Codex CLI Common Errors & Troubleshooting

Error reference Updated 2026-05-28 ~6 min read

Hit an error? Match it in the table below and jump straight to the fix. Nearly every Codex CLI problem falls into one of three buckets: authentication, rate limiting, or config/network.

i

As of 2026, all error messages and fixes in this guide reflect the current Codex CLI release. For unlisted errors, run /feedback inside a session to capture diagnostics.

General triage — three questions

Before diving into specific errors, run through this 30-second check to narrow down the category:

  1. Read the error type. 401/403 = authentication; 429 = rate limit; os error/port conflicts = local environment; Reconnecting/stream disconnected = network.
  2. Test connectivity. Run curl -I https://api.openai.com/v1/models. A 401 response means the network is fine — the problem is auth. A timeout or connection refusal means a proxy/network issue (see the Reconnecting checklist).
  3. Collect diagnostics. Inside a Codex session, run /feedback to capture request IDs, error logs, and a connection snapshot — useful if you need to file a bug report.

Error lookup table

Error Cause Fix
401 Unauthorized Token expired or API key invalid codex logout then codex login; verify API key and account CLI access
429 Too Many Requests / rate limit Usage cap reached Wait for the reset time shown by the CLI; or upgrade your plan
Address in use (os error 98) Port 1455 already in use (e.g. SSH tunnel) during login Free port 1455 — close the tunnel or process — then retry login
Reconnecting loop / stream disconnected Network or proxy problem See the Reconnecting checklist
Headless / remote login fails Device Code auth disabled by workspace admin Ask admin to enable it; or copy auth.json; or use API key
Login stuck on "Sign in with ChatGPT" Browser callback to localhost didn't complete Ensure localhost callback is reachable; or fall back to API key login
Invalid model setting model field in config.toml is not a valid model name Remove the model line from config.toml to use the default
Sandbox blocking commands Sandbox mode or approval settings too restrictive Review sandbox/approval config — see Commands guide
Config file prevents startup ~/.codex/config.toml has a syntax error Rename the file; restart Codex with defaults
WSL: "migration N was previously applied but has been modified" WSL Codex shares CODEX_HOME with Windows Codex Set a separate CODEX_HOME for WSL

Authentication errors (401 / login failures / headless)

401 Unauthorized — token expired

401 Unauthorized means the server received your request but rejected your credentials — your login token has expired or your API key is invalid. Steps to fix:

  1. Log out and back in (ChatGPT account):
    Terminal
    $ codex logout
$ codex login
  2. If using an API key, verify the key is active and your account has CLI access enabled.
  3. Check for a stale OPENAI_API_KEY in your environment: env | grep OPENAI and unset it if needed.

Headless / remote server login failures

On machines without a browser (SSH servers, CI, Docker containers), Codex automatically switches to Device Code authentication. If the workspace admin has disabled Device Code auth, login will fail even for an authorized user — there is no error message that makes this obvious.

!

Enabling Device Code auth is an admin-level setting. Regular users cannot unblock this themselves — contact your workspace administrator.

While waiting for the admin to act, two workarounds are available:

  1. Copy auth.json. Complete the OAuth flow on a machine that has a browser, then copy ~/.codex/auth.json to the same path on the headless server.
  2. Use an API key. Run codex login --with-api-key — this bypasses the browser flow entirely.

Login stuck on the "Sign in with ChatGPT" screen

The OAuth flow requires the browser to call back to localhost after sign-in. If that callback is blocked by a firewall or corporate network policy, the browser page stays frozen.

  • Verify that the localhost callback port is not blocked by a firewall rule.
  • In restricted environments, codex login --with-api-key is the more reliable option.

Rate limiting — 429

When your request volume exceeds the limit for your current subscription plan, the CLI returns 429 Too Many Requests. The CLI will display the exact time your quota resets:

Wait until the reset time shown in the CLI — your quota restores automatically, no restart needed. If you hit the cap frequently, consider upgrading your plan in the OpenAI console.

