367 

1253- **API key (`apikey`)** - the caller supplies an OpenAI API key and Codex stores it for API requests.1368- **API key (`apikey`)** - the caller supplies an OpenAI API key with `type: "apiKey"`, and Codex stores it for API requests.

1254- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically.1369- **ChatGPT managed (`chatgpt`)** - Codex owns the ChatGPT OAuth flow, persists tokens, and refreshes them automatically. Start with `type: "chatgpt"` for the browser flow or `type: "chatgptDeviceCode"` for the device-code flow.

1255- **ChatGPT external tokens (`chatgptAuthTokens`)** - a host app supplies `idToken` and `accessToken` directly. Codex stores these tokens in memory, and the host app must refresh them when asked.1370- **ChatGPT external tokens (`chatgptAuthTokens`)** - experimental and intended for host apps that already own the user's ChatGPT auth lifecycle. The host app supplies an `accessToken`, `chatgptAccountId`, and optional `chatgptPlanType` directly, and must refresh the token when asked.

1256 1371 

1257### API overview1372### API overview

1258 1373 

1259- `account/read` - fetch current account info; optionally refresh tokens.1374- `account/read` - fetch current account info; optionally refresh tokens.

1260- `account/login/start` - begin login (`apiKey`, `chatgpt`, or `chatgptAuthTokens`).1375- `account/login/start` - begin login (`apiKey`, `chatgpt`, `chatgptDeviceCode`, or experimental `chatgptAuthTokens`).

1261- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).1376- `account/login/completed` (notify) - emitted when a login attempt finishes (success or error).

1262- `account/login/cancel` - cancel a pending ChatGPT login by `loginId`.1377- `account/login/cancel` - cancel a pending managed ChatGPT login by `loginId`.

1263- `account/logout` - sign out; triggers `account/updated`.1378- `account/logout` - sign out; triggers `account/updated`.

1264- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`).1379- `account/updated` (notify) - emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, `chatgptAuthTokens`, or `null`) and includes `planType` when available.

1265- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.1380- `account/chatgptAuthTokens/refresh` (server request) - request fresh externally managed ChatGPT tokens after an authorization error.

1266- `account/rateLimits/read` - fetch ChatGPT rate limits.1381- `account/rateLimits/read` - fetch ChatGPT rate limits.

1267- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.1382- `account/rateLimits/updated` (notify) - emitted whenever a user's ChatGPT rate limits change.

1383- `account/sendAddCreditsNudgeEmail` - ask ChatGPT to email a workspace owner about depleted credits or a reached usage limit.

1268- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.1384- `mcpServer/oauthLogin/completed` (notify) - emitted after a `mcpServer/oauth/login` flow finishes; payload includes `{ name, success, error? }`.

1385- `mcpServer/startupStatus/updated` (notify) - emitted when a configured MCP server's startup status changes for a loaded thread; payload includes `{ name, status, error }`.

1269 1386 

1270### 1) Check auth state1387### 1) Check auth state

1271 1388 

1337 ```1454 ```

1338 1455 

1339 ```json1456 ```json

1340 { "method": "account/updated", "params": { "authMode": "apikey" } }1457 {

1458 "method": "account/updated",

1459 "params": { "authMode": "apikey", "planType": null }

1460 }

1341 ```1461 ```

1342 1462 

1343### 3) Log in with ChatGPT (browser flow)1463### 3) Log in with ChatGPT (browser flow)

1369 ```1489 ```

1370 1490 

1371 ```json1491 ```json

1372 { "method": "account/updated", "params": { "authMode": "chatgpt" } }1492 {

1493 "method": "account/updated",

1494 "params": { "authMode": "chatgpt", "planType": "plus" }

1495 }

1373 ```1496 ```

1374 1497 

1375### 3b) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)1498### 3b) Log in with ChatGPT (device-code flow)

1499 

1500Use this flow when your client owns the sign-in ceremony or when a browser callback is brittle.

1376 1501 

1377Use this mode when a host application owns the user’s ChatGPT auth lifecycle and supplies tokens directly.15021. Start:

1503 

1504 ```json

1505 {

1506 "method": "account/login/start",

1507 "id": 4,

1508 "params": { "type": "chatgptDeviceCode" }

1509 }

1510 ```

1511 

1512 ```json

1513 {

1514 "id": 4,

1515 "result": {

1516 "type": "chatgptDeviceCode",

1517 "loginId": "<uuid>",

1518 "verificationUrl": "https://auth.openai.com/codex/device",

1519 "userCode": "ABCD-1234"

1520 }

1521 }

1522 ```

15232. Show `verificationUrl` and `userCode` to the user; the frontend owns the UX.

15243. Wait for notifications:

1525 

1526 ```json

1527 {

1528 "method": "account/login/completed",

1529 "params": { "loginId": "<uuid>", "success": true, "error": null }

1530 }

1531 ```

1532 

1533 ```json

1534 {

1535 "method": "account/updated",

1536 "params": { "authMode": "chatgpt", "planType": "plus" }

1537 }

1538 ```

1539 

1540### 3c) Log in with externally managed ChatGPT tokens (`chatgptAuthTokens`)

1541 

1542Use this experimental mode only when a host application owns the user's ChatGPT auth lifecycle and supplies tokens directly. Clients must set `capabilities.experimentalApi = true` during `initialize` before using this login type.

1378 1543 

13791. Send:15441. Send:

1380 1545 

1384 "id": 7,1549 "id": 7,

1385 "params": {1550 "params": {

1386 "type": "chatgptAuthTokens",1551 "type": "chatgptAuthTokens",

1387 "idToken": "<jwt>",1552 "accessToken": "<jwt>",

1388 "accessToken": "<jwt>"1553 "chatgptAccountId": "org-123",

1554 "chatgptPlanType": "business"

1389 }1555 }

1390 }1556 }

1391 ```1557 ```

1406 ```json1572 ```json

1407 {1573 {

1408 "method": "account/updated",1574 "method": "account/updated",

1409 "params": { "authMode": "chatgptAuthTokens" }1575 "params": { "authMode": "chatgptAuthTokens", "planType": "business" }

1410 }1576 }

1411 ```1577 ```

1412 1578 

1418 "id": 8,1584 "id": 8,

1419 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }1585 "params": { "reason": "unauthorized", "previousAccountId": "org-123" }

1420}1586}

1421{ "id": 8, "result": { "idToken": "<jwt>", "accessToken": "<jwt>" } }1587{ "id": 8, "result": { "accessToken": "<jwt>", "chatgptAccountId": "org-123", "chatgptPlanType": "business" } }

1422```1588```

1423 1589 

1424The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.1590The server retries the original request after a successful refresh response. Requests time out after about 10 seconds.

1435```json1601```json

1436{ "method": "account/logout", "id": 5 }1602{ "method": "account/logout", "id": 5 }

1437{ "id": 5, "result": {} }1603{ "id": 5, "result": {} }

1438{ "method": "account/updated", "params": { "authMode": null } }1604{ "method": "account/updated", "params": { "authMode": null, "planType": null } }

1439```1605```

1440 1606 

1441### 6) Rate limits (ChatGPT)1607### 6) Rate limits (ChatGPT)

1447 "limitId": "codex",1613 "limitId": "codex",

1448 "limitName": null,1614 "limitName": null,

1449 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1615 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1450 "secondary": null1616 "secondary": null,

1617 "rateLimitReachedType": null

1451 },1618 },

1452 "rateLimitsByLimitId": {1619 "rateLimitsByLimitId": {

1453 "codex": {1620 "codex": {

1454 "limitId": "codex",1621 "limitId": "codex",

1455 "limitName": null,1622 "limitName": null,

1456 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },1623 "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 },

1457 "secondary": null1624 "secondary": null,

1625 "rateLimitReachedType": null

1458 },1626 },

1459 "codex_other": {1627 "codex_other": {

1460 "limitId": "codex_other",1628 "limitId": "codex_other",

1461 "limitName": "codex_other",1629 "limitName": "codex_other",

1462 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },1630 "primary": { "usedPercent": 42, "windowDurationMins": 60, "resetsAt": 1730950800 },

1463 "secondary": null1631 "secondary": null,

1632 "rateLimitReachedType": null

1464 }1633 }

1465 }1634 }

1466} }1635} }

1481- `usedPercent` is current usage within the quota window.1650- `usedPercent` is current usage within the quota window.

1482- `windowDurationMins` is the quota window length.1651- `windowDurationMins` is the quota window length.

1483- `resetsAt` is a Unix timestamp (seconds) for the next reset.1652- `resetsAt` is a Unix timestamp (seconds) for the next reset.

1653- `planType` is included when the backend returns the ChatGPT plan associated with a bucket.

1654- `credits` is included when the backend returns remaining workspace credit details.

1655- `rateLimitReachedType` identifies the backend-classified limit state when one has been reached.

1656 

1657### 7) Notify a workspace owner about a limit

1658 

1659Use `account/sendAddCreditsNudgeEmail` to ask ChatGPT to email a workspace owner when credits are depleted or a usage limit has been reached.

