Configuration Reference
Source URL: https://developers.openai.com/codex/config-reference
Configuration Reference
Section titled “Configuration Reference”Use this page as a searchable reference for Codex configuration files. For conceptual guidance and examples, start with Config basics and Advanced Config.
config.toml
Section titled “config.toml”User-level configuration lives in ~/.codex/config.toml. You can also add project-scoped overrides in .codex/config.toml files. Codex loads project-scoped config files only when you trust the project.
For sandbox and approval keys (approval_policy, sandbox_mode, and sandbox_workspace_write.*), pair this reference with Sandbox and approvals, Protected paths in writable roots, and Network access.
<ConfigTable options={[ { key: "model", type: "string", description: "Model to use (e.g., `gpt-5-codex`).", }, { key: "review_model", type: "string", description: "Optional model override used by `/review` (defaults to the current session model).", }, { key: "model_provider", type: "string", description: "Provider id from `model_providers` (default: `openai`).", }, { key: "model_context_window", type: "number", description: "Context window tokens available to the active model.", }, { key: "model_auto_compact_token_limit", type: "number", description: "Token threshold that triggers automatic history compaction (unset uses model defaults).", }, { key: "oss_provider", type: "lmstudio | ollama", description: "Default local provider used when running with `--oss` (defaults to prompting if unset).", }, { key: "approval_policy", type: "untrusted | on-request | never", description: "Controls when Codex pauses for approval before executing commands. `on-failure` is deprecated; use `on-request` for interactive runs or `never` for non-interactive runs.", }, { key: "sandbox_mode", type: "read-only | workspace-write | danger-full-access", description: "Sandbox policy for filesystem and network access during command execution.", }, { key: "sandbox_workspace_write.writable_roots", type: "array<string>", description: 'Additional writable roots when `sandbox_mode = "workspace-write"`.', }, { key: "sandbox_workspace_write.network_access", type: "boolean", description: "Allow outbound network access inside the workspace-write sandbox.", }, { key: "sandbox_workspace_write.exclude_tmpdir_env_var", type: "boolean", description: "Exclude `$TMPDIR` from writable roots in workspace-write mode.", }, { key: "sandbox_workspace_write.exclude_slash_tmp", type: "boolean", description: "Exclude `/tmp` from writable roots in workspace-write mode.", }, { key: "notify", type: "array<string>", description: "Command invoked for notifications; receives a JSON payload from Codex.", }, { key: "check_for_update_on_startup", type: "boolean", description: "Check for Codex updates on startup (set to false only when updates are centrally managed).", }, { key: "feedback.enabled", type: "boolean", description: "Enable feedback submission via `/feedback` across Codex surfaces (default: true).", }, { key: "instructions", type: "string", description: "Reserved for future use; prefer `model_instructions_file` or `AGENTS.md`.", }, { key: "developer_instructions", type: "string", description: "Additional developer instructions injected into the session (optional).", }, { key: "log_dir", type: "string (path)", description: "Directory where Codex writes log files (for example `codex-tui.log`); defaults to `$CODEX_HOME/log`.", }, { key: "compact_prompt", type: "string", description: "Inline override for the history compaction prompt.", }, { key: "model_instructions_file", type: "string (path)", description: "Replacement for built-in instructions instead of `AGENTS.md`.", }, { key: "personality", type: "none | friendly | pragmatic", description: "Default communication style for models that advertise `supportsPersonality`; can be overridden per thread/turn or via `/personality`.", }, { key: "experimental_compact_prompt_file", type: "string (path)", description: "Load the compaction prompt override from a file (experimental).", }, { key: "skills.config", type: "array<object>", description: "Per-skill enablement overrides stored in config.toml.", }, { key: "skills.config.<index>.path", type: "string (path)", description: "Path to a skill folder containing `SKILL.md`.", }, { key: "skills.config.