Complete Guide to Codex CLI 0.45 and 0.46 Major Updates

Codex CLI Complete Guide

Target Audience

  • Intermediate to advanced developers using Codex CLI daily who want to leverage new features while maintaining compatibility with existing workflows

Key Points

  • Understand production-impacting changes in 0.45 and 0.46
  • Master security enhancements and MCP improvements
  • Choose the right upgrade strategy for your workflow

Codex CLI versions 0.45 and 0.46 bring significant improvements in API authentication security, MCP (Model Context Protocol) server enhancements, and usability upgrades. This article provides a practical guide for developers already using Codex CLI, focusing on critical changes and safe upgrade procedures.

5-Minute Outcomes

  1. Understand key changes and impact scope of 0.45 and 0.46
  2. Learn authentication method changes due to security enhancements
  3. Master implementation methods for improved MCP extensibility

Core Problem

Codex CLI 0.45 and 0.46 introduce major security and MCP integration improvements, but these changes may affect existing operational workflows. Specifically:

  • API Key authentication method changes may break existing automation scripts
  • Introduction of new MCP stack changes operational guarantees for existing MCP configurations
  • Addition of OAuth MCP server authentication increases configuration complexity

Version 0.45 Key Changes

Security Enhancement: API Key Authentication Method Changes

Most Important Change: codex login --api-key has been deprecated and replaced with --with-api-key, which reads from standard input. This eliminates security risks of API keys being recorded in shell history or process lists.

# Old method (0.44 and earlier)
codex login --api-key sk-proj-xxxxx

# New method (0.45 and later)
printenv OPENAI_API_KEY | codex login --with-api-key
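
The difference between the two methods can be observed directly. The following is an added illustration, not code from the Codex project: fake-codex is a hypothetical stand-in script that only sleeps, the key is a constructed placeholder, and the function names are made up for this example. It assumes a Linux /proc or a ps binary.

```shell
#!/usr/bin/env bash
# Added illustration. KEY is a constructed placeholder; fake-codex is a stand-in
# script that only sleeps, not the real CLI.
KEY="sk-proj-CONSTRUCTED-NOT-A-REAL-KEY"
WORK=$(mktemp -d)
cat > "$WORK/fake-codex" <<'EOF'
# Stand-in for `codex login`: drain stdin when asked, then stay alive briefly.
[ "$2" = "--with-api-key" ] && cat > /dev/null
sleep 3
exit 0
EOF

# argv of a PID as other local users see it (unless /proc is mounted with hidepid).
argv_of() {
  if [ -r "/proc/$1/cmdline" ]; then tr '\0' ' ' < "/proc/$1/cmdline"
  else ps -o args= -p "$1"; fi
}

# Wait for the child to exec the stand-in, then report whether KEY is in its argv.
key_in_argv() {
  pid=$1; tries=0
  until argv_of "$pid" 2>/dev/null | grep -q 'fake-codex'; do
    tries=$((tries + 1)); [ "$tries" -ge 30 ] && break
    sleep 0.1
  done
  if argv_of "$pid" 2>/dev/null | grep -qF -- "$KEY"; then found=0; else found=1; fi
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  return "$found"
}

# 0.44 style: the key is an argument, so it sits in the process's argv.
old_style_exposes_key() {
  sh "$WORK/fake-codex" login --api-key "$KEY" &
  key_in_argv "$!"
}

# 0.45 style: the key travels over a pipe. printf is a shell builtin, so no
# process ever has the key in its argv.
new_style_exposes_key() {
  printf '%s' "$KEY" | sh "$WORK/fake-codex" login --with-api-key &
  key_in_argv "$!"
}

old_style_exposes_key && echo "--api-key: key visible in process list"
new_style_exposes_key || echo "--with-api-key: key not in process list"
```

The key still lives in the calling shell's environment in the second case, so the protection covers argv and shell history, not the environment block.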

Critical Breaking Change in 0.45

Implicit reading of the OPENAI_API_KEY environment variable has been completely removed. You must explicitly authenticate with --with-api-key.

Experimental OAuth MCP Authentication Support

OAuth 2.0 authentication flow is now experimentally available for integration with enterprise APIs and SaaS tools (GitHub, JIRA, etc.), providing improved security over bearer tokens.

codex exec Output Optimization

Non-interactive execution (codex exec) now writes only the final message to standard output, simplifying result parsing in CI pipelines and scripts.

Other Improvements

  • Default model changed to gpt-5 for Windows users
  • experimental_use_rmcp_client flag no longer required for streaming HTTP MCP servers without OAuth
  • Fixed color display when refocusing terminal after system theme updates

Version 0.46 Key Changes

Full Introduction of New MCP Stack

Enable new MCP client with experimental flag

# ~/.codex/config.toml
[mcp]
experimental_use_rmcp_client = true

This new stack improves:

  • HTTP MCP server streaming stability
  • Bearer token authentication header fixes (the Authorization: Bearer header is now sent in the correct format)
  • OAuth authentication flow error handling improvements

Experimental Feature in 0.46

The new MCP stack is an experimental feature enabled with the experimental_use_rmcp_client = true flag. If issues occur, you can revert to the legacy stack by setting it to false.

Enhanced MCP Server Management

Addition of enabled configuration

[mcp.servers.my-server]
enabled = false  # Temporarily disable
command = "npx"
args = ["-y", "@example/mcp-server"]

Servers can be temporarily disabled without deletion, making configuration experimentation easier.

Authentication Status Visibility

MCP server authentication status (OAuth connection success/failure, token expiration, etc.) is now visible, streamlining troubleshooting.

UX Improvements

  • Displays a hint on how to resume when exiting codex resume
  • Fixed terminal color palette to xterm for consistent display
  • Persistent display of context lines (current file information)

Other Fixes

  • Fixed rendering of tab characters in transcript mode
  • Improved shimmer effect foreground/background color blending

Upgrade Strategies

Preparation Steps (upgrading to 0.45)

  1. Identify existing authentication scripts
  2. Locate all --api-key usage
  3. Confirm locations relying on implicit environment variable reading
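
One way to run these three checks over a repository, as an added example that is not part of the original article or the Codex project. The function names are hypothetical, the heuristics are grep-based, and the sample tree is constructed so the script can be tried without a real repository.

```shell
#!/usr/bin/env bash
# Pre-upgrade audit for the 0.45 login change (added example; grep-based heuristics).

# Lines that still pass the key with the deprecated flag (never matches --with-api-key).
find_deprecated_flag() {
  grep -rnE -- 'codex[[:space:]]+login[[:space:]]+(.*[[:space:]])?--api-key([[:space:]=]|$)' "$1"
}

# Subset where the key is a literal stored in the file: rotate these keys.
find_literal_keys() {
  find_deprecated_flag "$1" | grep -E -- "--api-key[[:space:]=]+[\"']?sk-"
}

# Files that run `codex exec` but never log in: they depended on the implicit
# OPENAI_API_KEY read that 0.45 removed.
find_implicit_env_users() {
  grep -rlE -- 'codex[[:space:]]+exec' "$1" | while IFS= read -r f; do
    grep -qE -- 'codex[[:space:]]+login' "$f" || printf '%s\n' "$f"
  done
}

# Constructed sample tree (all keys are placeholders).
make_sample_tree() {
  d=$(mktemp -d)
  cat > "$d/ci.yml" <<'EOF'
run: codex login --api-key ${{ secrets.OPENAI_API_KEY }}
EOF
  cat > "$d/deploy.sh" <<'EOF'
codex login --api-key sk-proj-CONSTRUCTED-EXAMPLE
codex exec "npm test"
EOF
  cat > "$d/nightly.sh" <<'EOF'
codex exec "npm run lint"
EOF
  cat > "$d/migrated.sh" <<'EOF'
printenv OPENAI_API_KEY | codex login --with-api-key
codex exec "npm test"
EOF
  printf '%s\n' "$d"
}

audit() {
  echo "== deprecated --api-key =="; find_deprecated_flag "$1"
  echo "== literal keys (rotate) =="; find_literal_keys "$1"
  echo "== no explicit login =="; find_implicit_env_users "$1"
}

audit "$(make_sample_tree)"
```

Replace the last line with `audit /path/to/repo` to scan real scripts; a file in the third group may still be fine if a separate script performs the login first.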

Migration Procedure (0.45)

# 1. Upgrade to 0.45
npm install -g @openai/codex@0.45.0

# 2. Login with new authentication method
printenv OPENAI_API_KEY | codex login --with-api-key

# 3. Verify operation
codex --version
codex exec "echo test"

Automation Script Modification Example

# Before (0.44 and earlier)
codex login --api-key $OPENAI_API_KEY

# After (0.45 and later)
echo "$OPENAI_API_KEY" | codex login --with-api-key

Preparation Steps (upgrading to 0.46)

  1. List MCP servers in use
  2. Identify servers requiring OAuth authentication
  3. Evaluate new MCP stack in test environment

Migration Procedure (0.46)

# 1. Upgrade to 0.46
npm install -g @openai/codex@0.46.0

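# 2. Enable new MCP stack (optional)
# Note: >> appends to the end of the file, so the key lands in whichever table
# is last there; if that is not [mcp], edit ~/.codex/config.toml by hand instead.
echo 'experimental_use_rmcp_client = true' >> ~/.codex/config.toml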

# 3. Verify MCP server operation
codex mcp list
codex  # Try MCP tools in interactive mode

If Issues Occur

# ~/.codex/config.toml
[mcp]
# Revert to legacy stack
experimental_use_rmcp_client = false

Stable Operations Priority

  • Recommendation: Wait at 0.45, migrate after 0.46 MCP new stack stabilizes
  • Reason: Benefit from authentication improvements while avoiding experimental features

MCP-Heavy Usage

  • Recommendation: Migrate to 0.46 promptly and enable new stack
  • Reason: Major benefits from OAuth support, streaming improvements, and authentication status visibility

Heavy Automation Script Usage

  • Recommendation: Batch modify and test authentication scripts during 0.45 migration
  • Reason: --with-api-key change has the largest impact, requiring careful migration

Important Note

From 0.45 onwards, implicit reading of the OPENAI_API_KEY environment variable has been removed. You must explicitly authenticate with --with-api-key.

0.45 Authentication Script Modification Examples

CI/CD Pipeline (GitHub Actions) Modification

# Before (0.44 and earlier)
- name: Codex Login
  run: codex login --api-key ${{ secrets.OPENAI_API_KEY }}

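# After (0.45 and later)
# Pass the secret through env instead of expanding it into the script text
- name: Codex Login
  env:
    OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
  run: printenv OPENAI_API_KEY | codex login --with-api-key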

Shell Script Modification

# Before
#!/bin/bash
codex login --api-key "$OPENAI_API_KEY"
codex exec "npm test"

# After
#!/bin/bash
echo "$OPENAI_API_KEY" | codex login --with-api-key
codex exec "npm test"

0.46 MCP OAuth Configuration Example

When using OAuth authentication for integration with enterprise GitHub or JIRA:

  1. Enable new stack

    # ~/.codex/config.toml
    [mcp]
    experimental_use_rmcp_client = true
    

  2. Add OAuth-capable MCP server

    codex mcp add github-enterprise \
      --url https://mcp.example.com/github \
      --oauth
    

  3. Complete authentication flow

    • Authentication screen opens in browser
    • Login via enterprise SSO
    • Token automatically saved

  4. Check authentication status

    codex  # Start interactive mode
    /mcp   # Display MCP status
    

Common Issues and Solutions

0.45 Specific Issues

| Symptom | Cause | Solution |
|---|---|---|
| Error with codex login --api-key | Deprecated in 0.45 | Change to printenv OPENAI_API_KEY \| codex login --with-api-key |
| Can't read API Key from environment variable | Implicit reading removed | Explicitly pass with --with-api-key |
| CI/CD pipeline fails | Authentication command changed | Batch modify scripts to new method |

0.46 Specific Issues

| Symptom | Cause | Solution |
|---|---|---|
| Existing MCP servers don't work | Incompatibility with new stack | Revert to legacy stack with experimental_use_rmcp_client = false |
| OAuth MCP authentication infinite loop | Experimental feature instability | Report issue on GitHub and temporarily switch to bearer token |
| Bearer token authentication rejected | 0.46 header format fix | Upgrade to 0.46 for automatic resolution |

Summary

0.45 Key Points

  • Major security enhancement for API authentication (--with-api-key standard input authentication)
  • Experimental OAuth MCP authentication support begins
  • codex exec output optimization simplifies CI integration

0.46 Key Points

  • New MCP stack improves connection stability and OAuth support
  • Flexible MCP server management (enabled field, authentication status visibility)
  • UX improvements (codex resume memo, color palette fixes)

  1. First adopt 0.45 authentication method changes and modify automation scripts
  2. After verification, evaluate 0.46 MCP new features in test environment
  3. Gradually deploy to production if no issues
