enterprise/admin-setup.md +386 −88
1# Admin Setup1# Admin Setup
2 2
33Set up Codex for your ChatGPT Enterprise workspace<div class="max-w-1xl mx-auto">
4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"
5 alt="Codex enterprise admin toggle"
6 class="block w-full mx-auto rounded-lg"
7 />
8</div>
9
10
4 11
5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
6 13
14Use this page as the step-by-step rollout guide. For detailed policy, configuration, automation, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).
15
7## Enterprise-grade security and privacy16## Enterprise-grade security and privacy
8 17
9Codex supports ChatGPT Enterprise security features, including:18Codex supports ChatGPT Enterprise security features, including:
10 19
11- No training on enterprise data20- No training on enterprise data
1221- Zero data retention for the CLI and IDE- Zero data retention for the App, CLI, and IDE (code stays in the developer environment)
1322- Residency and retention follow ChatGPT Enterprise policies- Residency and retention that follow ChatGPT Enterprise policies
14- Granular user access controls23- Granular user access controls
1524- Data encryption at rest (AES 256) and in transit (TLS 1.2+)- Data encryption at rest (AES-256) and in transit (TLS 1.2+)
25- Audit logging via the ChatGPT Compliance API
16 26
1727For more, see [Security](https://developers.openai.com/codex/security).For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.
28For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).
18 29
1930## Local vs. cloud setup## Pre-requisites: Determine owners and rollout strategy
20 31
2132Codex operates in two environments: local and cloud.During your rollout, team members may support different aspects of integrating Codex into your organization. Ensure you have the following owners:
22 33
23341. Local use includes the Codex app, CLI, and IDE extension. The agent runs on the developer’s computer in a sandbox.- **ChatGPT Enterprise workspace owner:** required to configure Codex settings in your workspace.
24352. Use in the cloud includes Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack). The agent runs remotely in a hosted container with your codebase.- **Security owner:** determines agent permissions settings for Codex.
36- **Analytics owner:** integrates analytics and compliance APIs into your data pipelines.
25 37
2638Use separate permissions and role-based access control (RBAC) to control access to local and cloud features. You can enable local, cloud, or both for all users or for specific groups.Decide which Codex surfaces you will use:
27 39
2840## Codex local setup- **Codex local:** includes the Codex app, CLI, and IDE extension. The agent runs on the developer's computer in a sandbox.
41- **Codex cloud:** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.
42- **Both:** use local + cloud together.
29 43
3044### Enable Codex app, CLI, and IDE extension in workspace settingsYou can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).
31 45
3246To enable Codex locally for workspace members, go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings). Turn on **Allow members to use Codex Local**. This setting doesn’t require the GitHub connector.## Step 1: Enable Codex in your workspace
33 47
3448After you turn this on, users can sign in to use the Codex app, CLI, and IDE extension with their ChatGPT account. If you turn off this setting, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”You configure access to Codex in ChatGPT Enterprise workspace settings.
35 49
3650## Team ConfigGo to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).
37 51
3852Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.### Codex local
39 53
4054| Type | Path | Use it to |Codex local is enabled by default for new ChatGPT Enterprise workspaces. If
4155| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- | you are not a ChatGPT workspace owner, you can test whether you have access by
4256| [Config basics](https://developers.openai.com/codex/config-basic) | `config.toml` | Set defaults for sandbox mode, approvals, model, reasoning effort, and more. | [installing Codex](https://developers.openai.com/codex/quickstart) and logging in with your work email.
43| [Rules](https://developers.openai.com/codex/rules) | `rules/` | Control which commands Codex can run outside the sandbox. |
44| [Skills](https://developers.openai.com/codex/skills) | `skills/` | Make shared skills available to your team. |
45 57
4658For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).Turn on **Allow members to use Codex Local**.
59
60This enables use of the Codex app, CLI, and IDE extension for allowed users.
61
62If members need programmatic Codex local workflows, also turn on **Allow members to use Codex access tokens** or grant the access token permission through a custom role. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).
63
64If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”
47 65
4866## Codex cloud setup#### Enable device code authentication for Codex CLI
67
68Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).
69
70<div class="max-w-1xl mx-auto py-1">
71 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"
72 alt="Codex local toggle"
73 class="block w-full mx-auto rounded-lg"
74 />
75</div>
76
77### Codex cloud
49 78
50### Prerequisites79### Prerequisites
51 80
59 88
60Start by turning on the ChatGPT GitHub Connector in the Codex section of [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).89Start by turning on the ChatGPT GitHub Connector in the Codex section of [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).
