> ## Documentation Index
> Fetch the complete documentation index at: https://authsome.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Codex

> Use authsome from OpenAI's Codex CLI. Run agents under the auth proxy so credentials never enter the agent's environment.

OpenAI's [Codex CLI](https://github.com/openai/codex) is a coding agent that runs locally and shells out to other tools. Authsome plugs in cleanly: wrap the agent invocation with `authsome run --` and the proxy injects fresh credentials for every service the agent calls.

<Note>
  **The agent drives login.** When Codex hits a missing credential it runs `authsome login <provider>` itself, opens a browser on your machine for OAuth consent, and picks up from there. Don't paste keys into prompts and don't pre-run login commands unless you're seeding a credential ahead of time.
</Note>

<Prompt description="**Run Codex under the auth proxy.** Paste this to set up the wrapper." icon="terminal" iconType="solid" actions={["copy"]}>
  Set me up to run Codex under authsome's auth proxy so my OpenAI key and GitHub token are injected at request time instead of sitting in my environment.

  1. Run `authsome login openai` and `authsome login github` if I'm not already logged in.
  2. Launch Codex with `authsome run -- codex`.
  3. After Codex starts, verify the env is clean by running `env | grep -E "OPENAI|GITHUB"` in the agent's shell. The values should read `authsome-proxy-managed`.
  4. Make one real API call (a quick `gh api user` or an OpenAI chat completion) to confirm the proxy is injecting the real credentials.
</Prompt>

## What you get

* One login per service. Codex never sees raw `client_secret`s, tokens, or API keys.
* Automatic refresh. OAuth tokens stay fresh between Codex sessions.
* Multi-account support. Run Codex against your work GitHub one minute, personal the next.
* The same vault. Connections created from Codex live alongside connections from the regular CLI.

## Recommended pattern: run Codex under the proxy

```bash theme={null}
authsome login github
authsome login openai
authsome run -- codex
```

Inside Codex:

* `OPENAI_API_KEY=authsome-proxy-managed` is set in Codex's environment, so its SDK initializes.
* Outbound HTTPS calls to `api.openai.com`, `api.github.com`, and any other matched provider are intercepted and authenticated at the proxy layer.
* Codex's own subprocess calls inherit the same `HTTP_PROXY` / `HTTPS_PROXY` variables, so tools Codex spawns are also covered.

## Alternative: env export before launch

If Codex is running in an environment where the proxy CA cannot be trusted, fall back to env-var export:

```bash theme={null}
eval "$(authsome export openai --format env)"
eval "$(authsome export github --format env)"
codex
```

The variables persist for the shell session. Codex (and anything it spawns) reads them as it normally would. Re-run `eval` after token refresh, or use the proxy pattern above to avoid that step.

## Multiple accounts

```bash theme={null}
authsome login github --connection personal
authsome login github --connection work
authsome login github --connection work --force   # switch default to work
authsome run -- codex
```

The proxy uses each provider's default connection. To target a non-default connection in a single Codex session, set it as the default with `--force` first. See [Multiple connections per provider](/guides/multiple-connections).

## Embedding the library

If you're orchestrating Codex from a larger Python program and need explicit per-call control, drop below the proxy into the library:

```bash theme={null}
authsome run -- python my_agent.py
# or: eval "$(authsome export <provider> --format env)"
```

This pattern is cleaner than passing keys through prompts or hardcoding them into `.env` files. See [Python library](/reference/python-library).

## Troubleshooting

| Symptom                                                         | Fix                                                                                        |
| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| Codex starts but every API call fails with TLS errors           | The mitmproxy CA isn't trusted. See [Proxy networking](/troubleshooting/proxy-networking). |
| Codex doesn't see the env var even though `authsome run` set it | Verify with `authsome run -- env \| grep OPENAI`.                                          |
| Authsome login hangs                                            | `authsome doctor` and check port 7998 availability.                                        |

## What's next

<Columns cols={2}>
  <Card title="Run agents with the proxy" icon="shield-halved" href="/guides/run-agents-with-proxy">
    The injection model in detail.
  </Card>

  <Card title="OpenAI integration" icon="key" href="/integrations/api-key/openai">
    Set up the OpenAI key Codex will use.
  </Card>
</Columns>
