Fix Codex CLI “Network Access Restricted” in 2 Commands (2026)¶
✨ Updated for Codex CLI v0.102.0 (February 2026)
Latest model: GPT-5.3-Codex (Feb 5, 2026) and GPT-5.3-Codex-Spark (Feb 12, 2026) are now available via /model in Codex CLI. v0.93.0+ defaults to GPT-5.2-Codex (released Dec 18, 2025) which introduced context compaction, stronger performance on large code changes, improved Windows environment performance, enhanced cybersecurity capabilities, and SOCKS5 proxy support with policy enforcement. Network restriction configurations remain fully compatible across all models. v0.102.0 adds structured network approval prompts, making sandbox permission changes more explicit.
Sources: Introducing GPT-5.2-Codex | OpenAI · Codex CLI Changelog
Quick actions (v0.93.0+, field-proven)
- Run
/statusbefore every networked turn: confirmsandbox_mode: workspace-writeandnetwork_access: true. If not, reapply the network flags (see Key Points below). - For domain-level filtering (npm/GitHub only), use the Web (Cloud) Environment Internet Access settings. CLI network access is binary (on/off).
- If
codex re-connecting...appears, keep the network-enabled profile, restart using the reconnecting guide, and replay with--transcript ... --appendto prevent duplicate work.
🚨 Common Issue: "Cannot Access Internet with Codex"¶
A problem many new Codex CLI users encounter:
# npm package installation fails
codex run "npm install axios"
# Error: Network access is restricted
# Cannot access APIs
codex run "curl https://api.example.com"
# Error: Network request blocked by sandbox
Cause: Codex operates within a security sandbox by default, with internet access completely blocked.
Key Points: The 2 Commands¶
Audience: All levels — this is the fastest path to fixing the error.
Command 1 — add two lines to ~/.codex/config.toml (one-time):
[sandbox_workspace_write]
network_access = true
Command 2 — verify with any network command:
codex --sandbox workspace-write "curl -I https://registry.npmjs.org"
If you prefer a one-liner without editing files, pass the config inline:
# Referred to as "the network flags" in the rest of this article
codex --sandbox workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"npm install express"
That's it
For most users, the config.toml edit above is all you need. The rest of this article covers why it's restricted, alternative methods (Web UI, Docker), security best practices, and advanced troubleshooting.
Why Is It Restricted by Default?¶
OpenAI's Official Position¶
"Codex operates with network access disabled and file edits restricted to the current workspace by default" — OpenAI Codex Security Guide
Link verification note
The URL above is cited in official OpenAI documentation. If the link returns a 404, check the Codex GitHub Repository for the latest security documentation.
Main Security Risks¶
| Risk | Description | Severity |
|---|---|---|
| Prompt Injection | Malicious web content hijacking Codex behavior | High |
| Data Exfiltration | Code or API keys being sent externally | Critical |
| Malware Infiltration | Execution of untrusted packages or scripts | High |
| License Violations | Unauthorized use of restricted license code | Medium |
Web Search ≠ Network Access
Codex's built-in web_search tool uses a pre-cached index and does not require network_access = true. If you only need documentation lookups, no network config change is needed.
network_access = true is required only for live outbound connections (npm install, curl, API calls at runtime).
📋 Detailed Configuration Methods¶
Method 1: Codex CLI Command Line Configuration¶
Audience: CLI users (most readers of this article)
Configure network access using the official config.toml file or CLI flags.
Persistent Configuration (config.toml) — Recommended¶
Create or edit ~/.codex/config.toml:
# Enable network access for workspace-write sandbox mode
[sandbox_workspace_write]
network_access = true
After saving, all subsequent codex --sandbox workspace-write sessions will have network access enabled automatically.
macOS: config.toml Ignored by Seatbelt Sandbox (GitHub Issue #10390)
On macOS, network_access = true in config.toml is silently ignored by the Seatbelt sandbox (openai/codex#10390).
Workaround: Use --sandbox danger-full-access:
codex --sandbox danger-full-access "npm install express"
Linux (Landlock sandbox) reads config.toml correctly and is not affected.
Temporary Configuration (CLI Flags)¶
# Enable network access for a single session using -c flag (the "network flags")
codex --sandbox workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"npm install express"
# Verify current sandbox state
codex --sandbox workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"curl -I https://registry.npmjs.org"
Web vs CLI Settings
Web (Cloud) Environment: Use the ChatGPT interface's "Internet Access" settings (Method 2 below).