61 90
6291To enable Codex cloud for your workspace, turn on **Allow members to use Codex cloud**.To enable Codex cloud for your workspace, turn on **Allow members to use Codex cloud**. Once enabled, users can access Codex directly from the left-hand navigation panel in ChatGPT.
63 92
6493Once enabled, users can access Codex directly from the left-hand navigation panel in ChatGPT.Note that it may take up to 10 minutes for Codex to appear in ChatGPT.
65 94
6695#### Enable Codex Slack app to post answers on task completion
67 96
6897After you turn on Codex in your Enterprise workspace settings, it may take upCodex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.
69to 10 minutes for Codex to appear in ChatGPT.
70 98
7199### Configure the GitHub Connector IP allow listTo learn more, see [Codex in Slack](https://developers.openai.com/codex/integrations/slack).
72 100
73101To control which IP addresses can connect to your ChatGPT GitHub connector, configure these IP ranges:#### Enable Codex agent to access the internet
74 102
75103- [ChatGPT egress IP ranges](https://openai.com/chatgpt-actions.json)By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.
76- [Codex container egress IP ranges](https://openai.com/chatgpt-agents.json)
77 104
78105These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.This setting lets users use an allowlist for common software dependency domains, add domains and trusted sites, and specify allowed HTTP methods.
79 106
80107### Allow members to administer CodexFor security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
81 108
82109This toggle allows users to view Codex workspace analytics and manage environments (edit and delete).<div class="max-w-1xl mx-auto py-1">
110 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"
111 alt="Codex cloud toggle"
112 class="block w-full mx-auto rounded-lg"
113 />
114</div>
83 115
84116Codex supports role-based access (see [Role-based access (RBAC)](#role-based-access-rbac)), so you can turn on this toggle for a specific subset of users.## Step 2: Set up custom roles (RBAC)
85 117
86118### Enable Codex Slack app to post answers on task completionUse RBAC to control granular permissions for access Codex local and Codex cloud.
87 119
88120Codex integrates with Slack. When a user mentions `@Codex` in Slack, Codex starts a cloud task, gets context from the Slack thread, and responds with a link to a PR to review in the thread.<div class="max-w-1xl mx-auto">
121 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"
122 alt="Codex cloud toggle"
123 class="block w-full mx-auto rounded-lg"
124 />
125</div>
89 126
90127To allow the Slack app to post answers on task completion, turn on **Allow Codex Slack app to post answers on task completion**. When enabled, Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.### What RBAC lets you do
91 128
92129To learn more, see [Codex in Slack](https://developers.openai.com/codex/integrations/slack).Workspace Owners can use RBAC in ChatGPT admin settings to:
93 130
94131### Enable Codex agent to access the internet- Set a default role for users who aren't assigned any custom role
132- Create custom roles with granular permissions
133- Assign one or more custom roles to Groups
134- Automatically sync users into Groups via SCIM
135- Manage roles centrally from the Custom Roles tab
95 136
96137By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.Users can inherit more than one role, and permissions resolve to the most permissive (least restrictive) access across those roles.
138
139### Create a Codex Admin group
140
141Set up a dedicated "Codex Admin" group rather than granting Codex administration to a broad audience.
142
143The **Allow members to administer Codex** toggle grants the Codex Admin role. Codex Admins can:
144
145- View Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics)
146- Open the Codex [Policies page](https://chatgpt.com/codex/settings/policies) to manage cloud-managed `requirements.toml` policies
147- Assign those managed policies to user groups or configure a default fallback policy
148- Manage Codex cloud environments, including editing and deleting environments
149
150Use this role for the small set of admins who own Codex rollout, policy management, and governance. It's not required for general Codex users. You don't need Codex cloud to enable this toggle.
151
152Recommended rollout pattern:
153
154- Create a "Codex Users" group for people who should use Codex
155- Create a separate "Codex Admin" group for the smaller set of people who should manage Codex settings and policies
156- Assign the custom role with **Allow members to administer Codex** enabled only to the "Codex Admin" group
157- Keep membership in the "Codex Admin" group limited to workspace owners or designated platform, IT, and governance operators
158- If you use SCIM, back the "Codex Admin" group with your identity provider so membership changes are auditable and centrally managed
159
160This separation makes it easier to roll out Codex while keeping analytics, environment management, and policy deployment limited to trusted admins. For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).