1660 

1661```json

1662{ "method": "account/sendAddCreditsNudgeEmail", "id": 7, "params": { "creditType": "credits" } }

1663{ "id": 7, "result": { "status": "sent" } }

1664```

1665 

1666Use `creditType: "credits"` when workspace credits are depleted, or `creditType: "usage_limit"` when the workspace usage limit has been reached. If the owner was already notified recently, the response status is `cooldown_active`.

20 20 

21![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)21![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)

22 22 

23## Browser use

24 

25Browser use lets Codex operate the in-app browser directly. Use it for local

26development servers and file-backed previews when Codex needs to click, type,

27inspect rendered state, take screenshots, or verify a fix in the page.

28 

29To use it, install and enable the Browser plugin. Then ask Codex to use the

30browser in your task, or reference it directly with `@Browser`. The app keeps

31browser use inside the in-app browser and lets you manage allowed and blocked

32websites from settings.

33 

34Example:

35 

36```text

37Use the browser to open http://localhost:3000/settings, reproduce the layout

38bug, and fix only the overflowing controls.

39```

40 

41Codex asks before using a website unless you've allowed it. Removing a site from

42the allowed list means Codex asks again before using it; removing a site from the

43blocked list means Codex can ask again instead of treating it as blocked.

44 

23## Preview a page45## Preview a page

24 46 

251. Start your app's development server in the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or with a [local environment action](https://developers.openai.com/codex/app/local-environments#actions).471. Start your app's development server in the [integrated terminal](https://developers.openai.com/codex/app/features#integrated-terminal) or with a [local environment action](https://developers.openai.com/codex/app/local-environments#actions).

3The Codex app is a focused desktop experience for working on Codex threads in parallel,3The Codex app is a focused desktop experience for working on Codex threads in parallel,

4with built-in worktree support, automations, and Git functionality.4with built-in worktree support, automations, and Git functionality.

5 5 

6Most Codex app features are available on both macOS and Windows.

7The sections below note platform-specific exceptions.

8 

6---9---

7 10 

8## Multitask across projects11## Multitask across projects

143Use browser comments to mark specific elements or areas on a page, then ask146Use browser comments to mark specific elements or areas on a page, then ask

144Codex to address that feedback.147Codex to address that feedback.

145 148 

149When you want Codex to operate the page directly, use

150[browser use](https://developers.openai.com/codex/app/browser#browser-use) for local development servers and

151file-backed pages. You can manage the Browser plugin, allowed websites, and

152blocked websites from settings.

153 

146![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)154![Codex app showing a browser comment on a local web app preview](/images/codex/app/in-app-browser-light.webp)

147 155 

148## Computer use156## Computer use

222opening separate projects or using worktrees rather than asking Codex to roam230opening separate projects or using worktrees rather than asking Codex to roam

223outside the project root.231outside the project root.

224 232 

233If [automatic review](https://developers.openai.com/codex/agent-approvals-security#automatic-approval-reviews)

234is available in your workspace, you can choose it from the permissions selector.

235It keeps the same sandbox boundary but routes eligible approval requests through

236the configured review policy instead of waiting for you.

237 

225For a high-level overview, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For238For a high-level overview, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing). For

226configuration details, see the239configuration details, see the

227[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).240[agent approvals & security documentation](https://developers.openai.com/codex/agent-approvals-security).

247 260 

248You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.261You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.

249 262 

250Built-in image generation uses `gpt-image-1.5`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).263Built-in image generation uses `gpt-image-2`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).

251 264 

252For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.265For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.

253 266 

43also apply to the Codex CLI and IDE extension because the MCP configuration lives in43also apply to the Codex CLI and IDE extension because the MCP configuration lives in

44`config.toml`. See the [Model Context Protocol docs](https://developers.openai.com/codex/mcp) for details.44`config.toml`. See the [Model Context Protocol docs](https://developers.openai.com/codex/mcp) for details.

45 45 

46## Browser use

47 

48Use these settings to install or enable the bundled Browser plugin and manage

49allowlisted and blocklisted websites. Codex asks before using a website

50unless you’ve allowlisted it. Removing a site from the blocklist lets Codex ask

51again before using it in the browser.

52 

53See [In-app browser](https://developers.openai.com/codex/app/browser) for browser preview, comment, and

54browser use workflows.

55 

46## Computer Use56## Computer Use

47 57 

48On macOS, check your Computer Use settings to review desktop-app access and related58On macOS, check your Computer Use settings to review desktop-app access and related

2 2 

3The [Codex app for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi) gives you one interface for3The [Codex app for Windows](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi) gives you one interface for

4working across projects, running parallel agent threads, and reviewing results.4working across projects, running parallel agent threads, and reviewing results.

5The Windows app supports core workflows such as worktrees, automations, Git

6functionality, the in-app browser, artifact previews, plugins, and skills.

5It runs natively on Windows using PowerShell and the7It runs natively on Windows using PowerShell and the

6[Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox), or you can configure it to8[Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox), or you can configure it to

7run in [Windows Subsystem for Linux 2 (WSL2)](#windows-subsystem-for-linux-wsl).9run in [Windows Subsystem for Linux 2 (WSL2)](#windows-subsystem-for-linux-wsl).

43 43 

44 npm i -g @openai/codex@latestCopy44 npm i -g @openai/codex@latestCopy

45 45 

46The Codex CLI is available on macOS and Linux. Windows support is46The Codex CLI is available on macOS, Windows, and Linux. On Windows, run Codex

47experimental. For the best Windows experience, use Codex in a WSL2 workspace47 natively in PowerShell with the Windows sandbox, or use WSL2 when you need a

48and follow our [Windows setup guide](https://developers.openai.com/codex/windows).48Linux-native environment. For setup details, see the

49[Windows setup guide](https://developers.openai.com/codex/windows).

49 50 

50If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).51If you're new to Codex, read the [best practices guide](https://developers.openai.com/codex/learn/best-practices).

51 52 

107 107 

108## Models and reasoning108## Models and reasoning

109 109 

110For most tasks in Codex, `gpt-5.4` is the recommended model. It brings the110For most tasks in Codex, `gpt-5.5` is the recommended model when it is

111industry-leading coding capabilities of `gpt-5.3-codex` to OpenAI’s flagship111available. It is OpenAI's newest frontier model for complex coding, computer

112frontier model, combining frontier coding performance with stronger reasoning,112use, knowledge work, and research workflows, with stronger planning, tool use,

113native computer use, and broader professional workflows. For extra fast tasks,113and follow-through on multi-step tasks. If `gpt-5.5` is not yet available,

114ChatGPT Pro subscribers have access to the GPT-5.3-Codex-Spark model in114continue using `gpt-5.4`. For extra fast tasks, ChatGPT Pro subscribers have

115research preview.115access to the GPT-5.3-Codex-Spark model in research preview.

116 116 

117Switch models mid-session with the `/model` command, or specify one when launching the CLI.117Switch models mid-session with the `/model` command, or specify one when launching the CLI.

118 118 

119```bash119```bash

120codex --model gpt-5.4120codex --model gpt-5.5

121```121```

122 122 

123[Learn more about the models available in Codex](https://developers.openai.com/codex/models).123[Learn more about the models available in Codex](https://developers.openai.com/codex/models).

162 162 

163You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.163You can ask in natural language or explicitly invoke the image generation skill by including `$imagegen` in your prompt.

164 164 

165Built-in image generation uses `gpt-image-1.5`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).165Built-in image generation uses `gpt-image-2`, counts toward your general Codex usage limits, and uses included limits 3-5x faster on average than similar turns without image generation, depending on image quality and size. For details, see [Pricing](https://developers.openai.com/codex/pricing#image-generation-usage-limits). For prompting tips and model details, see the [image generation guide](https://developers.openai.com/api/docs/guides/image-generation).

166 166 

167For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.167For larger batches of image generation, set `OPENAI_API_KEY` in your environment variables and ask Codex to generate images through the API so API pricing applies instead.

