SpyBara
Go Premium Account

cli/reference.md Codex Docs, 2026-04-20 18:26 UTC → 2026-05-18 22:01 UTC

Inspect the documentation page or source diff for this selected snapshot comparison.

2026
20 Apr 2026, 18:26
19 May 2026, 11:58 18 May 2026, 22:01 14 May 2026, 21:00 14 May 2026, 07:00 13 May 2026, 00:57 12 May 2026, 01:59 11 May 2026, 18:00 7 May 2026, 20:02 7 May 2026, 17:08 5 May 2026, 23:00 2 May 2026, 06:45 2 May 2026, 00:48 1 May 2026, 18:29 30 Apr 2026, 18:36 29 Apr 2026, 12:40 29 Apr 2026, 00:50 25 Apr 2026, 06:37 25 Apr 2026, 00:42 24 Apr 2026, 18:20 24 Apr 2026, 12:28 23 Apr 2026, 18:31 23 Apr 2026, 12:28 23 Apr 2026, 00:46 22 Apr 2026, 18:29 22 Apr 2026, 00:42 21 Apr 2026, 18:29 21 Apr 2026, 12:30 21 Apr 2026, 06:45 20 Apr 2026, 18:26 20 Apr 2026, 06:53 18 Apr 2026, 18:18 17 Apr 2026, 00:44 16 Apr 2026, 18:31 16 Apr 2026, 00:46 15 Apr 2026, 18:31 15 Apr 2026, 06:44 14 Apr 2026, 18:31 14 Apr 2026, 12:29 13 Apr 2026, 18:37 13 Apr 2026, 00:44 12 Apr 2026, 06:38 10 Apr 2026, 18:23 9 Apr 2026, 00:33 8 Apr 2026, 18:32 8 Apr 2026, 00:40 7 Apr 2026, 00:40 2 Apr 2026, 18:23 31 Mar 2026, 06:35 31 Mar 2026, 00:39 28 Mar 2026, 06:26 28 Mar 2026, 00:36 27 Mar 2026, 18:23 27 Mar 2026, 00:39 26 Mar 2026, 18:27 25 Mar 2026, 18:24 23 Mar 2026, 18:22 20 Mar 2026, 00:35 18 Mar 2026, 12:23 18 Mar 2026, 00:36 17 Mar 2026, 18:24 17 Mar 2026, 00:33 16 Mar 2026, 18:25 16 Mar 2026, 12:23 14 Mar 2026, 00:32 13 Mar 2026, 18:15 13 Mar 2026, 00:34 11 Mar 2026, 00:31 9 Mar 2026, 00:34 8 Mar 2026, 18:10 8 Mar 2026, 00:35 7 Mar 2026, 18:10 7 Mar 2026, 06:14 7 Mar 2026, 00:33 6 Mar 2026, 00:38 5 Mar 2026, 18:41 5 Mar 2026, 06:22 5 Mar 2026, 00:34 4 Mar 2026, 18:18 4 Mar 2026, 06:20 3 Mar 2026, 18:20 3 Mar 2026, 00:35 27 Feb 2026, 18:15 24 Feb 2026, 06:27 24 Feb 2026, 00:33 23 Feb 2026, 18:27 21 Feb 2026, 00:33 20 Feb 2026, 12:16 19 Feb 2026, 20:53 19 Feb 2026, 20:37
18 May 2026, 22:01
19 May 2026, 11:58 18 May 2026, 22:01 14 May 2026, 21:00 14 May 2026, 07:00 13 May 2026, 00:57 12 May 2026, 01:59 11 May 2026, 18:00 7 May 2026, 20:02 7 May 2026, 17:08 5 May 2026, 23:00 2 May 2026, 06:45 2 May 2026, 00:48 1 May 2026, 18:29 30 Apr 2026, 18:36 29 Apr 2026, 12:40 29 Apr 2026, 00:50 25 Apr 2026, 06:37 25 Apr 2026, 00:42 24 Apr 2026, 18:20 24 Apr 2026, 12:28 23 Apr 2026, 18:31 23 Apr 2026, 12:28 23 Apr 2026, 00:46 22 Apr 2026, 18:29 22 Apr 2026, 00:42 21 Apr 2026, 18:29 21 Apr 2026, 12:30 21 Apr 2026, 06:45 20 Apr 2026, 18:26 20 Apr 2026, 06:53 18 Apr 2026, 18:18 17 Apr 2026, 00:44 16 Apr 2026, 18:31 16 Apr 2026, 00:46 15 Apr 2026, 18:31 15 Apr 2026, 06:44 14 Apr 2026, 18:31 14 Apr 2026, 12:29 13 Apr 2026, 18:37 13 Apr 2026, 00:44 12 Apr 2026, 06:38 10 Apr 2026, 18:23 9 Apr 2026, 00:33 8 Apr 2026, 18:32 8 Apr 2026, 00:40 7 Apr 2026, 00:40 2 Apr 2026, 18:23 31 Mar 2026, 06:35 31 Mar 2026, 00:39 28 Mar 2026, 06:26 28 Mar 2026, 00:36 27 Mar 2026, 18:23 27 Mar 2026, 00:39 26 Mar 2026, 18:27 25 Mar 2026, 18:24 23 Mar 2026, 18:22 20 Mar 2026, 00:35 18 Mar 2026, 12:23 18 Mar 2026, 00:36 17 Mar 2026, 18:24 17 Mar 2026, 00:33 16 Mar 2026, 18:25 16 Mar 2026, 12:23 14 Mar 2026, 00:32 13 Mar 2026, 18:15 13 Mar 2026, 00:34 11 Mar 2026, 00:31 9 Mar 2026, 00:34 8 Mar 2026, 18:10 8 Mar 2026, 00:35 7 Mar 2026, 18:10 7 Mar 2026, 06:14 7 Mar 2026, 00:33 6 Mar 2026, 00:38 5 Mar 2026, 18:41 5 Mar 2026, 06:22 5 Mar 2026, 00:34 4 Mar 2026, 18:18 4 Mar 2026, 06:20 3 Mar 2026, 18:20 3 Mar 2026, 00:35 27 Feb 2026, 18:15 24 Feb 2026, 06:27 24 Feb 2026, 00:33 23 Feb 2026, 18:27 21 Feb 2026, 00:33 20 Feb 2026, 12:16 19 Feb 2026, 20:53 19 Feb 2026, 20:37
Fri 1 18:29 Sat 2 00:48 Sat 2 06:45 Tue 5 23:00 Thu 7 17:08 Thu 7 20:02 Mon 11 18:00 Tue 12 01:59 Wed 13 00:57 Thu 14 07:00 Thu 14 21:00 Mon 18 22:01 Tue 19 11:58

After 2026-05-02 06:45 UTC, this monitor no longer uses markdownified HTML/MDX. Comparisons across that boundary can therefore show more extensive diffs.

cli/reference.md +968 −1458

Details

1# Command line options1# Command line options

2 2 

3## How to read this reference3export const globalFlagOptions = [

4 4 {

5This page catalogs every documented Codex CLI command and flag. Use the interactive tables to search by key or description. Each section indicates whether the option is stable or experimental and calls out risky combinations.5 key: "PROMPT",

6 6 type: "string",

7The CLI inherits most defaults from <code>~/.codex/config.toml</code>. Any7 description:

8 <code>-c key=value</code> overrides you pass at the command line take8 "Optional text instruction to start the session. Omit to launch the TUI without a pre-filled message.",

9 precedence for that invocation. See [Config9 },

10 basics](https://developers.openai.com/codex/config-basic#configuration-precedence) for more information.10 {

11 11 key: "--image, -i",

12## Global flags12 type: "path[,path...]",

13 13 description:

14| Key | Type / Values | Details |14 "Attach one or more image files to the initial prompt. Separate multiple paths with commas or repeat the flag.",

15| --- | --- | --- |15 },

16| `--add-dir` | `path` | Grant additional directories write access alongside the main workspace. Repeat for multiple paths. |16 {

17| `--ask-for-approval, -a` | `untrusted | on-request | never` | Control when Codex pauses for human approval before running a command. `on-failure` is deprecated; prefer `on-request` for interactive runs or `never` for non-interactive runs. |17 key: "--model, -m",

18| `--cd, -C` | `path` | Set the working directory for the agent before it starts processing your request. |18 type: "string",

19| `--config, -c` | `key=value` | Override configuration values. Values parse as JSON if possible; otherwise the literal string is used. |19 description:

20| `--dangerously-bypass-approvals-and-sandbox, --yolo` | `boolean` | Run every command without approvals or sandboxing. Only use inside an externally hardened environment. |20 "Override the model set in configuration (for example `gpt-5.4`).",

21| `--disable` | `feature` | Force-disable a feature flag (translates to `-c features.<name>=false`). Repeatable. |21 },

22| `--enable` | `feature` | Force-enable a feature flag (translates to `-c features.<name>=true`). Repeatable. |22 {

23| `--full-auto` | `boolean` | Shortcut for low-friction local work: sets `--ask-for-approval on-request` and `--sandbox workspace-write`. |23 key: "--oss",

24| `--image, -i` | `path[,path...]` | Attach one or more image files to the initial prompt. Separate multiple paths with commas or repeat the flag. |24 type: "boolean",

25| `--model, -m` | `string` | Override the model set in configuration (for example `gpt-5.4`). |25 defaultValue: "false",

26| `--no-alt-screen` | `boolean` | Disable alternate screen mode for the TUI (overrides `tui.alternate_screen` for this run). |26 description:

27| `--oss` | `boolean` | Use the local open source model provider (equivalent to `-c model_provider="oss"`). Validates that Ollama is running. |27 'Use the local open source model provider (equivalent to `-c model_provider="oss"`). Validates that Ollama is running.',

28| `--profile, -p` | `string` | Configuration profile name to load from `~/.codex/config.toml`. |28 },

29| `--remote` | `ws://host:port | wss://host:port` | Connect the interactive TUI to a remote app-server WebSocket endpoint. Supported for `codex`, `codex resume`, and `codex fork`; other subcommands reject remote mode. |29 {

