SpyBara
Go Premium Account

cli/reference.md Codex Docs, 2026-02-19 20:37 UTC → 2026-05-02 00:48 UTC

Inspect the documentation page or source diff for this selected snapshot comparison.

2026
19 Feb 2026, 20:37
14 May 2026, 21:00 14 May 2026, 07:00 13 May 2026, 00:57 12 May 2026, 01:59 11 May 2026, 18:00 7 May 2026, 20:02 7 May 2026, 17:08 5 May 2026, 23:00 2 May 2026, 06:45 2 May 2026, 00:48 1 May 2026, 18:29 30 Apr 2026, 18:36 29 Apr 2026, 12:40 29 Apr 2026, 00:50 25 Apr 2026, 06:37 25 Apr 2026, 00:42 24 Apr 2026, 18:20 24 Apr 2026, 12:28 23 Apr 2026, 18:31 23 Apr 2026, 12:28 23 Apr 2026, 00:46 22 Apr 2026, 18:29 22 Apr 2026, 00:42 21 Apr 2026, 18:29 21 Apr 2026, 12:30 21 Apr 2026, 06:45 20 Apr 2026, 18:26 20 Apr 2026, 06:53 18 Apr 2026, 18:18 17 Apr 2026, 00:44 16 Apr 2026, 18:31 16 Apr 2026, 00:46 15 Apr 2026, 18:31 15 Apr 2026, 06:44 14 Apr 2026, 18:31 14 Apr 2026, 12:29 13 Apr 2026, 18:37 13 Apr 2026, 00:44 12 Apr 2026, 06:38 10 Apr 2026, 18:23 9 Apr 2026, 00:33 8 Apr 2026, 18:32 8 Apr 2026, 00:40 7 Apr 2026, 00:40 2 Apr 2026, 18:23 31 Mar 2026, 06:35 31 Mar 2026, 00:39 28 Mar 2026, 06:26 28 Mar 2026, 00:36 27 Mar 2026, 18:23 27 Mar 2026, 00:39 26 Mar 2026, 18:27 25 Mar 2026, 18:24 23 Mar 2026, 18:22 20 Mar 2026, 00:35 18 Mar 2026, 12:23 18 Mar 2026, 00:36 17 Mar 2026, 18:24 17 Mar 2026, 00:33 16 Mar 2026, 18:25 16 Mar 2026, 12:23 14 Mar 2026, 00:32 13 Mar 2026, 18:15 13 Mar 2026, 00:34 11 Mar 2026, 00:31 9 Mar 2026, 00:34 8 Mar 2026, 18:10 8 Mar 2026, 00:35 7 Mar 2026, 18:10 7 Mar 2026, 06:14 7 Mar 2026, 00:33 6 Mar 2026, 00:38 5 Mar 2026, 18:41 5 Mar 2026, 06:22 5 Mar 2026, 00:34 4 Mar 2026, 18:18 4 Mar 2026, 06:20 3 Mar 2026, 18:20 3 Mar 2026, 00:35 27 Feb 2026, 18:15 24 Feb 2026, 06:27 24 Feb 2026, 00:33 23 Feb 2026, 18:27 21 Feb 2026, 00:33 20 Feb 2026, 12:16 19 Feb 2026, 20:53 19 Feb 2026, 20:37
2 May 2026, 00:48
14 May 2026, 21:00 14 May 2026, 07:00 13 May 2026, 00:57 12 May 2026, 01:59 11 May 2026, 18:00 7 May 2026, 20:02 7 May 2026, 17:08 5 May 2026, 23:00 2 May 2026, 06:45 2 May 2026, 00:48 1 May 2026, 18:29 30 Apr 2026, 18:36 29 Apr 2026, 12:40 29 Apr 2026, 00:50 25 Apr 2026, 06:37 25 Apr 2026, 00:42 24 Apr 2026, 18:20 24 Apr 2026, 12:28 23 Apr 2026, 18:31 23 Apr 2026, 12:28 23 Apr 2026, 00:46 22 Apr 2026, 18:29 22 Apr 2026, 00:42 21 Apr 2026, 18:29 21 Apr 2026, 12:30 21 Apr 2026, 06:45 20 Apr 2026, 18:26 20 Apr 2026, 06:53 18 Apr 2026, 18:18 17 Apr 2026, 00:44 16 Apr 2026, 18:31 16 Apr 2026, 00:46 15 Apr 2026, 18:31 15 Apr 2026, 06:44 14 Apr 2026, 18:31 14 Apr 2026, 12:29 13 Apr 2026, 18:37 13 Apr 2026, 00:44 12 Apr 2026, 06:38 10 Apr 2026, 18:23 9 Apr 2026, 00:33 8 Apr 2026, 18:32 8 Apr 2026, 00:40 7 Apr 2026, 00:40 2 Apr 2026, 18:23 31 Mar 2026, 06:35 31 Mar 2026, 00:39 28 Mar 2026, 06:26 28 Mar 2026, 00:36 27 Mar 2026, 18:23 27 Mar 2026, 00:39 26 Mar 2026, 18:27 25 Mar 2026, 18:24 23 Mar 2026, 18:22 20 Mar 2026, 00:35 18 Mar 2026, 12:23 18 Mar 2026, 00:36 17 Mar 2026, 18:24 17 Mar 2026, 00:33 16 Mar 2026, 18:25 16 Mar 2026, 12:23 14 Mar 2026, 00:32 13 Mar 2026, 18:15 13 Mar 2026, 00:34 11 Mar 2026, 00:31 9 Mar 2026, 00:34 8 Mar 2026, 18:10 8 Mar 2026, 00:35 7 Mar 2026, 18:10 7 Mar 2026, 06:14 7 Mar 2026, 00:33 6 Mar 2026, 00:38 5 Mar 2026, 18:41 5 Mar 2026, 06:22 5 Mar 2026, 00:34 4 Mar 2026, 18:18 4 Mar 2026, 06:20 3 Mar 2026, 18:20 3 Mar 2026, 00:35 27 Feb 2026, 18:15 24 Feb 2026, 06:27 24 Feb 2026, 00:33 23 Feb 2026, 18:27 21 Feb 2026, 00:33 20 Feb 2026, 12:16 19 Feb 2026, 20:53 19 Feb 2026, 20:37
Fri 1 18:29 Sat 2 00:48 Sat 2 06:45 Tue 5 23:00 Thu 7 17:08 Thu 7 20:02 Mon 11 18:00 Tue 12 01:59 Wed 13 00:57 Thu 14 07:00 Thu 14 21:00