168 168 

40| [`/mcp`](#list-mcp-tools-with-mcp) | List configured Model Context Protocol (MCP) tools. | Check which external tools Codex can call during the session. |40| [`/mcp`](#list-mcp-tools-with-mcp) | List configured Model Context Protocol (MCP) tools. | Check which external tools Codex can call during the session. |

41| [`/mention`](#highlight-files-with-mention) | Attach a file to the conversation. | Point Codex at specific files or folders you want it to inspect next. |41| [`/mention`](#highlight-files-with-mention) | Attach a file to the conversation. | Point Codex at specific files or folders you want it to inspect next. |

42| [`/model`](#set-the-active-model-with-model) | Choose the active model (and reasoning effort, when available). | Switch between general-purpose models (`gpt-4.1-mini`) and deeper reasoning models before running a task. |42| [`/model`](#set-the-active-model-with-model) | Choose the active model (and reasoning effort, when available). | Switch between general-purpose models (`gpt-4.1-mini`) and deeper reasoning models before running a task. |

43| [`/fast`](#toggle-fast-mode-with-fast) | Toggle Fast mode for GPT-5.4. | Turn Fast mode on or off, or check whether the current thread is using it. |43| [`/fast`](#toggle-fast-mode-with-fast) | Toggle Fast mode for supported models. | Turn Fast mode on or off, or check whether the current thread is using it. |

44| [`/plan`](#switch-to-plan-mode-with-plan) | Switch to plan mode and optionally send a prompt. | Ask Codex to propose an execution plan before implementation work starts. |44| [`/plan`](#switch-to-plan-mode-with-plan) | Switch to plan mode and optionally send a prompt. | Ask Codex to propose an execution plan before implementation work starts. |

45| [`/personality`](#set-a-communication-style-with-personality) | Choose a communication style for responses. | Make Codex more concise, more explanatory, or more collaborative without changing your instructions. |45| [`/personality`](#set-a-communication-style-with-personality) | Choose a communication style for responses. | Make Codex more concise, more explanatory, or more collaborative without changing your instructions. |

46| [`/ps`](#check-background-terminals-with-ps) | Show experimental background terminals and their recent output. | Check long-running commands without leaving the main transcript. |46| [`/ps`](#check-background-terminals-with-ps) | Show experimental background terminals and their recent output. | Check long-running commands without leaving the main transcript. |

67 67 

68Codex surfaces a startup warning when `bwrap` is missing or when the helper68Codex surfaces a startup warning when `bwrap` is missing or when the helper

69can't create the needed user namespace. On distributions that restrict this69can't create the needed user namespace. On distributions that restrict this

70AppArmor setting, you can enable it with:70AppArmor setting, prefer loading the `bwrap` AppArmor profile so `bwrap` can

71keep working without disabling the restriction globally.

72 

73**Ubuntu AppArmor note:** On Ubuntu 25.04, installing `bubblewrap` from

74 Ubuntu's package repository should work without extra AppArmor setup. The

75 `bwrap-userns-restrict` profile ships in the `apparmor` package at

76 `/etc/apparmor.d/bwrap-userns-restrict`.

77 

78On Ubuntu 24.04, Codex may still warn that it can't create the needed user

79namespace after `bubblewrap` is installed. Copy and load the extra profile:

80 

81```bash

82sudo apt update

83sudo apt install apparmor-profiles apparmor-utils

84sudo install -m 0644 \

85 /usr/share/apparmor/extra-profiles/bwrap-userns-restrict \

86 /etc/apparmor.d/bwrap-userns-restrict

87sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict

88```

89 

90`apparmor_parser -r` loads the profile into the kernel without a reboot. You

91can also reload all AppArmor profiles:

92 

93```bash

94sudo systemctl reload apparmor.service

95```

96 

97If that profile is unavailable or does not resolve the issue, you can disable

98the AppArmor unprivileged user namespace restriction with:

71 99 

72```bash100```bash

73sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0101sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

142[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the170[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the

143IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).171IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).

144 172 

173Automatic review, when available, doesn't change the sandbox boundary. It

174reviews approval requests, such as sandbox escalations or network access, while

175actions already allowed inside the sandbox run without extra review. See

176[Automatic approval reviews](https://developers.openai.com/codex/agent-approvals-security#automatic-approval-reviews)

177for the policy behavior.

178 

145Platform details live in the platform-specific docs. For native Windows setup,179Platform details live in the platform-specific docs. For native Windows setup,

146behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin180behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin

147requirements and organization-level constraints on sandboxing and approvals, see181requirements and organization-level constraints on sandboxing and approvals, see

65 65 

66If you don't pin a model or `model_reasoning_effort`, Codex can choose a setup66If you don't pin a model or `model_reasoning_effort`, Codex can choose a setup

67that balances intelligence, speed, and price for the task. It may favor67that balances intelligence, speed, and price for the task. It may favor

68`gpt-5.4-mini` for fast scans or a higher-effort `gpt-5.4`68`gpt-5.4-mini` for fast scans or a higher-effort `gpt-5.5` configuration for

69configuration for more demanding reasoning. When you want finer control, steer that69more demanding reasoning when that model is available. When you want finer

70choice in your prompt or set `model` and `model_reasoning_effort` directly in70control, steer that choice in your prompt or set `model` and

71the agent file.71`model_reasoning_effort` directly in the agent file.

72 72 

73For most tasks in Codex, start with `gpt-5.4`. Use `gpt-5.4-mini` when you73For most tasks in Codex, start with `gpt-5.5` when it is available. Continue

74want a faster, lower-cost option for lighter subagent work. If you have74 using `gpt-5.4` during the rollout if `gpt-5.5` is not yet available. Use

75ChatGPT Pro and want near-instant text-only iteration, `gpt-5.3-codex-spark`75 `gpt-5.4-mini` when you want a faster, lower-cost option for lighter subagent

76remains available in research preview.76 work. If you have ChatGPT Pro and want near-instant text-only iteration,

77 `gpt-5.3-codex-spark` remains available in research preview.

77 78 

78### Model choice79### Model choice

79 80 

80- **`gpt-5.4`**: Start here for most agents. It combines strong coding, reasoning, tool use, and broader workflows. The main agent and agents that coordinate ambiguous or multi-step work fit here.81- **`gpt-5.5`**: Start here for demanding agents when it is available. It is strongest for ambiguous, multi-step work that needs planning, tool use, validation, and follow-through across a larger context.

82- **`gpt-5.4`**: Use this when `gpt-5.5` is not yet available or when a workflow is pinned to GPT-5.4. It combines strong coding, reasoning, tool use, and broader workflows.

81- **`gpt-5.4-mini`**: Use for agents that favor speed and efficiency over depth, such as exploration, read-heavy scans, large-file review, or processing supporting documents. It works well for parallel workers that return distilled results to the main agent.83- **`gpt-5.4-mini`**: Use for agents that favor speed and efficiency over depth, such as exploration, read-heavy scans, large-file review, or processing supporting documents. It works well for parallel workers that return distilled results to the main agent.

82- **`gpt-5.3-codex-spark`**: If you have ChatGPT Pro, use this research preview model for near-instant, text-only iteration when latency matters more than broader capability.84- **`gpt-5.3-codex-spark`**: If you have ChatGPT Pro, use this research preview model for near-instant, text-only iteration when latency matters more than broader capability.

83 85 

84 84 

85In addition to your user config, Codex reads project-scoped overrides from `.codex/config.toml` files inside your repo. Codex walks from the project root to your current working directory and loads every `.codex/config.toml` it finds. If multiple files define the same key, the closest file to your working directory wins.85In addition to your user config, Codex reads project-scoped overrides from `.codex/config.toml` files inside your repo. Codex walks from the project root to your current working directory and loads every `.codex/config.toml` it finds. If multiple files define the same key, the closest file to your working directory wins.

86 86 

87For security, Codex loads project-scoped config files only when the project is trusted. If the project is untrusted, Codex ignores `.codex/config.toml` files in the project.87For security, Codex loads project-scoped config files only when the project is trusted. If the project is untrusted, Codex ignores project `.codex/` layers, including `.codex/config.toml`, project-local hooks, and project-local rules. User and system layers remain separate and still load.

88 88 

89Relative paths inside a project config (for example, `model_instructions_file`) are resolved relative to the `.codex/` folder that contains the `config.toml`.89Relative paths inside a project config (for example, `model_instructions_file`) are resolved relative to the `.codex/` folder that contains the `config.toml`.

90 90 

91## Hooks (experimental)91## Hooks (experimental)

92 92 

93Codex can also load lifecycle hooks from `hooks.json` files that sit next to93Codex can also load lifecycle hooks from either `hooks.json` files or inline

94active config layers.94`[hooks]` tables in `config.toml` files that sit next to active config layers.

95 95 

96In practice, the two most useful locations are:96In practice, the two most useful locations are:

97 97 

98- `~/.codex/hooks.json`98- `~/.codex/hooks.json`

99- `~/.codex/config.toml`

99- `<repo>/.codex/hooks.json`100- `<repo>/.codex/hooks.json`

101- `<repo>/.codex/config.toml`

102 

103Project-local hooks load only when the project `.codex/` layer is trusted.

104User-level hooks remain independent of project trust.

100 105 

101Turn hooks on with:106Turn hooks on with:

102 107 

105codex_hooks = true110codex_hooks = true

106```111```

107 112 

113Inline TOML hooks use the same event structure as `hooks.json`:

114 

115```toml

116[[hooks.PreToolUse]]

117matcher = "^Bash$"

118 

119[[hooks.PreToolUse.hooks]]

120type = "command"

121command = '/usr/bin/python3 "$(git rev-parse --show-toplevel)/.codex/hooks/pre_tool_use_policy.py"'

122timeout = 30

123statusMessage = "Checking Bash command"

124```

125 

126If a single layer contains both `hooks.json` and inline `[hooks]`, Codex loads

127both and warns. Prefer one representation per layer.

