Device authentication lets Codex sign in to ChatGPT from remote shells, SSH sessions, and other environments where opening a local browser window from the CLI is unreliable or unavailable.
The current Codex CLI starts the device code flow with codex login --device-auth, then prints the OpenAI device-login URL and a one-time code for the browser step. After the browser authorizes the session, Codex stores the login locally and reuses it in later CLI and IDE extension sessions.
Browser-based codex login remains the default when a normal local callback works. Device authentication is a beta fallback for headless or localhost-callback-blocked environments, and ChatGPT accounts that can use email/password must have MFA enabled before Codex access. Cached login details live in the OS credential store or in /~/.codex/auth.json when file-based storage is enabled.
Related: How to check Codex login status
Related: How to log in to Codex with an API key
Steps to log in to Codex with device authentication:
- Start the device authentication flow in the same terminal environment that will run Codex.
$ codex login --device-auth Follow these steps to sign in with ChatGPT using device code authorization: 1. Open this link in your browser and sign in to your account https://auth.openai.com/codex/device 2. Enter this one-time code (expires in 15 minutes) ABCD-EFGHI Device codes are a common phishing target. Never share this code.
Use this flow when codex login cannot hand the OAuth result back through the normal localhost browser callback.
- Open the device-login page in a browser and enter the one-time code from the terminal.
https://auth.openai.com/codex/device
The device code authorizes a real login while it is still valid, so do not paste it into tickets, chat, or shared notes.
- Finish the ChatGPT sign-in and any MFA or workspace selection steps in the browser.
If the current environment requires a different login method, use How to log in to Codex with an API key or the standard browser-based codex login flow allowed by that workspace.
- Wait for Codex to store the local session and return control to the terminal.
The CLI and IDE extension reuse the same cached ChatGPT login, so a later IDE session normally does not need another sign-in until the local session is removed or expires.
- Check that the local session is now authenticated before starting normal Codex work.
$ codex login status Logged in using ChatGPT
codex login status exits with code 0 when cached credentials are present, which is useful for shell checks and automation gates.
- Start a normal Codex session from the same environment after the login check succeeds.
$ codex
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