161
162## Step 3: Configure Codex local requirements
163
164Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
165
166Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, network access requirements, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
167
168<div class="max-w-1xl mx-auto py-1">
169 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
170 alt="Codex policies and configurations page"
171 class="block w-full mx-auto rounded-lg"
172 />
173</div>
174
175Recommended setup:
176
1771. Create a baseline policy for most users, then create stricter or more permissive variants only where needed.
1782. Assign each managed policy to a specific user group, and configure a default fallback policy for everyone else.
1793. Order group rules with care. If a user matches more than one group-specific rule, the first matching rule applies.
1804. Treat each policy as a complete profile for that group. Codex doesn't fill missing fields from later matching group rules.
181
182These cloud-managed policies apply across Codex local surfaces when users sign in with ChatGPT, including the Codex app, CLI, and IDE extension.
183
184### Example requirements.toml policies
185
186Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.
187
188<div class="max-w-1xl mx-auto py-1">
189 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"
190 alt="Example managed requirements policy"
191 class="block w-full mx-auto rounded-lg"
192 />
193</div>
194
195Example: limit web search, sandbox mode, and approvals for a standard local rollout:
196
197```toml
198allowed_web_search_modes = ["disabled", "cached"]
199allowed_sandbox_modes = ["workspace-write"]
200allowed_approval_policies = ["on-request"]
201```
202
203Example: disable Browser Use, the in-app browser, and Computer Use:
204
205```toml
206[features]
207browser_use = false
208in_app_browser = false
209computer_use = false
210```
211
212Example: define administrator-owned network requirements:
213
214```toml
215experimental_network.enabled = true
216experimental_network.dangerously_allow_all_unix_sockets = true
217experimental_network.allow_local_binding = true
218experimental_network.allowed_domains = [
219 "api.openai.com",
220 "*.example.com",
221]
222experimental_network.denied_domains = [
223 "blocked.example.com",
224 "*.exfil.example.com",
225]
226```
227
228Example: add a restrictive command rule when you want admins to block or gate specific commands:
229
230```toml
231[rules]
232prefix_rules = [
233 { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "Require review before mutating remote history." },
234]
235```
236
237You can use any example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
238
239### Checking user policies
97 240
98241As an admin, you can allow users to enable agent internet access in their environments. To enable it, turn on **Allow Codex agent to access the internet**.Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.
99 242
100243When this setting is on, users can use an allow list for common software dependency domains, add more domains and trusted sites, and specify allowed HTTP methods.<div class="max-w-1xl mx-auto py-1">
244 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"
245 alt="Policy lookup by group or user email"
246 class="block w-full mx-auto rounded-lg"
247 />
248</div>
249
250If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
251
252## Step 4: Standardize local configuration with Team Config
253
254Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.
255
256You can check Team Config settings into the repository under the `.codex` directory. Codex automatically picks up Team Config settings when a user opens that repository.
257
258Start with Team Config for your highest-traffic repositories so teams get consistent behavior in the places they use Codex most.
259
260| Type | Path | Use it to |
261| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |
262| [Config basics](https://developers.openai.com/codex/config-basic) | `config.toml` | Set defaults for sandbox mode, approvals, model, reasoning effort, and more. |
263| [Rules](https://developers.openai.com/codex/rules) | `rules/` | Control which commands Codex can run outside the sandbox. |
264| [Skills](https://developers.openai.com/codex/skills) | `skills/` | Make shared skills available to your team. |
265
266For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).
267
268## Step 5: Configure Codex cloud usage (if enabled)
269
270This step covers repository and environment setup after you enable the Codex cloud workspace toggle.
271
272### Connect Codex cloud to repositories
273
2741. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**
2752. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT
2763. Install or connect the ChatGPT GitHub Connector
2774. Choose an installation target for the ChatGPT Connector (typically your main organization)
2785. Allow the repositories you want to connect to Codex
279
280For GitHub Enterprise Managed Users (EMU), an organization owner must install
281 the Codex GitHub App for the organization before users can connect
282 repositories in Codex cloud.
283
284For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).
285
286Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.
287
288### Configure IP addresses
289
290If your GitHub organization controls the IP addresses that apps use to connect, make sure to include these [egress IP ranges](https://openai.com/chatgpt-agents.json).
291
292These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.
101 293
102### Enable code review with Codex cloud294### Enable code review with Codex cloud
103 295
104296To allow Codex to do code reviews, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).
297
298You can configure code review at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details are on the [GitHub integration page](https://developers.openai.com/codex/integrations/github).
299
300Use the overview page to confirm your workspace has code review turned on and to see the available review controls.
