config-sample.md Codex Docs, 2026-04-07 00:40 UTC → 2026-04-13 18:37 UTC

109# - never: never prompt (risky)109# - never: never prompt (risky)

110# - { granular = { ... } }: allow or auto-reject selected prompt categories110# - { granular = { ... } }: allow or auto-reject selected prompt categories

111approval_policy = "on-request"111approval_policy = "on-request"

112# Who reviews eligible approval prompts: user (default) | guardian_subagent

113# approvals_reviewer = "user"

114 

112# Example granular policy:115# Example granular policy:

113# approval_policy = { granular = {116# approval_policy = { granular = {

114# sandbox_approval = true,117# sandbox_approval = true,

127# - workspace-write130# - workspace-write

128# - danger-full-access (no sandbox; extremely risky)131# - danger-full-access (no sandbox; extremely risky)

129sandbox_mode = "read-only"132sandbox_mode = "read-only"

133# Named permissions profile to apply by default. Required before using [permissions.<name>].

134# default_permissions = "workspace"

130 135 

131################################################################################136################################################################################

132# Authentication & Login137# Authentication & Login

274# Managed network proxy settings279# Managed network proxy settings

275################################################################################280################################################################################

276 281 

277[permissions.network]282# Set `default_permissions = "workspace"` before enabling this profile.

283# [permissions.workspace.network]

278# enabled = true284# enabled = true

279# proxy_url = "http://127.0.0.1:43128"285# proxy_url = "http://127.0.0.1:43128"

280# admin_url = "http://127.0.0.1:43129"286# admin_url = "http://127.0.0.1:43129"

286# dangerously_allow_non_loopback_admin = false292# dangerously_allow_non_loopback_admin = false

287# dangerously_allow_all_unix_sockets = false293# dangerously_allow_all_unix_sockets = false

288# mode = "limited" # limited | full294# mode = "limited" # limited | full

289# allowed_domains = ["api.openai.com"]

290# denied_domains = ["example.com"]

291# allow_unix_sockets = ["/var/run/docker.sock"]

292# allow_local_binding = false295# allow_local_binding = false

296#

297# [permissions.workspace.network.domains]

298# "api.openai.com" = "allow"

299# "example.com" = "deny"

300#

301# [permissions.workspace.network.unix_sockets]

302# "/var/run/docker.sock" = "allow"

293 303 

294################################################################################304################################################################################

295# History (table)305# History (table)

327# Set to [] to hide the footer.337# Set to [] to hide the footer.

328# status_line = ["model", "context-remaining", "git-branch"]338# status_line = ["model", "context-remaining", "git-branch"]

329 339 

340# Ordered list of terminal window/tab title item IDs. When unset, Codex uses:

341# ["spinner", "project"]. Set to [] to clear the title.

342# Available IDs include app-name, project, spinner, status, thread, git-branch, model,

343# and task-progress.

344# terminal_title = ["spinner", "project"]

345 

330# Syntax-highlighting theme (kebab-case). Use /theme in the TUI to preview and save.346# Syntax-highlighting theme (kebab-case). Use /theme in the TUI to preview and save.

331# You can also add custom .tmTheme files under $CODEX_HOME/themes.347# You can also add custom .tmTheme files under $CODEX_HOME/themes.

332# theme = "catppuccin-mocha"348# theme = "catppuccin-mocha"

350# hide_rate_limit_model_nudge = true366# hide_rate_limit_model_nudge = true

351# hide_gpt5_1_migration_prompt = true367# hide_gpt5_1_migration_prompt = true

352# "hide_gpt-5.1-codex-max_migration_prompt" = true368# "hide_gpt-5.1-codex-max_migration_prompt" = true

353# model_migrations = { "gpt-4.1" = "gpt-5.1" }369# model_migrations = { "gpt-5.3-codex" = "gpt-5.4" }

354 370 

355################################################################################371################################################################################

356# Centralized Feature Flags (preferred)372# Centralized Feature Flags (preferred)

416# - openai432# - openai

417# - ollama433# - ollama

418# - lmstudio434# - lmstudio

435# These IDs are reserved. Use a different ID for custom providers.

419 436 

420[model_providers]437[model_providers]

421 438 

424# name = "OpenAI Data Residency"441# name = "OpenAI Data Residency"

425# base_url = "https://us.api.openai.com/v1" # example with 'us' domain prefix442# base_url = "https://us.api.openai.com/v1" # example with 'us' domain prefix

426# wire_api = "responses" # only supported value443# wire_api = "responses" # only supported value

427# # requires_openai_auth = true # built-in OpenAI defaults to true444# # requires_openai_auth = true # use only for providers backed by OpenAI auth

428# # request_max_retries = 4 # default 4; max 100445# # request_max_retries = 4 # default 4; max 100

429# # stream_max_retries = 5 # default 5; max 100446# # stream_max_retries = 5 # default 5; max 100

430# # stream_idle_timeout_ms = 300000 # default 300_000 (5m)447# # stream_idle_timeout_ms = 300000 # default 300_000 (5m)

443# env_key_instructions = "Set AZURE_OPENAI_API_KEY in your environment"460# env_key_instructions = "Set AZURE_OPENAI_API_KEY in your environment"

444# # supports_websockets = false461# # supports_websockets = false

445 462 

463# --- Example: command-backed bearer token auth ---

464# [model_providers.proxy]

465# name = "OpenAI using LLM proxy"

466# base_url = "https://proxy.example.com/v1"

467# wire_api = "responses"

468#

469# [model_providers.proxy.auth]

470# command = "/usr/local/bin/fetch-codex-token"

471# args = ["--audience", "codex"]

472# timeout_ms = 5000

473# refresh_interval_ms = 300000

474 

446# --- Example: Local OSS (e.g., Ollama-compatible) ---475# --- Example: Local OSS (e.g., Ollama-compatible) ---

447# [model_providers.ollama]476# [model_providers.local_ollama]

448# name = "Ollama"477# name = "Ollama"

449# base_url = "http://localhost:11434/v1"478# base_url = "http://localhost:11434/v1"

450# wire_api = "responses"479# wire_api = "responses"

471# enabled = false500# enabled = false

472# approval_mode = "approve"501# approval_mode = "approve"

473 502 

503# Optional tool suggestion allowlist for connectors or plugins Codex can offer to install.

504# [tool_suggest]

505# discoverables = [

506# { type = "connector", id = "gmail" },

507# { type = "plugin", id = "figma@openai-curated" },

508# ]

509 

474################################################################################510################################################################################

475# Profiles (named presets)511# Profiles (named presets)

476################################################################################512################################################################################