cli/reference.md +415 −46

Details

1# Command line options1# Command line options

2 2 

3Options and flags for the Codex terminal client

4 

5## How to read this reference3## How to read this reference

6 4 

7This page catalogs every documented Codex CLI command and flag. Use the interactive tables to search by key or description. Each section indicates whether the option is stable or experimental and calls out risky combinations.5This page catalogs every documented Codex CLI command and flag. Use the interactive tables to search by key or description. Each section indicates whether the option is stable or experimental and calls out risky combinations.

22| `--dangerously-bypass-approvals-and-sandbox, --yolo` | `boolean` | Run every command without approvals or sandboxing. Only use inside an externally hardened environment. |20| `--dangerously-bypass-approvals-and-sandbox, --yolo` | `boolean` | Run every command without approvals or sandboxing. Only use inside an externally hardened environment. |

23| `--disable` | `feature` | Force-disable a feature flag (translates to `-c features.<name>=false`). Repeatable. |21| `--disable` | `feature` | Force-disable a feature flag (translates to `-c features.<name>=false`). Repeatable. |

24| `--enable` | `feature` | Force-enable a feature flag (translates to `-c features.<name>=true`). Repeatable. |22| `--enable` | `feature` | Force-enable a feature flag (translates to `-c features.<name>=true`). Repeatable. |

25| `--full-auto` | `boolean` | Shortcut for low-friction local work: sets `--ask-for-approval on-request` and `--sandbox workspace-write`. |

26| `--image, -i` | `path[,path...]` | Attach one or more image files to the initial prompt. Separate multiple paths with commas or repeat the flag. |23| `--image, -i` | `path[,path...]` | Attach one or more image files to the initial prompt. Separate multiple paths with commas or repeat the flag. |

27| `--model, -m` | `string` | Override the model set in configuration (for example `gpt-5-codex`). |24| `--model, -m` | `string` | Override the model set in configuration (for example `gpt-5.4`). |

28| `--no-alt-screen` | `boolean` | Disable alternate screen mode for the TUI (overrides `tui.alternate_screen` for this run). |25| `--no-alt-screen` | `boolean` | Disable alternate screen mode for the TUI (overrides `tui.alternate_screen` for this run). |