301
302<div class="max-w-1xl mx-auto py-1">
303 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"
304 alt="Code review settings overview"
305 class="block w-full mx-auto rounded-lg"
306 />
307</div>
308
309<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">
310 <div class="max-w-1xl mx-auto">
311 <p>
312 Use the auto review settings to decide whether Codex should review pull
313 requests automatically for connected repositories.
314 </p>
315 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"
316 alt="Automatic code review settings"
317 class="block w-full mx-auto rounded-lg"
318 />
319 </div>
320 <div class="max-w-1xl mx-auto">
321 <p>
322 Use review triggers to control which pull request events should start a
323 Codex review.
324 </p>
325 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"
326 alt="Code review trigger settings"
327 class="block w-full mx-auto rounded-lg"
328 />
329 </div>
330</div>
331
332### Configure Codex security
333
334Codex Security helps engineering and security teams find, confirm, and remediate likely vulnerabilities in connected GitHub repositories.
335
336At a high level, Codex Security:
337
338- scans connected repositories commit by commit
339- ranks likely findings and confirms them when possible
340- shows structured findings with evidence, criticality, and suggested remediation
341- lets teams refine a repository threat model to improve prioritization and review quality
342
343For setup, scan creation, findings review, and threat model guidance, see [Codex Security setup](https://developers.openai.com/codex/security/setup). For a product overview, see [Codex Security](https://developers.openai.com/codex/security).
344
345Integration docs are also available for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).
346
347## Step 6: Set up governance and observability
348
349Codex gives enterprise teams options for visibility into adoption and impact. Set up governance early so your team can track adoption, investigate issues, and support compliance workflows.
350
351### Codex governance typically uses
352
353- Analytics Dashboard for quick, self-serve visibility
354- Analytics API for programmatic reporting and business intelligence integration
355- Compliance API for audit and investigation workflows
356
357### Recommended baseline setup
358
359- Assign an owner for adoption reporting
360- Assign an owner for audit and compliance review
361- Define a review cadence
362- Decide what success looks like
363
364### Analytics API setup steps
365
366To set up the Analytics API key:
367
3681. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.
3692. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).
3703. Create a new secret key dedicated to Codex Analytics, and give it a descriptive name such as Codex Analytics API.
3714. Select the appropriate project for your organization. If you only have one project, the default project is fine.
3725. Set the key permissions to Read only, since this API only retrieves analytics data.
3736. Copy the key value and store it securely, because you can only view it once.
3747. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.
375
376<div class="not-prose max-w-md mx-auto py-1">
377 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"
378 alt="Codex analytics key creation"
379 class="block w-full mx-auto rounded-lg"
380 />
381</div>
382
383To use the Analytics API key:
384
3851. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.
3862. Call the Analytics API at `https://api.chatgpt.com/v1/analytics/codex` using your Platform API key, and include your `workspace_id` in the path.
3873. Choose the endpoint you want to query:
388
389- /workspaces/`{workspace_id}`/usage
390- /workspaces/`{workspace_id}`/code_reviews
391- /workspaces/`{workspace_id}`/code_review_responses
392
3934. Set a reporting date range with `start_time` and `end_time` if needed.
3945. Retrieve the next page of results with `next_page` if the response spans more than one page.
105 395
106396Users can specify whether they want Codex to review their pull requests. Users can also configure whether code review runs for all contributors to a repository.Example curl command to retrieve workspace usage:
107 397
108398Codex supports two types of code reviews:```bash
399curl -H "Authorization: Bearer YOUR_PLATFORM_API_KEY" \
400 "https://api.chatgpt.com/v1/analytics/codex/workspaces/WORKSPACE_ID/usage"
401```
109 402
1104031. Automatically triggered code reviews when a user opens a PR for review.For more details on the Analytics API, see [Analytics API](https://developers.openai.com/codex/enterprise/governance#analytics-api).
1112. Reactive code reviews when a user mentions @Codex to look at issues. For example, “@Codex fix this CI error” or “@Codex address that feedback.”
112 404
113405## Role-based access (RBAC)### Compliance API setup steps
114 406
115407Codex supports role-based access. RBAC is a security and permissions model used to control access to systems or resources based on a user’s role assignments.To set up the Compliance API key:
116 408
117409To enable RBAC for Codex, navigate to Settings & Permissions → Custom Roles in [ChatGPT’s admin page](https://chatgpt.com/admin/settings) and assign roles to groups created in the Groups tab.1. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.
4102. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).
4113. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.