Local CLI: Use config.toml or -c flags as shown here. These are separate configuration systems—changes in one do not affect the other.
Method 2: Codex Cloud Environment (ChatGPT Plus/Pro)¶
Audience: ChatGPT Plus/Pro subscribers using Codex through the web interface
CLI vs Cloud: Different Systems
The Codex Cloud Environment (web interface) and the Codex CLI (terminal) are separate systems with different configuration mechanisms. Settings changed in one do not affect the other. This section covers the Cloud Environment only.
Since June 2025, ChatGPT Plus/Pro users can control network access from environment settings.
- Open Environment Settings
- Start a Codex session in ChatGPT
- Click the settings icon in the top right
Select "Environment Settings"
Internet Access Toggle
Internet Access:
- Off # Default: No network access
- On # Enable outbound connections
- Domain Preset (when Internet Access is On)
Domain Preset:
- None # No pre-approved domains
- Common dependencies # npm, PyPI, GitHub, etc.
- All # Unrestricted (not recommended)
The Cloud Environment uses a two-step model: first toggle Internet Access on/off, then select a domain preset that controls which hosts the sandbox can reach.
Method 3: Safe Configuration in Docker/WSL Environment¶
Audience: DevOps / security-conscious teams
The safest approach is execution in an isolated environment:
# Dockerfile
FROM node:22
WORKDIR /app
# Install Codex CLI
RUN npm install -g @openai/codex
# Network policy configuration
COPY config.toml /root/.codex/config.toml
CMD ["codex"]
Unverified environment variables
The following environment variables (CODEX_SANDBOX_ENABLED, CODEX_NETWORK_MODE) are shown as examples but could not be verified in official Codex CLI documentation as of February 2026. Use config.toml or -c flags for guaranteed compatibility. If you rely on these variables, test them in your environment first.
# Docker launch script
docker build -t codex-secure .
docker run -it --network=bridge \
--cap-drop=ALL \
--security-opt=no-new-privileges \
codex-secure
🆕 Pre-flight Checklist (v0.93.0+)¶
Common support patterns include codex re-connecting… banners and VPN-bound curl calls failing even after enabling network access. Since v0.93.0 (GPT-5.2-Codex default) and further improved through v0.102.0, reliability has improved significantly. Run this pre-flight checklist before networked operations:
| Check | Command | Expected output |
|---|---|---|
| Sandbox state | /status | sandbox_mode: workspace-write + network_access: true |
| Real network reachability | codex --sandbox workspace-write -c 'sandbox_workspace_write.network_access=true' "curl -I https://pypi.org/simple/" | HTTP/2 200 (or your endpoint) |
| Audit trail | codex --full-auto --transcript analysis/20260217_network.log | JSONL transcript saved under analysis/ |
Additional reachability probes¶
# GitHub CLI auth + API ping (with the network flags)
codex --sandbox workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"gh auth status && gh api user"
# Python dependency dry run (no downloads)
codex --sandbox workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"python -m pip install requests --dry-run"
# DNS / proxy sanity check
codex --sandbox workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"nslookup api.openai.com"
- Healthy
gh auth statusoutput should sayLogged in to github.com as .... pip --dry-runmust finish withWould install ...and no TLS errors.nslookuphelps prove your VPN/proxy still resolves official endpoints.
If codex re-connecting… persists, it usually means the SSE stream—not the firewall—is the culprit. Restart the session following the reconnecting issue guide while keeping the same network-enabled profile active.
