← All integrations
Codex CLI Integration

Codex CLI: governed once. Every project on this machine.

Codex reads its MCP config from ~/.codex/config.toml — one file, every project on the machine. Register AgentValet once and every Codex run on this laptop is governed: scoped credentials, audit log, no .env exports per repo.

Setup

One command. Configured once, works in every Codex session.

The AgentValet CLI signs you in via your browser, generates an RS256 keypair, registers your Codex session as an agent, and writes the MCP entry to ~/.codex/config.toml. Codex's config is global by design - so this single setup applies to every project on this machine.

terminal 
# Anywhere on your machine
npx @agentvalet/register

# Browser opens. Sign in. Done.
# The CLI writes:
#   ~/.codex/config.toml   - global MCP entry
#   ./AGENTS.md            - project-level governance notes
1
Run npx @agentvalet/register.
2
Your browser opens to AgentValet. Sign in (or sign up - it's free). The CLI auto-completes registration when you authorize.
3
Approve platforms in the AgentValet dashboard. Set what each agent can call.
4
Run codex normally. AgentValet shows up in the tool list any time the agent needs to call a platform. No keys in your shell - all calls proxied and logged.
One config, every project - because Codex reads MCP servers from ~/.codex/config.toml, you set this up once on a machine and every Codex session inherits it. No per-repo config to commit, no per-clone setup, no .gitignore dance.
Prefer to wire it up by hand?

The CLI is the recommended path. If you'd rather edit the TOML yourself, here's the equivalent block. You can also use codex mcp add agentvalet … from the Codex CLI:

~/.codex/config.toml 
[mcp_servers.agentvalet]
command = "npx"
args    = ["-y", "@agentvalet/register", "mcp-server"]

You'll still want to run npx @agentvalet/register once so the CLI can store your agent's private key on this machine - the MCP server reads it at startup.

Alternative: Connect over OAuth

Two commands. Browser consent. No token in your config.

Codex supports Streamable HTTP MCP servers with OAuth. Add AgentValet's URL with codex mcp add, then run codex mcp login. A browser tab opens for OAuth consent. The agent is provisioned a signing identity. AgentValet implements Dynamic Client Registration, which is what Codex's OAuth requires.

terminal 
# Register AgentValet as a Streamable HTTP MCP server
codex mcp add agentvalet --url https://api.agentvalet.ai/mcp/v1/<your-owner-id>

# Open the browser OAuth flow
codex mcp login agentvalet
1
Sign in at app.agentvalet.ai and copy your owner id from the dashboard.
2
Run codex mcp add agentvalet --url https://api.agentvalet.ai/mcp/v1/<your-owner-id> to register the server.
3
Run codex mcp login agentvalet. A browser tab opens for OAuth consent. Approve it and the agent is provisioned its signing identity.
4
Approve platforms in the AgentValet dashboard. Every Codex session on this machine inherits governance automatically.
Identity, not credentials. Codex's OAuth connect requires the MCP server to implement Dynamic Client Registration. AgentValet does. The agent gets a signing identity through the consent flow, not a raw credential sitting in ~/.codex/config.toml.
What changes

Terminal agent, governed platform access

No keys in env vars
Codex agents no longer need GITHUB_TOKEN or SLACK_TOKEN in your shell. AgentValet handles credential injection at call time.
Permission matrix
Each platform call is validated against the permission matrix you set in the dashboard - deny-by-default, explicit allow required per scope.
Append-only audit log
Every call logged in append-only storage: which agent, which platform, which action, exact timestamp.
Circuit breaker
Three auth failures or five API errors auto-suspend the agent. You're notified and can investigate before re-enabling.

Ship governed Codex in under 5 minutes.

One command. The browser does the rest. Free to start, no credit card.

Connect AgentValet to Codex →