29| `--oss` | `boolean` | Use the local open source model provider (equivalent to `-c model_provider="oss"`). Validates that Ollama is running. |26| `--oss` | `boolean` | Use the local open source model provider (equivalent to `-c model_provider="oss"`). Validates that Ollama is running. |

30| `--profile, -p` | `string` | Configuration profile name to load from `~/.codex/config.toml`. |27| `--profile, -p` | `string` | Configuration profile name to load from `~/.codex/config.toml`. |

28| `--remote` | `ws://host:port | wss://host:port` | Connect the interactive TUI to a remote app-server WebSocket endpoint. Supported for `codex`, `codex resume`, and `codex fork`; other subcommands reject remote mode. |

29| `--remote-auth-token-env` | `ENV_VAR` | Read a bearer token from this environment variable and send it when connecting with `--remote`. Requires `--remote`; tokens are only sent over `wss://` URLs or `ws://` URLs whose host is `localhost`, `127.0.0.1`, or `::1`. |

31| `--sandbox, -s` | `read-only | workspace-write | danger-full-access` | Select the sandbox policy for model-generated shell commands. |30| `--sandbox, -s` | `read-only | workspace-write | danger-full-access` | Select the sandbox policy for model-generated shell commands. |

32| `--search` | `boolean` | Enable live web search (sets `web_search = "live"` instead of the default `"cached"`). |31| `--search` | `boolean` | Enable live web search (sets `web_search = "live"` instead of the default `"cached"`). |

33| `PROMPT` | `string` | Optional text instruction to start the session. Omit to launch the TUI without a pre-filled message. |32| `PROMPT` | `string` | Optional text instruction to start the session. Omit to launch the TUI without a pre-filled message. |

118 117 

119Key118Key

120 119 

121`--full-auto`

122 

123Type / Values

124 

125`boolean`

126 

127Details

128 

129Shortcut for low-friction local work: sets `--ask-for-approval on-request` and `--sandbox workspace-write`.

130 

131Key

132 

133`--image, -i`120`--image, -i`

134 121 

135Type / Values122Type / Values

150 137 

151Details138Details

152 139 

153Override the model set in configuration (for example `gpt-5-codex`).140Override the model set in configuration (for example `gpt-5.4`).

154 141 

155Key142Key

156 143 

190 177 

191Key178Key

192 179 

180`--remote`

181 

182Type / Values

183 

184`ws://host:port | wss://host:port`

185 

186Details

187 

188Connect the interactive TUI to a remote app-server WebSocket endpoint. Supported for `codex`, `codex resume`, and `codex fork`; other subcommands reject remote mode.

189 

190Key

191 

192`--remote-auth-token-env`

193 

194Type / Values

195 

196`ENV_VAR`

197 

198Details

199 

200Read a bearer token from this environment variable and send it when connecting with `--remote`. Requires `--remote`; tokens are only sent over `wss://` URLs or `ws://` URLs whose host is `localhost`, `127.0.0.1`, or `::1`.

201 

202Key

203 

193`--sandbox, -s`204`--sandbox, -s`

194 205 

195Type / Values206Type / Values

238| Key | Maturity | Details |249| Key | Maturity | Details |

239| --- | --- | --- |250| --- | --- | --- |

240| [`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive) | Stable | Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments. |251| [`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive) | Stable | Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments. |

241| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS, optionally opening a specific workspace path. |252| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open. |

242| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging. |253| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging. |

243| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |254| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |

244| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |255| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |

245| [`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion) | Stable | Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell. |256| [`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion) | Stable | Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell. |

246| [`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2) | Experimental | Debug app-server by sending a single V2 message through the built-in test client. |257| [`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2) | Experimental | Debug app-server by sending a single V2 message through the built-in test client. |

258| [`codex debug models`](https://developers.openai.com/codex/cli/reference#codex-debug-models) | Experimental | Print the raw model catalog Codex sees, including an option to inspect only the bundled catalog. |

247| [`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec) | Stable | Run Codex non-interactively. Alias: `codex e`. Stream results to stdout or JSONL and optionally resume previous sessions. |259| [`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec) | Stable | Run Codex non-interactively. Alias: `codex e`. Stream results to stdout or JSONL and optionally resume previous sessions. |

248| [`codex execpolicy`](https://developers.openai.com/codex/cli/reference#codex-execpolicy) | Experimental | Evaluate execpolicy rule files and see whether a command would be allowed, prompted, or blocked. |260| [`codex execpolicy`](https://developers.openai.com/codex/cli/reference#codex-execpolicy) | Experimental | Evaluate execpolicy rule files and see whether a command would be allowed, prompted, or blocked. |