128 

108For the current event list, input fields, output behavior, and limitations, see129For the current event list, input fields, output behavior, and limitations, see

109[Hooks](https://developers.openai.com/codex/hooks).130[Hooks](https://developers.openai.com/codex/hooks).

110 131 

230 251 

231You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.252You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.

232 253 

233```254Set `approvals_reviewer = "auto_review"` to route eligible interactive approval

255requests through automatic review. This changes the reviewer, not the sandbox

256boundary.

257 

258Use `[auto_review].policy` for local reviewer policy instructions. Managed

259`guardian_policy_config` takes precedence.

260 

261```toml

234approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }262approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }

263approvals_reviewer = "user" # Or "auto_review" for automatic review

235sandbox_mode = "workspace-write"264sandbox_mode = "workspace-write"

236allow_login_shell = false # Optional hardening: disallow login shells for shell tools265allow_login_shell = false # Optional hardening: disallow login shells for shell tools

237 266 

249exclude_slash_tmp = false # Allow /tmp278exclude_slash_tmp = false # Allow /tmp

250writable_roots = ["/Users/YOU/.pyenv/shims"]279writable_roots = ["/Users/YOU/.pyenv/shims"]

251network_access = false # Opt in to outbound network280network_access = false # Opt in to outbound network

281 

282[auto_review]

283policy = """

284Use your organization's automatic review policy.

285"""

252```286```

253 287 

254Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).288Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).

370 404 

371#### Metrics catalog405#### Metrics catalog

372 406 

373Each metric includes the required fields plus the default context fields above. Every metric is prefixed by `codex.`.407Each metric includes the required fields plus the default context fields above. Metric names below omit the `codex.` prefix.

408Most metric names are centralized in `codex-rs/otel/src/metrics/names.rs`; feature-specific metrics emitted outside that file are included here too.

374If a metric includes the `tool` field, it reflects the internal tool used (for example, `apply_patch` or `shell`) and doesn't contain the actual shell command or patch `codex` is trying to apply.409If a metric includes the `tool` field, it reflects the internal tool used (for example, `apply_patch` or `shell`) and doesn't contain the actual shell command or patch `codex` is trying to apply.

375 410 

411#### Runtime and model transport

412 

413| Metric | Type | Fields | Description |

414| --- | --- | --- | --- |

415| `api_request` | counter | `status`, `success` | API request count by HTTP status and success/failure. |

416| `api_request.duration_ms` | histogram | `status`, `success` | API request duration in milliseconds. |

417| `sse_event` | counter | `kind`, `success` | SSE event count by event kind and success/failure. |

418| `sse_event.duration_ms` | histogram | `kind`, `success` | SSE event processing duration in milliseconds. |

419| `websocket.request` | counter | `success` | WebSocket request count by success/failure. |

420| `websocket.request.duration_ms` | histogram | `success` | WebSocket request duration in milliseconds. |

421| `websocket.event` | counter | `kind`, `success` | WebSocket message/event count by type and success/failure. |

422| `websocket.event.duration_ms` | histogram | `kind`, `success` | WebSocket message/event processing duration in milliseconds. |

423| `responses_api_overhead.duration_ms` | histogram | | Responses API overhead timing from websocket responses. |

424| `responses_api_inference_time.duration_ms` | histogram | | Responses API inference timing from websocket responses. |

425| `responses_api_engine_iapi_ttft.duration_ms` | histogram | | Responses API engine IAPI time-to-first-token timing. |

426| `responses_api_engine_service_ttft.duration_ms` | histogram | | Responses API engine service time-to-first-token timing. |

427| `responses_api_engine_iapi_tbt.duration_ms` | histogram | | Responses API engine IAPI time-between-token timing. |

428| `responses_api_engine_service_tbt.duration_ms` | histogram | | Responses API engine service time-between-token timing. |

429| `transport.fallback_to_http` | counter | `from_wire_api` | WebSocket-to-HTTP fallback count. |

430| `remote_models.fetch_update.duration_ms` | histogram | | Time to fetch remote model definitions. |

431| `remote_models.load_cache.duration_ms` | histogram | | Time to load the remote model cache. |

432| `startup_prewarm.duration_ms` | histogram | `status` | Startup prewarm duration by outcome. |

433| `startup_prewarm.age_at_first_turn_ms` | histogram | `status` | Startup prewarm age when the first real turn resolves it. |

434| `cloud_requirements.fetch.duration_ms` | histogram | | Workspace-managed cloud requirements fetch duration. |

435| `cloud_requirements.fetch_attempt` | counter | See note | Workspace-managed cloud requirements fetch attempts. |

436| `cloud_requirements.fetch_final` | counter | See note | Final workspace-managed cloud requirements fetch outcome. |

437| `cloud_requirements.load` | counter | `trigger`, `outcome` | Workspace-managed cloud requirements load outcome. |

438 

439The `cloud_requirements.fetch_attempt` metric includes `trigger`, `attempt`, `outcome`, and `status_code` fields. The `cloud_requirements.fetch_final` metric includes `trigger`, `outcome`, `reason`, `attempt_count`, and `status_code` fields.

440 

441#### Turn and tool activity

442 

443| Metric | Type | Fields | Description |

444| --- | --- | --- | --- |

445| `turn.e2e_duration_ms` | histogram | | End-to-end time for a full turn. |

446| `turn.ttft.duration_ms` | histogram | | Time to first token for a turn. |

447| `turn.ttfm.duration_ms` | histogram | | Time to first model output item for a turn. |

448| `turn.network_proxy` | counter | `active`, `tmp_mem_enabled` | Whether the managed network proxy was active for the turn. |

449| `turn.memory` | counter | `read_allowed`, `feature_enabled`, `config_use_memories`, `has_citations` | Per-turn memory read availability and memory citation usage. |

450| `turn.tool.call` | histogram | `tmp_mem_enabled` | Number of tool calls in the turn. |

451| `turn.token_usage` | histogram | `token_type`, `tmp_mem_enabled` | Per-turn token usage by token type (`total`, `input`, `cached_input`, `output`, or `reasoning_output`). |

452| `tool.call` | counter | `tool`, `success` | Tool invocation count by tool name and success/failure. |

453| `tool.call.duration_ms` | histogram | `tool`, `success` | Tool execution duration in milliseconds by tool name and outcome. |

454| `tool.unified_exec` | counter | `tty` | Unified exec tool calls by TTY mode. |

455| `approval.requested` | counter | `tool`, `approved` | Tool approval request result (`approved`, `approved_with_amendment`, `approved_for_session`, `denied`, `abort`). |

456| `mcp.call` | counter | See note | MCP tool invocation result. |

457| `mcp.call.duration_ms` | histogram | See note | MCP tool invocation duration. |

458| `mcp.tools.list.duration_ms` | histogram | `cache` | MCP tool-list duration, including cache hit/miss state. |

459| `mcp.tools.fetch_uncached.duration_ms` | histogram | | Duration of uncached MCP tool fetches. |

460| `mcp.tools.cache_write.duration_ms` | histogram | | Duration of Codex Apps MCP tool-cache writes. |

461| `hooks.run` | counter | `hook_name`, `source`, `status` | Hook run count by hook name, source, and status. |

462| `hooks.run.duration_ms` | histogram | `hook_name`, `source`, `status` | Hook run duration in milliseconds. |

463 

464The `mcp.call` and `mcp.call.duration_ms` metrics include `status`; normal tool-call emissions also include `tool`, plus `connector_id` and `connector_name` when available. Blocked Codex Apps MCP calls may emit `mcp.call` with only `status`.

465 

466#### Threads, tasks, and features

467 

376| Metric | Type | Fields | Description |468| Metric | Type | Fields | Description |

377| --- | --- | --- | --- |469| --- | --- | --- | --- |

378| `feature.state` | counter | `feature`, `value` | Feature values that differ from defaults (emit one row per non-default). |470| `feature.state` | counter | `feature`, `value` | Feature values that differ from defaults (emit one row per non-default). |

379| `thread.started` | counter | `is_git` | New thread created. |471| `status_line` | counter | | Session started with a configured status line. |

380| `thread.fork` | counter | | New thread created by forking an existing thread. |472| `model_warning` | counter | | Warning sent to the model. |

473| `thread.started` | counter | `is_git` | New thread created, tagged by whether the working directory is in a Git repo. |

474| `conversation.turn.count` | counter | | User/assistant turns per thread, recorded at the end of the thread. |

475| `thread.fork` | counter | `source` | New thread created by forking an existing thread. |

381| `thread.rename` | counter | | Thread renamed. |476| `thread.rename` | counter | | Thread renamed. |

477| `thread.side` | counter | `source` | Side conversation created. |

478| `thread.skills.enabled_total` | histogram | | Number of skills enabled for a new thread. |

479| `thread.skills.kept_total` | histogram | | Number of enabled skills kept after prompt rendering. |

480| `thread.skills.truncated` | histogram | | Whether skill rendering truncated the enabled skills list (`1` or `0`). |

382| `task.compact` | counter | `type` | Number of compactions per type (`remote` or `local`), including manual and auto. |481| `task.compact` | counter | `type` | Number of compactions per type (`remote` or `local`), including manual and auto. |