30| `--remote-auth-token-env` | `ENV_VAR` | Read a bearer token from this environment variable and send it when connecting with `--remote`. Requires `--remote`; tokens are only sent over `wss://` URLs or `ws://` URLs whose host is `localhost`, `127.0.0.1`, or `::1`. |30 key: "--profile, -p",

31| `--sandbox, -s` | `read-only | workspace-write | danger-full-access` | Select the sandbox policy for model-generated shell commands. |31 type: "string",

32| `--search` | `boolean` | Enable live web search (sets `web_search = "live"` instead of the default `"cached"`). |32 description:

33| `PROMPT` | `string` | Optional text instruction to start the session. Omit to launch the TUI without a pre-filled message. |33 "Configuration profile name to load from `~/.codex/config.toml`.",

34 34 },

35Key35 {

36 36 key: "--sandbox, -s",

37`--add-dir`37 type: "read-only | workspace-write | danger-full-access",

38 38 description:

39Type / Values39 "Select the sandbox policy for model-generated shell commands.",

40 40 },

41`path`41 {

42 42 key: "--ask-for-approval, -a",

43Details43 type: "untrusted | on-request | never",

44 44 description:

45Grant additional directories write access alongside the main workspace. Repeat for multiple paths.45 "Control when Codex pauses for human approval before running a command. `on-failure` is deprecated; prefer `on-request` for interactive runs or `never` for non-interactive runs.",

46 46 },

47Key47 {

48 48 key: "--dangerously-bypass-approvals-and-sandbox, --yolo",

49`--ask-for-approval, -a`49 type: "boolean",

50 50 defaultValue: "false",

51Type / Values51 description:

52 52 "Run every command without approvals or sandboxing. Only use inside an externally hardened environment.",

53`untrusted | on-request | never`53 },

54 54 {

55Details55 key: "--cd, -C",

56 56 type: "path",

57Control when Codex pauses for human approval before running a command. `on-failure` is deprecated; prefer `on-request` for interactive runs or `never` for non-interactive runs.57 description:

58 58 "Set the working directory for the agent before it starts processing your request.",

59Key59 },

60 60 {

61`--cd, -C`61 key: "--search",

62 62 type: "boolean",

63Type / Values63 defaultValue: "false",

64 64 description:

65`path`65 'Enable live web search (sets `web_search = "live"` instead of the default `"cached"`).',

66 66 },

67Details67 {

68 68 key: "--add-dir",

69Set the working directory for the agent before it starts processing your request.69 type: "path",

70 70 description:

71Key71 "Grant additional directories write access alongside the main workspace. Repeat for multiple paths.",

72 72 },

73`--config, -c`73 {

74 74 key: "--no-alt-screen",

75Type / Values75 type: "boolean",

76 76 defaultValue: "false",

77`key=value`77 description:

78 78 "Disable alternate screen mode for the TUI (overrides `tui.alternate_screen` for this run).",

79Details79 },

80 80 {

81Override configuration values. Values parse as JSON if possible; otherwise the literal string is used.81 key: "--remote",

82 82 type: "ws://host:port | wss://host:port",

83Key83 description:

84 84 "Connect the interactive TUI to a remote app-server WebSocket endpoint. Supported for `codex`, `codex resume`, and `codex fork`; other subcommands reject remote mode.",

85`--dangerously-bypass-approvals-and-sandbox, --yolo`85 },

86 86 {

87Type / Values87 key: "--remote-auth-token-env",

88 88 type: "ENV_VAR",

89`boolean`89 description:

90 90 "Read a bearer token from this environment variable and send it when connecting with `--remote`. Requires `--remote`; tokens are only sent over `wss://` URLs or `ws://` URLs whose host is `localhost`, `127.0.0.1`, or `::1`.",

91Details91 },

92 92 {

93Run every command without approvals or sandboxing. Only use inside an externally hardened environment.93 key: "--enable",

94 94 type: "feature",

95Key95 description:

96 96 "Force-enable a feature flag (translates to `-c features.<name>=true`). Repeatable.",

97`--disable`97 },

98 98 {

99Type / Values99 key: "--disable",

100 100 type: "feature",

101`feature`101 description:

102 102 "Force-disable a feature flag (translates to `-c features.<name>=false`). Repeatable.",

103Details103 },

104 104 {

105Force-disable a feature flag (translates to `-c features.<name>=false`). Repeatable.105 key: "--config, -c",

106 106 type: "key=value",

107Key107 description:

108 108 "Override configuration values. Values parse as JSON if possible; otherwise the literal string is used.",

109`--enable`109 },

110 110];

111Type / Values111 

112 112export const commandOverview = [

113`feature`113 {

114 114 key: "codex",

115Details115 href: "/codex/cli/reference#codex-interactive",

116 116 type: "stable",

117Force-enable a feature flag (translates to `-c features.<name>=true`). Repeatable.117 description:

118 118 "Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments.",

119Key119 },

120 120 {

121`--full-auto`121 key: "codex app-server",

122 122 href: "/codex/cli/reference#codex-app-server",

123Type / Values123 type: "experimental",

124 124 description:

125`boolean`125 "Launch the Codex app server for local development or debugging over stdio, WebSocket, or a Unix socket.",

126 126 },

127Details127 {

128 128 key: "codex remote-control",

129Shortcut for low-friction local work: sets `--ask-for-approval on-request` and `--sandbox workspace-write`.129 href: "/codex/cli/reference#codex-remote-control",

130 130 type: "experimental",

131Key131 description:

132 132 "Ensure the local app-server daemon is running with remote-control support enabled.",

133`--image, -i`133 },

134 134 {

135Type / Values135 key: "codex app",

136 136 href: "/codex/cli/reference#codex-app",

137`path[,path...]`137 type: "stable",

138 138 description:

139Details139 "Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open.",

140 140 },

141Attach one or more image files to the initial prompt. Separate multiple paths with commas or repeat the flag.141 {

142 142 key: "codex debug app-server send-message-v2",

143Key143 href: "/codex/cli/reference#codex-debug-app-server-send-message-v2",

144 144 type: "experimental",

145`--model, -m`145 description:

146 146 "Debug app-server by sending a single V2 message through the built-in test client.",

147Type / Values147 },

148 148 {

149`string`149 key: "codex debug models",

150 150 href: "/codex/cli/reference#codex-debug-models",

151Details151 type: "experimental",

152 152 description:

153Override the model set in configuration (for example `gpt-5.4`).153 "Print the raw model catalog Codex sees, including an option to inspect only the bundled catalog.",

154 154 },

155Key155 {

156 156 key: "codex apply",

157`--no-alt-screen`157 href: "/codex/cli/reference#codex-apply",

158 158 type: "stable",

159Type / Values159 description:

160 160 "Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`.",

161`boolean`161 },

162 162 {

163Details163 key: "codex cloud",

164 164 href: "/codex/cli/reference#codex-cloud",

165Disable alternate screen mode for the TUI (overrides `tui.alternate_screen` for this run).165 type: "experimental",

166 166 description:

167Key167 "Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`.",

168 168 },

169`--oss`169 {

170 170 key: "codex completion",

171Type / Values171 href: "/codex/cli/reference#codex-completion",

172 172 type: "stable",

173`boolean`173 description:

174 174 "Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell.",

175Details175 },

176 176 {

177Use the local open source model provider (equivalent to `-c model_provider="oss"`). Validates that Ollama is running.177 key: "codex features",

178 178 href: "/codex/cli/reference#codex-features",

179Key179 type: "stable",

180 180 description:

181`--profile, -p`181 "List feature flags and persistently enable or disable them in `config.toml`.",

182 182 },

183Type / Values183 {

184 184 key: "codex exec",

185`string`185 href: "/codex/cli/reference#codex-exec",

186 186 type: "stable",

187Details187 description:

188 188 "Run Codex non-interactively. Alias: `codex e`. Stream results to stdout or JSONL and optionally resume previous sessions.",

189Configuration profile name to load from `~/.codex/config.toml`.189 },

190 190 {

191Key191 key: "codex execpolicy",

192 192 href: "/codex/cli/reference#codex-execpolicy",

193`--remote`193 type: "experimental",

194 194 description:

195Type / Values195 "Evaluate execpolicy rule files and see whether a command would be allowed, prompted, or blocked.",

196 196 },

197`ws://host:port | wss://host:port`197 {

198 198 key: "codex login",

199Details199 href: "/codex/cli/reference#codex-login",

200 200 type: "stable",

201Connect the interactive TUI to a remote app-server WebSocket endpoint. Supported for `codex`, `codex resume`, and `codex fork`; other subcommands reject remote mode.201 description:

202 202 "Authenticate Codex using ChatGPT OAuth, device auth, an API key, or an access token piped over stdin.",

203Key203 },

204 204 {

205`--remote-auth-token-env`205 key: "codex logout",

206 206 href: "/codex/cli/reference#codex-logout",

207Type / Values207 type: "stable",

208 208 description: "Remove stored authentication credentials.",

209`ENV_VAR`209 },

210 210 {

211Details211 key: "codex mcp",

212 212 href: "/codex/cli/reference#codex-mcp",

213Read a bearer token from this environment variable and send it when connecting with `--remote`. Requires `--remote`; tokens are only sent over `wss://` URLs or `ws://` URLs whose host is `localhost`, `127.0.0.1`, or `::1`.213 type: "experimental",

214 214 description:

215Key215 "Manage Model Context Protocol servers (list, add, remove, authenticate).",

216 216 },

217`--sandbox, -s`217 {

218 218 key: "codex plugin marketplace",

219Type / Values219 href: "/codex/cli/reference#codex-plugin-marketplace",

220 220 type: "experimental",

221`read-only | workspace-write | danger-full-access`221 description:

222 222 "Add, upgrade, or remove plugin marketplaces from Git or local sources.",

223Details223 },

224 224 {

225Select the sandbox policy for model-generated shell commands.225 key: "codex mcp-server",