249| [`codex features`](https://developers.openai.com/codex/cli/reference#codex-features) | Stable | List feature flags and persistently enable or disable them in `config.toml`. |261| [`codex features`](https://developers.openai.com/codex/cli/reference#codex-features) | Stable | List feature flags and persistently enable or disable them in `config.toml`. |

252| [`codex logout`](https://developers.openai.com/codex/cli/reference#codex-logout) | Stable | Remove stored authentication credentials. |264| [`codex logout`](https://developers.openai.com/codex/cli/reference#codex-logout) | Stable | Remove stored authentication credentials. |

253| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |265| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |

254| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |266| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |

267| [`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace) | Experimental | Add, upgrade, or remove plugin marketplaces from Git or local sources. |

255| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |268| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |

256| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS seatbelt or Linux sandboxes (Landlock by default, optional bubblewrap pipeline). |269| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS, Linux, or Windows sandboxes. |

270| [`codex update`](https://developers.openai.com/codex/cli/reference#codex-update) | Stable | Check for and apply a Codex CLI update when the installed release supports self-update. |

257 271 

258Key272Key

259 273 

277 291 

278Details292Details

279 293 

280Launch the Codex desktop app on macOS, optionally opening a specific workspace path.294Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open.

281 295 

282Key296Key

283 297 

341 355 

342Key356Key

343 357 

358[`codex debug models`](https://developers.openai.com/codex/cli/reference#codex-debug-models)

359 

360Maturity

361 

362Experimental

363 

364Details

365 

366Print the raw model catalog Codex sees, including an option to inspect only the bundled catalog.

367 

368Key

369 

344[`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec)370[`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec)

345 371 

346Maturity372Maturity

437 463 

438Key464Key

439 465 

466[`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace)

467 

468Maturity

469 

470Experimental

471 

472Details

473 

474Add, upgrade, or remove plugin marketplaces from Git or local sources.

475 

476Key

477 

440[`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume)478[`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume)

441 479 

442Maturity480Maturity

457 495 

458Details496Details

459 497 

460Run arbitrary commands inside Codex-provided macOS seatbelt or Linux sandboxes (Landlock by default, optional bubblewrap pipeline).498Run arbitrary commands inside Codex-provided macOS, Linux, or Windows sandboxes.

499 

500Key

501 

502[`codex update`](https://developers.openai.com/codex/cli/reference#codex-update)

503 

504Maturity

505 

506Stable

507 

508Details

509 

510Check for and apply a Codex CLI update when the installed release supports self-update.

461 511 

462Expand to view all512Expand to view all

463 513 

465 515 

466### `codex` (interactive)516### `codex` (interactive)

467 517 

468Running `codex` with no subcommand launches the interactive terminal UI (TUI). The agent accepts the global flags above plus image attachments. Web search defaults to cached mode; use `--search` to switch to live browsing and `--full-auto` to let Codex run most commands without prompts.518Running `codex` with no subcommand launches the interactive terminal UI (TUI). The agent accepts the global flags above plus image attachments. Web search defaults to cached mode; use `--search` to switch to live browsing. For low-friction local work, use `--sandbox workspace-write --ask-for-approval on-request`.

519 

520Use `--remote ws://host:port` or `--remote wss://host:port` to connect the TUI to an app server started with `codex app-server --listen ws://IP:PORT`. Add `--remote-auth-token-env <ENV_VAR>` when the server requires a bearer token for WebSocket authentication. See [Codex CLI features](https://developers.openai.com/codex/cli/features#connect-the-tui-to-a-remote-app-server) for setup examples and authentication guidance.

469 521 

470### `codex app-server`522### `codex app-server`

471 523 

473 525 

474| Key | Type / Values | Details |526| Key | Type / Values | Details |

475| --- | --- | --- |527| --- | --- | --- |

476| `--listen` | `stdio:// | ws://IP:PORT` | Transport listener URL. `ws://` is experimental and intended for development/testing. |528| `--listen` | `stdio:// | ws://IP:PORT` | Transport listener URL. Use `ws://IP:PORT` to expose a WebSocket endpoint for remote clients. |

529| `--ws-audience` | `string` | Expected `aud` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`. |

530| `--ws-auth` | `capability-token | signed-bearer-token` | Authentication mode for app-server WebSocket clients. If omitted, WebSocket auth is disabled; non-local listeners warn during startup. |