383| `task.user_shell` | counter | | Number of user shell actions (`!` in the TUI for example). |

384| `task.review` | counter | | Number of reviews triggered. |482| `task.review` | counter | | Number of reviews triggered. |

385| `task.undo` | counter | | Number of undo actions triggered. |483| `task.undo` | counter | | Number of undo actions triggered. |

386| `approval.requested` | counter | `tool`, `approved` | Tool approval request result (`approved`, `approved_with_amendment`, `approved_for_session`, `denied`, `abort`). |484| `task.user_shell` | counter | | Number of user shell actions (`!` in the TUI for example). |

387| `conversation.turn.count` | counter | | User/assistant turns per thread, recorded at the end of the thread. |485| `shell_snapshot` | counter | See note | Whether taking a shell snapshot succeeded. |

388| `turn.e2e_duration_ms` | histogram | | End-to-end time for a full turn. |

389| `mcp.call` | counter | `status` | MCP tool invocation result (`ok` or error string). |

390| `model_warning` | counter | | Warning sent to the model. |

391| `tool.call` | counter | `tool`, `success` | Tool invocation result (`success`: `true` or `false`). |

392| `tool.call.duration_ms` | histogram | `tool`, `success` | Tool execution time. |

393| `remote_models.fetch_update.duration_ms` | histogram | | Time to fetch remote model definitions. |

394| `remote_models.load_cache.duration_ms` | histogram | | Time to load the remote model cache. |

395| `shell_snapshot` | counter | `success` | Whether taking a shell snapshot succeeded. |

396| `shell_snapshot.duration_ms` | histogram | `success` | Time to take a shell snapshot. |486| `shell_snapshot.duration_ms` | histogram | `success` | Time to take a shell snapshot. |

397| `db.init` | counter | `status` | State DB initialization outcomes (`opened`, `created`, `open_error`, `init_error`). |487| `skill.injected` | counter | `status`, `skill` | Skill injection outcomes by skill. |

488| `plugins.startup_sync` | counter | `transport`, `status` | Curated plugin startup sync attempts. |

489| `plugins.startup_sync.final` | counter | `transport`, `status` | Final curated plugin startup sync outcome. |

490| `multi_agent.spawn` | counter | `role` | Agent spawns by role. |

491| `multi_agent.resume` | counter | | Agent resumes. |

492| `multi_agent.nickname_pool_reset` | counter | | Agent nickname pool resets. |

493 

494The `shell_snapshot` metric includes `success` and, on failures, `failure_reason`.

495 

496#### Memory and local state

497 

498| Metric | Type | Fields | Description |

499| --- | --- | --- | --- |

500| `memory.phase1` | counter | `status` | Memory phase 1 job counts by status. |

501| `memory.phase1.e2e_ms` | histogram | | End-to-end duration for memory phase 1. |

502| `memory.phase1.output` | counter | | Memory phase 1 outputs written. |

503| `memory.phase1.token_usage` | histogram | `token_type` | Memory phase 1 token usage by token type. |

504| `memory.phase2` | counter | `status` | Memory phase 2 job counts by status. |

505| `memory.phase2.e2e_ms` | histogram | | End-to-end duration for memory phase 2. |

506| `memory.phase2.input` | counter | | Memory phase 2 input count. |

507| `memory.phase2.token_usage` | histogram | `token_type` | Memory phase 2 token usage by token type. |

508| `memories.usage` | counter | `kind`, `tool`, `success` | Memory usage by kind, tool, and success/failure. |

509| `external_agent_config.detect` | counter | See note | External agent config detections by migration item type. |

510| `external_agent_config.import` | counter | See note | External agent config imports by migration item type. |

398| `db.backfill` | counter | `status` | Initial state DB backfill results (`upserted`, `failed`). |511| `db.backfill` | counter | `status` | Initial state DB backfill results (`upserted`, `failed`). |

399| `db.backfill.duration_ms` | histogram | `status` | Duration of the initial state DB backfill, tagged with `success`, `failed`, or `partial_failure`. |512| `db.backfill.duration_ms` | histogram | `status` | Duration of the initial state DB backfill. |

400| `db.error` | counter | `stage` | Errors during state DB operations (for example, `extract_metadata_from_rollout`, `backfill_sessions`, `apply_rollout_items`). |513| `db.error` | counter | `stage` | Errors during state DB operations. |

401| `db.compare_error` | counter | `stage`, `reason` | State DB discrepancies detected during reconciliation. |514 

515The `external_agent_config.detect` and `external_agent_config.import` metrics include `migration_type`; skills migrations also include `skills_count`.

516 

517#### Windows sandbox

518 

519| Metric | Type | Fields | Description |

520| --- | --- | --- | --- |

521| `windows_sandbox.setup_success` | counter | `originator`, `mode` | Windows sandbox setup successes. |

522| `windows_sandbox.setup_failure` | counter | `originator`, `mode` | Windows sandbox setup failures. |

523| `windows_sandbox.setup_duration_ms` | histogram | `result`, `originator`, `mode` | Windows sandbox setup duration. |

524| `windows_sandbox.elevated_setup_success` | counter | | Elevated Windows sandbox setup successes. |

525| `windows_sandbox.elevated_setup_failure` | counter | See note | Elevated Windows sandbox setup failures. |

526| `windows_sandbox.elevated_setup_canceled` | counter | See note | Canceled elevated Windows sandbox setup attempts. |

527| `windows_sandbox.elevated_setup_duration_ms` | histogram | `result` | Elevated Windows sandbox setup duration. |

528| `windows_sandbox.elevated_prompt_shown` | counter | | Elevated sandbox setup prompt shown. |

529| `windows_sandbox.elevated_prompt_accept` | counter | | Elevated sandbox setup prompt accepted. |

530| `windows_sandbox.elevated_prompt_use_legacy` | counter | | User chose legacy sandbox from the elevated prompt. |

531| `windows_sandbox.elevated_prompt_quit` | counter | | User quit from the elevated prompt. |

532| `windows_sandbox.fallback_prompt_shown` | counter | | Fallback sandbox prompt shown. |

533| `windows_sandbox.fallback_retry_elevated` | counter | | User retried elevated setup from the fallback prompt. |

534| `windows_sandbox.fallback_use_legacy` | counter | | User chose legacy sandbox from the fallback prompt. |

535| `windows_sandbox.fallback_prompt_quit` | counter | | User quit from the fallback prompt. |

536| `windows_sandbox.legacy_setup_preflight_failed` | counter | See note | Legacy Windows sandbox setup preflight failure. |

537| `windows_sandbox.setup_elevated_sandbox_command` | counter | | Elevated sandbox setup command invoked. |

538| `windows_sandbox.createprocessasuserw_failed` | counter | `error_code`, `path_kind`, `exe`, `level` | Windows `CreateProcessAsUserW` failures. |

539 

540The elevated setup failure metrics include `code` and `message` when Windows setup failure details are available, and may include `originator` when emitted from the shared setup path. The `windows_sandbox.legacy_setup_preflight_failed` metric includes `originator` when emitted from the shared setup path, but fallback-prompt preflight failures may not include any fields.

402 541 

403### Feedback controls542### Feedback controls

404 543 

1# Config basics1# Config basics

2 2 

3Codex reads configuration details from more than one location. Your personal defaults live in `~/.codex/config.toml`, and you can add project overrides with `.codex/config.toml` files. For security, Codex loads project config files only when you trust the project.3Codex reads configuration details from more than one location. Your personal defaults live in `~/.codex/config.toml`, and you can add project overrides with `.codex/config.toml` files. For security, Codex loads project `.codex/` layers only when you trust the project.

4 4 

5## Codex configuration file5## Codex configuration file

6 6 

27 27 

28Use that precedence to set shared defaults at the top level and keep profiles focused on the values that differ.28Use that precedence to set shared defaults at the top level and keep profiles focused on the values that differ.

29 29 

30If you mark a project as untrusted, Codex skips project-scoped `.codex/` layers (including `.codex/config.toml`) and falls back to user, system, and built-in defaults.30If you mark a project as untrusted, Codex skips project-scoped `.codex/` layers, including project-local config, hooks, and rules. User and system config still load, including user/global hooks and rules.

31 31 

32For one-off overrides via `-c`/`--config` (including TOML quoting rules), see [Advanced Config](https://developers.openai.com/codex/config-advanced#one-off-overrides-from-the-cli).32For one-off overrides via `-c`/`--config` (including TOML quoting rules), see [Advanced Config](https://developers.openai.com/codex/config-advanced#one-off-overrides-from-the-cli).

33 33 

46Choose the model Codex uses by default in the CLI and IDE.46Choose the model Codex uses by default in the CLI and IDE.