226 226 href: "/codex/cli/reference#codex-mcp-server",

227Key227 type: "experimental",

228 228 description:

229`--search`229 "Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex.",

230 230 },

231Type / Values231 {

232 232 key: "codex resume",

233`boolean`233 href: "/codex/cli/reference#codex-resume",

234 234 type: "stable",

235Details235 description:

236 236 "Continue a previous interactive session by ID or resume the most recent conversation.",

237Enable live web search (sets `web_search = "live"` instead of the default `"cached"`).237 },

238 238 {

239Key239 key: "codex fork",

240 240 href: "/codex/cli/reference#codex-fork",

241`PROMPT`241 type: "stable",

242 242 description:

243Type / Values243 "Fork a previous interactive session into a new thread, preserving the original transcript.",

244 244 },

245`string`245 {

246 246 key: "codex sandbox",

247Details247 href: "/codex/cli/reference#codex-sandbox",

248 248 type: "experimental",

249Optional text instruction to start the session. Omit to launch the TUI without a pre-filled message.249 description:

250 250 "Run arbitrary commands inside Codex-provided macOS, Linux, or Windows sandboxes.",

251Expand to view all251 },

252 252 {

253These options apply to the base `codex` command and propagate to each subcommand unless a section below specifies otherwise.253 key: "codex update",

254When you run a subcommand, place global flags after it (for example, `codex exec --oss ...`) so Codex applies them as intended.254 href: "/codex/cli/reference#codex-update",

255 255 type: "stable",

256## Command overview256 description:

257 257 "Check for and apply a Codex CLI update when the installed release supports self-update.",

258The Maturity column uses feature maturity labels such as Experimental, Beta,258 },

259 and Stable. See [Feature Maturity](https://developers.openai.com/codex/feature-maturity) for how to259];

260 interpret these labels.260 

261 261export const execOptions = [

262| Key | Maturity | Details |262 {

263| --- | --- | --- |263 key: "PROMPT",

264| [`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive) | Stable | Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments. |264 type: "string | - (read stdin)",

265| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS, optionally opening a specific workspace path. |265 description:

266| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging. |266 "Initial instruction for the task. Use `-` to pipe the prompt from stdin.",

267| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |267 },

268| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |268 {

269| [`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion) | Stable | Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell. |269 key: "--image, -i",

270| [`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2) | Experimental | Debug app-server by sending a single V2 message through the built-in test client. |270 type: "path[,path...]",

271| [`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec) | Stable | Run Codex non-interactively. Alias: `codex e`. Stream results to stdout or JSONL and optionally resume previous sessions. |271 description:

272| [`codex execpolicy`](https://developers.openai.com/codex/cli/reference#codex-execpolicy) | Experimental | Evaluate execpolicy rule files and see whether a command would be allowed, prompted, or blocked. |272 "Attach images to the first message. Repeatable; supports comma-separated lists.",

273| [`codex features`](https://developers.openai.com/codex/cli/reference#codex-features) | Stable | List feature flags and persistently enable or disable them in `config.toml`. |273 },

274| [`codex fork`](https://developers.openai.com/codex/cli/reference#codex-fork) | Stable | Fork a previous interactive session into a new thread, preserving the original transcript. |274 {

275| [`codex login`](https://developers.openai.com/codex/cli/reference#codex-login) | Stable | Authenticate Codex using ChatGPT OAuth, device auth, or an API key piped over stdin. |275 key: "--model, -m",

276| [`codex logout`](https://developers.openai.com/codex/cli/reference#codex-logout) | Stable | Remove stored authentication credentials. |276 type: "string",

277| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |277 description: "Override the configured model for this run.",

278| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |278 },

279| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |279 {

280| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS seatbelt or Linux bubblewrap sandboxes. |280 key: "--oss",

281 281 type: "boolean",

282Key282 defaultValue: "false",

283 283 description:

284[`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive)284 "Use the local open source provider (requires a running Ollama instance).",

285 285 },

286Maturity286 {

287 287 key: "--sandbox, -s",

288Stable288 type: "read-only | workspace-write | danger-full-access",

289 289 description:

290Details290 "Sandbox policy for model-generated commands. Defaults to configuration.",

291 291 },

292Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments.292 {

293 293 key: "--profile, -p",

294Key294 type: "string",

295 295 description: "Select a configuration profile defined in config.toml.",

296[`codex app`](https://developers.openai.com/codex/cli/reference#codex-app)296 },

297 297 {

298Maturity298 key: "--full-auto",

299 299 type: "boolean",

300Stable300 defaultValue: "false",

301 301 description:

302Details302 "Deprecated compatibility flag. Prefer `--sandbox workspace-write`; Codex prints a warning when this flag is used.",

303 303 },

304Launch the Codex desktop app on macOS, optionally opening a specific workspace path.304 {

305 305 key: "--dangerously-bypass-approvals-and-sandbox, --yolo",

306Key306 type: "boolean",

307 307 defaultValue: "false",

308[`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server)308 description:

309 309 "Bypass approval prompts and sandboxing. Dangerous—only use inside an isolated runner.",

310Maturity310 },

311 311 {

312Experimental312 key: "--cd, -C",

313 313 type: "path",

314Details314 description: "Set the workspace root before executing the task.",

315 315 },

316Launch the Codex app server for local development or debugging.316 {

317 317 key: "--skip-git-repo-check",

318Key318 type: "boolean",

319 319 defaultValue: "false",

320[`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply)320 description:

321 321 "Allow running outside a Git repository (useful for one-off directories).",

322Maturity322 },

323 323 {

324Stable324 key: "--ephemeral",

325 325 type: "boolean",

326Details326 defaultValue: "false",

327 327 description: "Run without persisting session rollout files to disk.",

328Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`.328 },

329 329 {

330Key330 key: "--ignore-user-config",

331 331 type: "boolean",

332[`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud)332 defaultValue: "false",

333 333 description:

334Maturity334 "Do not load `$CODEX_HOME/config.toml`. Authentication still uses `CODEX_HOME`.",

335 335 },

336Experimental336 {

337 337 key: "--ignore-rules",

338Details338 type: "boolean",

339 339 defaultValue: "false",

340Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`.340 description:

341 341 "Do not load user or project execpolicy `.rules` files for this run.",

342Key342 },

343 343 {

344[`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion)344 key: "--output-schema",

345 345 type: "path",

346Maturity346 description:

347 347 "JSON Schema file describing the expected final response shape. Codex validates tool output against it.",

348Stable348 },

349 349 {

350Details350 key: "--color",

351 351 type: "always | never | auto",

352Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell.352 defaultValue: "auto",

353 353 description: "Control ANSI color in stdout.",

354Key354 },

355 355 {

356[`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2)356 key: "--json, --experimental-json",

357 357 type: "boolean",

358Maturity358 defaultValue: "false",

359 359 description:

360Experimental360 "Print newline-delimited JSON events instead of formatted text.",

361 361 },

362Details362 {

363 363 key: "--output-last-message, -o",

364Debug app-server by sending a single V2 message through the built-in test client.364 type: "path",

365 365 description:

366Key366 "Write the assistant’s final message to a file. Useful for downstream scripting.",

367 367 },

368[`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec)368 {

369 369 key: "Resume subcommand",

370Maturity370 type: "codex exec resume [SESSION_ID]",

371 371 description:

372Stable372 "Resume an exec session by ID or add `--last` to continue the most recent session from the current working directory. Add `--all` to consider sessions from any directory. Accepts an optional follow-up prompt.",

373 373 },

374Details374 {

375 375 key: "-c, --config",

376Run Codex non-interactively. Alias: `codex e`. Stream results to stdout or JSONL and optionally resume previous sessions.376 type: "key=value",

377 377 description:

378Key378 "Inline configuration override for the non-interactive run (repeatable).",

379 379 },

380[`codex execpolicy`](https://developers.openai.com/codex/cli/reference#codex-execpolicy)380];

381 381 

382Maturity382export const appServerOptions = [

383 383 {

384Experimental384 key: "--listen",

385 385 type: "stdio:// | ws://IP:PORT | unix:// | unix://PATH | off",

386Details386 defaultValue: "stdio://",

387 387 description:

388Evaluate execpolicy rule files and see whether a command would be allowed, prompted, or blocked.388 "Transport listener URL. Use `stdio://` for JSONL, `ws://IP:PORT` for a TCP WebSocket endpoint, `unix://` for the default Unix socket, `unix://PATH` for a custom Unix socket, or `off` to disable the local transport.",

389 389 },

390Key390 {

391 391 key: "--ws-auth",

392[`codex features`](https://developers.openai.com/codex/cli/reference#codex-features)392 type: "capability-token | signed-bearer-token",

393 393 description:

394Maturity394 "Authentication mode for app-server WebSocket clients. If omitted, WebSocket auth is disabled; non-local listeners warn during startup.",

395 395 },

396Stable396 {

397 397 key: "--ws-token-file",

398Details398 type: "absolute path",

399 399 description:

400List feature flags and persistently enable or disable them in `config.toml`.400 "File containing the shared capability token. Required with `--ws-auth capability-token`.",

401 401 },

402Key402 {

403 403 key: "--ws-shared-secret-file",

404[`codex fork`](https://developers.openai.com/codex/cli/reference#codex-fork)404 type: "absolute path",

405 405 description:

406Maturity406 "File containing the HMAC shared secret used to validate signed JWT bearer tokens. Required with `--ws-auth signed-bearer-token`.",

407 407 },

408Stable408 {

409 409 key: "--ws-issuer",

410Details410 type: "string",

411 411 description:

412Fork a previous interactive session into a new thread, preserving the original transcript.412 "Expected `iss` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.",

413 413 },

414Key414 {

415 415 key: "--ws-audience",

416[`codex login`](https://developers.openai.com/codex/cli/reference#codex-login)416 type: "string",

417 417 description:

418Maturity418 "Expected `aud` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.",

419 419 },

420Stable420 {

421 421 key: "--ws-max-clock-skew-seconds",

422Details422 type: "number",

423 423 defaultValue: "30",

424Authenticate Codex using ChatGPT OAuth, device auth, or an API key piped over stdin.424 description:

425 425 "Clock skew allowance when validating signed bearer token `exp` and `nbf` claims. Requires `--ws-auth signed-bearer-token`.",

426Key426 },

427 427 {

428[`codex logout`](https://developers.openai.com/codex/cli/reference#codex-logout)428 key: "--analytics-default-enabled",

429 429 type: "boolean",

430Maturity430 defaultValue: "false",

431 431 description:

432Stable432 "Defaults analytics to enabled for first-party app-server clients unless the user opts out in config.",

433 433 },

434Details434];

435 435 

436Remove stored authentication credentials.436export const appOptions = [

437 437 {

438Key438 key: "PATH",

439 439 type: "path",

440[`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp)440 defaultValue: ".",

441 441 description:

442Maturity442 "Workspace path for Codex Desktop. On macOS, Codex opens this path; on Windows, Codex prints the path.",

443 443 },

444Experimental444 {

445 445 key: "--download-url",

446Details446 type: "url",

447 447 description:

448Manage Model Context Protocol servers (list, add, remove, authenticate).448 "Advanced override for the Codex desktop installer URL used during install.",

449 449 },

450Key450];

451 451 

452[`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server)452export const debugAppServerSendMessageV2Options = [

453 453 {

454Maturity454 key: "USER_MESSAGE",

455 455 type: "string",

456Experimental456 description:

457 457 "Message text sent to app-server through the built-in V2 test-client flow.",

458Details458 },

459 459];

460Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex.460 

461 461export const debugModelsOptions = [

462Key462 {

463 463 key: "--bundled",

464[`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume)464 type: "boolean",

465 465 defaultValue: "false",

466Maturity466 description:

467 467 "Skip refresh and print only the model catalog bundled with the current Codex binary.",

468Stable468 },

469 469];

470Details470 

471 471export const resumeOptions = [

472Continue a previous interactive session by ID or resume the most recent conversation.472 {

473 473 key: "SESSION_ID",

474Key474 type: "uuid",

475 475 description:

476[`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox)476 "Resume the specified session. Omit and use `--last` to continue the most recent session.",

477 477 },

478Maturity478 {

479 479 key: "--last",

480Experimental480 type: "boolean",

481 481 defaultValue: "false",

482Details482 description:

483 483 "Skip the picker and resume the most recent conversation from the current working directory.",

484Run arbitrary commands inside Codex-provided macOS seatbelt or Linux bubblewrap sandboxes.484 },

485 485 {

486Expand to view all486 key: "--all",

487 487 type: "boolean",

488## Command details488 defaultValue: "false",

489 489 description:

490### `codex` (interactive)490 "Include sessions outside the current working directory when selecting the most recent session.",

491 491 },

492Running `codex` with no subcommand launches the interactive terminal UI (TUI). The agent accepts the global flags above plus image attachments. Web search defaults to cached mode; use `--search` to switch to live browsing and `--full-auto` to let Codex run most commands without prompts.492];

493 493 

494Use `--remote ws://host:port` or `--remote wss://host:port` to connect the TUI to an app server started with `codex app-server --listen ws://IP:PORT`. Add `--remote-auth-token-env <ENV_VAR>` when the server requires a bearer token for WebSocket authentication. See [Codex CLI features](https://developers.openai.com/codex/cli/features#connect-the-tui-to-a-remote-app-server) for setup examples and authentication guidance.494export const featuresOptions = [

495 495 {

496### `codex app-server`496 key: "List subcommand",

497 497 type: "codex features list",

498Launch the Codex app server locally. This is primarily for development and debugging and may change without notice.498 description:

499 499 "Show known feature flags, their maturity stage, and their effective state.",

500| Key | Type / Values | Details |500 },

501| --- | --- | --- |501 {

502| `--listen` | `stdio:// | ws://IP:PORT` | Transport listener URL. Use `ws://IP:PORT` to expose a WebSocket endpoint for remote clients. |502 key: "Enable subcommand",

503| `--ws-audience` | `string` | Expected `aud` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`. |503 type: "codex features enable <feature>",

504| `--ws-auth` | `capability-token | signed-bearer-token` | Authentication mode for app-server WebSocket clients. If omitted, WebSocket auth is disabled; non-local listeners warn during startup. |504 description:

505| `--ws-issuer` | `string` | Expected `iss` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`. |505 "Persistently enable a feature flag in `config.toml`. Respects the active `--profile` when provided.",

506| `--ws-max-clock-skew-seconds` | `number` | Clock skew allowance when validating signed bearer token `exp` and `nbf` claims. Requires `--ws-auth signed-bearer-token`. |506 },

507| `--ws-shared-secret-file` | `absolute path` | File containing the HMAC shared secret used to validate signed JWT bearer tokens. Required with `--ws-auth signed-bearer-token`. |507 {

508| `--ws-token-file` | `absolute path` | File containing the shared capability token. Required with `--ws-auth capability-token`. |508 key: "Disable subcommand",

509 509 type: "codex features disable <feature>",

510Key510 description:

511 511 "Persistently disable a feature flag in `config.toml`. Respects the active `--profile` when provided.",

512`--listen`512 },

513 513];

514Type / Values514 

515 515export const execResumeOptions = [

516`stdio:// | ws://IP:PORT`516 {

517 517 key: "SESSION_ID",

518Details518 type: "uuid",

519 519 description:

520Transport listener URL. Use `ws://IP:PORT` to expose a WebSocket endpoint for remote clients.520 "Resume the specified session. Omit and use `--last` to continue the most recent session.",

521 521 },

522Key522 {

523 523 key: "--last",

524`--ws-audience`524 type: "boolean",

525 525 defaultValue: "false",

526Type / Values526 description:

527 527 "Resume the most recent conversation from the current working directory.",

528`string`528 },

529 529 {

530Details530 key: "--all",

531 531 type: "boolean",

532Expected `aud` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.532 defaultValue: "false",

533 533 description:

534Key534 "Include sessions outside the current working directory when selecting the most recent session.",

535 535 },

536`--ws-auth`536 {

537 537 key: "--image, -i",

538Type / Values538 type: "path[,path...]",

539 539 description:

540`capability-token | signed-bearer-token`540 "Attach one or more images to the follow-up prompt. Separate multiple paths with commas or repeat the flag.",

541 541 },

542Details542 {

543 543 key: "PROMPT",

544Authentication mode for app-server WebSocket clients. If omitted, WebSocket auth is disabled; non-local listeners warn during startup.544 type: "string | - (read stdin)",

545 545 description:

546Key546 "Optional follow-up instruction sent immediately after resuming.",

547 547 },

548`--ws-issuer`548];

549 549 

550Type / Values550export const forkOptions = [

551 551 {

552`string`552 key: "SESSION_ID",

553 553 type: "uuid",

554Details554 description:

555 555 "Fork the specified session. Omit and use `--last` to fork the most recent session.",

556Expected `iss` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.556 },

557 557 {

558Key558 key: "--last",

559 559 type: "boolean",

560`--ws-max-clock-skew-seconds`560 defaultValue: "false",

561 561 description:

562Type / Values562 "Skip the picker and fork the most recent conversation automatically.",

563 563 },

564`number`564 {

565 565 key: "--all",

566Details566 type: "boolean",

567 567 defaultValue: "false",

568Clock skew allowance when validating signed bearer token `exp` and `nbf` claims. Requires `--ws-auth signed-bearer-token`.568 description:

569 569 "Show sessions beyond the current working directory in the picker.",

570Key570 },

571 571];

572`--ws-shared-secret-file`572 

573 573export const execpolicyOptions = [

574Type / Values574 {

575 575 key: "--rules, -r",

576`absolute path`576 type: "path (repeatable)",

577 577 description:

578Details578 "Path to an execpolicy rule file to evaluate. Provide multiple flags to combine rules across files.",

579 579 },

580File containing the HMAC shared secret used to validate signed JWT bearer tokens. Required with `--ws-auth signed-bearer-token`.580 {

581 581 key: "--pretty",

582Key582 type: "boolean",

583 583 defaultValue: "false",

584`--ws-token-file`584 description: "Pretty-print the JSON result.",

585 585 },

586Type / Values586 {

587 587 key: "COMMAND...",

588`absolute path`588 type: "var-args",

589 589 description: "Command to be checked against the specified policies.",

590Details590 },

591 591];

592File containing the shared capability token. Required with `--ws-auth capability-token`.592 

593 593export const loginOptions = [

594`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior. `--listen ws://IP:PORT` enables WebSocket transport for app-server clients. The server accepts `ws://` listen URLs; use TLS termination or a secure proxy when clients connect with `wss://`. If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.594 {

595 595 key: "--with-api-key",

596### `codex app`596 type: "boolean",

597 597 description:

598Launch Codex Desktop from the terminal on macOS and optionally open a specific workspace path.598 "Read an API key from stdin (for example `printenv OPENAI_API_KEY | codex login --with-api-key`).",

599 599 },

600| Key | Type / Values | Details |600 {

601| --- | --- | --- |601 key: "--with-access-token",

602| `--download-url` | `url` | Advanced override for the Codex desktop DMG download URL used during install. |602 type: "boolean",

603| `PATH` | `path` | Workspace path to open in Codex Desktop (`codex app` is available on macOS only). |603 description:

604 604 "Read an access token from stdin (for example `printenv CODEX_ACCESS_TOKEN | codex login --with-access-token`).",

605Key605 },

606 606 {

607`--download-url`607 key: "--device-auth",

608 608 type: "boolean",

609Type / Values609 description:

610 610 "Use OAuth device code flow instead of launching a browser window.",

611`url`611 },

612 612 {

613Details613 key: "status subcommand",

614 614 type: "codex login status",

615Advanced override for the Codex desktop DMG download URL used during install.615 description:

616 616 "Print the active authentication mode and exit with 0 when logged in.",

617Key617 },

618 618];

