noninteractive.md Codex Docs, 2026-04-13 00:44 UTC → 2026-05-14 07:00 UTC

50 50 

51By default, `codex exec` runs in a read-only sandbox. In automation, set the least permissions needed for the workflow:51By default, `codex exec` runs in a read-only sandbox. In automation, set the least permissions needed for the workflow:

52 52 

53- Allow edits: `codex exec --full-auto "<task>"`53- Allow edits: `codex exec --sandbox workspace-write "<task>"`

54- Allow broader access: `codex exec --sandbox danger-full-access "<task>"`54- Allow broader access: `codex exec --sandbox danger-full-access "<task>"`

55 55 

56Use `danger-full-access` only in a controlled environment (for example, an isolated CI runner or container).56Use `danger-full-access` only in a controlled environment (for example, an isolated CI runner or container).

57 57 

58Codex keeps `codex exec --full-auto` as a deprecated compatibility flag and prints a warning. Prefer the explicit `--sandbox workspace-write` flag in new scripts.

59 

60Use `--ignore-user-config` when you need a run that doesn't load `$CODEX_HOME/config.toml`, and `--ignore-rules` when you need to skip user and project execpolicy `.rules` files for a controlled automation environment.

61 

58If you configure an enabled MCP server with `required = true` and it fails to initialize, `codex exec` exits with an error instead of continuing without that server.62If you configure an enabled MCP server with `required = true` and it fails to initialize, `codex exec` exits with an error instead of continuing without that server.

59 63 

60## Make output machine-readable64## Make output machine-readable

76{"type":"turn.started"}80{"type":"turn.started"}

77{"type":"item.started","item":{"id":"item_1","type":"command_execution","command":"bash -lc ls","status":"in_progress"}}81{"type":"item.started","item":{"id":"item_1","type":"command_execution","command":"bash -lc ls","status":"in_progress"}}

78{"type":"item.completed","item":{"id":"item_3","type":"agent_message","text":"Repo contains docs, sdk, and examples directories."}}82{"type":"item.completed","item":{"id":"item_3","type":"agent_message","text":"Repo contains docs, sdk, and examples directories."}}

79{"type":"turn.completed","usage":{"input_tokens":24763,"cached_input_tokens":24448,"output_tokens":122}}83{"type":"turn.completed","usage":{"input_tokens":24763,"cached_input_tokens":24448,"output_tokens":122,"reasoning_output_tokens":0}}

80```84```

81 85 

82If you only need the final message, write it to a file with `-o <path>`/`--output-last-message <path>`. This writes the final message to the file and still prints it to `stdout` (see [`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec) for details).86If you only need the final message, write it to a file with `-o <path>`/`--output-last-message <path>`. This writes the final message to the file and still prints it to `stdout` (see [`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec) for details).

137 141 

138`CODEX_API_KEY` is only supported in `codex exec`.142`CODEX_API_KEY` is only supported in `codex exec`.

139 143 

140Use ChatGPT-managed auth in CI/CD (advanced)144<ToggleSection title="Use ChatGPT-managed auth in CI/CD (advanced)">

141 

142Read this if you need to run CI/CD jobs with a Codex user account instead of an145Read this if you need to run CI/CD jobs with a Codex user account instead of an

143API key, such as enterprise teams using ChatGPT-managed Codex access on trusted146API key, such as enterprise teams using ChatGPT-managed Codex access on trusted

144runners or users who need ChatGPT/Codex rate limits instead of API key usage.147runners or users who need ChatGPT/Codex rate limits instead of API key usage.

157 160 

158See [Maintain Codex account auth in CI/CD (advanced)](https://developers.openai.com/codex/auth/ci-cd-auth).161See [Maintain Codex account auth in CI/CD (advanced)](https://developers.openai.com/codex/auth/ci-cd-auth).

159 162 

163</ToggleSection>

164 

160## Resume a non-interactive session165## Resume a non-interactive session

161 166 

162If you need to continue a previous run (for example, a two-stage pipeline), use the `resume` subcommand:167If you need to continue a previous run (for example, a two-stage pipeline), use the `resume` subcommand:

230 235 

231 - name: Run Codex236 - name: Run Codex

232 run: |237 run: |

233 codex exec --full-auto --sandbox workspace-write \238 codex exec --sandbox workspace-write \

234 "Read the repository, run the test suite, identify the minimal change needed to make all tests pass, implement only that change, and stop. Do not refactor unrelated files."239 "Read the repository, run the test suite, identify the minimal change needed to make all tests pass, implement only that change, and stop. Do not refactor unrelated files."

235 240 

236 - name: Verify tests241 - name: Verify tests

263 | tee test-summary.md268 | tee test-summary.md

264```269```

265 270 

266More prompt-plus-stdin examples271<ToggleSection title="More prompt-plus-stdin examples">

267 272 

268### Summarize logs273### Summarize logs

269 274 

297 | gh pr comment 789 --body-file -302 | gh pr comment 789 --body-file -

298```303```

299 304 

305</ToggleSection>

306 

300### Use `codex exec -` when stdin is the prompt307### Use `codex exec -` when stdin is the prompt

301 308 

302If you omit the prompt argument, Codex reads the prompt from stdin. Use `codex exec -` when you want to force that behavior explicitly.309If you omit the prompt argument, Codex reads the prompt from stdin. Use `codex exec -` when you want to force that behavior explicitly.