API-key login gives Codex a local OpenAI Platform credential for private runners, remote shells, and terminal automation where browser-based ChatGPT sign-in would put a personal or workspace session on that machine. The CLI imports the key once, stores a local Codex login, and later starts can use the cached API-key profile without leaving the raw key in the shell environment.
OpenAI Codex supports ChatGPT sign-in for subscription access and API-key sign-in for usage-based access. Plain codex login starts the default ChatGPT browser path when no valid session exists, while codex login --with-api-key reads a Platform API key from standard input. The CLI and IDE extension share cached local login details.
API-key usage is billed through the OpenAI Platform account at standard API rates, follows the API organization's retention and data-sharing settings, and does not use included ChatGPT plan credits. Features that rely on ChatGPT workspace access or cloud services can be limited or unavailable with API-key authentication, and Codex cloud still requires ChatGPT sign-in. If the CLI stores credentials in auth.json under CODEX_HOME instead of an operating-system credential store, treat that file like password material.
Related: How to check Codex login status
Related: How to log in to Codex with device authentication
Related: How to log out of Codex
Steps to log in to Codex with an API key:
- Check the current Codex login state in the same shell that will store the new API-key session.
$ codex login status Not logged in
If the output shows an unexpected account or sign-in method, log out before loading the new API key.
Related: How to log out of Codex - Create or copy a secret API key from the OpenAI dashboard.
https://platform.openai.com/api-keys
Treat the key like a password and keep it out of tickets, screenshots, logs, and committed files.
- Load the secret into the current shell as OPENAI_API_KEY.
$ export OPENAI_API_KEY="sk-proj-REPLACE_WITH_REAL_KEY"
A literal export can be saved in shell history, so use a protected secret-loading method on shared systems. CODEX_API_KEY is a separate inline credential path for single codex exec runs, not the persistent login input.
- Pipe the API key to Codex and let the CLI cache the local login.
$ printenv OPENAI_API_KEY | codex login --with-api-key Reading API key from stdin... Successfully logged in
--with-api-key reads the secret from stdin. If OPENAI_API_KEY is unset or was not exported, the command reports that no API key was provided.
- Confirm the cached profile shows API-key authentication.
$ codex login status Logged in using an API key - sk-proj-***ABCD1
The masked suffix will differ for each key. Look for an API-key authentication line before starting the Codex session or automation that depends on this login.
- Remove the key from the current shell if it was loaded only for the login command.
$ unset OPENAI_API_KEY
Unsetting the environment variable does not log Codex out because the CLI already cached the authenticated session locally.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