531| `--ws-issuer` | `string` | Expected `iss` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`. |

532| `--ws-max-clock-skew-seconds` | `number` | Clock skew allowance when validating signed bearer token `exp` and `nbf` claims. Requires `--ws-auth signed-bearer-token`. |

533| `--ws-shared-secret-file` | `absolute path` | File containing the HMAC shared secret used to validate signed JWT bearer tokens. Required with `--ws-auth signed-bearer-token`. |

534| `--ws-token-file` | `absolute path` | File containing the shared capability token. Required with `--ws-auth capability-token`. |

477 535 

478Key536Key

479 537 

485 543 

486Details544Details

487 545 

488Transport listener URL. `ws://` is experimental and intended for development/testing.546Transport listener URL. Use `ws://IP:PORT` to expose a WebSocket endpoint for remote clients.

547 

548Key

549 

550`--ws-audience`

551 

552Type / Values

553 

554`string`

555 

556Details

557 

558Expected `aud` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.

559 

560Key

561 

562`--ws-auth`

563 

564Type / Values

565 

566`capability-token | signed-bearer-token`

567 

568Details

569 

570Authentication mode for app-server WebSocket clients. If omitted, WebSocket auth is disabled; non-local listeners warn during startup.

571 

572Key

573 

574`--ws-issuer`

575 

576Type / Values

577 

578`string`

579 

580Details

581 

582Expected `iss` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.

583 

584Key

585 

586`--ws-max-clock-skew-seconds`

587 

588Type / Values

589 

590`number`

591 

592Details

593 

594Clock skew allowance when validating signed bearer token `exp` and `nbf` claims. Requires `--ws-auth signed-bearer-token`.

595 

596Key

597 

598`--ws-shared-secret-file`

599 

600Type / Values

601 

602`absolute path`

603 

604Details

605 

606File containing the HMAC shared secret used to validate signed JWT bearer tokens. Required with `--ws-auth signed-bearer-token`.

607 

608Key

609 

610`--ws-token-file`

611 

612Type / Values

613 

614`absolute path`

615 

616Details

617 

618File containing the shared capability token. Required with `--ws-auth capability-token`.

489 619 

490`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior. `--listen ws://IP:PORT` enables WebSocket transport (experimental). If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.620`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior. `--listen ws://IP:PORT` enables WebSocket transport for app-server clients. The server accepts `ws://` listen URLs; use TLS termination or a secure proxy when clients connect with `wss://`. If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.

491 621 

492### `codex app`622### `codex app`

493 623 

494Launch Codex Desktop from the terminal on macOS and optionally open a specific workspace path.624Launch Codex Desktop from the terminal on macOS or Windows. On macOS, Codex can open a specific workspace path; on Windows, Codex prints the path to open.

495 625 

496| Key | Type / Values | Details |626| Key | Type / Values | Details |

497| --- | --- | --- |627| --- | --- | --- |

498| `--download-url` | `url` | Advanced override for the Codex desktop DMG download URL used during install. |628| `--download-url` | `url` | Advanced override for the Codex desktop installer URL used during install. |

499| `PATH` | `path` | Workspace path to open in Codex Desktop (`codex app` is available on macOS only). |629| `PATH` | `path` | Workspace path for Codex Desktop. On macOS, Codex opens this path; on Windows, Codex prints the path. |

500 630 

501Key631Key

502 632 

508 638 

509Details639Details

510 640 

511Advanced override for the Codex desktop DMG download URL used during install.641Advanced override for the Codex desktop installer URL used during install.

512 642 

513Key643Key

514 644 

520 650 

521Details651Details

522 652 

523Workspace path to open in Codex Desktop (`codex app` is available on macOS only).653Workspace path for Codex Desktop. On macOS, Codex opens this path; on Windows, Codex prints the path.

524 654 

525`codex app` installs/opens the desktop app on macOS, then opens the provided workspace path. This subcommand is macOS-only.655`codex app` opens an installed Codex Desktop app, or starts the installer when

656the app is missing. On macOS, Codex opens the provided workspace path; on

657Windows, it prints the path to open after installation.

526 658 

527### `codex debug app-server send-message-v2`659### `codex debug app-server send-message-v2`

528 660 

546 678 

547This debug flow initializes with `experimentalApi: true`, starts a thread, sends a turn, and streams server notifications. Use it to reproduce and inspect app-server protocol behavior locally.679This debug flow initializes with `experimentalApi: true`, starts a thread, sends a turn, and streams server notifications. Use it to reproduce and inspect app-server protocol behavior locally.