47 47 

48```toml48```toml

49model = "gpt-5.4"49model = "gpt-5.5"

50```50```

51 51 

52#### Approval prompts52#### Approval prompts

148| Key | Default | Maturity | Description |148| Key | Default | Maturity | Description |

149| -------------------- | :-------------------: | ------------ | ---------------------------------------------------------------------------------------- |149| -------------------- | :-------------------: | ------------ | ---------------------------------------------------------------------------------------- |

150| `apps` | false | Experimental | Enable ChatGPT Apps/connectors support |150| `apps` | false | Experimental | Enable ChatGPT Apps/connectors support |

151| `codex_hooks` | false | Under development | Enable lifecycle hooks from `hooks.json`. See [Hooks](https://developers.openai.com/codex/hooks). |151| `codex_hooks` | true | Stable | Enable lifecycle hooks from `hooks.json` or inline `[hooks]`. See [Hooks](https://developers.openai.com/codex/hooks). |

152| `fast_mode` | true | Stable | Enable Fast mode selection and the `service_tier = "fast"` path |152| `fast_mode` | true | Stable | Enable Fast mode selection and the `service_tier = "fast"` path |

153| `memories` | false | Stable | Enable [Memories](https://developers.openai.com/codex/memories) |153| `memories` | false | Stable | Enable [Memories](https://developers.openai.com/codex/memories) |

154| `multi_agent` | true | Stable | Enable subagent collaboration tools |154| `multi_agent` | true | Stable | Enable subagent collaboration tools |

155| `personality` | true | Stable | Enable personality selection controls |155| `personality` | true | Stable | Enable personality selection controls |

156| `shell_snapshot` | true | Stable | Snapshot your shell environment to speed up repeated commands |156| `shell_snapshot` | true | Stable | Snapshot your shell environment to speed up repeated commands |

157| `shell_tool` | true | Stable | Enable the default `shell` tool |157| `shell_tool` | true | Stable | Enable the default `shell` tool |

158| `guardian_approval` | false | Experimental | Route eligible approval requests through the guardian reviewer subagent (set `approvals_reviewer = "guardian_subagent"`). |

159| `unified_exec` | `true` except Windows | Stable | Use the unified PTY-backed exec tool |158| `unified_exec` | `true` except Windows | Stable | Use the unified PTY-backed exec tool |

160| `undo` | false | Stable | Enable undo via per-turn git ghost snapshots |159| `undo` | false | Stable | Enable undo via per-turn git ghost snapshots |

161| `web_search` | true | Deprecated | Legacy toggle; prefer the top-level `web_search` setting |160| `web_search` | true | Deprecated | Legacy toggle; prefer the top-level `web_search` setting |

24| `approval_policy.granular.rules` | `boolean` | When `true`, approvals triggered by execpolicy `prompt` rules are allowed to surface. |24| `approval_policy.granular.rules` | `boolean` | When `true`, approvals triggered by execpolicy `prompt` rules are allowed to surface. |

25| `approval_policy.granular.sandbox_approval` | `boolean` | When `true`, sandbox escalation approval prompts are allowed to surface. |25| `approval_policy.granular.sandbox_approval` | `boolean` | When `true`, sandbox escalation approval prompts are allowed to surface. |

26| `approval_policy.granular.skill_approval` | `boolean` | When `true`, skill-script approval prompts are allowed to surface. |26| `approval_policy.granular.skill_approval` | `boolean` | When `true`, skill-script approval prompts are allowed to surface. |

27| `approvals_reviewer` | `user | guardian_subagent` | Select who reviews eligible approval prompts. Defaults to `user`; `guardian_subagent` routes supported reviews through the Guardian reviewer subagent. |27| `approvals_reviewer` | `user | auto_review` | Who reviews eligible approval prompts under `on-request` or granular approval policies. Defaults to `user`; `auto_review` uses the reviewer subagent. This setting doesn't change sandboxing or review actions already allowed inside the sandbox. |

28| `apps._default.destructive_enabled` | `boolean` | Default allow/deny for app tools with `destructive_hint = true`. |28| `apps._default.destructive_enabled` | `boolean` | Default allow/deny for app tools with `destructive_hint = true`. |

29| `apps._default.enabled` | `boolean` | Default app enabled state for all apps unless overridden per app. |29| `apps._default.enabled` | `boolean` | Default app enabled state for all apps unless overridden per app. |

30| `apps._default.open_world_enabled` | `boolean` | Default allow/deny for app tools with `open_world_hint = true`. |30| `apps._default.open_world_enabled` | `boolean` | Default allow/deny for app tools with `open_world_hint = true`. |

35| `apps.<id>.open_world_enabled` | `boolean` | Allow or block tools in this app that advertise `open_world_hint = true`. |35| `apps.<id>.open_world_enabled` | `boolean` | Allow or block tools in this app that advertise `open_world_hint = true`. |

36| `apps.<id>.tools.<tool>.approval_mode` | `auto | prompt | approve` | Per-tool approval behavior override for a single app tool. |36| `apps.<id>.tools.<tool>.approval_mode` | `auto | prompt | approve` | Per-tool approval behavior override for a single app tool. |

37| `apps.<id>.tools.<tool>.enabled` | `boolean` | Per-tool enabled override for an app tool (for example `repos/list`). |37| `apps.<id>.tools.<tool>.enabled` | `boolean` | Per-tool enabled override for an app tool (for example `repos/list`). |

38| `auto_review.policy` | `string` | Local Markdown policy instructions for automatic review. Managed `guardian_policy_config` takes precedence. Blank values are ignored. |

38| `background_terminal_max_timeout` | `number` | Maximum poll window in milliseconds for empty `write_stdin` polls (background terminal polling). Default: `300000` (5 minutes). Replaces the older `background_terminal_timeout` key. |39| `background_terminal_max_timeout` | `number` | Maximum poll window in milliseconds for empty `write_stdin` polls (background terminal polling). Default: `300000` (5 minutes). Replaces the older `background_terminal_timeout` key. |

39| `chatgpt_base_url` | `string` | Override the base URL used during the ChatGPT login flow. |40| `chatgpt_base_url` | `string` | Override the base URL used during the ChatGPT login flow. |

40| `check_for_update_on_startup` | `boolean` | Check for Codex updates on startup (set to false only when updates are centrally managed). |41| `check_for_update_on_startup` | `boolean` | Check for Codex updates on startup (set to false only when updates are centrally managed). |

47| `experimental_compact_prompt_file` | `string (path)` | Load the compaction prompt override from a file (experimental). |48| `experimental_compact_prompt_file` | `string (path)` | Load the compaction prompt override from a file (experimental). |

48| `experimental_use_unified_exec_tool` | `boolean` | Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`. |49| `experimental_use_unified_exec_tool` | `boolean` | Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`. |

49| `features.apps` | `boolean` | Enable ChatGPT Apps/connectors support (experimental). |50| `features.apps` | `boolean` | Enable ChatGPT Apps/connectors support (experimental). |

50| `features.codex_hooks` | `boolean` | Enable lifecycle hooks loaded from `hooks.json` (under development; off by default). |51| `features.codex_hooks` | `boolean` | Enable lifecycle hooks loaded from `hooks.json` or inline `[hooks]` config. |

51| `features.enable_request_compression` | `boolean` | Compress streaming request bodies with zstd when supported (stable; on by default). |52| `features.enable_request_compression` | `boolean` | Compress streaming request bodies with zstd when supported (stable; on by default). |

52| `features.fast_mode` | `boolean` | Enable Fast mode selection and the `service_tier = "fast"` path (stable; on by default). |53| `features.fast_mode` | `boolean` | Enable Fast mode selection and the `service_tier = "fast"` path (stable; on by default). |

53| `features.guardian_approval` | `boolean` | Route eligible approval requests through the guardian reviewer subagent (experimental; off by default). Use with `approvals_reviewer = "guardian_subagent"`. |

54| `features.memories` | `boolean` | Enable [Memories](https://developers.openai.com/codex/memories) (off by default). |54| `features.memories` | `boolean` | Enable [Memories](https://developers.openai.com/codex/memories) (off by default). |

55| `features.multi_agent` | `boolean` | Enable multi-agent collaboration tools (`spawn_agent`, `send_input`, `resume_agent`, `wait_agent`, and `close_agent`) (stable; on by default). |55| `features.multi_agent` | `boolean` | Enable multi-agent collaboration tools (`spawn_agent`, `send_input`, `resume_agent`, `wait_agent`, and `close_agent`) (stable; on by default). |

56| `features.personality` | `boolean` | Enable personality selection controls (stable; on by default). |56| `features.personality` | `boolean` | Enable personality selection controls (stable; on by default). |

70| `hide_agent_reasoning` | `boolean` | Suppress reasoning events in both the TUI and `codex exec` output. |70| `hide_agent_reasoning` | `boolean` | Suppress reasoning events in both the TUI and `codex exec` output. |

71| `history.max_bytes` | `number` | If set, caps the history file size in bytes by dropping oldest entries. |71| `history.max_bytes` | `number` | If set, caps the history file size in bytes by dropping oldest entries. |

72| `history.persistence` | `save-all | none` | Control whether Codex saves session transcripts to history.jsonl. |72| `history.persistence` | `save-all | none` | Control whether Codex saves session transcripts to history.jsonl. |