619`PATH`619 

620 620export const applyOptions = [

621Type / Values621 {

622 622 key: "TASK_ID",

623`path`623 type: "string",

624 624 description:

625Details625 "Identifier of the Codex Cloud task whose diff should be applied.",

626 626 },

627Workspace path to open in Codex Desktop (`codex app` is available on macOS only).627];

628 628 

629`codex app` installs/opens the desktop app on macOS, then opens the provided workspace path. This subcommand is macOS-only.629export const sandboxMacOptions = [

630 630 {

631### `codex debug app-server send-message-v2`631 key: "--permissions-profile",

632 632 type: "NAME",

633Send one message through app-server's V2 thread/turn flow using the built-in app-server test client.633 description:

634 634 "Apply a named permissions profile from the active configuration stack.",

635| Key | Type / Values | Details |635 },

636| --- | --- | --- |636 {

637| `USER_MESSAGE` | `string` | Message text sent to app-server through the built-in V2 test-client flow. |637 key: "--cd, -C",

638 638 type: "DIR",

639Key639 description:

640 640 "Working directory used for profile resolution and command execution. Requires `--permissions-profile`.",

641`USER_MESSAGE`641 },

642 642 {

643Type / Values643 key: "--include-managed-config",

644 644 type: "boolean",

645`string`645 defaultValue: "false",

646 646 description:

647Details647 "Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.",

648 648 },

649Message text sent to app-server through the built-in V2 test-client flow.649 {

650 650 key: "--allow-unix-socket",

651This debug flow initializes with `experimentalApi: true`, starts a thread, sends a turn, and streams server notifications. Use it to reproduce and inspect app-server protocol behavior locally.651 type: "path",

652 652 description:

653### `codex apply`653 "Allow the sandboxed command to bind or connect Unix sockets rooted at this path. Repeat to allow multiple paths.",

654 654 },

655Apply the most recent diff from a Codex cloud task to your local repository. You must authenticate and have access to the task.655 {

656 656 key: "--log-denials",

657| Key | Type / Values | Details |657 type: "boolean",

658| --- | --- | --- |658 defaultValue: "false",

659| `TASK_ID` | `string` | Identifier of the Codex Cloud task whose diff should be applied. |659 description:

660 660 "Capture macOS sandbox denials with `log stream` while the command runs and print them after exit.",

661Key661 },

662 662 {

663`TASK_ID`663 key: "--config, -c",

664 664 type: "key=value",

665Type / Values665 description:

666 666 "Pass configuration overrides into the sandboxed run (repeatable).",

667`string`667 },

668 668 {

669Details669 key: "COMMAND...",

670 670 type: "var-args",

671Identifier of the Codex Cloud task whose diff should be applied.671 description:

672 672 "Shell command to execute under macOS Seatbelt. Everything after `--` is forwarded.",

673Codex prints the patched files and exits non-zero if `git apply` fails (for example, due to conflicts).673 },

674 674];

675### `codex cloud`675 

676 676export const sandboxLinuxOptions = [

677Interact with Codex cloud tasks from the terminal. The default command opens an interactive picker; `codex cloud exec` submits a task directly, and `codex cloud list` returns recent tasks for scripting or quick inspection.677 {

678 678 key: "--permissions-profile",

679| Key | Type / Values | Details |679 type: "NAME",

680| --- | --- | --- |680 description:

681| `--attempts` | `1-4` | Number of assistant attempts (best-of-N) Codex Cloud should run. |681 "Apply a named permissions profile from the active configuration stack.",

682| `--env` | `ENV_ID` | Target Codex Cloud environment identifier (required). Use `codex cloud` to list options. |682 },

683| `QUERY` | `string` | Task prompt. If omitted, Codex prompts interactively for details. |683 {

684 684 key: "--cd, -C",

685Key685 type: "DIR",

686 686 description:

687`--attempts`687 "Working directory used for profile resolution and command execution. Requires `--permissions-profile`.",

688 688 },

689Type / Values689 {

690 690 key: "--include-managed-config",

691`1-4`691 type: "boolean",

692 692 defaultValue: "false",

693Details693 description:

694 694 "Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.",

695Number of assistant attempts (best-of-N) Codex Cloud should run.695 },

696 696 {

697Key697 key: "--config, -c",

698 698 type: "key=value",

699`--env`699 description:

700 700 "Configuration overrides applied before launching the sandbox (repeatable).",

701Type / Values701 },

702 702 {

703`ENV_ID`703 key: "COMMAND...",

704 704 type: "var-args",

705Details705 description:

706 706 "Command to execute under Landlock + seccomp. Provide the executable after `--`.",

707Target Codex Cloud environment identifier (required). Use `codex cloud` to list options.707 },

708 708];

709Key709 

710 710export const sandboxWindowsOptions = [

711`QUERY`711 {

712 712 key: "--permissions-profile",

713Type / Values713 type: "NAME",

714 714 description:

715`string`715 "Apply a named permissions profile from the active configuration stack.",

716 716 },

717Details717 {

718 718 key: "--cd, -C",

719Task prompt. If omitted, Codex prompts interactively for details.719 type: "DIR",

720 720 description:

721Authentication follows the same credentials as the main CLI. Codex exits non-zero if the task submission fails.721 "Working directory used for profile resolution and command execution. Requires `--permissions-profile`.",

722 722 },

723#### `codex cloud list`723 {

724 724 key: "--include-managed-config",

725List recent cloud tasks with optional filtering and pagination.725 type: "boolean",

726 726 defaultValue: "false",

727| Key | Type / Values | Details |727 description:

728| --- | --- | --- |728 "Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.",

729| `--cursor` | `string` | Pagination cursor returned by a previous request. |729 },

730| `--env` | `ENV_ID` | Filter tasks by environment identifier. |730 {

731| `--json` | `boolean` | Emit machine-readable JSON instead of plain text. |731 key: "--config, -c",

732| `--limit` | `1-20` | Maximum number of tasks to return. |732 type: "key=value",

733 733 description:

734Key734 "Configuration overrides applied before launching the sandbox (repeatable).",

735 735 },

736`--cursor`736 {

737 737 key: "COMMAND...",

738Type / Values738 type: "var-args",

739 739 description:

740`string`740 "Command to execute under the native Windows sandbox. Provide the executable after `--`.",

741 741 },

742Details742];

743 743 

744Pagination cursor returned by a previous request.744export const completionOptions = [

745 745 {

746Key746 key: "SHELL",

747 747 type: "bash | zsh | fish | power-shell | elvish",

748`--env`748 defaultValue: "bash",

749 749 description: "Shell to generate completions for. Output prints to stdout.",

750Type / Values750 },

751 751];

752`ENV_ID`752 

753 753export const cloudExecOptions = [

754Details754 {

755 755 key: "QUERY",

756Filter tasks by environment identifier.756 type: "string",

757 757 description:

758Key758 "Task prompt. If omitted, Codex prompts interactively for details.",

759 759 },

760`--json`760 {

761 761 key: "--env",

762Type / Values762 type: "ENV_ID",

763 763 description:

764`boolean`764 "Target Codex Cloud environment identifier (required). Use `codex cloud` to list options.",

765 765 },

766Details766 {

767 767 key: "--attempts",

768Emit machine-readable JSON instead of plain text.768 type: "1-4",

769 769 defaultValue: "1",

770Key770 description:

771 771 "Number of assistant attempts (best-of-N) Codex Cloud should run.",

772`--limit`772 },

773 773];

774Type / Values774 

775 775export const cloudListOptions = [

776`1-20`776 {

777 777 key: "--env",

778Details778 type: "ENV_ID",

779 779 description: "Filter tasks by environment identifier.",

780Maximum number of tasks to return.780 },

781 781 {

782Plain-text output prints a task URL followed by status details. Use `--json` for automation. The JSON payload contains a `tasks` array plus an optional `cursor` value. Each task includes `id`, `url`, `title`, `status`, `updated_at`, `environment_id`, `environment_label`, `summary`, `is_review`, and `attempt_total`.782 key: "--limit",

783 783 type: "1-20",

784### `codex completion`784 defaultValue: "20",

785 785 description: "Maximum number of tasks to return.",

786Generate shell completion scripts and redirect the output to the appropriate location, for example `codex completion zsh > "${fpath[1]}/_codex"`.786 },

787 787 {

788| Key | Type / Values | Details |788 key: "--cursor",

789| --- | --- | --- |789 type: "string",

790| `SHELL` | `bash | zsh | fish | power-shell | elvish` | Shell to generate completions for. Output prints to stdout. |790 description: "Pagination cursor returned by a previous request.",

791 791 },

792Key792 {

793 793 key: "--json",

794`SHELL`794 type: "boolean",

795 795 defaultValue: "false",

796Type / Values796 description: "Emit machine-readable JSON instead of plain text.",

797 797 },

798`bash | zsh | fish | power-shell | elvish`798];

799 799 

800Details800export const mcpCommands = [

801 801 {

802Shell to generate completions for. Output prints to stdout.802 key: "list",

803 803 type: "--json",

804### `codex features`804 description:

805 805 "List configured MCP servers. Add `--json` for machine-readable output.",

806Manage feature flags stored in `~/.codex/config.toml`. The `enable` and `disable` commands persist changes so they apply to future sessions. When you launch with `--profile`, Codex writes to that profile instead of the root configuration.806 },

807 807 {

808| Key | Type / Values | Details |808 key: "get <name>",

809| --- | --- | --- |809 type: "--json",

810| `Disable subcommand` | `codex features disable <feature>` | Persistently disable a feature flag in `config.toml`. Respects the active `--profile` when provided. |810 description:

811| `Enable subcommand` | `codex features enable <feature>` | Persistently enable a feature flag in `config.toml`. Respects the active `--profile` when provided. |811 "Show a specific server configuration. `--json` prints the raw config entry.",

812| `List subcommand` | `codex features list` | Show known feature flags, their maturity stage, and their effective state. |812 },

813 813 {

814Key814 key: "add <name>",

815 815 type: "-- <command...> | --url <value>",

816`Disable subcommand`816 description:

817 817 "Register a server using a stdio launcher command or a streamable HTTP URL. Supports `--env KEY=VALUE` for stdio transports.",

818Type / Values818 },

819 819 {

820`codex features disable <feature>`820 key: "remove <name>",

821 821 description: "Delete a stored MCP server definition.",

822Details822 },

823 823 {

824Persistently disable a feature flag in `config.toml`. Respects the active `--profile` when provided.824 key: "login <name>",

825 825 type: "--scopes scope1,scope2",

826Key826 description:

827 827 "Start an OAuth login for a streamable HTTP server (servers that support OAuth only).",

828`Enable subcommand`828 },

829 829 {

830Type / Values830 key: "logout <name>",

831 831 description:

832`codex features enable <feature>`832 "Remove stored OAuth credentials for a streamable HTTP server.",

833 833 },

834Details834];

835 835 

836Persistently enable a feature flag in `config.toml`. Respects the active `--profile` when provided.836export const mcpAddOptions = [

837 837 {

838Key838 key: "COMMAND...",

839 839 type: "stdio transport",

840`List subcommand`840 description:

841 841 "Executable plus arguments to launch the MCP server. Provide after `--`.",

842Type / Values842 },

843 843 {

844`codex features list`844 key: "--env KEY=VALUE",

845 845 type: "repeatable",

846Details846 description:

847 847 "Environment variable assignments applied when launching a stdio server.",

848Show known feature flags, their maturity stage, and their effective state.848 },

849 849 {

850### `codex exec`850 key: "--url",

851 851 type: "https://…",

852Use `codex exec` (or the short form `codex e`) for scripted or CI-style runs that should finish without human interaction.852 description:

853 853 "Register a streamable HTTP server instead of stdio. Mutually exclusive with `COMMAND...`.",

854| Key | Type / Values | Details |854 },

855| --- | --- | --- |855 {

856| `--cd, -C` | `path` | Set the workspace root before executing the task. |856 key: "--bearer-token-env-var",

857| `--color` | `always | never | auto` | Control ANSI color in stdout. |857 type: "ENV_VAR",

858| `--dangerously-bypass-approvals-and-sandbox, --yolo` | `boolean` | Bypass approval prompts and sandboxing. Dangerous—only use inside an isolated runner. |858 description:

859| `--ephemeral` | `boolean` | Run without persisting session rollout files to disk. |859 "Environment variable whose value is sent as a bearer token when connecting to a streamable HTTP server.",

860| `--full-auto` | `boolean` | Apply the low-friction automation preset (`workspace-write` sandbox and `on-request` approvals). |860 },

861| `--image, -i` | `path[,path...]` | Attach images to the first message. Repeatable; supports comma-separated lists. |861];

862| `--json, --experimental-json` | `boolean` | Print newline-delimited JSON events instead of formatted text. |862 

863| `--model, -m` | `string` | Override the configured model for this run. |863export const marketplaceCommands = [

864| `--oss` | `boolean` | Use the local open source provider (requires a running Ollama instance). |864 {

865| `--output-last-message, -o` | `path` | Write the assistant’s final message to a file. Useful for downstream scripting. |865 key: "add <source>",

866| `--output-schema` | `path` | JSON Schema file describing the expected final response shape. Codex validates tool output against it. |866 type: "[--ref REF] [--sparse PATH]",

867| `--profile, -p` | `string` | Select a configuration profile defined in config.toml. |867 description:

868| `--sandbox, -s` | `read-only | workspace-write | danger-full-access` | Sandbox policy for model-generated commands. Defaults to configuration. |868 "Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated.",

869| `--skip-git-repo-check` | `boolean` | Allow running outside a Git repository (useful for one-off directories). |869 },

870| `-c, --config` | `key=value` | Inline configuration override for the non-interactive run (repeatable). |870 {

871| `PROMPT` | `string | - (read stdin)` | Initial instruction for the task. Use `-` to pipe the prompt from stdin. |871 key: "upgrade [marketplace-name]",

872| `Resume subcommand` | `codex exec resume [SESSION_ID]` | Resume an exec session by ID or add `--last` to continue the most recent session from the current working directory. Add `--all` to consider sessions from any directory. Accepts an optional follow-up prompt. |872 description:

873 873 "Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided.",

874Key874 },

875 875 {

876`--cd, -C`876 key: "remove <marketplace-name>",

877 877 description: "Remove a configured plugin marketplace.",

878Type / Values878 },

879 879];

880`path`

881 

882Details

883 

884Set the workspace root before executing the task.

885 

886Key

887 

888`--color`

889 

890Type / Values

891 

892`always | never | auto`

893 

894Details

895 

896Control ANSI color in stdout.

897 

898Key

899 

900`--dangerously-bypass-approvals-and-sandbox, --yolo`

901 

902Type / Values

903 

904`boolean`

905 

906Details

907 

908Bypass approval prompts and sandboxing. Dangerous—only use inside an isolated runner.

909 

910Key

911 880 

912`--ephemeral`881## How to read this reference

913 

914Type / Values

915 

916`boolean`

917 

918Details

919 

920Run without persisting session rollout files to disk.

921 

922Key

923 

924`--full-auto`

925 

926Type / Values

927 

928`boolean`

929 

930Details

931 

932Apply the low-friction automation preset (`workspace-write` sandbox and `on-request` approvals).

933 

934Key

935 

936`--image, -i`

937 

938Type / Values

939 

940`path[,path...]`

941 

942Details

943 

944Attach images to the first message. Repeatable; supports comma-separated lists.

945 

946Key

947 

948`--json, --experimental-json`

949 

950Type / Values

951 

952`boolean`

953 

954Details

955 

956Print newline-delimited JSON events instead of formatted text.

957 

958Key

959 

960`--model, -m`

961 

962Type / Values

963 

964`string`

965 

966Details

967 

968Override the configured model for this run.

969 

970Key

971 

972`--oss`

973 

974Type / Values

975 

976`boolean`

977 882 

978Details883This page catalogs every documented Codex CLI command and flag. Use the interactive tables to search by key or description. Each section indicates whether the option is stable or experimental and calls out risky combinations.

979 884 

980Use the local open source provider (requires a running Ollama instance).885The CLI inherits most defaults from <code>~/.codex/config.toml</code>. Any

886 <code>-c key=value</code> overrides you pass at the command line take

887 precedence for that invocation. See [Config

888 basics](https://developers.openai.com/codex/config-basic#configuration-precedence) for more information.

981 889 

982Key890## Global flags

983 891 

984`--output-last-message, -o`892<ConfigTable client:load options={globalFlagOptions} />

985 893 

986Type / Values894These options apply to the base `codex` command and propagate to each subcommand unless a section below specifies otherwise.

895When you run a subcommand, place global flags after it (for example, `codex exec --oss ...`) so Codex applies them as intended.

987 896 

988`path`897## Command overview

989 898 

990Details899The Maturity column uses feature maturity labels such as Experimental, Beta,

900 and Stable. See [Feature Maturity](https://developers.openai.com/codex/feature-maturity) for how to

901 interpret these labels.

991 902 

992Write the assistant’s final message to a file. Useful for downstream scripting.903<ConfigTable

904 client:load

905 options={commandOverview}

906 secondColumnTitle="Maturity"

907 secondColumnVariant="maturity"

908/>

993 909 

994Key910## Command details

995 911 

996`--output-schema`912### `codex` (interactive)

997 913 

998Type / Values914Running `codex` with no subcommand launches the interactive terminal UI (TUI). The agent accepts the global flags above plus image attachments. Web search defaults to cached mode; use `--search` to switch to live browsing. For low-friction local work, use `--sandbox workspace-write --ask-for-approval on-request`.

999 915 

1000`path`916Use `--remote ws://host:port` or `--remote wss://host:port` to connect the TUI to an app server started with `codex app-server --listen ws://IP:PORT`. Add `--remote-auth-token-env <ENV_VAR>` when the server requires a bearer token for WebSocket authentication.

1001 917 

1002Details918### `codex app-server`

1003 919 

1004JSON Schema file describing the expected final response shape. Codex validates tool output against it.920Launch the Codex app server locally. This is primarily for development and debugging and may change without notice.

1005 921 

1006Key922<ConfigTable client:load options={appServerOptions} />

1007 923 

1008`--profile, -p`924`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior. `--listen ws://IP:PORT` enables WebSocket transport for app-server clients. The server accepts `ws://` listen URLs; use TLS termination or a secure proxy when clients connect with `wss://`. Use `--listen unix://` to accept WebSocket handshakes on Codex's default Unix socket, or `--listen unix:///absolute/path.sock` to choose a socket path. If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.

1009 925 

1010Type / Values926### `codex remote-control`

1011 927 

1012`string`928Ensure the app-server daemon is running with remote-control support enabled.

929Managed remote-control clients and SSH remote workflows use this command; it's

930not a replacement for `codex app-server --listen` when you are building a local

931protocol client.

1013 932 

1014Details933### `codex app`

1015 934 

1016Select a configuration profile defined in config.toml.935Launch Codex Desktop from the terminal on macOS or Windows. On macOS, Codex can open a specific workspace path; on Windows, Codex prints the path to open.

1017 936 

1018Key937<ConfigTable client:load options={appOptions} />

1019 938 

1020`--sandbox, -s`939`codex app` opens an installed Codex Desktop app, or starts the installer when

940the app is missing. On macOS, Codex opens the provided workspace path; on

941Windows, it prints the path to open after installation.

1021 942 

1022Type / Values943### `codex debug app-server send-message-v2`

1023 944 

1024`read-only | workspace-write | danger-full-access`945Send one message through app-server's V2 thread/turn flow using the built-in app-server test client.

1025 946 

1026Details947<ConfigTable client:load options={debugAppServerSendMessageV2Options} />

1027 948 

1028Sandbox policy for model-generated commands. Defaults to configuration.949This debug flow initializes with `experimentalApi: true`, starts a thread, sends a turn, and streams server notifications. Use it to reproduce and inspect app-server protocol behavior locally.

