Codex CLI: ChatGPT Device-Code Sign-In in App-Server TUI
Codex CLI 0.116.0 brings ChatGPT device-code authentication to the app-server TUI, enabling sign-in during onboarding and token refresh without a browser window. This resolves a critical pain point for developers running Codex in headless environments (remote servers, CI machines, Docker containers, and SSH sessions) where browser-based OAuth flows are unavailable or blocked. The feature directly addresses multiple long-standing community issues and extends device-code support, previously available only in the main CLI, to the app-server layer where plugins, filesystem RPCs, and multi-agent orchestration live.
Sources & Mentions
5 external resources covering this update
- Releases - openai/codex (rust-v0.116.0) (GitHub)
- Codex CLI cannot log in on headless environments unless Device Code auth is enabled - Issue #9253 (GitHub)
- Enable Headless or Command-line Authentication for Codex CLI - Issue #3820 (GitHub)
- Support remote / headless OAuth sign-in - Issue #2798 (GitHub)
- Codex by OpenAI - Release Notes - March 2026 (Releasebot)
Headless Authentication for the App-Server TUI
Codex CLI 0.116.0 extends device-code ChatGPT authentication to the app-server TUI. The app-server is the backend layer powering Codex's richer integrations, including plugin management, filesystem RPCs, and multi-agent orchestration. Until now, signing into ChatGPT within this context required a browser-based OAuth flow, which fails in headless environments.
What Changed
The app-server TUI now supports two key authentication improvements:
- Device-code sign-in during onboarding: When a developer launches the app-server TUI without an active session, it can now present a device-code flow, displaying a short code and a URL the user visits on any browser-capable device to complete authentication. No local browser or localhost callback required.
- Token refresh: Existing ChatGPT sessions can now be refreshed through the TUI as well, preventing sessions from expiring silently and forcing full re-authentication in environments where that is disruptive.
Why This Matters for Developers
Headless authentication has been one of the most-requested issues in the Codex CLI repository. GitHub issues #9253, #3820, and #2798 all document variations of the same problem: developers running Codex on remote development boxes, in Docker containers, or through SSH tunnels could not complete the standard OAuth flow because it requires a local browser and a working localhost callback port.
The device-code flow sidesteps this entirely. It is a standard OAuth 2.0 extension (RFC 8628) in which the client obtains a device code and instructs the user to authenticate on a separate, browser-capable device. The CLI polls in the meantime and receives the token automatically once authentication completes. No port forwarding or server-side browser installation is required.
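The polling half of that flow, as an added example that is not Codex's own code: a client loop following RFC 8628 sections 3.4 and 3.5, run against a constructed in-memory endpoint. The function names, client id, device code and token value are assumptions made for illustration.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4

class DeviceFlowError(Exception):
    """Terminal failure: the flow must be restarted with a fresh device code."""

def poll_for_token(post_token, device_code, client_id, interval=5,
                   expires_in=900, sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until success, denial or expiry.

    post_token is the injected transport (hypothetical): form dict in, JSON dict out.
    """
    deadline = now() + expires_in
    while True:
        sleep(interval)                      # wait before every request
        if now() >= deadline:                # never poll past the code's lifetime
            raise DeviceFlowError("expired_token")
        resp = post_token({"grant_type": GRANT_TYPE,
                           "device_code": device_code,
                           "client_id": client_id})
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":   # user has not finished yet
            continue
        if err == "slow_down":               # section 3.5: add 5 s from now on
            interval += 5
            continue
        # access_denied, expired_token or anything unknown ends the flow
        raise DeviceFlowError(err or "invalid_response")

def run_demo():
    """Replay constructed server replies with a fake clock, so nothing sleeps."""
    script = iter([{"error": "authorization_pending"},
                   {"error": "slow_down"},
                   {"error": "authorization_pending"},
                   {"access_token": "constructed-token", "token_type": "Bearer"}])
    clock, waits = [0.0], []
    def fake_sleep(seconds):
        waits.append(seconds)
        clock[0] += seconds
    token = poll_for_token(lambda form: next(script), "constructed-device-code",
                           "example-client", sleep=fake_sleep, now=lambda: clock[0])
    return token["access_token"], waits

if __name__ == "__main__":
    print(run_demo())
```

The recorded waits show the interval growing after `slow_down`; a client that ignores it, or that keeps polling after `access_denied` or expiry, is the usual source of rate-limit lockouts in headless sign-in loops.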
Enterprise Relevance
For enterprise environments, device-code authentication is particularly significant. Corporate deployments often restrict developer machines to headless CI/CD environments or maintain VPN configurations that block localhost OAuth callbacks. With device-code support now reaching the app-server layer, teams can fully leverage the richer app-server features (plugins, filesystem RPCs, multi-agent workflows) without maintaining workarounds like tunneled browser sessions or pre-shared API keys.
The app-server's growing feature surface (filesystem RPCs in 0.115.0, plugin lifecycle in 0.113.0, streaming TTY/PTY in 0.113.0) makes authenticated access to it increasingly important. This release closes a meaningful gap between what the CLI could do and what the app-server layer could access.