enterprise/admin-setup diff

enterprise/admin-setup.md +322 −82

Details

1# Admin Setup1# Admin Setup

2 2

3<div class="max-w-1xl mx-auto">

4 <img src="https://developers.openai.com/images/codex/codex_enterprise_admin.png"

5 alt="Codex enterprise admin toggle"

6 class="block w-full mx-auto rounded-lg"

7 />

8</div>

3This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.12This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.

4 13

5Use this page as the step-by-step rollout guide. It focuses on setup order and decision points. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Security](https://developers.openai.com/codex/security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).14Use this page as the step-by-step rollout guide. For detailed policy, configuration, automation, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).

6 15

7## Enterprise-grade security and privacy16## Enterprise-grade security and privacy

8 17

9Codex supports ChatGPT Enterprise security features, including:18Codex supports ChatGPT Enterprise security features, including:

10 19

11- No training on enterprise data20- No training on enterprise data

~~12- Zero data retention for the App, CLI, and IDE (code remains in developer environment)~~21- Zero data retention for the App, CLI, and IDE (code stays in the developer environment)

13- Residency and retention that follow ChatGPT Enterprise policies22- Residency and retention that follow ChatGPT Enterprise policies

14- Granular user access controls23- Granular user access controls

15- Data encryption at rest (AES-256) and in transit (TLS 1.2+)24- Data encryption at rest (AES-256) and in transit (TLS 1.2+)

25- Audit logging via the ChatGPT Compliance API

16 26

17For security controls and runtime protections, see [Security](https://developers.openai.com/codex/security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.27For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.

28For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

18 29

~~19## Local vs. cloud setup~~30## Pre-requisites: Determine owners and rollout strategy

20 31

~~21Codex operates in two environments: local and cloud.~~32During your rollout, team members may support different aspects of integrating Codex into your organization. Ensure you have the following owners:

~~231. **Codex local** includes the Codex app, CLI, and IDE extension. The agent runs on the developer’s computer in a sandbox.~~

242. **Codex cloud** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.

~~26You can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).~~

27 33

~~28## Step 0: Owners and rollout decision~~34- **ChatGPT Enterprise workspace owner:** required to configure Codex settings in your workspace.

35- **Security owner:** determines agent permissions settings for Codex.

36- **Analytics owner:** integrates analytics and compliance APIs into your data pipelines.

29 37

~~30Ensure you have the following owners:~~38Decide which Codex surfaces you will use:

31 39

~~32- Workspace owner with access to ChatGPT Enterprise~~40- **Codex local:** includes the Codex app, CLI, and IDE extension. The agent runs on the developer's computer in a sandbox.

~~33- IT management owner for managed configuration~~41- **Codex cloud:** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.

~~34- Governance owner for analytics / compliance review~~42- **Both:** use local + cloud together.

35 43

~~36A rollout decision:~~44You can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).

~~38- Codex local only (Codex app, CLI, and IDE extension)~~

~~39- Codex cloud only (Codex web, GitHub code review)~~

~~40- Both local + cloud~~

~~42Review [authentication](https://developers.openai.com/codex/auth) before rollout:~~

~~44- Codex local supports ChatGPT sign-in or API keys. Confirm MFA/SSO requirements and any managed login restrictions in authentication~~

~~45- Codex cloud requires ChatGPT sign-in~~

46 45

~~47## Step 1: Enable workspace toggles~~46## Step 1: Enable Codex in your workspace

48 47

~~49Turn on only the Codex features you plan to roll out in this phase.~~48You configure access to Codex in ChatGPT Enterprise workspace settings.

50 49

51Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).50Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).

52 51

53### Codex local52### Codex local

54 53

54Codex local is enabled by default for new ChatGPT Enterprise workspaces. If

55 you are not a ChatGPT workspace owner, you can test whether you have access by

56 [installing Codex](https://developers.openai.com/codex/quickstart) and logging in with your work email.

55Turn on **Allow members to use Codex Local**.58Turn on **Allow members to use Codex Local**.

56 59

57This enables use of the Codex app, CLI, and IDE extension for allowed users.60This enables use of the Codex app, CLI, and IDE extension for allowed users.

58 61

~~59If this toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”~~62If members need programmatic Codex local workflows, also turn on **Allow members to use Codex access tokens** or grant the access token permission through a custom role. For setup and permission details, see [Access tokens](https://developers.openai.com/codex/enterprise/access-tokens).

