Codex API Admin Guide

Complete Administrator's Guide for Managing the Codex API Service

πŸš€ Getting Started

Server-Specific Quick Setup Checklist

βœ… Prerequisites Met? Ensure you have:
  • Docker installed (optional but recommended)
  • At least 2GB RAM available
  • Network access to OpenAI or your model provider
  • Administrative privileges on the host system
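
A quick scripted check of these prerequisites, as a minimal sketch (the 2GB threshold and the OpenAI endpoint are taken from the list above; adjust for other providers):

# Sketch: verify the prerequisites above before installing
command -v docker >/dev/null 2>&1 && echo "Docker: OK" || echo "Docker: not found (optional)"
# 'available' memory is column 7 of `free -m` on modern procps
free -m | awk '/^Mem:/ {print ($7 >= 2048 ? "RAM: OK" : "RAM: under 2GB available")}'
curl -sI --max-time 5 https://api.openai.com >/dev/null && echo "Network: OK" || echo "Network: cannot reach OpenAI"
[ "$(id -u)" -eq 0 ] && echo "Privileges: root" || echo "Privileges: not root (use sudo)"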

Server-Specific Installation Steps

1. Clone Repository

cd /var/www
git clone https://github.com/your-org/codex-wrapper.git api3
cd api3

2. Install Python Dependencies

cd /var/www/api3
pip install -r requirements.txt

3. Install Codex CLI

⚠️ IMPORTANT: Understanding the Codex Installation

This server has Codex installed with two components:

  • NPM Wrapper: /root/.nvm/versions/node/v24.10.0/bin/codex (JavaScript wrapper script)
  • Real Binary: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex (native executable)

Verify both components exist:

# Check NPM wrapper exists
ls -la /root/.nvm/versions/node/v24.10.0/bin/codex

# Check real binary exists
ls -la /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex

# Check version (uses wrapper)
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
/root/.nvm/versions/node/v24.10.0/bin/codex --version

# Expected output (example):
# codex version 0.63.0
πŸ“Œ Note: Always use the NPM wrapper at /root/.nvm/versions/node/v24.10.0/bin/codex for operations. It will automatically call the real binary.

4. Configure Environment

cd /var/www/api3
cp .env.example .env
# Edit .env with your settings

Verification Steps

After installation, verify everything is working:
  1. Check NPM wrapper: /root/.nvm/versions/node/v24.10.0/bin/codex --version
  2. Verify real binary exists: ls -la /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  3. Set environment variables: export CODEX_HOME=/opt/codex && export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
  4. Check authentication status: /root/.nvm/versions/node/v24.10.0/bin/codex login status
  5. If not authenticated: /root/.nvm/versions/node/v24.10.0/bin/codex login or echo "sk-your-api-key" | /root/.nvm/versions/node/v24.10.0/bin/codex login --with-api-key
  6. Test authentication: /root/.nvm/versions/node/v24.10.0/bin/codex whoami
  7. Start the service: sudo systemctl start codex-wrapper-api3
  8. Test API: curl http://localhost:5203/health

βš™οΈ Daily Operations

Starting the Service

Development Mode:
cd /var/www/api3
python -m uvicorn app.main:app --host 0.0.0.0 --port 5203 --reload
Production Mode (Systemd Service):
# Start the service
sudo systemctl start codex-wrapper-api3

# Check status
sudo systemctl status codex-wrapper-api3

# Enable on boot
sudo systemctl enable codex-wrapper-api3

Using Docker (Optional)

Quick Start with Docker Compose

cd /var/www/api3
docker-compose up -d

View Logs

docker-compose logs -f codex-api

Stop Service

docker-compose down

API Usage Workflow

1. List Available Models

GET http://localhost:5203/v1/models

Check which models are configured and available

2. Make a Chat Request

POST http://localhost:5203/v1/chat/completions

Send requests with proper authentication
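
A minimal request, as a sketch (full examples appear later in this guide; the proxy key and port are this server's configured values):

curl -X POST http://localhost:5203/v1/chat/completions \
  -H "Authorization: Bearer eric" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-5.1-codex", "messages": [{"role": "user", "content": "Hello"}]}'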

πŸ“‹ Available Models & Reasoning Control

βœ… Working Base Models (5 Models)

πŸ”₯ Premium Codex Models
  • gpt-5.1-codex-max - Flagship, exceptional quality
  • gpt-5.1-codex - Recommended default, balanced
  • gpt-5.1-codex-mini - Fast, cost-effective
πŸ€– General Purpose Models
  • gpt-5.1 - Enhanced with high reasoning
  • gpt-5 - Previous generation, compatible

βš™οΈ Dynamic Reasoning Control

πŸŽ›οΈ Use x_codex Parameter for Reasoning Control

Instead of using separate model variants, control reasoning effort dynamically:

Reasoning Level | API Parameter | Speed | Best For
⚑ Low | "reasoning_effort": "low" | πŸƒ Fast (1-2s) | Quick fixes, simple scripts
βš™οΈ Medium | "reasoning_effort": "medium" | ⚑ Balanced (2-3s) | Production code, daily tasks
🧠 High | "reasoning_effort": "high" | 🐒 Slow (3-5s) | Complex algorithms, research

⚠️ Currently Unavailable

  • Extra High reasoning level (returns 400 errors)
  • Specialized model variants (e.g., gpt-5.1-codex-max-low, etc.)
  • Separate thinking levels (not supported with current account)
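
To confirm a variant is unsupported, a quick status-code check (sketch; the exact error body may vary):

curl -s -o /dev/null -w "%{http_code}\n" -X POST http://localhost:5203/v1/chat/completions \
  -H "Authorization: Bearer eric" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-5.1-codex-max-low", "messages": [{"role": "user", "content": "test"}]}'
# Expected: 400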

πŸ“š Usage Examples

High Reasoning Example:
curl -X POST "https://api3.exploit.bot/v1/chat/completions" \
Β Β -H "Authorization: Bearer eric" \
Β Β -d '{"model": "gpt-5.1-codex", "x_codex": {"reasoning_effort": "high"}}'
Low Reasoning for Speed:
curl -X POST "https://api3.exploit.bot/v1/chat/completions" \
Β Β -H "Authorization: Bearer eric" \
Β Β -d '{"model": "gpt-5.1-codex-mini", "x_codex": {"reasoning_effort": "low"}}'
πŸ’‘ Updated Recommendations:
  • Use gpt-5.1-codex with Medium reasoning for daily tasks
  • Use gpt-5.1-codex-max with High reasoning for production-critical code
  • Use gpt-5.1-codex-mini with Low reasoning for rapid prototyping
  • Use Low reasoning for simple debugging and quick fixes
  • Avoid unsupported models to prevent 400 errors

Daily Health Checks

⚠️ Important Daily Tasks:
  • Check authentication status, and rotate API keys on schedule, if using key-based authentication
  • Check for Codex CLI updates: npm update -g @openai/codex (verify binary path doesn't change after update)
  • Monitor quota usage with your provider
  • Backup configuration files

πŸ” Comprehensive Authentication Setup Guide

Overview of Authentication Layers

The Codex API uses a two-layer authentication system:

  1. Proxy API Key: Authenticates clients to this API wrapper service
  2. Codex CLI Authentication: Authenticates the wrapper service to the underlying Codex CLI

Both layers must be properly configured for the system to work.
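
Each layer can be tested independently; a minimal sketch using commands from later sections:

# Layer 1: proxy key accepted by the wrapper (expects 200)
curl -s -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer eric" http://localhost:5203/v1/models

# Layer 2: Codex CLI authenticated to the provider
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
/root/.nvm/versions/node/v24.10.0/bin/codex login status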

πŸš€ Part 1: Detailed Codex CLI Authorization Setup

⚠️ Before You Begin:
  • The systemd service runs as root user (not www-data, not ubuntu)
  • Ensure you have administrative access to this system
  • Choose your authentication method (OAuth or API Key)
  • For production, use API Key authentication

Step 1: Verify Codex CLI Installation

⚠️ VERIFYING THE EXACT INSTALLATION ON THIS SERVER:

# Check if NPM wrapper exists
ls -la /root/.nvm/versions/node/v24.10.0/bin/codex

# Check if real binary exists
ls -la /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex

# Verify version using NPM wrapper
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
/root/.nvm/versions/node/v24.10.0/bin/codex --version

# Expected output:
# codex version 0.63.0

# Check Node.js version
node --version
# Expected: v24.10.0
βœ… Installation Status:
  • Codex Version: 0.63.0
  • Node.js Version: v24.10.0
  • System Architecture: x86_64 Linux
  • NPM Wrapper: /root/.nvm/versions/node/v24.10.0/bin/codex
  • Real Binary: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex

Step 2: Service User Configuration

The service runs as root user. Check this:

# Check current user
whoami

# Check if service is running as root
ps aux | grep uvicorn | grep -v grep
βœ… Service Configuration:
  • User: root
  • Group: root
  • Working Directory: /var/www/api3
  • Service Name: codex-wrapper-api3
  • Environment File: /var/www/api3/.env
  • Codex Real Binary: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  • Codex NPM Wrapper: /root/.nvm/versions/node/v24.10.0/bin/codex
  • CODEX_PATH in .env: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  • CODEX_BINARY_PATH in .env: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  • CODEX_HOME: /opt/codex

Step 3: OAuth Authentication Method (ChatGPT Login)

Interactive Terminal Setup

For local development or when you can open a browser:

# Set environment variables
export CODEX_HOME=/opt/codex
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"

# Check current authentication status
/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login status

# If not authenticated, run interactive OAuth login
/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login

# Expected output:
# Opening browser to: https://chat.openai.com/auth/login
# Waiting for authentication...
# Success! You are now logged in as user@example.com
# Credentials saved to: /opt/codex/auth.json

# Alternative: Use NPM wrapper (recommended)
/root/.nvm/versions/node/v24.10.0/bin/codex login
What happens in detail:
  1. Codex CLI starts a local web server on port 1455
  2. Your browser opens to OpenAI's authentication page
  3. You log in with your ChatGPT credentials
  4. OpenAI redirects back to localhost:1455
  5. The CLI receives and stores the authentication token
  6. Token is saved to /opt/codex/auth.json
Remote/Headless Setup

For servers without GUI access:

# Method 1: SSH Port Forwarding
ssh -L 1455:localhost:1455 root@your-server

# Then on the server:
/root/.nvm/versions/node/v24.10.0/bin/codex login

# Method 2: Manual Token Transfer
# On a machine with browser:
/root/.nvm/versions/node/v24.10.0/bin/codex login --export-token > token.txt

# Transfer token.txt to server:
scp token.txt root@server:/tmp/

# On server:
/root/.nvm/versions/node/v24.10.0/bin/codex login --import-token /tmp/token.txt
rm /tmp/token.txt
Common Issues with OAuth:
  • Port 1455 blocked: Use port forwarding or different port
  • Browser blocked: Use manual token transfer
  • Corporate firewall: May need to allow chat.openai.com

Step 4: API Key Authentication Method (Production)

Setup with OpenAI API Key

Best for production environments, automation, and headless servers:

# Set up environment variables
export CODEX_HOME=/opt/codex
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"

# Method 1: Direct login with API key (using real binary)
/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login --with-api-key

# Then paste your API key when prompted, OR pipe it:
echo "sk-your-api-key-here" | /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login --with-api-key

# Method 2: Using NPM wrapper (recommended)
/root/.nvm/versions/node/v24.10.0/bin/codex login --api-key "sk-...your-api-key-here"

# Method 3: Environment variable (recommended for containers)
export OPENAI_API_KEY="sk-...your-api-key-here"
/root/.nvm/versions/node/v24.10.0/bin/codex login

# Method 4: Permanent configuration
mkdir -p /opt/codex
cat > /opt/codex/config.toml << EOF
[auth]
api_key = "sk-...your-api-key-here"
EOF
API Key Requirements:
  • Must have access to the Responses API (not just Chat API)
  • Should be scoped to your production environment
  • Create multiple keys for different services if needed
  • Set appropriate usage limits and quotas

Step 5: Verify Codex CLI Authentication

Test authentication immediately after setup:

# Set environment variables
export CODEX_HOME=/opt/codex
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"

# Check current authentication status (using real binary)
/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login status

# Or using NPM wrapper
/root/.nvm/versions/node/v24.10.0/bin/codex whoami

# Expected output for OAuth:
# You are logged in as: user@example.com
# Authentication method: OAuth
# Token expires: 2024-12-31

# Expected output for API key:
# You are logged in with API key
# Key ID: sk-...xxxx
# Authentication method: API Key

# If not authenticated, you'll see:
# Error: Not authenticated. Please run 'codex login' first.

# List available models (tests actual API access)
/root/.nvm/versions/node/v24.10.0/bin/codex models list

# Expected output:
# Available models:
# - gpt-5.1-codex-max
# - gpt-5.1-codex
# - gpt-5.1-codex-mini
# - gpt-5.1
# - gpt-5
# - codex-cli
# - gpt-5.1-codex low
# - gpt-5.1-codex medium
# - gpt-5.1-codex high
# - gpt-5.1-codex extra high
# (Note: the fixed-effort variants listed above may appear here but currently
# return 400 errors on this account; see "Currently Unavailable" above)
If verification fails:
  • Error: Not authenticated - Run codex login again
  • Error: Invalid API key - Check key format and permissions
  • Error: No models available - Check account limits
  • Permission denied - Check file permissions on /opt/codex/

πŸ”§ Part 2: Service Integration and Configuration

Step 6: Configure File Permissions and Ownership

Ensure the root user can access authentication files:

# Check current permissions
ls -la /opt/codex/

# Set proper ownership (already root:root)
sudo chown -R root:root /opt/codex/

# Set secure permissions
sudo chmod 700 /opt/codex/
sudo chmod 600 /opt/codex/auth.json
sudo chmod 600 /opt/codex/config.toml

# Verify
sudo -u root ls -la /opt/codex/
Permission Matrix:
  • /opt/codex/ - 700 (rwx------) - Owner only
  • auth.json - 600 (rw-------) - Owner read/write
  • config.toml - 600 (rw-------) - Owner read/write
  • NEVER use 777 or world-readable permissions

Step 7: Configure Environment Variables

Update your .env file with required variables:

# API Wrapper Configuration
# This is the key your API clients will use
PROXY_API_KEY=eric

# Codex CLI Configuration - EXACT PATHS FOR THIS SERVER
CODEX_HOME=/opt/codex
CODEX_WORKDIR=/workspace/codex-api3

# EXACT PATHS - DO NOT CHANGE
CODEX_PATH=/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
CODEX_BINARY_PATH=/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex

# Path to Codex CLI NPM wrapper
PATH=/root/.nvm/versions/node/v24.10.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NODE_PATH=/root/.nvm/versions/node/v24.10.0/lib/node_modules

# API Configuration
PORT=5203
HOST=0.0.0.0

# Rate Limiting
RATE_LIMIT_PER_MINUTE=120

# Optional: Default model
DEFAULT_MODEL=gpt-5.1-codex

# Optional: Maximum parallel requests
CODEX_MAX_PARALLEL_REQUESTS=4

# Optional: Request timeout in seconds
CODEX_TIMEOUT=120

# Security Settings
CODEX_SANDBOX_MODE=workspace-write
CODEX_ALLOW_DANGER_FULL_ACCESS=0
Important Notes:
  • PROXY_API_KEY is NOT your OpenAI API key
  • The exact API key for this deployment is: eric
  • Store .env securely and never commit to version control
  • Use different keys for dev/staging/prod environments

Step 8: Test the Complete Integration

Perform end-to-end testing:

# 1. Start the API service
cd /var/www/api3
sudo systemctl start codex-wrapper-api3

# 2. Check service status
sudo systemctl status codex-wrapper-api3

# 3. Test health endpoint
curl http://localhost:5203/health

# 4. Test with invalid proxy key (should fail)
curl -X POST http://localhost:5203/v1/chat/completions \
  -H "Authorization: Bearer invalid-key" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-5.1-codex", "messages": [{"role": "user", "content": "test"}]}'

# Expected: {"detail": "Invalid proxy API key"}

# 5. Test with valid proxy key
curl -X POST http://localhost:5203/v1/chat/completions \
  -H "Authorization: Bearer eric" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-5.1-codex", "messages": [{"role": "user", "content": "Hello"}]}'

# Expected: Successful response with message content

Step 9: Restart and Verify Service

Restart the systemd service:

# Systemd service restart
sudo systemctl restart codex-wrapper-api3
sudo systemctl status codex-wrapper-api3

# Check logs
sudo journalctl -u codex-wrapper-api3 -f

# Manual restart (if needed)
sudo pkill -f "uvicorn app.main:app"
cd /var/www/api3
nohup python -m uvicorn app.main:app --host 0.0.0.0 --port 5203 > /var/log/codex-api3.log 2>&1 &

# Verify it's running
ps aux | grep uvicorn
netstat -tulpn | grep 5203

πŸ”’ Part 3: Security Best Practices

Credential Storage

Where credentials are stored:

  • Codex CLI auth: /opt/codex/auth.json (encrypted token)
  • Codex CLI config: /opt/codex/config.toml
  • API proxy key: /var/www/api3/.env file
  • OpenAI API key: In Codex auth file or config

Protection measures:

# Set file permissions
sudo chmod 600 /opt/codex/auth.json
sudo chmod 600 /opt/codex/config.toml
sudo chmod 600 /var/www/api3/.env

# Add to .gitignore
echo -e ".env\n/opt/codex/\n*.key\n*.pem" >> /var/www/api3/.gitignore

# Use system keyring (alternative)
# Store sensitive data in system keychain/keyring
# Reference via environment variables at runtime

Rotation Procedures

Regular rotation schedule:

  • Proxy API Key: Rotate every 90 days
  • OpenAI API Key: Rotate every 180 days
  • OAuth Tokens: Auto-rotate by OpenAI (~30 days)

Rotation process:

# Rotate proxy key
# 1. Generate new key
NEW_KEY=$(openssl rand -hex 32)

# 2. Update .env file
sudo sed -i "s/PROXY_API_KEY=.*/PROXY_API_KEY=$NEW_KEY/" /var/www/api3/.env

# 3. Restart service
sudo systemctl restart codex-wrapper-api3

# 4. Update all client applications with new key

# Rotate OpenAI API key
# 1. Generate new key in OpenAI dashboard
# 2. Re-login with new key
sudo su - root
cd /var/www/api3
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
/root/.nvm/versions/node/v24.10.0/bin/codex login --api-key "sk-new-key-here"

# 3. Verify
/root/.nvm/versions/node/v24.10.0/bin/codex whoami
/root/.nvm/versions/node/v24.10.0/bin/codex models list

Backup and Recovery

Backup authentication data:

# Create backup script
cat > /var/www/api3/backup-codex-auth.sh << 'EOF'
#!/bin/bash
BACKUP_DIR="/backup/codex-auth/$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR

# Backup Codex auth
cp -r /opt/codex $BACKUP_DIR/

# Backup environment
cp /var/www/api3/.env $BACKUP_DIR/.env.backup

# Encrypt backup
tar -czf - $BACKUP_DIR | gpg --symmetric --cipher-algo AES256 --output $BACKUP_DIR.tar.gz.gpg

# Cleanup unencrypted backup
rm -rf $BACKUP_DIR

echo "Backup created: $BACKUP_DIR.tar.gz.gpg"
EOF

chmod +x /var/www/api3/backup-codex-auth.sh

Recovery process:

# Recover from backup (extracts to backup/codex-auth/<date>/ relative to the current directory)
gpg --decrypt backup.tar.gz.gpg | tar -xz
sudo cp -r backup/codex-auth/*/codex /opt/
sudo cp backup/codex-auth/*/.env.backup /var/www/api3/.env

# Set proper permissions
sudo chmod 700 /opt/codex
sudo chmod 600 /opt/codex/*
sudo chmod 600 /var/www/api3/.env

🚨 Part 4: Troubleshooting Guide

Common Authentication Errors and Solutions

Error: codex: command not found
Cause: Codex CLI not installed or not in PATH
Solution:
# Check npm global path
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
# Reinstall if needed
npm install -g @openai/codex

Error: Not authenticated
Cause: No valid auth token
Solution:
sudo su - root
cd /var/www/api3
/root/.nvm/versions/node/v24.10.0/bin/codex login
# For API key:
/root/.nvm/versions/node/v24.10.0/bin/codex login --api-key "sk-..."

Error: Permission denied
Cause: Wrong file ownership/permissions
Solution:
# Fix ownership
sudo chown -R root:root /opt/codex
# Fix permissions
sudo chmod 700 /opt/codex
sudo chmod 600 /opt/codex/*

Error: 401 Unauthorized
Cause: Invalid proxy API key
Solution:
# Check .env file
grep PROXY_API_KEY /var/www/api3/.env
# Test with correct key

Error: 403 Forbidden
Cause: Codex CLI auth failed
Solution:
# Check Codex auth
sudo -u root /root/.nvm/versions/node/v24.10.0/bin/codex whoami
# Re-authenticate if needed
sudo -u root /root/.nvm/versions/node/v24.10.0/bin/codex login

Error: Model not found
Cause: Wrong model name or auth issue
Solution:
# List available models
sudo -u root /root/.nvm/versions/node/v24.10.0/bin/codex models list
# Use exact model name from output

Debug Commands

Comprehensive debugging checklist:

# 1. Check system information
echo "Current user: $(whoami)"
echo "Home directory: $HOME"
echo "PATH: $PATH"
echo "Codex location: $(/root/.nvm/versions/node/v24.10.0/bin/codex --version)"

# 2. Check Codex installation
/root/.nvm/versions/node/v24.10.0/bin/codex --version
/root/.nvm/versions/node/v24.10.0/bin/codex --help

# 3. Check authentication
/root/.nvm/versions/node/v24.10.0/bin/codex whoami
echo "Codex home: ${CODEX_HOME:-/opt/codex}"
ls -la ${CODEX_HOME:-/opt/codex}/

# 4. Check network connectivity
curl -I https://api.openai.com/v1/models
telnet api.openai.com 443

# 5. Check service status
sudo systemctl status codex-wrapper-api3
ps aux | grep uvicorn
netstat -tulpn | grep 5203

# 6. Check environment
sudo cat /var/www/api3/.env | grep -v "PROXY_API_KEY"

# 7. Test minimal request
curl -v http://localhost:5203/health

# 8. Test with debug logging
cd /var/www/api3
export LOG_LEVEL=DEBUG
python -m uvicorn app.main:app --host 0.0.0.0 --port 5203 --log-level debug

Network and Firewall Issues

Common network problems:

  • Port 1455 blocked: Required for OAuth callback
  • Port 5203 blocked: Required for API access
  • HTTPS blocked: Required for API communication
  • DNS issues: Can't resolve api.openai.com
  • Corporate proxy: May need configuration

Solutions:

# Check if ports are blocked
# For OAuth port
nc -zv localhost 1455

# For API port
nc -zv localhost 5203

# For API access
nc -zv api.openai.com 443

# If using corporate proxy
export https_proxy=http://proxy.company.com:8080
export http_proxy=http://proxy.company.com:8080

# Check DNS
nslookup api.openai.com
dig api.openai.com

# Test connectivity
ping -c 3 api.openai.com
curl -I https://api.openai.com

βœ… Verification Complete Checklist

  • Codex NPM wrapper exists at /root/.nvm/versions/node/v24.10.0/bin/codex
  • Codex real binary exists at /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  • Codex version 0.63.0 confirmed with Node.js v24.10.0
  • Authentication configured (OAuth or API Key) for root user
  • /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login status shows authenticated
  • codex whoami shows successful authentication
  • codex models list shows available models
  • CODEX_PATH and CODEX_BINARY_PATH correctly set in /var/www/api3/.env
  • File permissions set correctly on /opt/codex/ (700)
  • PROXY_API_KEY configured in /var/www/api3/.env
  • API service starts on port 5203 without errors
  • Health endpoint responds correctly at http://localhost:5203/health
  • Chat completions work with proxy key
  • Service logs show no authentication errors

⚠️ Important Security Reminders

  • Never share your PROXY_API_KEY with external users
  • Keep OpenAI API keys confidential and rotate regularly
  • Monitor API usage for unauthorized access
  • Use different credentials for different environments
  • Enable audit logging for production deployments
  • Consider using a secrets management system for production

πŸ“‹ Common Administrative Tasks

Rate Limiting Configuration

Setting Rate Limits

Add to /var/www/api3/.env:

# Requests per minute per client (configured for this server)
RATE_LIMIT_PER_MINUTE=120

# Burst capacity (optional)
RATE_LIMIT_BURST=10

Rate limit headers are included in API responses:

X-RateLimit-Limit: 120
X-RateLimit-Remaining: 119
X-RateLimit-Reset: 1638360000
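
To inspect these headers on a live request, a quick sketch (header names as shown above):

curl -s -D - -o /dev/null \
  -H "Authorization: Bearer eric" \
  http://localhost:5203/v1/models | grep -i '^X-RateLimit'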

Model Selection and Configuration

Listing Available Models

# Via API
curl -H "Authorization: Bearer eric" \
     http://localhost:5203/v1/models

# Via Codex CLI (using NPM wrapper)
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
/root/.nvm/versions/node/v24.10.0/bin/codex models list

# Or using real binary directly
/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex models list

Configuring Model Providers

Edit /opt/codex/config.toml:

[model_providers.openai]
type = "openai"
api_key = "${OPENAI_API_KEY}"
base_url = "https://api.openai.com/v1"

# For local models
[model_providers.local]
type = "openai"
base_url = "http://localhost:8080/v1"

Reasoning Effort Control

Four reasoning effort levels available:
  • low - Fast responses, minimal overhead
  • medium - Balanced reasoning (default)
  • high - Deep analysis for complex tasks
  • extra high - Maximum reasoning for the most challenging tasks (currently returns 400 errors on this account; see "Currently Unavailable" above)

Method 1: Environment Variable

# Add to /var/www/api3/.env
CODEX_REASONING_EFFORT=high  # Options: low, medium, high, extra high

Method 2: Request Header

curl -H "x_codex.reasoning_effort: extra high" \
     -H "Authorization: Bearer eric" \
     -d '{"model": "gpt-5.1-codex", ...}' \
     http://localhost:5203/v1/chat/completions

Method 3: Use Fixed-Effort Models

# Choose a model with built-in reasoning level:
"model": "gpt-5.1-codex low"       # Fast
"model": "gpt-5.1-codex medium"    # Balanced
"model": "gpt-5.1-codex high"      # Deep
"model": "gpt-5.1-codex extra high" # Maximum

Sandbox Configuration

Available Modes

  • read-only - No file access
  • workspace-write - Write to workspace only
  • danger-full-access - Full system access

Configuration

# In /var/www/api3/.env
CODEX_SANDBOX_MODE=workspace-write

# Allow danger mode
CODEX_ALLOW_DANGER_FULL_ACCESS=1

Performance Tuning

Parallel Request Handling (Latest Updates)

βœ… Session 5 Enhancements Applied (2025-12-02)

Connection pooling and timeout issues have been resolved with the following improvements:

# Current Production Configuration (/var/www/api3/.env)
# Maximum parallel Codex processes - INCREASED
CODEX_MAX_PARALLEL_REQUESTS=5  # Updated: Default was 2, now 5 (+150% capacity)

# Request timeout (seconds) - OPTIMIZED
CODEX_TIMEOUT=120  # Stable timeout with proper cleanup

# Service environment paths - FIXED
PATH=/usr/bin:/usr/local/bin:/home/eric/.nvm/versions/node/v25.2.1/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin
CODEX_PATH=/home/eric/.nvm/versions/node/v25.2.1/bin/codex
CODEX_HOME=/opt/codex

Performance Impact Summary

Configuration | Previous | Current | Impact
Parallel Requests | 2 | 5 | πŸš€ +150% throughput
Timeout Handling | Basic | 120s with cleanup | βœ… More reliable
Memory Usage | Variable | Stable 34MB | πŸ“Š Consistent performance
Service Startup | Failing | Fast init | πŸ”§ Fixed issues

Real-World Validation Results
# Performance Test - Korean UTF-8 Streaming
curl -X POST https://api3.exploit.bot/v1/chat/completions \
  -H "Authorization: Bearer eric" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-5.1-codex",
    "messages": [{"role": "user", "content": "ν•œκ΅­μ–΄λ‘œ μΈμ‚¬ν•΄μ£Όμ„Έμš”"}],
    "stream": true
  }' \
  --max-time 30

# Results:
# βœ… Perfect UTF-8 encoding for international characters
# βœ… Token-by-token streaming (not 32-byte chunks)
# βœ… No connection timeouts or hanging
# βœ… Proper Unicode boundary detection
# βœ… Enhanced parallel request handling

Worker Configuration

For production deployment:

# Gunicorn with multiple workers
cd /var/www/api3
gunicorn app.main:app \
  -w $(nproc) \
  -k uvicorn.workers.UvicornWorker \
  --bind 0.0.0.0:5203 \
  --timeout 300 \
  --keep-alive 2

πŸ›‘οΈ Security Best Practices

API Key Management

πŸ”’ Security Essentials:
  • Never commit API keys to version control
  • Use environment variables or secret management
  • Rotate keys regularly (recommended every 90 days)
  • Use different keys for development and production

Secure Key Storage

# Use a secrets manager (example with HashiCorp Vault)
export PROXY_API_KEY=$(vault kv get -field=api-key secret/codex/prod)

# Or use Docker secrets (in docker-compose.yml)
services:
  codex-api:
    environment:
      PROXY_API_KEY: /run/secrets/proxy_api_key
    secrets:
      - proxy_api_key

Network Security

Firewall Configuration

Restrict access to the API endpoint on port 5203:

# UFW example
sudo ufw allow from 10.0.0.0/8 to any port 5203
sudo ufw deny 5203

# iptables example
sudo iptables -A INPUT -p tcp --dport 5203 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5203 -j DROP

SSL/TLS Configuration

Always use HTTPS in production:

# Using nginx as reverse proxy
server {
    listen 443 ssl;
    server_name api3.exploit.bot;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:5203;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Sandbox Security

Default Secure Settings

# Recommended for production
CODEX_SANDBOX_MODE=read-only
CODEX_ALLOW_DANGER_FULL_ACCESS=0
CODEX_LOCAL_ONLY=1

Docker Security

# Run as root (as configured)
USER root

# Read-only filesystem
--read-only --tmpfs /tmp

# Drop capabilities
--cap-drop ALL

Access Control

IP Whitelisting

# Middleware example for IP whitelisting
import ipaddress

from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse

app = FastAPI()

ALLOWED_IPS = ["10.0.0.0/8", "192.168.0.0/16"]

@app.middleware("http")
async def ip_whitelist(request: Request, call_next):
    client_ip = ipaddress.ip_address(request.client.host)
    if not any(client_ip in ipaddress.ip_network(allowed) for allowed in ALLOWED_IPS):
        # Raising HTTPException inside middleware bypasses the exception
        # handlers; return a response directly instead
        return JSONResponse(status_code=403, content={"detail": "IP not allowed"})
    return await call_next(request)

Monitoring and Auditing

Security Monitoring Checklist:
  • Log all API requests with timestamps and IP addresses
  • Monitor for unusual request patterns
  • Set up alerts for authentication failures
  • Regular security audits of access logs
  • Monitor rate limit violations
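
As a starting point for the authentication-failure alert, a sketch that counts recent failures in the service journal (the grep pattern is taken from the 401 error body shown earlier; match it to your actual log messages):

sudo journalctl -u codex-wrapper-api3 --since "1 hour ago" | grep -ci "invalid proxy api key"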

πŸ“Š Monitoring the Service

Health Check Endpoints

Basic Health Check

GET http://localhost:5203/health
curl http://localhost:5203/health

Returns: {"status": "healthy"}

Detailed Health Check

GET http://localhost:5203/health/detailed
curl http://localhost:5203/health/detailed

Returns service status, Codex CLI status, and system info

Log Monitoring

Access Logs

# Real-time log monitoring (systemd)
sudo journalctl -u codex-wrapper-api3 -f

# Docker logs
docker-compose logs -f codex-api

# Filter by error level
sudo journalctl -u codex-wrapper-api3 | grep "ERROR"

# Custom log file (if configured)
tail -f /var/log/codex-api3.log

Log Format

# JSON log format example
{
  "timestamp": "2024-01-15T10:30:45Z",
  "level": "INFO",
  "message": "Request completed",
  "request_id": "req_123456",
  "method": "POST",
  "path": "/v1/chat/completions",
  "status_code": 200,
  "duration_ms": 1250,
  "client_ip": "10.0.0.100"
}
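
If logs are emitted in this JSON format, jq can filter them; a sketch that surfaces slow requests (the 5000 ms threshold is arbitrary, and non-JSON journal lines are skipped via fromjson?):

sudo journalctl -u codex-wrapper-api3 -o cat \
  | jq -Rr 'fromjson? | select((.duration_ms // 0) > 5000) | "\(.timestamp) \(.path) \(.duration_ms)ms"'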

Performance Metrics

Key Metrics to Monitor

  • Request Rate: Requests per second
  • Response Time: P50, P95, P99 latency
  • Error Rate: 4xx and 5xx responses
  • Codex Queue Length: Pending requests
  • CPU/Memory Usage: Resource utilization
  • Rate Limit Hits: Throttled requests (120/min)

Prometheus Integration

# Add to requirements.txt
prometheus-client

# Metrics endpoint
GET http://localhost:5203/metrics

# Example metrics
codex_api_requests_total{method="POST",status="200"}
codex_api_request_duration_seconds_bucket{le="1.0"}
codex_api_active_connections

Monitoring Dashboard

Grafana Dashboard Components:
  • API request rate and response times
  • Error rate breakdown
  • Codex CLI execution metrics
  • System resource usage
  • Rate limit utilization (120/min limit)
  • Active model distribution

Alerting Setup

Configure alerts for:
  • Service downtime (health check failures)
  • High error rate (>5%)
  • Elevated response times (P99 > 10s)
  • Codex CLI authentication failures
  • Rate limit exhaustion (approaching 120/min)
  • Disk space > 80% used
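
A minimal cron-friendly downtime probe covering the first alert above, as a sketch (assumes a working local `mail` command; substitute your own alerting channel):

curl -sf --max-time 10 http://localhost:5203/health >/dev/null \
  || echo "codex-wrapper-api3 health check failed on $(hostname)" \
     | mail -s "Codex API down" admin@example.com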

πŸ”§ Maintenance Tasks

Service Management

Restarting the Service

# Docker Compose
docker-compose restart codex-api

# Systemd service (configured for this server)
sudo systemctl restart codex-wrapper-api3

# Check status
sudo systemctl status codex-wrapper-api3

# Direct process
pkill -f "uvicorn app.main:app"
cd /var/www/api3
nohup python -m uvicorn app.main:app --host 0.0.0.0 --port 5203 > /var/log/codex-api3.log 2>&1 &

Zero-Downtime Deployment

# Using blue-green deployment
docker-compose up -d --scale codex-api=2
# Wait for new container to be healthy
docker-compose up -d --scale codex-api=1 --no-deps codex-api

Updating Components

Update Codex CLI

# Check current version (NPM wrapper)
/root/.nvm/versions/node/v24.10.0/bin/codex --version

# Current expected version: 0.63.0

# Update to latest
npm update -g @openai/codex

# Verify update didn't change binary path
ls -la /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex

# If binary path changed after update, update .env file
# Edit /var/www/api3/.env and update CODEX_PATH and CODEX_BINARY_PATH

Update Python Dependencies

cd /var/www/api3
# Update all packages
pip install -r requirements.txt --upgrade

# Check for outdated packages
pip list --outdated

Backup Procedures

Daily Backup Script

#!/bin/bash
# backup-codex.sh

BACKUP_DIR="/backup/codex"
DATE=$(date +%Y%m%d_%H%M%S)

# Create backup directory
mkdir -p $BACKUP_DIR

# Backup configurations
tar -czf $BACKUP_DIR/config_$DATE.tar.gz \
    /opt/codex/ \
    /var/www/api3/.env \
    /workspace/codex-api3/

# Backup logs
tar -czf $BACKUP_DIR/logs_$DATE.tar.gz \
    /var/log/codex-api3/

# Cleanup old backups (keep 30 days)
find $BACKUP_DIR -name "*.tar.gz" -mtime +30 -delete

echo "Backup completed: $DATE"

Configuration Backup

# Version control for configs
git init /etc/codex-config
cd /etc/codex-config
git add .
git commit -m "Config backup $(date)"
git push origin main

Regular Maintenance Tasks

Weekly Tasks:
  • Review and rotate API keys
  • Check for security updates
  • Analyze performance metrics
  • Clean old log files
  • Verify backup integrity
Monthly Tasks:
  • Update all dependencies
  • Review rate limiting effectiveness (120/min limit)
  • Audit user access patterns
  • Test disaster recovery procedures
  • Review and update documentation

Database Maintenance (if applicable)

# Clear old session data
find /tmp/codex-sessions -type f -mtime +7 -delete

# Optimize PostgreSQL (if used)
psql -d codex_db -c "VACUUM ANALYZE;"

# Rotate logs
logrotate /etc/logrotate.d/codex-api3
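
If /etc/logrotate.d/codex-api3 does not exist yet, a minimal policy might look like this (sketch; log path taken from earlier sections):

sudo tee /etc/logrotate.d/codex-api3 << 'EOF'
/var/log/codex-api3.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
}
EOF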

πŸ” Troubleshooting Guide

Service Issues

Service Won't Start

Checklist:

  1. Verify Python version: python --version (need 3.8+)
  2. Check dependencies: pip list
  3. Verify .env file exists and is valid at /var/www/api3/.env
  4. Check port 5203 is not in use: netstat -tulpn | grep 5203
  5. Verify NPM wrapper exists: ls -la /root/.nvm/versions/node/v24.10.0/bin/codex
  6. Verify real binary exists: ls -la /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  7. Check Codex CLI version: /root/.nvm/versions/node/v24.10.0/bin/codex --version (should be 0.63.0)
  8. Verify paths in .env: Check CODEX_PATH and CODEX_BINARY_PATH match the actual binary location

Authentication Problems

Error: 401 Unauthorized
Cause: Missing/invalid PROXY_API_KEY
Solution: Check /var/www/api3/.env file, verify key in request header

Error: Codex auth failed
Cause: Codex CLI not logged in
Solution:
# Set environment variables
export CODEX_HOME=/opt/codex
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"

# Check status
/root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login status

# OAuth login
/root/.nvm/versions/node/v24.10.0/bin/codex login

# OR API key login
echo "sk-your-api-key" | /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login --with-api-key

Error: Permission denied
Cause: Wrong file permissions
Solution: Check /opt/codex/ permissions: sudo chmod 700 /opt/codex

Performance Issues

Slow Response Times

Diagnostics:

  • Check system resources: htop
  • Monitor Codex queue: ps aux | grep codex
  • Check network latency to model provider
  • Review request complexity and token count

Solutions:

  • Increase CODEX_MAX_PARALLEL_REQUESTS in /var/www/api3/.env
  • Adjust CODEX_TIMEOUT if needed
  • Implement caching for repeated requests
  • Use faster models for simpler tasks

Memory Issues

Out of Memory Errors

Symptoms: Container restarts, OOM killer messages

# Check OOM events
sudo dmesg | grep -i "killed process"

# Monitor memory usage
watch -n 1 'free -h; ps aux --sort=-%mem | head -10'

Solutions:

  • Increase available RAM (minimum 2GB recommended)
  • Reduce parallel requests: CODEX_MAX_PARALLEL_REQUESTS=1
  • Add swap space: sudo fallocate -l 2G /swapfile && sudo chmod 600 /swapfile && sudo mkswap /swapfile && sudo swapon /swapfile
  • Enable memory optimization in docker-compose.yml

Common Error Messages

"codex: command not found"

Fix:

# Add NPM wrapper to PATH
export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"

# Verify wrapper exists
ls -la /root/.nvm/versions/node/v24.10.0/bin/codex

# Verify real binary exists
ls -la /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex

# Use full path to NPM wrapper
/root/.nvm/versions/node/v24.10.0/bin/codex --version

"Model not found"

Fix:

# List available models
curl http://localhost:5203/v1/models

# Check config.toml
sudo cat /opt/codex/config.toml

Debug Mode

Enable Debug Logging

Add to /var/www/api3/.env:

LOG_LEVEL=DEBUG
CODEX_DEBUG=1

Or use environment variable:

cd /var/www/api3
export LOG_LEVEL=DEBUG
python -m uvicorn app.main:app --host 0.0.0.0 --port 5203 --log-level debug

Getting Help

Resources:

  • Check application logs: sudo journalctl -u codex-wrapper-api3 -f
  • Review docs/ENV.md for configuration options
  • Check GitHub Issues for known problems
  • Enable debug mode for detailed output
  • Collect system information for bug reports

πŸ’‘ Usage Examples

cURL Examples

Basic Chat Request

curl -X POST "http://localhost:5203/v1/chat/completions" \
  -H "Authorization: Bearer eric" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-5.1-codex",
    "messages": [
      {"role": "system", "content": "You are a helpful assistant."},
      {"role": "user", "content": "Explain quantum computing"}
    ],
    "max_tokens": 500
  }'

Streaming Response

curl -X POST "http://localhost:5203/v1/chat/completions" \
  -H "Authorization: Bearer eric" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-5.1-codex",
    "messages": [{"role": "user", "content": "Write a poem"}],
    "stream": true
  }'

Python Examples

import requests
import json

# Configuration
API_URL = "http://localhost:5203/v1/chat/completions"
API_KEY = "eric"

def chat_completion(message, model="gpt-5.1-codex"):
    """Non-streaming request: returns the parsed JSON response."""
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
    }
    payload = {
        "model": model,
        "messages": [{"role": "user", "content": message}]
    }
    response = requests.post(API_URL, headers=headers, json=payload)
    return response.json()

def chat_completion_stream(message, model="gpt-5.1-codex"):
    """Streaming request: yields parsed SSE chunks as they arrive.

    Streaming and non-streaming modes must be separate functions: any
    Python function containing `yield` is a generator, so a combined
    function could never return the plain JSON dict.
    """
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
    }
    payload = {
        "model": model,
        "messages": [{"role": "user", "content": message}],
        "stream": True
    }
    with requests.post(API_URL, headers=headers, json=payload, stream=True) as response:
        for line in response.iter_lines():
            if line:
                line = line.decode('utf-8')
                if line.startswith('data: '):
                    data = line[6:]
                    if data != '[DONE]':
                        yield json.loads(data)

# Usage
if __name__ == "__main__":
    # Non-streaming
    response = chat_completion("Hello, how are you?")
    print(response['choices'][0]['message']['content'])

    # Streaming
    for chunk in chat_completion_stream("Count to 10"):
        if 'delta' in chunk['choices'][0]:
            print(chunk['choices'][0]['delta'].get('content', ''), end='')

JavaScript Examples

// Node.js example
const axios = require('axios');

class CodexAPI {
    constructor(apiKey, baseURL = 'http://localhost:5203') {
        this.apiKey = apiKey;
        this.baseURL = baseURL;
    }

    async chatCompletion(messages, model = 'gpt-5.1-codex', stream = false) {
        try {
            const response = await axios.post(`${this.baseURL}/v1/chat/completions`, {
                model,
                messages,
                stream
            }, {
                headers: {
                    'Authorization': `Bearer ${this.apiKey}`,
                    'Content-Type': 'application/json'
                }
            });

            return response.data;
        } catch (error) {
            console.error('API Error:', error.response?.data || error.message);
            throw error;
        }
    }

    async streamChatCompletion(messages, model = 'gpt-5.1-codex', onChunk) {
        try {
            const response = await axios.post(`${this.baseURL}/v1/chat/completions`, {
                model,
                messages,
                stream: true
            }, {
                headers: {
                    'Authorization': `Bearer ${this.apiKey}`,
                    'Content-Type': 'application/json'
                },
                responseType: 'stream'
            });

            response.data.on('data', (chunk) => {
                const lines = chunk.toString().split('\n');
                for (const line of lines) {
                    if (line.startsWith('data: ')) {
                        const data = line.slice(6);
                        if (data !== '[DONE]') {
                            onChunk(JSON.parse(data));
                        }
                    }
                }
            });
        } catch (error) {
            console.error('Streaming Error:', error.message);
            throw error;
        }
    }
}

// Usage
const api = new CodexAPI('eric');

// Simple chat
api.chatCompletion([
    { role: 'user', content: 'What is the capital of France?' }
]).then(response => {
    console.log(response.choices[0].message.content);
});

// Streaming chat
api.streamChatCompletion(
    [{ role: 'user', content: 'Tell me a story' }],
    'gpt-5.1-codex',
    (chunk) => {
        const content = chunk.choices[0]?.delta?.content;
        if (content) process.stdout.write(content);
    }
);

Go Examples

package main

import (
    "bytes"
    "encoding/json"
    "fmt"
    "net/http"
)

type CodexClient struct {
    BaseURL string
    APIKey  string
    Client  *http.Client
}

type Message struct {
    Role    string `json:"role"`
    Content string `json:"content"`
}

type ChatRequest struct {
    Model    string    `json:"model"`
    Messages []Message `json:"messages"`
    Stream   bool      `json:"stream,omitempty"`
}

type ChatResponse struct {
    Choices []struct {
        Message struct {
            Content string `json:"content"`
        } `json:"message"`
        Delta struct {
            Content string `json:"content"`
        } `json:"delta,omitempty"`
    } `json:"choices"`
}

func NewCodexClient(apiKey, baseURL string) *CodexClient {
    return &CodexClient{
        BaseURL: baseURL,
        APIKey:  apiKey,
        Client:  &http.Client{},
    }
}

func (c *CodexClient) ChatCompletion(messages []Message, model string) (*ChatResponse, error) {
    reqBody := ChatRequest{
        Model:    model,
        Messages: messages,
    }

    jsonData, err := json.Marshal(reqBody)
    if err != nil {
        return nil, err
    }

    req, err := http.NewRequest("POST", c.BaseURL+"/v1/chat/completions", bytes.NewBuffer(jsonData))
    if err != nil {
        return nil, err
    }

    req.Header.Set("Authorization", "Bearer "+c.APIKey)
    req.Header.Set("Content-Type", "application/json")

    resp, err := c.Client.Do(req)
    if err != nil {
        return nil, err
    }
    defer resp.Body.Close()

    var result ChatResponse
    err = json.NewDecoder(resp.Body).Decode(&result)
    return &result, err
}

func main() {
    client := NewCodexClient("eric", "http://localhost:5203")

    messages := []Message{
        {Role: "user", Content: "Explain Go concurrency"},
    }

    response, err := client.ChatCompletion(messages, "gpt-5.1-codex")
    if err != nil {
        fmt.Printf("Error: %v\n", err)
        return
    }

    if len(response.Choices) > 0 {
        fmt.Println(response.Choices[0].Message.Content)
    }
}

Advanced Examples

Batch Processing

import asyncio
import aiohttp

async def batch_process(prompts, max_concurrent=5):
    semaphore = asyncio.Semaphore(max_concurrent)

    async def process(prompt):
        async with semaphore:
            async with aiohttp.ClientSession() as session:
                async with session.post(
                    "http://localhost:5203/v1/chat/completions",
                    headers={"Authorization": "Bearer eric"},
                    json={
                        "model": "gpt-5.1-codex",
                        "messages": [{"role": "user", "content": prompt}]
                    }
                ) as resp:
                    return await resp.json()

    tasks = [process(prompt) for prompt in prompts]
    return await asyncio.gather(*tasks)

# Usage
prompts = ["Task 1", "Task 2", "Task 3", "Task 4", "Task 5"]
results = asyncio.run(batch_process(prompts))

❓ Frequently Asked Questions

Q: How do I switch between different models?

A: Use the model parameter in your API request. First, list available models:

curl -H "Authorization: Bearer eric" http://localhost:5203/v1/models

Then use the exact model name in your request:

{"model": "gpt-5.1-codex", "messages": [...]}

Q: What's the difference between CODEX_LOCAL_ONLY and regular mode?

A: When CODEX_LOCAL_ONLY=1, the API will only accept requests for local model providers. This prevents the API from making requests to remote APIs like OpenAI, keeping all processing local. Set to 0 to allow remote providers.

Q: How can I increase the request timeout?

A: Set the CODEX_TIMEOUT environment variable in /var/www/api3/.env:

# In /var/www/api3/.env file
CODEX_TIMEOUT=300  # 5 minutes

Q: Can I use custom system prompts or instructions?

A: Yes! Create an AGENTS.md file in your workspace directory:

# Create AGENTS.md in workspace
mkdir -p /workspace/codex-api3
echo "You are a Python programming expert..." > /workspace/codex-api3/AGENTS.md

Codex will automatically merge these instructions with each request.

Q: How do I handle rate limiting?

A: Configure rate limiting in your /var/www/api3/.env file:

# 120 requests per minute per client (configured for this server)
RATE_LIMIT_PER_MINUTE=120

# Unlimited (0)
RATE_LIMIT_PER_MINUTE=0

The API returns rate limit headers in each response to monitor usage.
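
Clients can also let curl retry automatically when throttled; a sketch (recent curl versions retry on HTTP 429 and honor the Retry-After header when --retry is set):

curl --retry 5 --retry-max-time 120 -s \
  -H "Authorization: Bearer eric" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-5.1-codex", "messages": [{"role": "user", "content": "Hello"}]}' \
  http://localhost:5203/v1/chat/completions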

Q: What's the maximum number of parallel requests?

A: Configure with CODEX_MAX_PARALLEL_REQUESTS in /var/www/api3/.env:

# Default is 2, increase for better throughput
CODEX_MAX_PARALLEL_REQUESTS=4

# Set to 1 for serial processing
CODEX_MAX_PARALLEL_REQUESTS=1

Q: How do I enable debug logging?

A: Set the log level in /var/www/api3/.env:

# In /var/www/api3/.env
LOG_LEVEL=DEBUG

# Or as environment variable
export LOG_LEVEL=DEBUG

Q: Can I run this behind a reverse proxy?

A: Yes! Here's a sample nginx configuration for port 5203:

server {
    listen 443 ssl;
    server_name your-domain.com;

    location / {
        proxy_pass http://localhost:5203;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # For streaming
        proxy_buffering off;
        proxy_cache off;
    }
}

Q: How do I backup my configuration?

A: Back up these important files:

  • /opt/codex/ - Codex CLI configuration and auth
  • /var/www/api3/.env - Environment variables
  • /workspace/codex-api3/ - Custom AGENTS.md files
tar -czf codex-backup.tar.gz /opt/codex /var/www/api3/.env /workspace/codex-api3/

Q: What should I do if I get "Model not found" error?

A: Try these steps:

  1. List available models: curl http://localhost:5203/v1/models
  2. Check your /opt/codex/config.toml
  3. Set environment variables: export CODEX_HOME=/opt/codex && export PATH="/root/.nvm/versions/node/v24.10.0/bin:$PATH"
  4. Verify Codex CLI authentication: /root/.nvm/versions/node/v24.10.0/bin/codex whoami
  5. Check authentication status: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex login status
  6. Check if the model provider is configured correctly

Q: How can I monitor API usage and costs?

A: Monitor these metrics:

  • Request count via /metrics endpoint (if enabled)
  • Log files for detailed request information
  • Your model provider's dashboard for costs
  • Custom monitoring with Prometheus/Grafana

Q: What are the exact server paths and configurations?

A: Here are the exact server-specific details:

Service Configuration:
  • User: root
  • Group: root
  • Working Directory: /var/www/api3
  • Service Name: codex-wrapper-api3
  • Environment File: /var/www/api3/.env
Codex CLI Exact Paths:
  • NPM Wrapper: /root/.nvm/versions/node/v24.10.0/bin/codex
  • Real Binary: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  • CODEX_HOME: /opt/codex
  • Working Directory: /workspace/codex-api3
  • Authentication File: /opt/codex/auth.json
  • Version: 0.63.0
  • Node.js Version: v24.10.0
  • Architecture: x86_64 Linux
API Configuration:
  • API Key: eric
  • Port: 5203
  • Rate Limit: 120 requests per minute
Environment Variables in .env:
  • CODEX_PATH: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  • CODEX_BINARY_PATH: /root/.nvm/versions/node/v24.10.0/lib/node_modules/@openai/codex/vendor/x86_64-unknown-linux-musl/codex/codex
  • CODEX_HOME: /opt/codex

πŸš€ Async Job Management (NEW)

Overview

For long-running operations that may exceed timeout limits, the API now supports asynchronous job execution. Jobs run in the background while you can poll for results or stream progress in real-time.

Benefits

  • No Timeouts: Jobs run in background, HTTP connection closes immediately
  • Resume on Disconnect: Results retrievable even if connection drops
  • Progress Monitoring: Stream real-time progress via Server-Sent Events
  • Better Error Handling: Failed jobs tracked with detailed error messages

Configuration

Add these variables to your .env file:

# Job storage backend: memory, sqlite, or auto
JOB_STORAGE_TYPE=sqlite

# Job lifetime in seconds (default: 1 hour)
JOB_DEFAULT_TTL=3600

# SQLite database path
JOB_SQLITE_PATH=/var/www/api3/data/codex_jobs.db

Usage Examples

1. Submit Async Job

curl -X POST "https://api3.exploit.bot/v1/chat/completions?async=true" \
  -H "Authorization: Bearer YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-5.1-codex",
    "messages": [{"role": "user", "content": "Long task..."}]
  }'

# Returns immediately with job ID
{
  "id": "98b2945f-0be2-4ac6-b1b4-cfde9b85a8eb",
  "object": "job",
  "status": "queued",
  "created_at": 1764743637,
  "request_type": "chat_completion"
}

2. Check Job Status

curl "https://api3.exploit.bot/v1/jobs/98b2945f-0be2-4ac6-b1b4-cfde9b85a8eb" \
  -H "Authorization: Bearer YOUR_KEY"

3. Stream Progress (Real-time)

curl -N "https://api3.exploit.bot/v1/jobs/98b2945f.../stream" \
  -H "Authorization: Bearer YOUR_KEY"

4. List All Jobs

curl "https://api3.exploit.bot/v1/jobs?limit=10" \
  -H "Authorization: Bearer YOUR_KEY"

5. Cancel Running Job

curl -X DELETE "https://api3.exploit.bot/v1/jobs/98b2945f..." \
  -H "Authorization: Bearer YOUR_KEY"

Job Statuses

  • queued - Job waiting to start
  • running - Job currently executing
  • completed - Job finished successfully (result available)
  • failed - Job failed (error details available)
  • cancelled - Job was cancelled by user
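
Putting the endpoints together, a polling loop sketch (the job ID and key are placeholders from the examples above; requires jq):

JOB_ID="98b2945f-0be2-4ac6-b1b4-cfde9b85a8eb"
while true; do
  STATUS=$(curl -s "https://api3.exploit.bot/v1/jobs/$JOB_ID" \
    -H "Authorization: Bearer YOUR_KEY" | jq -r '.status')
  echo "status: $STATUS"
  case "$STATUS" in
    completed|failed|cancelled) break ;;
  esac
  sleep 5
done
# Once the loop exits, fetch the full job object (result or error included)
# with the same GET /v1/jobs/{job_id} endpoint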

When to Use Async Mode

Use async mode when:

  • Operations expected to take > 30 seconds
  • Complex reasoning tasks with high effort settings
  • Network connection stability is a concern
  • Batch processing multiple requests

Use sync mode when:

  • Quick, simple queries (< 10 seconds expected)
  • Real-time interactive chat
  • Testing/development with fast operations

Monitoring Jobs

Check job database:

sqlite3 /var/www/api3/data/codex_jobs.db "SELECT job_id, status, created_at FROM jobs ORDER BY created_at DESC LIMIT 10;"

View API logs:

tail -f /tmp/api3_new.log

Troubleshooting

Job stays in "queued" status:

  • Check API server logs
  • Verify CODEX_MAX_PARALLEL_REQUESTS setting
  • Ensure no jobs are stuck in "running" state

Job fails immediately:

  • Check job error message: GET /v1/jobs/{job_id}
  • Verify Codex CLI authentication
  • Check model name is valid

Can't find job:

  • Jobs expire after TTL (default 1 hour)
  • Check JOB_DEFAULT_TTL setting
  • Jobs are cleaned up every 5 minutes

Further Documentation