Codex CLI for Web Developers.

Codex CLI is OpenAI's terminal-native coding agent, tuned for GPT-5.3 Codex and long tool-call loops.

# npm (macOS / Linux / WSL)
npm install -g @openai/codex

# Authenticate — ChatGPT Plus/Pro or API key
codex login

# Or set API key directly
export OPENAI_API_KEY="sk-..."

# Run from repo root
cd my-app && codex

Auth via ChatGPT Plus/Pro or an OpenAI API key. API usage is metered per token; subscription tiers may include a bundled allowance depending on plan. Before a week of heavy use, run your expected turn count through the session cost calculator with GPT-5.3 Codex selected.

Project config typically lives in AGENTS.md plus .codex/config.toml or codex.config.json depending on version. Same cross-vendor guidance as the AGENTS.md guide: one canonical context file, short and concrete.

Codex CLI indexes the working tree on launch. Treat the repo like you would for any agent: a tight AGENTS.md, an ignore file for paths the agent should never read, and explicit commands in the file map.

# build output
dist/
build/
.next/
out/
node_modules/

# secrets
.env
.env.*

# lockfiles (token bloat, low signal)
package-lock.json
pnpm-lock.yaml

# large assets
public/**/*.{mp4,webm,pdf}

Codex excels when the task has a clear done state: "add Playwright tests for every route under src/app/," "migrate all fetch calls to server actions," "upgrade Next 15 to 16 and fix breaking changes." Vague prompts produce vague diffs.

Goal mode (also called autonomous or batch mode in docs) is Codex CLI's killer feature: you describe an outcome, set constraints, and walk away. The agent plans sub-steps, executes tool calls, and reports when done or blocked.

When goal mode pays off for web dev:

• Scaffolding a full test suite from an existing app map
• Mechanical API renames across 40+ files
• Dependency major-version upgrades with fix-forward
• Generating missing TypeScript types from runtime schemas

When it doesn't:

• UI polish and spacing tweaks (you need to see pixels)
• Product copy and information architecture
• Anything requiring stakeholder taste calls mid-run

# Goal
Add Playwright e2e tests for every public route listed in AGENTS.md.

# Constraints
- Use existing `tests/e2e/` patterns (copy auth.setup.ts).
- Do not add new npm dependencies.
- Run `pnpm exec playwright test` after each route; fix failures before continuing.
- Stop and report if more than 3 routes fail for the same root cause.

# Done when
All routes have a spec file and the full suite is green.

Long runs burn tokens. Set a budget ceiling in your head (or in org policy) and use /compact or fresh sessions between unrelated goals. The model picker guide has GPT-5.3 Codex on the agentic tier for a reason.

Codex CLI has no dedicated security slash command like GitHub Copilot CLI's /security-review (see our Copilot CLI security review coverage). Instead, run a read-only audit via prompt plus the Security Review skill and the checklist in the securing AI-generated code guide.

Read-only security audit of the diff against `main`.

Use the review-security skill checklist. Report:
1. Critical (must fix before merge)
2. High (fix this sprint)
3. Medium (track)

Do not edit files. Cite file:line for every finding.
If you need to run commands, use read-only git and grep only.

Codex CLI loads MCP servers from project or user config. Same protocol, same servers as Claude Code and Cursor.

High-value pair for web teams:

1. Playwright MCP — verify UI changes during autonomous test generation.
2. GitHub MCP — read PR context, post review comments (with token scoped to repo).

{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": ["-y", "@playwright/mcp"]
    }
  },
  "model": "gpt-5.3-codex"
}

Honest comparison for web dev workflows. See also the OpenCode comparison table and the dedicated Claude Code guide.

Five questions about the task in front of you. Get a recommendation for Codex CLI, Claude Code, or Cursor. Runs entirely in your browser.