64If the Codex Local toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”

60 65

61#### Enable device code authentication for Codex CLI66#### Enable device code authentication for Codex CLI

62 67

~~63Allow developers to sign in with device codes when using Codex CLI in a non-interactive environment. More details in [authentication](https://developers.openai.com/codex/auth/).~~68Allow developers to sign in with a device code when using Codex CLI in a non-interactive environment (for example, a remote development box). More details are in [authentication](https://developers.openai.com/codex/auth/).

64 69

~~65![Codex local toggle](/images/codex/enterprise/local-toggle-config.png)~~70<div class="max-w-1xl mx-auto py-1">

71 <img src="https://developers.openai.com/images/codex/enterprise/local-toggle-config.png"

72 alt="Codex local toggle"

73 class="block w-full mx-auto rounded-lg"

74 />

75</div>

66 76

67### Codex cloud77### Codex cloud

68 78

82 92

83Note that it may take up to 10 minutes for Codex to appear in ChatGPT.93Note that it may take up to 10 minutes for Codex to appear in ChatGPT.

84 94

~~85#### Allow members to administer Codex~~

87Allows users to view overall Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics), access [cloud-managed requirements](https://chatgpt.com/codex/settings/managed-configs), and manage Cloud environments (edit and delete).

~~89Codex cloud not required.~~

91#### Enable Codex Slack app to post answers on task completion95#### Enable Codex Slack app to post answers on task completion

92 96

93Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.97Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.

98 102

99By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.103By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.

100 104

101This setting enables users to use an allowlist for common software dependency domains, add more domains and trusted sites, and specify allowed HTTP methods.105This setting lets users use an allowlist for common software dependency domains, add domains and trusted sites, and specify allowed HTTP methods.

102 106

103For security implications of internet access and runtime controls, see [Security](https://developers.openai.com/codex/security).107For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).

104 108

105![Codex cloud toggle](/images/codex/enterprise/cloud-toggle-config.png)109<div class="max-w-1xl mx-auto py-1">

110 <img src="https://developers.openai.com/images/codex/enterprise/cloud-toggle-config.png"

111 alt="Codex cloud toggle"

112 class="block w-full mx-auto rounded-lg"

113 />

114</div>

106 115

107## Step 2: Set up custom roles (RBAC)116## Step 2: Set up custom roles (RBAC)

108 117

109Use RBAC to control which users or groups can access Codex local and Codex cloud.118Use RBAC to control granular permissions for access Codex local and Codex cloud.

119

120<div class="max-w-1xl mx-auto">

121 <img src="https://developers.openai.com/images/codex/enterprise/rbac_custom_roles.png"

122 alt="Codex cloud toggle"

123 class="block w-full mx-auto rounded-lg"

124 />

125</div>

110 126

111### What RBAC lets you do127### What RBAC lets you do

112 128

113Workspace Owners can use RBAC in ChatGPT admin settings to:129Workspace Owners can use RBAC in ChatGPT admin settings to:

114 130

115- Set a default role for users who are not assigned any custom role131- Set a default role for users who aren't assigned any custom role

116- Create custom roles with granular permissions132- Create custom roles with granular permissions

117- Assign one or more custom roles to Groups (including SCIM-synced groups)133- Assign one or more custom roles to Groups

134- Automatically sync users into Groups via SCIM

118- Manage roles centrally from the Custom Roles tab135- Manage roles centrally from the Custom Roles tab

119 136

120Users can inherit multiple roles, and permissions resolve to the maximum allowed across those roles.137Users can inherit more than one role, and permissions resolve to the most permissive (least restrictive) access across those roles.

138

139### Create a Codex Admin group

140

141Set up a dedicated "Codex Admin" group rather than granting Codex administration to a broad audience.

142

143The **Allow members to administer Codex** toggle grants the Codex Admin role. Codex Admins can:

144

145- View Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics)

146- Open the Codex [Policies page](https://chatgpt.com/codex/settings/policies) to manage cloud-managed `requirements.toml` policies

147- Assign those managed policies to user groups or configure a default fallback policy

148- Manage Codex cloud environments, including editing and deleting environments

149

150Use this role for the small set of admins who own Codex rollout, policy management, and governance. It's not required for general Codex users. You don't need Codex cloud to enable this toggle.

121 151

122### Important behavior to plan for152Recommended rollout pattern:

123 153

124Users in any custom role group do not use the workspace default permissions.154- Create a "Codex Users" group for people who should use Codex

155- Create a separate "Codex Admin" group for the smaller set of people who should manage Codex settings and policies

156- Assign the custom role with **Allow members to administer Codex** enabled only to the "Codex Admin" group

157- Keep membership in the "Codex Admin" group limited to workspace owners or designated platform, IT, and governance operators

158- If you use SCIM, back the "Codex Admin" group with your identity provider so membership changes are auditable and centrally managed

125 159

126If you are gradually rolling out Codex, one suggestion is to have a “Codex Users” group and a second “Codex Admin” group that has the “Allow members to administer Codex” toggle enabled.160This separation makes it easier to roll out Codex while keeping analytics, environment management, and policy deployment limited to trusted admins. For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).