1029 950 

1030Key951### `codex debug models`

1031 952 

1032`--skip-git-repo-check`953Print the raw model catalog Codex sees as JSON.

1033 954 

1034Type / Values955<ConfigTable client:load options={debugModelsOptions} />

1035 956 

1036`boolean`957Use `--bundled` when you want to inspect only the catalog bundled with the current binary, without refreshing from the remote models endpoint.

1037 958 

1038Details959### `codex apply`

1039 960 

1040Allow running outside a Git repository (useful for one-off directories).961Apply the most recent diff from a Codex cloud task to your local repository. You must authenticate and have access to the task.

1041 962 

1042Key963<ConfigTable client:load options={applyOptions} />

1043 964 

1044`-c, --config`965Codex prints the patched files and exits non-zero if `git apply` fails (for example, due to conflicts).

1045 966 

1046Type / Values967### `codex cloud`

1047 968 

1048`key=value`969Interact with Codex cloud tasks from the terminal. The default command opens an interactive picker; `codex cloud exec` submits a task directly, and `codex cloud list` returns recent tasks for scripting or quick inspection.

1049 970 

1050Details971<ConfigTable client:load options={cloudExecOptions} />

1051 972 

1052Inline configuration override for the non-interactive run (repeatable).973Authentication follows the same credentials as the main CLI. Codex exits non-zero if the task submission fails.

1053 974 

1054Key975#### `codex cloud list`

1055 976 

1056`PROMPT`977List recent cloud tasks with optional filtering and pagination.

1057 978 

1058Type / Values979<ConfigTable client:load options={cloudListOptions} />

1059 980 

1060`string | - (read stdin)`981Plain-text output prints a task URL followed by status details. Use `--json` for automation. The JSON payload contains a `tasks` array plus an optional `cursor` value. Each task includes `id`, `url`, `title`, `status`, `updated_at`, `environment_id`, `environment_label`, `summary`, `is_review`, and `attempt_total`.

1061 982 

1062Details983### `codex completion`

1063 984 

1064Initial instruction for the task. Use `-` to pipe the prompt from stdin.985Generate shell completion scripts and redirect the output to the appropriate location, for example `codex completion zsh > "${fpath[1]}/_codex"`.

1065 986 

1066Key987<ConfigTable client:load options={completionOptions} />

1067 988 

1068`Resume subcommand`989### `codex features`

1069 990 

1070Type / Values991Manage feature flags stored in `~/.codex/config.toml`. The `enable` and `disable` commands persist changes so they apply to future sessions. When you launch with `--profile`, Codex writes to that profile instead of the root configuration.

1071 992 

1072`codex exec resume [SESSION_ID]`993<ConfigTable client:load options={featuresOptions} />

1073 994 

1074Details995### `codex exec`

1075 996 

1076Resume an exec session by ID or add `--last` to continue the most recent session from the current working directory. Add `--all` to consider sessions from any directory. Accepts an optional follow-up prompt.997Use `codex exec` (or the short form `codex e`) for scripted or CI-style runs that should finish without human interaction.

1077 998 

1078Expand to view all999<ConfigTable client:load options={execOptions} />

1079 1000 

1080Codex writes formatted output by default. Add `--json` to receive newline-delimited JSON events (one per state change). The optional `resume` subcommand lets you continue non-interactive tasks. Use `--last` to pick the most recent session from the current working directory, or add `--all` to search across all sessions:1001Codex writes formatted output by default. Add `--json` to receive newline-delimited JSON events (one per state change). The optional `resume` subcommand lets you continue non-interactive tasks. Use `--last` to pick the most recent session from the current working directory, or add `--all` to search across all sessions:

1081 1002 

1082| Key | Type / Values | Details |1003<ConfigTable client:load options={execResumeOptions} />

1083| --- | --- | --- |

1084| `--all` | `boolean` | Include sessions outside the current working directory when selecting the most recent session. |

1085| `--image, -i` | `path[,path...]` | Attach one or more images to the follow-up prompt. Separate multiple paths with commas or repeat the flag. |

1086| `--last` | `boolean` | Resume the most recent conversation from the current working directory. |

1087| `PROMPT` | `string | - (read stdin)` | Optional follow-up instruction sent immediately after resuming. |

1088| `SESSION_ID` | `uuid` | Resume the specified session. Omit and use `--last` to continue the most recent session. |

1089 

1090Key

1091 

1092`--all`

1093 

1094Type / Values

1095 

1096`boolean`

1097 

1098Details

1099 

1100Include sessions outside the current working directory when selecting the most recent session.

1101 

1102Key

1103 

1104`--image, -i`

1105 

1106Type / Values

1107 

1108`path[,path...]`

1109 

1110Details

1111 

1112Attach one or more images to the follow-up prompt. Separate multiple paths with commas or repeat the flag.

1113 

1114Key

1115 

1116`--last`

1117 

1118Type / Values

1119 

1120`boolean`

1121 

1122Details

1123 

1124Resume the most recent conversation from the current working directory.

1125 

1126Key

1127 

1128`PROMPT`

1129 

1130Type / Values

1131 

1132`string | - (read stdin)`

1133 

1134Details

1135 

1136Optional follow-up instruction sent immediately after resuming.

1137 

1138Key

1139 

1140`SESSION_ID`

1141 

1142Type / Values

1143 

1144`uuid`

1145 

1146Details

1147 

1148Resume the specified session. Omit and use `--last` to continue the most recent session.

1149 1004 

1150### `codex execpolicy`1005### `codex execpolicy`

1151 1006 

1152Check `execpolicy` rule files before you save them. `codex execpolicy check` accepts one or more `--rules` flags (for example, files under `~/.codex/rules`) and emits JSON showing the strictest decision and any matching rules. Add `--pretty` to format the output. The `execpolicy` command is currently in preview.1007Check `execpolicy` rule files before you save them. `codex execpolicy check` accepts one or more `--rules` flags (for example, files under `~/.codex/rules`) and emits JSON showing the strictest decision and any matching rules. Add `--pretty` to format the output. The `execpolicy` command is currently in preview.

1153 1008 

1154| Key | Type / Values | Details |1009<ConfigTable client:load options={execpolicyOptions} />

1155| --- | --- | --- |

1156| `--pretty` | `boolean` | Pretty-print the JSON result. |

1157| `--rules, -r` | `path (repeatable)` | Path to an execpolicy rule file to evaluate. Provide multiple flags to combine rules across files. |

1158| `COMMAND...` | `var-args` | Command to be checked against the specified policies. |

1159 

1160Key

1161 

1162`--pretty`

1163 

1164Type / Values

1165 

1166`boolean`

1167 

1168Details

1169 

1170Pretty-print the JSON result.

1171 

1172Key

1173 

1174`--rules, -r`

1175 

1176Type / Values

1177 

1178`path (repeatable)`

1179 

1180Details

1181 

1182Path to an execpolicy rule file to evaluate. Provide multiple flags to combine rules across files.

1183 

1184Key

1185 

1186`COMMAND...`

1187 

1188Type / Values

1189 

1190`var-args`

1191 

1192Details

1193 

1194Command to be checked against the specified policies.

1195 1010 

1196### `codex login`1011### `codex login`

1197 1012 

1198Authenticate the CLI with a ChatGPT account or API key. With no flags, Codex opens a browser for the ChatGPT OAuth flow.1013Authenticate the CLI with a ChatGPT account, API key, or access token. With no flags, Codex opens a browser for the ChatGPT OAuth flow.

1199 

1200| Key | Type / Values | Details |

1201| --- | --- | --- |

1202| `--device-auth` | `boolean` | Use OAuth device code flow instead of launching a browser window. |

1203| `--with-api-key` | `boolean` | Read an API key from stdin (for example `printenv OPENAI_API_KEY | codex login --with-api-key`). |

1204| `status subcommand` | `codex login status` | Print the active authentication mode and exit with 0 when logged in. |

1205 

1206Key

1207 

1208`--device-auth`

1209 

1210Type / Values

1211 

1212`boolean`

1213 

1214Details

1215 

1216Use OAuth device code flow instead of launching a browser window.

1217 

1218Key

1219 

1220`--with-api-key`

1221 

1222Type / Values

1223 

1224`boolean`

1225 

1226Details

1227 1014 

1228Read an API key from stdin (for example `printenv OPENAI_API_KEY | codex login --with-api-key`).1015<ConfigTable client:load options={loginOptions} />

1229 

1230Key

1231 

1232`status subcommand`

1233 

1234Type / Values

1235 

1236`codex login status`

1237 

1238Details

1239 

1240Print the active authentication mode and exit with 0 when logged in.

1241 1016 

1242`codex login status` exits with `0` when credentials are present, which is helpful in automation scripts.1017`codex login status` exits with `0` when credentials are present, which is helpful in automation scripts.

1243 1018 

1249 1024 

1250Manage Model Context Protocol server entries stored in `~/.codex/config.toml`.1025Manage Model Context Protocol server entries stored in `~/.codex/config.toml`.

1251 1026 

1252| Key | Type / Values | Details |1027<ConfigTable client:load options={mcpCommands} />

1253| --- | --- | --- |

1254| `add <name>` | `-- <command...> | --url <value>` | Register a server using a stdio launcher command or a streamable HTTP URL. Supports `--env KEY=VALUE` for stdio transports. |

1255| `get <name>` | `--json` | Show a specific server configuration. `--json` prints the raw config entry. |

1256| `list` | `--json` | List configured MCP servers. Add `--json` for machine-readable output. |

1257| `login <name>` | `--scopes scope1,scope2` | Start an OAuth login for a streamable HTTP server (servers that support OAuth only). |

1258| `logout <name>` | | Remove stored OAuth credentials for a streamable HTTP server. |

1259| `remove <name>` | | Delete a stored MCP server definition. |

1260 

1261Key

1262 

1263`add <name>`

1264 

1265Type / Values

1266 

1267`-- <command...> | --url <value>`

1268 

1269Details

1270 

1271Register a server using a stdio launcher command or a streamable HTTP URL. Supports `--env KEY=VALUE` for stdio transports.

