Skip to main content
The approval system gives you fine-grained control over when Codex can execute commands, modify files, or perform other sensitive operations without human oversight.

Approval policies

Codex supports four approval policies that determine when to prompt for permission:
On-request (recommended default):
  • Prompts when the agent needs to escape the sandbox
  • Auto-approves operations that stay within sandbox boundaries
  • Balances safety and productivity
Use for: General development work

Approval prompts

When approval is required, you’ll see an interactive prompt with details about the operation:

Command execution approval

File change approval

Approval decisions

When prompted, you can choose from several approval levels:
1

Accept once

Approve this specific operation only. The next similar operation will require approval again.
2

Accept for session

Approve this operation and automatically approve identical operations for the rest of this session. Resets when you restart Codex.
3

Accept and add to policy

Approve this operation and add an execpolicy rule so similar commands never require approval again (persists across sessions).
4

Decline

Reject this operation. The agent will receive an error and may try an alternative approach.
5

Cancel turn

Abort the entire current operation. The agent stops processing your request.

Execpolicy rules

Execpolicy is Codex’s policy engine for defining which commands are trusted. Rules are written in Starlark syntax and stored in .codex/execpolicy/ files.

Rule structure

Decision levels

  • allow - Auto-approve matching commands (no prompt)
  • prompt - Always prompt for approval
  • forbidden - Never allow (show justification to agent)

Pattern matching

Patterns match command prefixes in order:

Host executables

Constrain which absolute paths can match basename rules:
With this definition:
  • /usr/bin/git status can match ["git", "status"] rules
  • /usr/local/bin/git status cannot (not in allowed paths)

Testing rules

Add inline tests to validate your rules:

Checking rules

Test a command against your policies:
Output:

Configuration

Configure approval behavior in ~/.codex/config.toml:

Per-project configuration

Create project-specific rules in your repository:
Codex automatically loads rules from .codex/execpolicy/ in your working directory.

Convenience flags

Codex provides shortcuts for common approval configurations:

Full-auto mode

Combines --ask-for-approval on-request with --sandbox workspace-write:
This is ideal for:
  • Sandboxed CI/CD environments
  • Development tasks in trusted directories
  • Quick prototyping

YOLO mode (dangerous)

Completely bypasses approvals and sandboxing:
NEVER use --yolo on untrusted inputs or in production. This disables all safety checks. Only use in externally sandboxed environments.

Approval prompts in app-server

When using the app-server API, approval requests are JSON-RPC requests that clients must respond to:

Command approval request

Client response

Best practices

Start with on-request

Provides good balance between safety and usability

Build execpolicy rules incrementally

Add rules as you approve common operations

Review policy suggestions

Carefully examine suggested rules before accepting

Use unless-trusted for sensitive work

Maximum oversight for production or critical systems

Test rules before deploying

Use codex execpolicy check to validate rules

Document justifications

Add clear justifications to help future you understand rules

Advanced: Network approval

Codex can prompt for network access on a per-host basis:
Network approvals integrate with the same decision levels as command approvals.

Troubleshooting

Check your approval policy:
Or verify config:
Build execpolicy rules to auto-approve trusted commands:
  • Accept with [p] when prompted to create rules
  • Manually write rules in .codex/execpolicy/
  • Use --ask-for-approval on-request instead of unless-trusted
Test your rules explicitly:
Check pattern syntax and ensure prefixes match exactly.
Session approvals only last for the current thread. Use execpolicy rules for persistent approvals across sessions.

Next steps

Sandboxing

Understand how sandboxing complements approvals

Non-interactive mode

Use approvals in automation