127 161

128For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).162## Step 3: Configure Codex local requirements

129 163

130## Step 3: Configure Codex local managed settings164Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).

131 165

132For Codex local, set an admin-approved baseline for local behavior before broader rollout.166Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, network access requirements, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).

133 167

134### Use managed configuration for two different goals168<div class="max-w-1xl mx-auto py-1">

169 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"

170 alt="Codex policies and configurations page"

171 class="block w-full mx-auto rounded-lg"

172 />

173</div>

135 174

136- **Requirements** (`requirements.toml`): Admin-enforced constraints users cannot override175Recommended setup:

137- **Managed defaults** (`managed_config.toml`): Starting values applied when Codex launches

138 176

139### Team Config1771. Create a baseline policy for most users, then create stricter or more permissive variants only where needed.

1782. Assign each managed policy to a specific user group, and configure a default fallback policy for everyone else.

1793. Order group rules with care. If a user matches more than one group-specific rule, the first matching rule applies.

1804. Treat each policy as a complete profile for that group. Codex doesn't fill missing fields from later matching group rules.

181

182These cloud-managed policies apply across Codex local surfaces when users sign in with ChatGPT, including the Codex app, CLI, and IDE extension.

183

184### Example requirements.toml policies

185

186Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.

187

188<div class="max-w-1xl mx-auto py-1">

189 <img src="https://developers.openai.com/images/codex/enterprise/example_policy.png"

190 alt="Example managed requirements policy"

191 class="block w-full mx-auto rounded-lg"

192 />

193</div>

194

195Example: limit web search, sandbox mode, and approvals for a standard local rollout:

196

197```toml

198allowed_web_search_modes = ["disabled", "cached"]

199allowed_sandbox_modes = ["workspace-write"]

200allowed_approval_policies = ["on-request"]

201```

202

203Example: disable Browser Use, the in-app browser, and Computer Use:

204

205```toml

206[features]

207browser_use = false

208in_app_browser = false

209computer_use = false

210```

211

212Example: define administrator-owned network requirements:

213

214```toml

215experimental_network.enabled = true

216experimental_network.dangerously_allow_all_unix_sockets = true

217experimental_network.allow_local_binding = true

218experimental_network.allowed_domains = [

219 "api.openai.com",

220 "*.example.com",

221]

222experimental_network.denied_domains = [

223 "blocked.example.com",

224 "*.exfil.example.com",

225]

226```

227

228Example: add a restrictive command rule when you want admins to block or gate specific commands:

229

230```toml

231[rules]

232prefix_rules = [

233 { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "Require review before mutating remote history." },

234]

235```

236

237You can use any example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).

238

239### Checking user policies

240

241Use the policy lookup tools at the end of the workflow to confirm which managed policy applies to a user. You can check policy assignment by group or by entering a user email.

242

243<div class="max-w-1xl mx-auto py-1">

244 <img src="https://developers.openai.com/images/codex/enterprise/policy_lookup.png"

245 alt="Policy lookup by group or user email"

246 class="block w-full mx-auto rounded-lg"

247 />

248</div>

249

250If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).

251

252## Step 4: Standardize local configuration with Team Config

140 253

141Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.254Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.

142 255

256You can check Team Config settings into the repository under the `.codex` directory. Codex automatically picks up Team Config settings when a user opens that repository.

257

258Start with Team Config for your highest-traffic repositories so teams get consistent behavior in the places they use Codex most.

259

144| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |261| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |

148 265

149For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).266For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).

150 267

151### Recommended first decisions for local rollout268## Step 5: Configure Codex cloud usage (if enabled)

~~152~~

153Define a baseline for your pilot:

~~154~~

155- Approval policy posture

156- Sandbox mode posture

157- Web search posture

158- MCP / connectors policy

159- Local logging and telemetry posture

~~160~~

161For exact keys, precedence, MDM deployment, and examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Security](https://developers.openai.com/codex/security).

~~162~~

163If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).

~~164~~

165## Step 4: Configure Codex cloud usage (if enabled)

166 269

167This step covers repository and environment setup after the Codex cloud workspace toggle is enabled.270This step covers repository and environment setup after you enable the Codex cloud workspace toggle.