<index>.enabled", type: "boolean", description: "Enable or disable the referenced skill.", }, { key: "apps.<id>.enabled", type: "boolean", description: "Enable or disable a specific app/connector by id (default: true).", }, { key: "apps.<id>.disabled_reason", type: "unknown | user", description: "Optional reason attached when an app/connector is disabled.", }, { key: "features.apps", type: "boolean", description: "Enable ChatGPT Apps/connectors support (experimental).", }, { key: "features.apps_mcp_gateway", type: "boolean", description: "Route Apps MCP calls through the OpenAI connectors MCP gateway (`https://api.openai.com/v1/connectors/mcp/`) instead of legacy routing (experimental).", }, { key: "mcp_servers.<id>.command", type: "string", description: "Launcher command for an MCP stdio server.", }, { key: "mcp_servers.<id>.args", type: "array<string>", description: "Arguments passed to the MCP stdio server command.", }, { key: "mcp_servers.<id>.env", type: "map<string,string>", description: "Environment variables forwarded to the MCP stdio server.", }, { key: "mcp_servers.<id>.env_vars", type: "array<string>", description: "Additional environment variables to whitelist for an MCP stdio server.", }, { key: "mcp_servers.<id>.cwd", type: "string", description: "Working directory for the MCP stdio server process.", }, { key: "mcp_servers.<id>.url", type: "string", description: "Endpoint for an MCP streamable HTTP server.", }, { key: "mcp_servers.<id>.bearer_token_env_var", type: "string", description: "Environment variable sourcing the bearer token for an MCP HTTP server.", }, { key: "mcp_servers.<id>.http_headers", type: "map<string,string>", description: "Static HTTP headers included with each MCP HTTP request.", }, { key: "mcp_servers.<id>.env_http_headers", type: "map<string,string>", description: "HTTP headers populated from environment variables for an MCP HTTP server.", }, { key: "mcp_servers.<id>.enabled", type: "boolean", description: "Disable an MCP server without removing its configuration.", }, { key: "mcp_servers.<id>.required", type: "boolean", description: "When true, fail startup/resume if this enabled MCP server cannot initialize.", }, { key: "mcp_servers.<id>.startup_timeout_sec", type: "number", description: "Override the default 10s startup timeout for an MCP server.", }, { key: "mcp_servers.<id>.startup_timeout_ms", type: "number", description: "Alias for `startup_timeout_sec` in milliseconds.", }, { key: "mcp_servers.<id>.tool_timeout_sec", type: "number", description: "Override the default 60s per-tool timeout for an MCP server.", }, { key: "mcp_servers.<id>.enabled_tools", type: "array<string>", description: "Allow list of tool names exposed by the MCP server.", }, { key: "mcp_servers.<id>.disabled_tools", type: "array<string>", description: "Deny list applied after `enabled_tools` for the MCP server.", }, { key: "agents.max_threads", type: "number", description: "Maximum number of agent threads that can be open concurrently.", }, { key: "agents.<name>.description", type: "string", description: "Role guidance shown to Codex when choosing and spawning that agent type.", }, { key: "agents.<name>.config_file", type: "string (path)", description: "Path to a TOML config layer for that role; relative paths resolve from the config file that declares the role.", }, { key: "features.unified_exec", type: "boolean", description: "Use the unified PTY-backed exec tool (beta).", }, { key: "features.shell_snapshot", type: "boolean", description: "Snapshot shell environment to speed up repeated commands (beta).", }, { key: "features.apply_patch_freeform", type: "boolean", description: "Expose the freeform `apply_patch` tool (experimental).", }, { key: "features.multi_agent", type: "boolean", description: "Enable multi-agent collaboration tools (`spawn_agent`, `send_input`, `resume_agent`, `wait`, and `close_agent`) (experimental; off by default).", }, { key: "features.personality", type: "boolean", description: "Enable personality selection controls (stable; on by default).", }, { key: "features.web_search", type: "boolean", description: "Deprecated legacy toggle; prefer the top-level `web_search` setting.", }, { key: "features.web_search_cached", type: "boolean", description: 'Deprecated legacy toggle. When `web_search` is unset, true maps to `web_search = "cached"`.', }, { key: "features.web_search_request", type: "boolean", description: 'Deprecated legacy toggle. When `web_search` is unset, true maps to `web_search = "live"`.', }, { key: "features.shell_tool", type: "boolean", description: "Enable the default `shell` tool for running commands (stable; on by default).", }, { key: "features.request_rule", type: "boolean", description: "Enable Smart approvals (`prefix_rule` suggestions on escalation requests; stable; on by default).", }, { key: "features.search_tool", type: "boolean", description: "Enable `search_tool_bm25` for Apps tool discovery before invoking app MCP tools (experimental).", }, { key: "features.collaboration_modes", type: "boolean", description: "Enable collaboration modes such as plan mode (stable; on by default).", }, { key: "features.use_linux_sandbox_bwrap", type: "boolean", description: "Use the bubblewrap-based Linux sandbox pipeline (experimental; off by default).", }, { key: "features.experimental_windows_sandbox", type: "boolean", description: "Run the Windows restricted-token sandbox (experimental).", }, { key: "features.elevated_windows_sandbox", type: "boolean", description: "Enable the elevated Windows sandbox pipeline (experimental).", }, { key: "features.remote_models", type: "boolean", description: "Refresh remote model list before showing readiness (experimental).", }, { key: "features.runtime_metrics", type: "boolean", description: "Show runtime metrics summary in TUI turn separators (experimental).", }, { key: "features.powershell_utf8", type: "boolean", description: "Force PowerShell UTF-8 output (defaults to true).", }, { key: "features.child_agents_md", type: "boolean", description: "Append AGENTS.md scope/precedence guidance even when no AGENTS.md is present (experimental).", }, { key: "suppress_unstable_features_warning", type: "boolean", description: "Suppress the warning that appears when under-development feature flags are enabled.", }, { key: "model_providers.<id>.name", type: "string", description: "Display name for a custom model provider.", }, { key: "model_providers.<id>.base_url", type: "string", description: "API base URL for the model provider.", }, { key: "model_providers.<id>.env_key", type: "string", description: "Environment variable supplying the provider API key.", }, { key: "model_providers.<id>.env_key_instructions", type: "string", description: "Optional setup guidance for the provider API key.", }, { key: "model_providers.<id>.experimental_bearer_token", type: "string", description: "Direct bearer token for the provider (discouraged; use `env_key`).", }, { key: "model_providers.<id>.requires_openai_auth", type: "boolean", description: "The provider uses OpenAI authentication (defaults to false).", }, { key: "model_providers.<id>.wire_api", type: "chat | responses", description: "Protocol used by the provider (defaults to `chat` if omitted).", }, { key: "model_providers.<id>.query_params", type: "map<string,string>", description: "Extra query parameters appended to provider requests.", }, { key: "model_providers.<id>.http_headers", type: "map<string,string>", description: "Static HTTP headers added to provider requests.", }, { key: "model_providers.<id>.env_http_headers", type: "map<string,string>", description: "HTTP headers populated from environment variables when present.", }, { key: "model_providers.<id>.request_max_retries", type: "number", description: "Retry count for HTTP requests to the provider (default: 4).", }, { key: "model_providers.<id>.stream_max_retries", type: "number", description: "Retry count for SSE streaming interruptions (default: 5).", }, { key: "model_providers.