548 680 

681### `codex debug models`

682 

683Print the raw model catalog Codex sees as JSON.

684 

685| Key | Type / Values | Details |

686| --- | --- | --- |

687| `--bundled` | `boolean` | Skip refresh and print only the model catalog bundled with the current Codex binary. |

688 

689Key

690 

691`--bundled`

692 

693Type / Values

694 

695`boolean`

696 

697Details

698 

699Skip refresh and print only the model catalog bundled with the current Codex binary.

700 

701Use `--bundled` when you want to inspect only the catalog bundled with the current binary, without refreshing from the remote models endpoint.

702 

549### `codex apply`703### `codex apply`

550 704 

551Apply the most recent diff from a Codex cloud task to your local repository. You must authenticate and have access to the task.705Apply the most recent diff from a Codex cloud task to your local repository. You must authenticate and have access to the task.

753| `--color` | `always | never | auto` | Control ANSI color in stdout. |907| `--color` | `always | never | auto` | Control ANSI color in stdout. |

754| `--dangerously-bypass-approvals-and-sandbox, --yolo` | `boolean` | Bypass approval prompts and sandboxing. Dangerous—only use inside an isolated runner. |908| `--dangerously-bypass-approvals-and-sandbox, --yolo` | `boolean` | Bypass approval prompts and sandboxing. Dangerous—only use inside an isolated runner. |

755| `--ephemeral` | `boolean` | Run without persisting session rollout files to disk. |909| `--ephemeral` | `boolean` | Run without persisting session rollout files to disk. |

756| `--full-auto` | `boolean` | Apply the low-friction automation preset (`workspace-write` sandbox and `on-request` approvals). |910| `--full-auto` | `boolean` | Deprecated compatibility flag. Prefer `--sandbox workspace-write`; Codex prints a warning when this flag is used. |

911| `--ignore-rules` | `boolean` | Do not load user or project execpolicy `.rules` files for this run. |

912| `--ignore-user-config` | `boolean` | Do not load `$CODEX_HOME/config.toml`. Authentication still uses `CODEX_HOME`. |

757| `--image, -i` | `path[,path...]` | Attach images to the first message. Repeatable; supports comma-separated lists. |913| `--image, -i` | `path[,path...]` | Attach images to the first message. Repeatable; supports comma-separated lists. |

758| `--json, --experimental-json` | `boolean` | Print newline-delimited JSON events instead of formatted text. |914| `--json, --experimental-json` | `boolean` | Print newline-delimited JSON events instead of formatted text. |

759| `--model, -m` | `string` | Override the configured model for this run. |915| `--model, -m` | `string` | Override the configured model for this run. |

825 981 

826Details982Details

827 983 

828Apply the low-friction automation preset (`workspace-write` sandbox and `on-request` approvals).984Deprecated compatibility flag. Prefer `--sandbox workspace-write`; Codex prints a warning when this flag is used.

985 

986Key

987 

988`--ignore-rules`

989 

990Type / Values

991 

992`boolean`

993 

994Details

995 

996Do not load user or project execpolicy `.rules` files for this run.

997 

998Key

999 

1000`--ignore-user-config`

1001 

1002Type / Values

1003 

1004`boolean`

1005 

1006Details

1007 

1008Do not load `$CODEX_HOME/config.toml`. Authentication still uses `CODEX_HOME`.

829 1009 

830Key1010Key

831 1011 

1277 1457 

1278OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).1458OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).

1279 1459 

1460### `codex plugin marketplace`

1461 

1462Manage plugin marketplace sources that Codex can browse and install from.

1463 

1464| Key | Type / Values | Details |

1465| --- | --- | --- |

1466| `add <source>` | `[--ref REF] [--sparse PATH]` | Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated. |

1467| `remove <marketplace-name>` | | Remove a configured plugin marketplace. |

1468| `upgrade [marketplace-name]` | | Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided. |

1469 

1470Key

1471 

1472`add <source>`

1473 

1474Type / Values

1475 

1476`[--ref REF] [--sparse PATH]`

1477 

1478Details

1479 

1480Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated.

1481 

1482Key

1483 

1484`remove <marketplace-name>`

1485 

1486Details

1487 

1488Remove a configured plugin marketplace.