168 271

169### Connect Codex cloud to repositories272### Connect Codex cloud to repositories

170 273

1711. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**2741. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**

1722. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT2752. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT

1733. Install or authorize the ChatGPT GitHub Connector2763. Install or connect the ChatGPT GitHub Connector

1744. Choose an installation target for the ChatGPT Connector (typically your main organization)2774. Choose an installation target for the ChatGPT Connector (typically your main organization)

1755. Allow the repositories you want to connect to Codex2785. Allow the repositories you want to connect to Codex

176 279

280For GitHub Enterprise Managed Users (EMU), an organization owner must install

281 the Codex GitHub App for the organization before users can connect

282 repositories in Codex cloud.

283

177For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).284For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).

178 285

179Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.286Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.

180 287

181### Configure IP addresses (as needed)288### Configure IP addresses

182 289

183Configure connector / IP allow lists if required by your network policy with these [egress IP ranges](https://openai.com/chatgpt-agents.json).290If your GitHub organization controls the IP addresses that apps use to connect, make sure to include these [egress IP ranges](https://openai.com/chatgpt-agents.json).

184 291

185These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.292These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.

186 293

188 295

189To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).296To allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).

190 297

191Code review can be configured at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details on [GitHub](https://developers.openai.com/codex/integrations/github) integration page.298You can configure code review at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details are on the [GitHub integration page](https://developers.openai.com/codex/integrations/github).

299

300Use the overview page to confirm your workspace has code review turned on and to see the available review controls.

301

302<div class="max-w-1xl mx-auto py-1">

303 <img src="https://developers.openai.com/images/codex/enterprise/code_review_settings_overview.png"

304 alt="Code review settings overview"

305 class="block w-full mx-auto rounded-lg"

306 />

307</div>

192 308

193Additional integration docs for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).309<div class="grid grid-cols-1 gap-4 py-1 md:grid-cols-2">

310 <div class="max-w-1xl mx-auto">

311 <p>

312 Use the auto review settings to decide whether Codex should review pull

313 requests automatically for connected repositories.

314 </p>

315 <img src="https://developers.openai.com/images/codex/enterprise/auto_code_review_settings.png"

316 alt="Automatic code review settings"

317 class="block w-full mx-auto rounded-lg"

318 />

319 </div>

320 <div class="max-w-1xl mx-auto">

321 <p>

322 Use review triggers to control which pull request events should start a

323 Codex review.

324 </p>

325 <img src="https://developers.openai.com/images/codex/enterprise/review_triggers.png"

326 alt="Code review trigger settings"

327 class="block w-full mx-auto rounded-lg"

328 />

329 </div>

330</div>

194 331

195## Step 5: Set up governance and observability332### Configure Codex security

196 333

197Codex gives enterprise teams several options for visibility into adoption and impact. Set up governance early so your team can monitor adoption, investigate issues, and support compliance workflows.334Codex Security helps engineering and security teams find, confirm, and remediate likely vulnerabilities in connected GitHub repositories.

335

336At a high level, Codex Security:

337

338- scans connected repositories commit by commit

339- ranks likely findings and confirms them when possible

340- shows structured findings with evidence, criticality, and suggested remediation

341- lets teams refine a repository threat model to improve prioritization and review quality

342

343For setup, scan creation, findings review, and threat model guidance, see [Codex Security setup](https://developers.openai.com/codex/security/setup). For a product overview, see [Codex Security](https://developers.openai.com/codex/security).

344

345Integration docs are also available for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).

346

347## Step 6: Set up governance and observability

348

349Codex gives enterprise teams options for visibility into adoption and impact. Set up governance early so your team can track adoption, investigate issues, and support compliance workflows.

198 350

199### Codex governance typically uses351### Codex governance typically uses

200 352

201- Analytics Dashboard for quick, self-serve visibility353- Analytics Dashboard for quick, self-serve visibility

202- Analytics API for programmatic reporting and BI integration354- Analytics API for programmatic reporting and business intelligence integration

203- Compliance API for audit and investigation workflows355- Compliance API for audit and investigation workflows

204 356

205### Recommended minimum setup357### Recommended baseline setup

206 358

207- Assign an owner for adoption reporting359- Assign an owner for adoption reporting

208- Assign an owner for audit and compliance review360- Assign an owner for audit and compliance review

209- Define a review cadence361- Define a review cadence

210- Decide what success looks like362- Decide what success looks like

211 363

212For details and examples, see [Governance](https://developers.openai.com/codex/enterprise/governance).364### Analytics API setup steps

365

366To set up the Analytics API key:

367

3681. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.

3692. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).

