Device authentication signs the Codex CLI into a ChatGPT account without placing an API key in a terminal session, which is ideal for headless or remote environments.

The flow follows an OAuth 2.0-style device authorization pattern: Codex prints a verification URL and a short code, then the browser returns an access token to the CLI after approval. The cached login is shared between the CLI and IDE extension, so signing in once covers both clients.

Device code login is marked experimental/beta and must be enabled in ChatGPT security settings (personal accounts) or workspace permissions (admin-managed). Device codes expire quickly, so complete the browser step immediately and in the correct account.

Steps to log in to Codex with device auth:

  1. Enable device code login in ChatGPT security settings or workspace permissions.

    Workspace admins control whether device code auth is allowed for managed accounts.

  2. Start the device authentication flow.
    $ codex login --device-auth
    Open the following URL and enter the code to continue:
    https://www.openai.com/device
    Code: ABCD-EFGH
    Waiting for authorization...

    Anyone with the device code can approve the login, so avoid posting terminal output in tickets, chat rooms, or screenshots.

  3. Open the verification URL shown by the CLI in a browser.

    The browser can run on a different machine than the terminal session.

  4. Enter the device code and click Continue.

    If the page reports an expired or invalid code, restart the flow in the terminal to generate a new code.

  5. Sign in to the intended ChatGPT account when prompted.

    Use a private/incognito window when multiple accounts are already signed in to avoid approving the wrong account.

  6. Approve the device authentication request.
  7. Verify the login state once the browser flow completes.
    $ codex login status
    Logged in using ChatGPT
  8. Run a simple request to confirm the new session is usable.
    $ codex exec "Return OK."
    OK