<id>.stream_idle_timeout_ms", type: "number", description: "Idle timeout for SSE streams in milliseconds (default: 300000).", }, { key: "model_reasoning_effort", type: "minimal | low | medium | high | xhigh", description: "Adjust reasoning effort for supported models (Responses API only; `xhigh` is model-dependent).", }, { key: "model_reasoning_summary", type: "auto | concise | detailed | none", description: "Select reasoning summary detail or disable summaries entirely.", }, { key: "model_verbosity", type: "low | medium | high", description: "Control GPT-5 Responses API verbosity (defaults to `medium`).", }, { key: "model_supports_reasoning_summaries", type: "boolean", description: "Force Codex to send or not send reasoning metadata.", }, { key: "shell_environment_policy.inherit", type: "all | core | none", description: "Baseline environment inheritance when spawning subprocesses.", }, { key: "shell_environment_policy.ignore_default_excludes", type: "boolean", description: "Keep variables containing KEY/SECRET/TOKEN before other filters run.", }, { key: "shell_environment_policy.exclude", type: "array<string>", description: "Glob patterns for removing environment variables after the defaults.", }, { key: "shell_environment_policy.include_only", type: "array<string>", description: "Whitelist of patterns; when set only matching variables are kept.", }, { key: "shell_environment_policy.set", type: "map<string,string>", description: "Explicit environment overrides injected into every subprocess.", }, { key: "shell_environment_policy.experimental_use_profile", type: "boolean", description: "Use the user shell profile when spawning subprocesses.", }, { key: "project_root_markers", type: "array<string>", description: "List of project root marker filenames; used when searching parent directories for the project root.", }, { key: "project_doc_max_bytes", type: "number", description: "Maximum bytes read from `AGENTS.md` when building project instructions.", }, { key: "project_doc_fallback_filenames", type: "array<string>", description: "Additional filenames to try when `AGENTS.md` is missing.", }, { key: "profile", type: "string", description: "Default profile applied at startup (equivalent to `--profile`).", }, { key: "profiles.<name>.*", type: "various", description: "Profile-scoped overrides for any of the supported configuration keys.", }, { key: "profiles.<name>.include_apply_patch_tool", type: "boolean", description: "Legacy name for enabling freeform apply_patch; prefer `[features].apply_patch_freeform`.", }, { key: "profiles.<name>.web_search", type: "disabled | cached | live", description: 'Profile-scoped web search mode override (default: `"cached"`).', }, { key: "profiles.<name>.personality", type: "none | friendly | pragmatic", description: "Profile-scoped communication style override for supported models.", }, { key: "profiles.<name>.experimental_use_unified_exec_tool", type: "boolean", description: "Legacy name for enabling unified exec; prefer `[features].unified_exec`.", }, { key: "profiles.<name>.experimental_use_freeform_apply_patch", type: "boolean", description: "Legacy name for enabling freeform apply_patch; prefer `[features].apply_patch_freeform`.", }, { key: "profiles.<name>.oss_provider", type: "lmstudio | ollama", description: "Profile-scoped OSS provider for `--oss` sessions.", }, { key: "history.persistence", type: "save-all | none", description: "Control whether Codex saves session transcripts to history.jsonl.", }, { key: "tool_output_token_limit", type: "number", description: "Token budget for storing individual tool/function outputs in history.", }, { key: "history.max_bytes", type: "number", description: "If set, caps the history file size in bytes by dropping oldest entries.", }, { key: "file_opener", type: "vscode | vscode-insiders | windsurf | cursor | none", description: "URI scheme used to open citations from Codex output (default: `vscode`).", }, { key: "otel.environment", type: "string", description: "Environment tag applied to emitted OpenTelemetry events (default: `dev`).", }, { key: "otel.exporter", type: "none | otlp-http | otlp-grpc", description: "Select the OpenTelemetry exporter and provide any endpoint metadata.", }, { key: "otel.trace_exporter", type: "none | otlp-http | otlp-grpc", description: "Select the OpenTelemetry trace exporter and provide any endpoint metadata.", }, { key: "otel.log_user_prompt", type: "boolean", description: "Opt in to exporting raw user prompts with OpenTelemetry logs.", }, { key: "otel.exporter.<id>.endpoint", type: "string", description: "Exporter endpoint for OTEL logs.", }, { key: "otel.exporter.<id>.protocol", type: "binary | json", description: "Protocol used by the OTLP/HTTP exporter.", }, { key: "otel.exporter.