3703. Create a new secret key dedicated to Codex Analytics, and give it a descriptive name such as Codex Analytics API.

3714. Select the appropriate project for your organization. If you only have one project, the default project is fine.

3725. Set the key permissions to Read only, since this API only retrieves analytics data.

3736. Copy the key value and store it securely, because you can only view it once.

3747. Email support@openai.com to have that key scoped to `codex.enterprise.analytics.read` only. Wait for OpenAI to confirm your API key has Codex Analytics API access.

375

376<div class="not-prose max-w-md mx-auto py-1">

377 <img src="https://developers.openai.com/images/codex/codex_analytics_key.png"

378 alt="Codex analytics key creation"

379 class="block w-full mx-auto rounded-lg"

380 />

381</div>

382

383To use the Analytics API key:

384

3851. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.

3862. Call the Analytics API at `https://api.chatgpt.com/v1/analytics/codex` using your Platform API key, and include your `workspace_id` in the path.

3873. Choose the endpoint you want to query:

388

389- /workspaces/`{workspace_id}`/usage

390- /workspaces/`{workspace_id}`/code_reviews

391- /workspaces/`{workspace_id}`/code_review_responses

392

3934. Set a reporting date range with `start_time` and `end_time` if needed.

3945. Retrieve the next page of results with `next_page` if the response spans more than one page.

395

396Example curl command to retrieve workspace usage:

397

398```bash

399curl -H "Authorization: Bearer YOUR_PLATFORM_API_KEY" \

400 "https://api.chatgpt.com/v1/analytics/codex/workspaces/WORKSPACE_ID/usage"

401```

402

403For more details on the Analytics API, see [Analytics API](https://developers.openai.com/codex/enterprise/governance#analytics-api).

404

405### Compliance API setup steps

406

407To set up the Compliance API key:

408

4091. Sign in to the [OpenAI API Platform Portal](https://platform.openai.com) as an owner or admin, and select the correct organization.

4102. Go to the [API keys page](https://platform.openai.com/settings/organization/api-keys).

4113. Create a new secret key dedicated to Compliance API and select the appropriate project for your organization. If you only have one project, the default project is fine.

4124. Choose All permissions.

4135. Copy the key value and store it securely, because you can only view it once.

4146. Send an email to support@openai.com with:

415

416- the last 4 digits of the API key

417- the key name

418- the created-by name

419- the scope needed: `read`, `delete`, or both

420

4217. Wait for OpenAI to confirm your API key has Compliance API access.

422

423To use the Compliance API key:

424

4251. Find your `workspace_id` in the [ChatGPT Admin console](https://chatgpt.com/admin) under Workspace details.

4262. Use the Compliance API at `https://api.chatgpt.com/v1/`

4273. Pass your Compliance API key in the Authorization header as a Bearer token.

4284. For Codex-related compliance data, use these endpoints:

429

430- /compliance/workspaces/`{workspace_id}`/logs

431- /compliance/workspaces/`{workspace_id}`/logs/`{log_file_id}`

432- /compliance/workspaces/`{workspace_id}`/codex_tasks

433- /compliance/workspaces/`{workspace_id}`/codex_environments

434

4355. For most Codex compliance integrations, start with the logs endpoint and request Codex event types such as CODEX_LOG or CODEX_SECURITY_LOG.

4366. Use /logs to list available Codex compliance log files, then /logs/`{log_file_id}` to download a specific file.

437

438Example curl command to list compliance log files:

439

440```bash

441curl -L -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \

442 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/logs?event_type=CODEX_LOG&after=2026-03-01T00:00:00Z"

443```

444

445Example curl command to list Codex tasks:

446

447```bash

448curl -H "Authorization: Bearer YOUR_COMPLIANCE_API_KEY" \

449 "https://api.chatgpt.com/v1/compliance/workspaces/WORKSPACE_ID/codex_tasks"

450```

451

452For more details on the Compliance API, see [Compliance API](https://developers.openai.com/codex/enterprise/governance#compliance-api).

213 453

214## Step 6: Confirm and validate setup454## Step 7: Confirm and verify setup

215 455

216### What to verify456### What to verify

217 457

219- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)459- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)

220- MFA and SSO requirements match your enterprise security policy460- MFA and SSO requirements match your enterprise security policy

221- RBAC and workspace toggles produce the expected access behavior461- RBAC and workspace toggles produce the expected access behavior

222- Managed configuration is applied for users462- Managed configuration applies for users

223- Governance data is visible for admins463- Governance data is visible for admins

224 464

225For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).465For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).

226 466

227Once your team is confident with setup, you can confidently roll Codex out to additional teams and organizations.467Once your team is confident with setup, you can roll Codex out to more teams and organizations.

enterprise/admin-setup.md Codex Docs, 2026-03-05 18:41 UTC → 2026-05-18 22:01 UTC