How to log in to Codex with device authentication

Device authentication lets Codex sign in to ChatGPT from remote shells, SSH sessions, and other environments where opening a local browser window from the CLI is unreliable or unavailable.

The current Codex CLI starts the device code flow with codex login --device-auth, then prints the OpenAI device-login URL and a one-time code for the browser step. After the browser authorizes the session, Codex stores the login locally and reuses it in later CLI and IDE extension sessions.

Browser-based codex login remains the default when a normal local callback works. Device authentication is a beta fallback for headless or localhost-callback-blocked environments, and ChatGPT accounts that can use email/password must have MFA enabled before Codex access. Cached login details live in the OS credential store or in /~/.codex/auth.json when file-based storage is enabled.

Related: How to check Codex login status
Related: How to log in to Codex with an API key

Steps to log in to Codex with device authentication:

  1. Start the device authentication flow in the same terminal environment that will run Codex. 
    $ codex login --device-auth
Follow these steps to sign in with ChatGPT using device code authorization:

1. Open this link in your browser and sign in to your account
   https://auth.openai.com/codex/device

2. Enter this one-time code (expires in 15 minutes)
   ABCD-EFGHI

Device codes are a common phishing target. Never share this code.

    Use this flow when codex login cannot hand the OAuth result back through the normal localhost browser callback.

  2. Open the device-login page in a browser and enter the one-time code from the terminal. 
    https://auth.openai.com/codex/device

    The device code authorizes a real login while it is still valid, so do not paste it into tickets, chat, or shared notes.

  3. Finish the ChatGPT sign-in and any MFA or workspace selection steps in the browser.

    If the current environment requires a different login method, use How to log in to Codex with an API key or the standard browser-based codex login flow allowed by that workspace.

  4. Wait for Codex to store the local session and return control to the terminal.

    The CLI and IDE extension reuse the same cached ChatGPT login, so a later IDE session normally does not need another sign-in until the local session is removed or expires.

  5. Check that the local session is now authenticated before starting normal Codex work. 
    $ codex login status
Logged in using ChatGPT

    codex login status exits with code 0 when cached credentials are present, which is useful for shell checks and automation gates.

  6. Start a normal Codex session from the same environment after the login check succeeds. 
    $ codex