<id>.headers", type: "map<string,string>", description: "Static headers included with OTEL exporter requests.", }, { key: "otel.trace_exporter.<id>.endpoint", type: "string", description: "Trace exporter endpoint for OTEL logs.", }, { key: "otel.trace_exporter.<id>.protocol", type: "binary | json", description: "Protocol used by the OTLP/HTTP trace exporter.", }, { key: "otel.trace_exporter.<id>.headers", type: "map<string,string>", description: "Static headers included with OTEL trace exporter requests.", }, { key: "otel.exporter.<id>.tls.ca-certificate", type: "string", description: "CA certificate path for OTEL exporter TLS.", }, { key: "otel.exporter.<id>.tls.client-certificate", type: "string", description: "Client certificate path for OTEL exporter TLS.", }, { key: "otel.exporter.<id>.tls.client-private-key", type: "string", description: "Client private key path for OTEL exporter TLS.", }, { key: "otel.trace_exporter.<id>.tls.ca-certificate", type: "string", description: "CA certificate path for OTEL trace exporter TLS.", }, { key: "otel.trace_exporter.<id>.tls.client-certificate", type: "string", description: "Client certificate path for OTEL trace exporter TLS.", }, { key: "otel.trace_exporter.<id>.tls.client-private-key", type: "string", description: "Client private key path for OTEL trace exporter TLS.", }, { key: "tui", type: "table", description: "TUI-specific options such as enabling inline desktop notifications.", }, { key: "tui.notifications", type: "boolean | array<string>", description: "Enable TUI notifications; optionally restrict to specific event types.", }, { key: "tui.notification_method", type: "auto | osc9 | bel", description: "Notification method for unfocused terminal notifications (default: auto).", }, { key: "tui.animations", type: "boolean", description: "Enable terminal animations (welcome screen, shimmer, spinner) (default: true).", }, { key: "tui.alternate_screen", type: "auto | always | never", description: "Control alternate screen usage for the TUI (default: auto; auto skips it in Zellij to preserve scrollback).", }, { key: "tui.show_tooltips", type: "boolean", description: "Show onboarding tooltips in the TUI welcome screen (default: true).", }, { key: "tui.status_line", type: "array<string> | null", description: "Ordered list of TUI footer status-line item identifiers. `null` disables the status line.", }, { key: "hide_agent_reasoning", type: "boolean", description: "Suppress reasoning events in both the TUI and `codex exec` output.", }, { key: "show_raw_agent_reasoning", type: "boolean", description: "Surface raw reasoning content when the active model emits it.", }, { key: "disable_paste_burst", type: "boolean", description: "Disable burst-paste detection in the TUI.", }, { key: "windows_wsl_setup_acknowledged", type: "boolean", description: "Track Windows onboarding acknowledgement (Windows only).", }, { key: "chatgpt_base_url", type: "string", description: "Override the base URL used during the ChatGPT login flow.", }, { key: "cli_auth_credentials_store", type: "file | keyring | auto", description: "Control where the CLI stores cached credentials (file-based auth.json vs OS keychain).", }, { key: "mcp_oauth_credentials_store", type: "auto | file | keyring", description: "Preferred store for MCP OAuth credentials.", }, { key: "mcp_oauth_callback_port", type: "integer", description: "Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS.", }, { key: "experimental_use_unified_exec_tool", type: "boolean", description: "Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`.", }, { key: "experimental_use_freeform_apply_patch", type: "boolean", description: "Legacy name for enabling freeform apply_patch; prefer `[features].apply_patch_freeform` or `codex --enable apply_patch_freeform`.", }, { key: "include_apply_patch_tool", type: "boolean", description: "Legacy name for enabling freeform apply_patch; prefer `[features].apply_patch_freeform`.", }, { key: "tools.web_search", type: "boolean", description: "Deprecated legacy toggle for web search; prefer the top-level `web_search` setting.", }, { key: "web_search", type: "disabled | cached | live", description: 'Web search mode (default: `"cached"`; cached uses an OpenAI-maintained index and does not fetch live pages; if you use `--yolo` or another full access sandbox setting, it defaults to `"live"`). Use `"live"` to fetch the most recent data from the web, or `"disabled"` to remove the tool.', }, { key: "projects.