1489 

1490Key

1491 

1492`upgrade [marketplace-name]`

1493 

1494Details

1495 

1496Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided.

1497 

1498`codex plugin marketplace add` accepts GitHub shorthand such as `owner/repo` or

1499`owner/repo@ref`, HTTP or HTTPS Git URLs, SSH Git URLs, and local marketplace

1500root directories. Use `--ref` to pin a Git ref, and repeat `--sparse PATH` to

1501use a sparse checkout for Git-backed marketplace repositories.

1502 

1280### `codex mcp-server`1503### `codex mcp-server`

1281 1504 

1282Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.1505Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.

1381 1604 

1382| Key | Type / Values | Details |1605| Key | Type / Values | Details |

1383| --- | --- | --- |1606| --- | --- | --- |

1607| `--allow-unix-socket` | `path` | Allow the sandboxed command to bind or connect Unix sockets rooted at this path. Repeat to allow multiple paths. |

1608| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

1384| `--config, -c` | `key=value` | Pass configuration overrides into the sandboxed run (repeatable). |1609| `--config, -c` | `key=value` | Pass configuration overrides into the sandboxed run (repeatable). |

1385| `--full-auto` | `boolean` | Grant write access to the current workspace and `/tmp` without approvals. |1610| `--include-managed-config` | `boolean` | Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`. |

1611| `--log-denials` | `boolean` | Capture macOS sandbox denials with `log stream` while the command runs and print them after exit. |

1612| `--permissions-profile` | `NAME` | Apply a named permissions profile from the active configuration stack. |

1386| `COMMAND...` | `var-args` | Shell command to execute under macOS Seatbelt. Everything after `--` is forwarded. |1613| `COMMAND...` | `var-args` | Shell command to execute under macOS Seatbelt. Everything after `--` is forwarded. |

1387 1614 

1388Key1615Key

1389 1616 

1617`--allow-unix-socket`

1618 

1619Type / Values

1620 

1621`path`

1622 

1623Details

1624 

1625Allow the sandboxed command to bind or connect Unix sockets rooted at this path. Repeat to allow multiple paths.

1626 

1627Key

1628 

1629`--cd, -C`

1630 

1631Type / Values

1632 

1633`DIR`

1634 

1635Details

1636 

1637Working directory used for profile resolution and command execution. Requires `--permissions-profile`.

1638 

1639Key

1640 

1390`--config, -c`1641`--config, -c`

1391 1642 

1392Type / Values1643Type / Values

1399 1650 

1400Key1651Key

1401 1652 

1402`--full-auto`1653`--include-managed-config`

1654 

1655Type / Values

1656 

1657`boolean`

1658 

1659Details

1660 

1661Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.

1662 

1663Key

1664 

1665`--log-denials`

1403 1666 

1404Type / Values1667Type / Values

1405 1668 

1407 1670 

1408Details1671Details

1409 1672 

1410Grant write access to the current workspace and `/tmp` without approvals.1673Capture macOS sandbox denials with `log stream` while the command runs and print them after exit.

1674 

1675Key

1676 

1677`--permissions-profile`

1678 

1679Type / Values

1680 

1681`NAME`

1682 

1683Details

1684 

1685Apply a named permissions profile from the active configuration stack.

1411 1686 

1412Key1687Key

1413 1688 

1425 1700 

1426| Key | Type / Values | Details |1701| Key | Type / Values | Details |

1427| --- | --- | --- |1702| --- | --- | --- |

1703| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

1428| `--config, -c` | `key=value` | Configuration overrides applied before launching the sandbox (repeatable). |1704| `--config, -c` | `key=value` | Configuration overrides applied before launching the sandbox (repeatable). |

1429| `--full-auto` | `boolean` | Grant write access to the current workspace and `/tmp` inside the Landlock sandbox. |1705| `--include-managed-config` | `boolean` | Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`. |

1706| `--permissions-profile` | `NAME` | Apply a named permissions profile from the active configuration stack. |

1430| `COMMAND...` | `var-args` | Command to execute under Landlock + seccomp. Provide the executable after `--`. |1707| `COMMAND...` | `var-args` | Command to execute under Landlock + seccomp. Provide the executable after `--`. |

1431 1708 

1432Key1709Key

1433 1710 

1711`--cd, -C`

1712 

1713Type / Values

1714 

1715`DIR`

1716 

1717Details

1718 

1719Working directory used for profile resolution and command execution. Requires `--permissions-profile`.