73| `hooks` | `table` | Lifecycle hooks configured inline in `config.toml`. Uses the same event schema as `hooks.json`; see the Hooks guide for examples and supported events. |

73| `instructions` | `string` | Reserved for future use; prefer `model_instructions_file` or `AGENTS.md`. |74| `instructions` | `string` | Reserved for future use; prefer `model_instructions_file` or `AGENTS.md`. |

74| `log_dir` | `string (path)` | Directory where Codex writes log files (for example `codex-tui.log`); defaults to `$CODEX_HOME/log`. |75| `log_dir` | `string (path)` | Directory where Codex writes log files (for example `codex-tui.log`); defaults to `$CODEX_HOME/log`. |

75| `mcp_oauth_callback_port` | `integer` | Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS. |76| `mcp_oauth_callback_port` | `integer` | Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS. |

104| `memories.max_unused_days` | `number` | Maximum days since a memory was last used before it becomes ineligible for consolidation. Defaults to `30` and is clamped to `0`-`365`. |105| `memories.max_unused_days` | `number` | Maximum days since a memory was last used before it becomes ineligible for consolidation. Defaults to `30` and is clamped to `0`-`365`. |

105| `memories.min_rollout_idle_hours` | `number` | Minimum idle time before a thread is considered for memory generation. Defaults to `6` and is clamped to `1`-`48`. |106| `memories.min_rollout_idle_hours` | `number` | Minimum idle time before a thread is considered for memory generation. Defaults to `6` and is clamped to `1`-`48`. |

106| `memories.use_memories` | `boolean` | When `false`, Codex skips injecting existing memories into future sessions. Defaults to `true`. |107| `memories.use_memories` | `boolean` | When `false`, Codex skips injecting existing memories into future sessions. Defaults to `true`. |

107| `model` | `string` | Model to use (e.g., `gpt-5.4`). |108| `model` | `string` | Model to use (e.g., `gpt-5.5`). |

108| `model_auto_compact_token_limit` | `number` | Token threshold that triggers automatic history compaction (unset uses model defaults). |109| `model_auto_compact_token_limit` | `number` | Token threshold that triggers automatic history compaction (unset uses model defaults). |

109| `model_catalog_json` | `string (path)` | Optional path to a JSON model catalog loaded on startup. Profile-level `profiles.<name>.model_catalog_json` can override this per profile. |110| `model_catalog_json` | `string (path)` | Optional path to a JSON model catalog loaded on startup. Profile-level `profiles.<name>.model_catalog_json` can override this per profile. |

110| `model_context_window` | `number` | Context window tokens available to the active model. |111| `model_context_window` | `number` | Context window tokens available to the active model. |

195| `project_doc_fallback_filenames` | `array<string>` | Additional filenames to try when `AGENTS.md` is missing. |196| `project_doc_fallback_filenames` | `array<string>` | Additional filenames to try when `AGENTS.md` is missing. |

196| `project_doc_max_bytes` | `number` | Maximum bytes read from `AGENTS.md` when building project instructions. |197| `project_doc_max_bytes` | `number` | Maximum bytes read from `AGENTS.md` when building project instructions. |

197| `project_root_markers` | `array<string>` | List of project root marker filenames; used when searching parent directories for the project root. |198| `project_root_markers` | `array<string>` | List of project root marker filenames; used when searching parent directories for the project root. |

198| `projects.<path>.trust_level` | `string` | Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers. |199| `projects.<path>.trust_level` | `string` | Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers, including project-local config, hooks, and rules. |

199| `review_model` | `string` | Optional model override used by `/review` (defaults to the current session model). |200| `review_model` | `string` | Optional model override used by `/review` (defaults to the current session model). |

200| `sandbox_mode` | `read-only | workspace-write | danger-full-access` | Sandbox policy for filesystem and network access during command execution. |201| `sandbox_mode` | `read-only | workspace-write | danger-full-access` | Sandbox policy for filesystem and network access during command execution. |

201| `sandbox_workspace_write.exclude_slash_tmp` | `boolean` | Exclude `/tmp` from writable roots in workspace-write mode. |202| `sandbox_workspace_write.exclude_slash_tmp` | `boolean` | Exclude `/tmp` from writable roots in workspace-write mode. |

409 410 

410Type / Values411Type / Values

411 412 

412`user | guardian_subagent`413`user | auto_review`

413 414 

414Details415Details

415 416 

416Select who reviews eligible approval prompts. Defaults to `user`; `guardian_subagent` routes supported reviews through the Guardian reviewer subagent.417Who reviews eligible approval prompts under `on-request` or granular approval policies. Defaults to `user`; `auto_review` uses the reviewer subagent. This setting doesn't change sandboxing or review actions already allowed inside the sandbox.

417 418 

418Key419Key

419 420 

537 538 

538Key539Key

539 540 

541`auto_review.policy`

542 

543Type / Values

544 

545`string`

546 

547Details

548 

549Local Markdown policy instructions for automatic review. Managed `guardian_policy_config` takes precedence. Blank values are ignored.

550 

551Key

552 

540`background_terminal_max_timeout`553`background_terminal_max_timeout`

541 554 

542Type / Values555Type / Values

689 702 

690Details703Details

691 704 

692Enable lifecycle hooks loaded from `hooks.json` (under development; off by default).705Enable lifecycle hooks loaded from `hooks.json` or inline `[hooks]` config.

693 706 

694Key707Key

695 708 

717 730 

718Key731Key

719 732 

720`features.guardian_approval`

721 

722Type / Values

723 

724`boolean`

725 

726Details

727 

728Route eligible approval requests through the guardian reviewer subagent (experimental; off by default). Use with `approvals_reviewer = "guardian_subagent"`.

729 

730Key

731 

732`features.memories`733`features.memories`

733 734 

734Type / Values735Type / Values

957 958 

958Key959Key

959 960 

961`hooks`

962 

963Type / Values

964 

965`table`

966 

967Details

968 

969Lifecycle hooks configured inline in `config.toml`. Uses the same event schema as `hooks.json`; see the Hooks guide for examples and supported events.

970 

971Key

972 

960`instructions`973`instructions`

961 974 

962Type / Values975Type / Values

1373 1386 

1374Details1387Details

1375 1388 

1376Model to use (e.g., `gpt-5.4`).1389Model to use (e.g., `gpt-5.5`).

1377 1390 

1378Key1391Key

1379 1392 

2465 2478 

2466Details2479Details

2467 2480 

2468Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers.2481Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers, including project-local config, hooks, and rules.

2469 2482 

2470Key2483Key

2471 2484 

2948| Key | Type / Values | Details |2961| Key | Type / Values | Details |

2949| --- | --- | --- |2962| --- | --- | --- |

2950| `allowed_approval_policies` | `array<string>` | Allowed values for `approval_policy` (for example `untrusted`, `on-request`, `never`, and `granular`). |2963| `allowed_approval_policies` | `array<string>` | Allowed values for `approval_policy` (for example `untrusted`, `on-request`, `never`, and `granular`). |

2951| `allowed_approvals_reviewers` | `array<string>` | Allowed values for `approvals_reviewer` (for example `user` and `guardian_subagent`). |2964| `allowed_approvals_reviewers` | `array<string>` | Allowed values for `approvals_reviewer`, such as `user` and `auto_review`. |

2952| `allowed_sandbox_modes` | `array<string>` | Allowed values for `sandbox_mode`. |2965| `allowed_sandbox_modes` | `array<string>` | Allowed values for `sandbox_mode`. |

2953| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |2966| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |

2954| `features` | `table` | Pinned feature values keyed by the canonical names from `config.toml`'s `[features]` table. |2967| `features` | `table` | Pinned feature values keyed by the canonical names from `config.toml`'s `[features]` table. |

2955| `features.<name>` | `boolean` | Require a specific canonical feature key to stay enabled or disabled. |2968| `features.<name>` | `boolean` | Require a specific canonical feature key to stay enabled or disabled. |

2969| `features.browser_use` | `boolean` | Set to `false` in `requirements.toml` to disable Browser Use and Browser Agent availability. |

2970| `features.computer_use` | `boolean` | Set to `false` in `requirements.toml` to disable Computer Use availability and related install or enablement flows. |

2971| `features.in_app_browser` | `boolean` | Set to `false` in `requirements.toml` to disable the in-app browser pane. |

2972| `guardian_policy_config` | `string` | Managed Markdown policy instructions for automatic review. This takes precedence over local `[auto_review].policy`. Blank values are ignored. |

2973| `hooks` | `table` | Admin-enforced managed lifecycle hooks. Requires a managed hook directory and uses the same event schema as inline `[hooks]` in `config.toml`. |

2974| `hooks.<Event>` | `array<table>` | Matcher groups for a hook event such as `PreToolUse`, `PostToolUse`, `PermissionRequest`, `SessionStart`, `UserPromptSubmit`, or `Stop`. |

2975| `hooks.<Event>[].hooks` | `array<table>` | Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped. |