<path>.trust_level", type: "string", description: 'Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers.', }, { key: "notice.hide_full_access_warning", type: "boolean", description: "Track acknowledgement of the full access warning prompt.", }, { key: "notice.hide_world_writable_warning", type: "boolean", description: "Track acknowledgement of the Windows world-writable directories warning.", }, { key: "notice.hide_rate_limit_model_nudge", type: "boolean", description: "Track opt-out of the rate limit model switch reminder.", }, { key: "notice.hide_gpt5_1_migration_prompt", type: "boolean", description: "Track acknowledgement of the GPT-5.1 migration prompt.", }, { key: "notice.hide_gpt-5.1-codex-max_migration_prompt", type: "boolean", description: "Track acknowledgement of the gpt-5.1-codex-max migration prompt.", }, { key: "notice.model_migrations", type: "map<string,string>", description: "Track acknowledged model migrations as old->new mappings.", }, { key: "forced_login_method", type: "chatgpt | api", description: "Restrict Codex to a specific authentication method.", }, { key: "forced_chatgpt_workspace_id", type: "string (uuid)", description: "Limit ChatGPT logins to a specific workspace identifier.", }, ]} client:load/>You can find the latest JSON schema for config.toml here.
To get autocompletion and diagnostics when editing config.toml in VS Code or Cursor, you can install the Even Better TOML extension and add this line to the top of your config.toml:
#:schema https://developers.openai.com/codex/config-schema.jsonNote: Rename experimental_instructions_file to model_instructions_file. Codex deprecates the old key; update existing configs to the new name.
requirements.toml
Section titled “requirements.toml”requirements.toml is an admin-enforced configuration file that constrains security-sensitive settings users can’t override. For details, locations, and examples, see Admin-enforced requirements.
For ChatGPT Business and Enterprise users, Codex can also apply cloud-fetched requirements. See the security page for precedence details.
<ConfigTable options={[ { key: "allowed_approval_policies", type: "array<string>", description: "Allowed values for `approval_policy`.", }, { key: "allowed_sandbox_modes", type: "array<string>", description: "Allowed values for `sandbox_mode`.", }, { key: "allowed_web_search_modes", type: "array<string>", description: "Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`.", }, { key: "mcp_servers", type: "table", description: "Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled.", }, { key: "mcp_servers.<id>.identity", type: "table", description: "Identity rule for a single MCP server. Set either `command` (stdio) or `url` (streamable HTTP).", }, { key: "mcp_servers.<id>.identity.command", type: "string", description: "Allow an MCP stdio server when its `mcp_servers.<id>.command` matches this command.", }, { key: "mcp_servers.<id>.identity.url", type: "string", description: "Allow an MCP streamable HTTP server when its `mcp_servers.<id>.url` matches this URL.", }, { key: "rules", type: "table", description: "Admin-enforced command rules merged with `.rules` files. Requirements rules must be restrictive.", }, { key: "rules.prefix_rules", type: "array<table>", description: "List of enforced prefix rules. Each rule must include `pattern` and `decision`.", }, { key: "rules.prefix_rules[].pattern", type: "array<table>", description: "Command prefix expressed as pattern tokens. Each token sets either `token` or `any_of`.", }, { key: "rules.prefix_rules[].pattern[].token", type: "string", description: "A single literal token at this position.", }, { key: "rules.prefix_rules[].pattern[].any_of", type: "array<string>", description: "A list of allowed alternative tokens at this position.", }, { key: "rules.prefix_rules[].decision", type: "prompt | forbidden", description: "Required. Requirements rules can only prompt or forbid (not allow).", }, { key: "rules.prefix_rules[].justification", type: "string", description: "Optional non-empty rationale surfaced in approval prompts or rejection messages.", }, ]} client:load/>