1720 

1721Key

1722 

1434`--config, -c`1723`--config, -c`

1435 1724 

1436Type / Values1725Type / Values

1443 1732 

1444Key1733Key

1445 1734 

1446`--full-auto`1735`--include-managed-config`

1447 1736 

1448Type / Values1737Type / Values

1449 1738 

1451 1740 

1452Details1741Details

1453 1742 

1454Grant write access to the current workspace and `/tmp` inside the Landlock sandbox.1743Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.

1744 

1745Key

1746 

1747`--permissions-profile`

1748 

1749Type / Values

1750 

1751`NAME`

1752 

1753Details

1754 

1755Apply a named permissions profile from the active configuration stack.

1455 1756 

1456Key1757Key

1457 1758 

1465 1766 

1466Command to execute under Landlock + seccomp. Provide the executable after `--`.1767Command to execute under Landlock + seccomp. Provide the executable after `--`.

1467 1768 

1769#### Windows

1770 

1771| Key | Type / Values | Details |

1772| --- | --- | --- |

1773| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

1774| `--config, -c` | `key=value` | Configuration overrides applied before launching the sandbox (repeatable). |

1775| `--include-managed-config` | `boolean` | Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`. |

1776| `--permissions-profile` | `NAME` | Apply a named permissions profile from the active configuration stack. |

1777| `COMMAND...` | `var-args` | Command to execute under the native Windows sandbox. Provide the executable after `--`. |

1778 

1779Key

1780 

1781`--cd, -C`

1782 

1783Type / Values

1784 

1785`DIR`

1786 

1787Details

1788 

1789Working directory used for profile resolution and command execution. Requires `--permissions-profile`.

1790 

1791Key

1792 

1793`--config, -c`

1794 

1795Type / Values

1796 

1797`key=value`

1798 

1799Details

1800 

1801Configuration overrides applied before launching the sandbox (repeatable).

1802 

1803Key

1804 

1805`--include-managed-config`

1806 

1807Type / Values

1808 

1809`boolean`

1810 

1811Details

1812 

1813Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.

1814 

1815Key

1816 

1817`--permissions-profile`

1818 

1819Type / Values

1820 

1821`NAME`

1822 

1823Details

1824 

1825Apply a named permissions profile from the active configuration stack.

1826 

1827Key

1828 

1829`COMMAND...`

1830 

1831Type / Values

1832 

1833`var-args`

1834 

1835Details

1836 

1837Command to execute under the native Windows sandbox. Provide the executable after `--`.

1838 

1839### `codex update`

1840 

1841Check for and apply a Codex CLI update when the installed release supports self-update. Debug builds print a message telling you to install a release build instead.

1842 

1468## Flag combinations and safety tips1843## Flag combinations and safety tips

1469 1844 

1470- Set `--full-auto` for unattended local work, but avoid combining it with `--dangerously-bypass-approvals-and-sandbox` unless you are inside a dedicated sandbox VM.1845- Use `--sandbox workspace-write` for unattended local work that can stay inside the workspace, and avoid `--dangerously-bypass-approvals-and-sandbox` unless you are inside a dedicated sandbox VM.

1471- When you need to grant Codex write access to more directories, prefer `--add-dir` rather than forcing `--sandbox danger-full-access`.1846- When you need to grant Codex write access to more directories, prefer `--add-dir` rather than forcing `--sandbox danger-full-access`.

1472- Pair `--json` with `--output-last-message` in CI to capture machine-readable progress and a final natural-language summary.1847- Pair `--json` with `--output-last-message` in CI to capture machine-readable progress and a final natural-language summary.

1473 1848 

1477- [Config basics](https://developers.openai.com/codex/config-basic): persist defaults like the model and provider.1852- [Config basics](https://developers.openai.com/codex/config-basic): persist defaults like the model and provider.

1478- [Advanced Config](https://developers.openai.com/codex/config-advanced): profiles, providers, sandbox tuning, and integrations.1853- [Advanced Config](https://developers.openai.com/codex/config-advanced): profiles, providers, sandbox tuning, and integrations.

1479- [AGENTS.md](https://developers.openai.com/codex/guides/agents-md): conceptual overview of Codex agent capabilities and best practices.1854- [AGENTS.md](https://developers.openai.com/codex/guides/agents-md): conceptual overview of Codex agent capabilities and best practices.

1480 

1481[Previous

1482 

1483Features](https://developers.openai.com/codex/cli/features)[Next

1484 

1485Slash commands](https://developers.openai.com/codex/cli/slash-commands)