2976| `hooks.managed_dir` | `string (absolute path)` | Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks. |

2977| `hooks.windows_managed_dir` | `string (absolute path)` | Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks. |

2956| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |2978| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |

2957| `mcp_servers.<id>.identity` | `table` | Identity rule for a single MCP server. Set either `command` (stdio) or `url` (streamable HTTP). |2979| `mcp_servers.<id>.identity` | `table` | Identity rule for a single MCP server. Set either `command` (stdio) or `url` (streamable HTTP). |

2958| `mcp_servers.<id>.identity.command` | `string` | Allow an MCP stdio server when its `mcp_servers.<id>.command` matches this command. |2980| `mcp_servers.<id>.identity.command` | `string` | Allow an MCP stdio server when its `mcp_servers.<id>.command` matches this command. |

2959| `mcp_servers.<id>.identity.url` | `string` | Allow an MCP streamable HTTP server when its `mcp_servers.<id>.url` matches this URL. |2981| `mcp_servers.<id>.identity.url` | `string` | Allow an MCP streamable HTTP server when its `mcp_servers.<id>.url` matches this URL. |

2960| `permissions.filesystem.deny_read` | `array<string>` | Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config. |2982| `permissions.filesystem.deny_read` | `array<string>` | Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config. |

2983| `remote_sandbox_config` | `array<table>` | Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only. |

2984| `remote_sandbox_config[].allowed_sandbox_modes` | `array<string>` | Allowed sandbox modes to apply when this host-specific entry matches. |

2985| `remote_sandbox_config[].hostname_patterns` | `array<string>` | Case-insensitive host name patterns. Supports `*` for any sequence of characters and `?` for one character. |

2961| `rules` | `table` | Admin-enforced command rules merged with `.rules` files. Requirements rules must be restrictive. |2986| `rules` | `table` | Admin-enforced command rules merged with `.rules` files. Requirements rules must be restrictive. |

2962| `rules.prefix_rules` | `array<table>` | List of enforced prefix rules. Each rule must include `pattern` and `decision`. |2987| `rules.prefix_rules` | `array<table>` | List of enforced prefix rules. Each rule must include `pattern` and `decision`. |

2963| `rules.prefix_rules[].decision` | `prompt | forbidden` | Required. Requirements rules can only prompt or forbid (not allow). |2988| `rules.prefix_rules[].decision` | `prompt | forbidden` | Required. Requirements rules can only prompt or forbid (not allow). |

2988 3013 

2989Details3014Details

2990 3015 

2991Allowed values for `approvals_reviewer` (for example `user` and `guardian_subagent`).3016Allowed values for `approvals_reviewer`, such as `user` and `auto_review`.

2992 3017 

2993Key3018Key

2994 3019 

3040 3065 

3041Key3066Key

3042 3067 

3068`features.browser_use`

3069 

3070Type / Values

3071 

3072`boolean`

3073 

3074Details

3075 

3076Set to `false` in `requirements.toml` to disable Browser Use and Browser Agent availability.

3077 

3078Key

3079 

3080`features.computer_use`

3081 

3082Type / Values

3083 

3084`boolean`

3085 

3086Details

3087 

3088Set to `false` in `requirements.toml` to disable Computer Use availability and related install or enablement flows.

3089 

3090Key

3091 

3092`features.in_app_browser`

3093 

3094Type / Values

3095 

3096`boolean`

3097 

3098Details

3099 

3100Set to `false` in `requirements.toml` to disable the in-app browser pane.

3101 

3102Key

3103 

3104`guardian_policy_config`

3105 

3106Type / Values

3107 

3108`string`

3109 

3110Details

3111 

3112Managed Markdown policy instructions for automatic review. This takes precedence over local `[auto_review].policy`. Blank values are ignored.

3113 

3114Key

3115 

3116`hooks`

3117 

3118Type / Values

3119 

3120`table`

3121 

3122Details

3123 

3124Admin-enforced managed lifecycle hooks. Requires a managed hook directory and uses the same event schema as inline `[hooks]` in `config.toml`.

3125 

3126Key

3127 

3128`hooks.<Event>`

3129 

3130Type / Values

3131 

3132`array<table>`

3133 

3134Details

3135 

3136Matcher groups for a hook event such as `PreToolUse`, `PostToolUse`, `PermissionRequest`, `SessionStart`, `UserPromptSubmit`, or `Stop`.

3137 

3138Key

3139 

3140`hooks.<Event>[].hooks`

3141 

3142Type / Values

3143 

3144`array<table>`

3145 

3146Details

3147 

3148Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped.

3149 

3150Key

3151 

3152`hooks.managed_dir`

3153 

3154Type / Values

3155 

3156`string (absolute path)`

3157 

3158Details

3159 

3160Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks.

3161 

3162Key

3163 

3164`hooks.windows_managed_dir`

3165 

3166Type / Values

3167 

3168`string (absolute path)`

3169 

3170Details

3171 

3172Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks.

3173 

3174Key

3175 

3043`mcp_servers`3176`mcp_servers`

3044 3177 

3045Type / Values3178Type / Values

3100 3233 

3101Key3234Key

3102 3235 

3236`remote_sandbox_config`

3237 

3238Type / Values

3239 

3240`array<table>`

3241 

3242Details

3243 

3244Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only.

3245 

3246Key

3247 

3248`remote_sandbox_config[].allowed_sandbox_modes`

3249 

3250Type / Values

3251 

3252`array<string>`

3253 

3254Details

3255 

3256Allowed sandbox modes to apply when this host-specific entry matches.

3257 

3258Key

3259 

3260`remote_sandbox_config[].hostname_patterns`

3261 

3262Type / Values

3263 

3264`array<string>`

3265 

3266Details

3267 

3268Case-insensitive host name patterns. Supports `*` for any sequence of characters and `?` for one character.

3269 

3270Key

3271 

3103`rules`3272`rules`

3104 3273 

3105Type / Values3274Type / Values

27# Core Model Selection27# Core Model Selection

28################################################################################28################################################################################

29 29 

30# Primary model used by Codex. Recommended example for most users: "gpt-5.4".30# Primary model used by Codex. Recommended example for most users: "gpt-5.5".

31model = "gpt-5.4"31model = "gpt-5.5"

32 32 

33# Communication style for supported models. Allowed values: none | friendly | pragmatic33# Communication style for supported models. Allowed values: none | friendly | pragmatic

34# personality = "pragmatic"34# personality = "pragmatic"

35 35 

36# Optional model override for /review. Default: unset (uses current session model).36# Optional model override for /review. Default: unset (uses current session model).

37# review_model = "gpt-5.4"37# review_model = "gpt-5.5"

38 38 

39# Provider id selected from [model_providers]. Default: "openai".39# Provider id selected from [model_providers]. Default: "openai".

40model_provider = "openai"40model_provider = "openai"

109# - never: never prompt (risky)109# - never: never prompt (risky)

110# - { granular = { ... } }: allow or auto-reject selected prompt categories110# - { granular = { ... } }: allow or auto-reject selected prompt categories

111approval_policy = "on-request"111approval_policy = "on-request"

112# Who reviews eligible approval prompts: user (default) | guardian_subagent112# Who reviews eligible approval prompts: user (default) | auto_review

113# approvals_reviewer = "user"113# approvals_reviewer = "user"

114 114 

115# Example granular policy:115# Example granular policy:

393# multi_agent = true393# multi_agent = true

394# personality = true394# personality = true

395# fast_mode = true395# fast_mode = true

396# guardian_approval = false

397# enable_request_compression = true396# enable_request_compression = true

398# skill_mcp_dependency_install = true397# skill_mcp_dependency_install = true

399# prevent_idle_sleep = false398# prevent_idle_sleep = false

408# use_memories = true407# use_memories = true

409# disable_on_external_context = false # legacy alias: no_memories_if_mcp_or_web_search408# disable_on_external_context = false # legacy alias: no_memories_if_mcp_or_web_search

410 409 

410################################################################################

411# Lifecycle hooks can be configured here inline or in a sibling hooks.json.

412################################################################################

413 

414# [hooks]

415# [[hooks.PreToolUse]]

416# matcher = "^Bash$"

417#

418# [[hooks.PreToolUse.hooks]]

419# type = "command"

420# command = 'python3 "/absolute/path/to/pre_tool_use_policy.py"'

421# timeout = 30

422# statusMessage = "Checking Bash command"

423 

411################################################################################424################################################################################

412# Define MCP servers under this table. Leave empty to disable.425# Define MCP servers under this table. Leave empty to disable.

413################################################################################426################################################################################

139 139 

140Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).140Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).

141 141 

142Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules.142Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).

143 143 

144![Codex policies and configurations page](/images/codex/enterprise/policies_and_configurations_page.png)144![Codex policies and configurations page](/images/codex/enterprise/policies_and_configurations_page.png)

145 145 

166allowed_approval_policies = ["on-request"]166allowed_approval_policies = ["on-request"]

167```167```

168 168 

169Example: disable Browser Use, the in-app browser, and Computer Use:

170 

171```toml