🛡️ Security Best Practices¶
Do's ✅¶
- Principle of Least Privilege
- Allow only necessary domains
Start with GET method and expand gradually
Environment Isolation
- Run in separate environment from production code
Recommend using WSL/Docker/VM
Audit Log Review
# Use transcripts for audit trail codex --full-auto --transcript analysis/network_audit.jsonl "your command" # Review logs in ~/.codex/log/
Don'ts ❌¶
- Using
Unrestrictedmode in production - Opening network for projects with sensitive information
- Allowing access to unverified domains
🔗 Related Resources¶
Official Documentation¶
- OpenAI Codex Security Guide - Comprehensive security practices and sandbox configuration
- Codex GitHub Repository - Official CLI source code and issues
Related Codex CLI Guides¶
- Codex CLI Auto Approve: Skip All Prompts — Configure
-a neverand sandbox modes - Fix Codex CLI "Re-connecting" Loop — 5 workarounds for connection issues
- Codex Plan Mode Guide — Plan→Execute workflow to prevent code drift
- Codex CLI Logs: Location & Debug — Find log files and enable debug logging
- Codex CLI vs Claude Code Benchmark — Side-by-side comparison
Troubleshooting¶
Common Error Messages & Quick Fixes¶
| Error Message | Cause | Solution |
|---|---|---|
Network access is restricted | Default sandbox policy | Add network_access = true to config.toml (see Key Points) |
codex re-connecting... | SSE stream interrupted | Check reconnecting guide |
npm ERR! network timeout | Network access disabled | Enable network via config.toml or the network flags |
curl: (6) Could not resolve host | DNS blocked in sandbox | Enable network + check proxy settings |
network_access = true set but connections still fail on macOS | macOS Seatbelt sandbox ignores config.toml (#10390) | Use --sandbox danger-full-access; see macOS warning above |
npm Package Installation¶
# With config.toml already set, simply:
codex --sandbox workspace-write "npm install express axios dotenv"
# Or bulk installation from package.json
codex --sandbox workspace-write "npm ci"
Staging Environment API Testing¶
# With config.toml set:
codex --sandbox workspace-write "npm run test:integration"
Domain-level restrictions
For domain-level whitelisting, use the Web (Cloud) Environment settings in ChatGPT (Method 2). The CLI's network_access setting is binary (enabled/disabled) and does not support per-domain filtering.
Network access doesn't work after changing settings¶
# Verify config.toml settings
cat ~/.codex/config.toml
# Test with explicit flags
codex --sandbox workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"curl -I https://example.com"
# If still failing, check proxy/VPN settings
Only specific npm packages fail to install¶
Private registries require authentication configuration:
# Configure .npmrc first
echo "//registry.company.com/:_authToken=${NPM_TOKEN}" > .npmrc
# Then run with network access enabled
codex --sandbox workspace-write "npm install @company/package"
Errors occur during GitHub Actions automation¶
Unverified environment variables
The environment variables below (CODEX_NETWORK_MODE, CODEX_ALLOWED_DOMAINS, CODEX_SANDBOX_ENABLED) are shown as a conceptual example. These were not confirmed in official Codex CLI documentation as of February 2026. Verify support in the Codex CLI repository before using in production CI/CD pipelines.
# .github/workflows/codex.yml (conceptual example — verify env var support)
env:
CODEX_NETWORK_MODE: limited
CODEX_ALLOWED_DOMAINS: "registry.npmjs.org,github.com"
CODEX_SANDBOX_ENABLED: true
Quick FAQ (v0.93.0+)¶
How do I confirm the profile keeps network access after a reconnect?
Run /status immediately after the reconnect banner. If network_access flipped back to false, restart with the network flags and replay the last turn with --transcript ... --append for auditability. Reconnection stability has improved significantly since v0.93.0.
What is the safest way to allow GitHub + npm only?
For CLI, set network_access = true in config.toml to enable network access. For domain-level filtering (GitHub + npm only), use the Web (Cloud) Environment settings in ChatGPT's Internet Access configuration. The CLI sandbox provides binary network access control, not domain-level whitelisting.
How can I prove to stakeholders that networked runs are logged?
Start Codex with --transcript analysis/<date>_network.jsonl --append, and include /status plus the first successful curl/gh api output in the same log.
Does GPT-5.3-Codex improve network reliability?
GPT-5.2-Codex (released Dec 18, 2025, default in CLI v0.93.0+) introduced improved event streams and better handling of network operations. GPT-5.3-Codex (Feb 5, 2026) and GPT-5.3-Codex-Spark (Feb 12, 2026) continue these improvements. Windows users particularly benefit from enhanced PowerShell parsing and ConPty integration. Update to v0.102.0+ for best results.
Conclusion¶
Codex network restrictions are an important security feature. When removing them:
- Understand the risks
- Start with minimal permissions
- Expand gradually
This approach allows you to achieve necessary functionality while maintaining security.
💡 Next Steps: Learn more advanced configurations and workflows in Codex CLI Best Practices.