4124. Choose All permissions.
4135. Copy the key value and store it securely, because you can only view it once.
4146. Send an email to support@openai.com with:
118 415
119416This simplifies permission management for Codex and improves security in your ChatGPT workspace. To learn more, see the [Help Center article](https://help.openai.com/en/articles/11750701-rbac).- the last 4 digits of the API key
417- the key name
418- the created-by name
419- the scope needed: `read`, `delete`, or both
120 420
121421## Set up your first Codex cloud environment7. Wait for OpenAI to confirm your API key has Compliance API access.
122 422
1234231. Go to Codex cloud and select **Get started**.To use the Compliance API key:
1242. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven’t already connected GitHub to ChatGPT.
125 - Allow the ChatGPT Connector for your account.
126 - Choose an installation target for the ChatGPT Connector (typically your main organization).
127 - Allow the repositories you want to connect to Codex (a GitHub admin may need to approve this).
1283. Create your first environment by selecting the repository most relevant to your developers, then select **Create environment**.
129 - Add the email addresses of any environment collaborators to give them edit access.
1304. Start a few starter tasks (for example, writing tests, fixing bugs, or exploring code).
131 424
132425You have now created your first environment. Users who connect to GitHub can create tasks using this environment. Users who have access to the repository can also push pull requests generated from their tasks.1. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.
4262. Use the Compliance API at `https://api.chatgpt.com/v1/`
4273. Pass your Compliance API key in the Authorization header as a Bearer token.
4284. For Codex-related compliance data, use these endpoints:
133 429
134430### Environment management- /compliance/workspaces/`{workspace_id}`/logs
431- /compliance/workspaces/`{workspace_id}`/logs/`{log_file_id}`
432- /compliance/workspaces/`{workspace_id}`/codex_tasks
433- /compliance/workspaces/`{workspace_id}`/codex_environments
135 434
136435As a ChatGPT workspace administrator, you can edit and delete Codex environments in your workspace.5. For most Codex compliance integrations, start with the logs endpoint and request Codex event types such as CODEX_LOG or CODEX_SECURITY_LOG.
4366. Use /logs to list available Codex compliance log files, then /logs/`{log_file_id}` to download a specific file.
137 437
138438### Connect more GitHub repositories with Codex cloudExample curl command to list compliance log files:
139 439
1404401. Select **Environments**, or open the environment selector and select **Manage Environments**.```bash
1414412. Select **Create Environment**.curl -L -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \
1424423. Select the repository you want to connect. "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/logs?event_type=CODEX_LOG&after=2026-03-01T00:00:00Z"
1434434. Enter a name and description.```
1445. Select the environment visibility.
1456. Select **Create Environment**.
146 444
147445Codex automatically optimizes your environment setup by reviewing your codebase. Avoid advanced environment configuration until you observe specific performance issues. For more, see [Codex cloud](https://developers.openai.com/codex/cloud).Example curl command to list Codex tasks:
148 446
149447### Share setup instructions with users```bash
448curl -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \
449 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/codex_tasks"
450```
150 451
151452You can share these steps with end users:For more details on the Compliance API, see [Compliance API](https://developers.openai.com/codex/enterprise/governance#compliance-api).
152 453
1534541. Go to [Codex](https://chatgpt.com/codex) in the left-hand panel of ChatGPT.## Step 7: Confirm and verify setup
1542. Select **Connect to GitHub** in the prompt composer if you’re not already connected.
155 - Sign in to GitHub.
1563. You can now use shared environments with your workspace or create your own environment.
1574. Try a task in both Ask and Code mode. For example:
158 - Ask: Find bugs in this codebase.
159 - Write code: Improve test coverage following the existing test patterns.
160 455
161456## Track Codex usage### What to verify
162 457
163458- For workspaces with rate limits, use [Settings → Usage](https://chatgpt.com/codex/settings/usage) to view workspace metrics for Codex.- Users can sign in to Codex local (ChatGPT or API key)
164459- For more detail on enterprise governance, refer to the [Governance](https://developers.openai.com/codex/enterprise/governance) page.- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)
165460- For enterprise workspaces with flexible pricing, you can see credit usage in the ChatGPT workspace billing console.- MFA and SSO requirements match your enterprise security policy
461- RBAC and workspace toggles produce the expected access behavior
462- Managed configuration applies for users
463- Governance data is visible for admins
166 464
167465## Zero data retention (ZDR)For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).
168 466
169467Codex supports OpenAI organizations with [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) enabled.Once your team is confident with setup, you can roll Codex out to more teams and organizations.