Port conflict — Address in use (os error 98 / port 1455)

During login, Codex binds to port 1455 on localhost to receive the OAuth callback. If another process already holds that port — most commonly an SSH port-forwarding tunnel — login fails with Address in use (os error 98).

  1. Identify and stop the process using port 1455:
    macOS / Linux
    # Find which process holds port 1455
$ lsof -i :1455
# Or with ss (Linux)
$ ss -tlnp | grep 1455
  2. If it is an SSH tunnel, close that connection or change the tunnel's forwarded port number.
  3. Once the port is free, run codex login again.
i

If you permanently need port 1455 for an SSH tunnel, use codex login --with-api-key instead — it requires no local port listener.

Config and sandbox issues

Invalid model setting

If the model field in ~/.codex/config.toml references a model name that does not exist, Codex will refuse to start. The simplest fix is to remove that line and let the CLI fall back to its built-in default:

~/.codex/config.toml — remove or comment out the model line
# Delete or comment out the line below
# model = "some-nonexistent-model"

Broken config file

If config.toml has a TOML syntax error (often from manual edits), Codex cannot parse it and refuses to start. The quickest recovery is to rename the file as a backup and let Codex regenerate a fresh one:

Terminal
$ mv ~/.codex/config.toml ~/.codex/config.toml.bak
$ codex

Sandbox blocking commands

Codex's sandbox mode and approval settings control which shell commands the agent is allowed to run. If a command is unexpectedly blocked, review your sandbox and approvals configuration in config.toml or your launch flags — see the Commands guide for details.

WSL migration conflict

When running Codex on both Windows and WSL, if both environments point to the same CODEX_HOME (typically ~/.codex), the internal database migration history becomes inconsistent and you'll see the error migration N was previously applied but has been modified. Fix it by giving the WSL instance its own home directory:

WSL ~/.bashrc or ~/.zshrc
export CODEX_HOME="$HOME/.codex-wsl"

Logs and the /feedback command

Codex writes diagnostic logs locally (as of 2026). For hard-to-reproduce issues, the fastest path is the built-in feedback command, run from inside an active Codex session:

Inside a Codex session
 /feedback

/feedback automatically bundles:

  • The current session's request IDs (for OpenAI-side tracing)
  • Recent error log excerpts
  • A snapshot of the connection state

Include the /feedback output when filing a GitHub issue or contacting support — it dramatically speeds up diagnosis and avoids rounds of follow-up questions.

Frequently asked questions

What is the difference between a 401 and a Reconnecting loop?

401 is an authentication rejection at the API layer — the server received your request but refused it, and you get a clear error code. A Reconnecting loop is a transport-layer failure — the request never reaches the server, or the connection drops mid-stream, with no business-level error code. Quick test: run curl -I https://api.openai.com/v1/models. A 401 response means the network is fine (auth issue); a timeout or connection refusal means a proxy/network problem.

Can I use an API key and ChatGPT login at the same time?

You should not. Having both present simultaneously is unstable and can trigger seemingly random Reconnecting errors or spurious 401s. Pick one: either codex login (OAuth) or codex login --with-api-key. Before switching, run codex logout and unset OPENAI_API_KEY to clean up.

How can I tell which auth method Codex is currently using?

Inspect ~/.codex/auth.json — an accessToken field indicates OAuth; API-key login stores key-related data instead. Also check your environment: echo $OPENAI_API_KEY — if it is set, that key is active alongside whatever is in the file.

Does quota automatically restore after a 429?

Yes. The CLI shows the exact reset timestamp. Once that time passes your quota is restored automatically — no restart or re-login needed. If you frequently hit the cap, upgrading your OpenAI plan is the permanent solution.

My error is not in the table. What next?

Run /feedback to capture logs, then search for the raw error message plus "codex" — official GitHub Issues and the community forum usually have prior discussions. For Reconnecting problems see the dedicated checklist; for proxy setup behind firewalls see the Proxy guide.