How to log in to Codex with an API key

API key login keeps Codex usable in CI jobs, remote shells, and other programmatic terminal workflows where browser-based ChatGPT sign-in is not the right fit. It also routes usage to an OpenAI Platform account instead of a ChatGPT subscription.

Current OpenAI Codex authentication supports both ChatGPT and API-key sign-in for the CLI and IDE extension. When an API key is imported, Codex caches the login locally and reuses it on later starts, and the CLI and IDE extension share the same cached login.

API-key sessions are billed at standard API rates and do not include ChatGPT-credit features such as fast mode. Protect both the API key and the cached login because Codex stores credentials either in the OS credential store or in /~/.codex/auth.json when file-based storage is enabled.

Steps to log in to Codex with an API key:

Check whether Codex is already using another cached login.
```
$ codex login status
Not logged in
```
If the output shows a different account or sign-in method, run How to log out of Codex before loading the new API key.
Create or copy a secret API key from the OpenAI dashboard.
```
https://platform.openai.com/api-keys
```
Treat the key like a password and keep it out of tickets, screenshots, and committed files.
Load the secret into the current shell as OPENAI_API_KEY.
```
$ export OPENAI_API_KEY="sk-proj-REPLACE_WITH_REAL_KEY"
```
Literal exports can be written to shell history, so use a history-safe shell or another protected secret-loading method on shared systems.
Pipe the API key to Codex and let the CLI cache the login.
```
$ printenv OPENAI_API_KEY | codex login --with-api-key
Reading API key from stdin...
Successfully logged in
```
--with-api-key reads the secret from stdin; plain codex login follows the default ChatGPT sign-in path when no valid session is cached.
Confirm the cached profile now shows API-key authentication.
```
$ codex login status
Logged in using an API key - sk-proj-***4M9ZQ
```
The status command is the decisive success check for the login step.
Remove the key from the current shell if it was loaded only for the login command.
```
$ unset OPENAI_API_KEY
```
Unsetting the environment variable does not log Codex out because the CLI already cached the authenticated session locally.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.