1272 

1273Key

1274 

1275`get <name>`

1276 

1277Type / Values

1278 

1279`--json`

1280 

1281Details

1282 

1283Show a specific server configuration. `--json` prints the raw config entry.

1284 

1285Key

1286 

1287`list`

1288 

1289Type / Values

1290 

1291`--json`

1292 

1293Details

1294 

1295List configured MCP servers. Add `--json` for machine-readable output.

1296 

1297Key

1298 

1299`login <name>`

1300 

1301Type / Values

1302 

1303`--scopes scope1,scope2`

1304 

1305Details

1306 

1307Start an OAuth login for a streamable HTTP server (servers that support OAuth only).

1308 

1309Key

1310 

1311`logout <name>`

1312 

1313Details

1314 

1315Remove stored OAuth credentials for a streamable HTTP server.

1316 

1317Key

1318 

1319`remove <name>`

1320 

1321Details

1322 

1323Delete a stored MCP server definition.

1324 1028 

1325The `add` subcommand supports both stdio and streamable HTTP transports:1029The `add` subcommand supports both stdio and streamable HTTP transports:

1326 1030 

1327| Key | Type / Values | Details |1031<ConfigTable client:load options={mcpAddOptions} />

1328| --- | --- | --- |

1329| `--bearer-token-env-var` | `ENV_VAR` | Environment variable whose value is sent as a bearer token when connecting to a streamable HTTP server. |

1330| `--env KEY=VALUE` | `repeatable` | Environment variable assignments applied when launching a stdio server. |

1331| `--url` | `https://…` | Register a streamable HTTP server instead of stdio. Mutually exclusive with `COMMAND...`. |

1332| `COMMAND...` | `stdio transport` | Executable plus arguments to launch the MCP server. Provide after `--`. |

1333 

1334Key

1335 

1336`--bearer-token-env-var`

1337 

1338Type / Values

1339 

1340`ENV_VAR`

1341 

1342Details

1343 

1344Environment variable whose value is sent as a bearer token when connecting to a streamable HTTP server.

1345 

1346Key

1347 

1348`--env KEY=VALUE`

1349 

1350Type / Values

1351 

1352`repeatable`

1353 1032 

1354Details1033OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).

1355 

1356Environment variable assignments applied when launching a stdio server.

1357 

1358Key

1359 

1360`--url`

1361 

1362Type / Values

1363 

1364`https://…`

1365 

1366Details

1367 

1368Register a streamable HTTP server instead of stdio. Mutually exclusive with `COMMAND...`.

1369 

1370Key

1371 

1372`COMMAND...`

1373 

1374Type / Values

1375 1034 

1376`stdio transport`1035### `codex plugin marketplace`

1377 1036 

1378Details1037Manage plugin marketplace sources that Codex can browse and install from.

1379 1038 

1380Executable plus arguments to launch the MCP server. Provide after `--`.1039<ConfigTable client:load options={marketplaceCommands} />

1381 1040 

1382OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).1041`codex plugin marketplace add` accepts GitHub shorthand such as `owner/repo` or

1042`owner/repo@ref`, HTTP or HTTPS Git URLs, SSH Git URLs, and local marketplace

1043root directories. Use `--ref` to pin a Git ref, and repeat `--sparse PATH` to

1044use a sparse checkout for Git-backed marketplace repositories.

1383 1045 

1384### `codex mcp-server`1046### `codex mcp-server`

1385 1047 

1389 1051 

1390Continue an interactive session by ID or resume the most recent conversation. `codex resume` scopes `--last` to the current working directory unless you pass `--all`. It accepts the same global flags as `codex`, including model and sandbox overrides.1052Continue an interactive session by ID or resume the most recent conversation. `codex resume` scopes `--last` to the current working directory unless you pass `--all`. It accepts the same global flags as `codex`, including model and sandbox overrides.

1391 1053 

1392| Key | Type / Values | Details |1054<ConfigTable client:load options={resumeOptions} />

1393| --- | --- | --- |

1394| `--all` | `boolean` | Include sessions outside the current working directory when selecting the most recent session. |

1395| `--last` | `boolean` | Skip the picker and resume the most recent conversation from the current working directory. |

1396| `SESSION_ID` | `uuid` | Resume the specified session. Omit and use `--last` to continue the most recent session. |

1397 

1398Key

1399 

1400`--all`

1401 

1402Type / Values

1403 

1404`boolean`

1405 

1406Details

1407 

1408Include sessions outside the current working directory when selecting the most recent session.

1409 

1410Key

1411 

1412`--last`

1413 

1414Type / Values

1415 

1416`boolean`

1417 

1418Details

1419 

1420Skip the picker and resume the most recent conversation from the current working directory.

1421 

1422Key

1423 

1424`SESSION_ID`

1425 

1426Type / Values

1427 

1428`uuid`

1429 

1430Details

1431 

1432Resume the specified session. Omit and use `--last` to continue the most recent session.

1433 1055 

1434### `codex fork`1056### `codex fork`

1435 1057 

1436Fork a previous interactive session into a new thread. By default, `codex fork` opens the session picker; add `--last` to fork your most recent session instead.1058Fork a previous interactive session into a new thread. By default, `codex fork` opens the session picker; add `--last` to fork your most recent session instead.

1437 1059 

1438| Key | Type / Values | Details |1060<ConfigTable client:load options={forkOptions} />

1439| --- | --- | --- |

1440| `--all` | `boolean` | Show sessions beyond the current working directory in the picker. |

1441| `--last` | `boolean` | Skip the picker and fork the most recent conversation automatically. |

1442| `SESSION_ID` | `uuid` | Fork the specified session. Omit and use `--last` to fork the most recent session. |

1443 

1444Key

1445 

1446`--all`

1447 

1448Type / Values

1449 

1450`boolean`

1451 

1452Details

1453 

1454Show sessions beyond the current working directory in the picker.

1455 

1456Key

1457 

1458`--last`

1459 

1460Type / Values

1461 

1462`boolean`

1463 

1464Details

1465 

1466Skip the picker and fork the most recent conversation automatically.

1467 

1468Key

1469 

1470`SESSION_ID`

1471 

1472Type / Values

1473 

1474`uuid`

1475 

1476Details

1477 

1478Fork the specified session. Omit and use `--last` to fork the most recent session.

1479 1061 

1480### `codex sandbox`1062### `codex sandbox`

1481 1063 

1483 1065 

1484#### macOS seatbelt1066#### macOS seatbelt

1485 1067 

1486| Key | Type / Values | Details |1068<ConfigTable client:load options={sandboxMacOptions} />

1487| --- | --- | --- |

1488| `--config, -c` | `key=value` | Pass configuration overrides into the sandboxed run (repeatable). |

1489| `--full-auto` | `boolean` | Grant write access to the current workspace and `/tmp` without approvals. |

1490| `COMMAND...` | `var-args` | Shell command to execute under macOS Seatbelt. Everything after `--` is forwarded. |

1491 

1492Key

1493 

1494`--config, -c`

1495 

1496Type / Values

1497 

1498`key=value`

1499 

1500Details

1501 

1502Pass configuration overrides into the sandboxed run (repeatable).

1503 

1504Key

1505 

1506`--full-auto`

1507 

1508Type / Values

1509 

1510`boolean`

1511 

1512Details

1513 

1514Grant write access to the current workspace and `/tmp` without approvals.

1515 

1516Key

1517 

1518`COMMAND...`

1519 

1520Type / Values

1521 

1522`var-args`

1523 

1524Details

1525 

1526Shell command to execute under macOS Seatbelt. Everything after `--` is forwarded.

1527 1069 

1528#### Linux Landlock1070#### Linux Landlock

1529 1071 

1530| Key | Type / Values | Details |1072<ConfigTable client:load options={sandboxLinuxOptions} />

1531| --- | --- | --- |

1532| `--config, -c` | `key=value` | Configuration overrides applied before launching the sandbox (repeatable). |

1533| `--full-auto` | `boolean` | Grant write access to the current workspace and `/tmp` inside the Landlock sandbox. |

1534| `COMMAND...` | `var-args` | Command to execute under Landlock + seccomp. Provide the executable after `--`. |

1535 

1536Key

1537 

1538`--config, -c`

1539 

1540Type / Values

1541 

1542`key=value`

1543 

1544Details

1545 

1546Configuration overrides applied before launching the sandbox (repeatable).

1547 

1548Key

1549 

1550`--full-auto`

1551 

1552Type / Values

1553 

1554`boolean`

1555 

1556Details

1557 

1558Grant write access to the current workspace and `/tmp` inside the Landlock sandbox.

1559 

1560Key

1561 

1562`COMMAND...`

1563 1073 

1564Type / Values1074#### Windows

1565 1075 

1566`var-args`1076<ConfigTable client:load options={sandboxWindowsOptions} />

1567 1077 

1568Details1078### `codex update`

1569 1079 

1570Command to execute under Landlock + seccomp. Provide the executable after `--`.1080Check for and apply a Codex CLI update when the installed release supports self-update. Debug builds print a message telling you to install a release build instead.

1571 1081 

1572## Flag combinations and safety tips1082## Flag combinations and safety tips

1573 1083 

1574- Set `--full-auto` for unattended local work, but avoid combining it with `--dangerously-bypass-approvals-and-sandbox` unless you are inside a dedicated sandbox VM.1084- Use `--sandbox workspace-write` for unattended local work that can stay inside the workspace, and avoid `--dangerously-bypass-approvals-and-sandbox` unless you are inside a dedicated sandbox VM.

1575- When you need to grant Codex write access to more directories, prefer `--add-dir` rather than forcing `--sandbox danger-full-access`.1085- When you need to grant Codex write access to more directories, prefer `--add-dir` rather than forcing `--sandbox danger-full-access`.

1576- Pair `--json` with `--output-last-message` in CI to capture machine-readable progress and a final natural-language summary.1086- Pair `--json` with `--output-last-message` in CI to capture machine-readable progress and a final natural-language summary.

1577 1087