Step-by-step help for account access issues — password reset, SSO setup, 2FA recovery, and CLI authentication. Everything you need to get back to building.
Code with Confidence
Account access issues interrupt the flow state that developers depend on. This guide covers every sign-in scenario — password recovery, SSO troubleshooting, 2FA device replacement, CLI authentication — with clear, actionable steps that get you back into your workflow in minutes, not hours.
Forgotten your Codex password? The self-service reset process takes under two minutes — no support ticket required.
From the Codex sign-in page, click the "Forgot password?" link below the password field. Enter the email address associated with your Codex account and click "Send Reset Link." Within 60 seconds, you will receive an email from no-reply@codex.gr.com with the subject line "Codex Password Reset." If the email does not appear in your inbox, check your spam or promotions folder — some corporate email filters flag automated password reset emails. The reset link expires after 30 minutes for security; if it expires, simply request a new one from the sign-in page.
When you click the reset link, you will be taken to a page where you can set a new password. Codex enforces a minimum password strength policy: 12 characters minimum, at least one uppercase letter, one lowercase letter, one number, and one special character. The password cannot contain your name, username, or the word "codex." After setting and confirming your new password, you will be redirected to the sign-in page. All existing sessions on other devices are automatically invalidated when you change your password — you will need to sign in again on each device.
If you do not receive the reset email after checking spam and waiting five minutes, verify that you are entering the correct email address. The email address must match exactly the one on your Codex account. If you registered with a typo in your email address or no longer have access to the email account, contact support@codex.gr.com for manual account recovery. Support will ask for account verification information — typically the date of account creation, a recent invoice number, or the last four digits of the payment method on file.
Lost your 2FA device? Recovery codes, email-based identity verification, and support-assisted recovery provide three separate paths back into your account.
When you first enable two-factor authentication on your Codex account, the platform generates ten one-time recovery codes. These were displayed once and prompted for download — if you saved them, use one now. On the 2FA prompt screen, click "Use a recovery code instead," enter one of your saved codes, and you will be signed in. Each recovery code works exactly once; after use, it is permanently invalidated. You should then navigate to Account Settings → Security to re-enable 2FA on your new device and generate a fresh set of recovery codes.
If you did not save your recovery codes, click "I cannot access my 2FA device" on the 2FA prompt screen. This initiates an account recovery flow that uses your account email for identity verification. A recovery link is sent to your email address — the same flow as password reset, but this link disables 2FA on your account rather than changing your password. Once you regain access, re-enable 2FA immediately in Account Settings and store the new recovery codes in a password manager or secure physical location.
If you have lost both your 2FA device and access to your account email, recovery requires support intervention. Email support@codex.gr.com from any accessible email address with the subject "2FA Account Recovery." Include your Codex account email (even if you cannot access it), the approximate date of account creation, and any identifying information — recent activity, team name, billing details — that can help verify ownership. Support will guide you through an identity verification process. For Enterprise plan accounts, your organization's Codex admin can also disable 2FA on your account from the team management dashboard.
Codex supports SAML 2.0, OpenID Connect (OIDC), and SCIM for automated user provisioning — configured by your organization's Codex administrator.
If your organization uses single sign-on, you should sign in through your identity provider rather than entering credentials directly on the Codex sign-in page. Click "Sign in with SSO" and enter your organization's Codex domain (e.g., your-company.codex.gr.com). This redirects you to your identity provider's login flow. After successful authentication, you are redirected back to Codex and signed in automatically. The "Invalid credentials" error on the standard sign-in form often means your account is SSO-enforced — switch to the SSO sign-in flow instead.
SSO configuration issues typically fall into three categories. First, certificate expiration: SAML identity providers use X.509 certificates that expire periodically — your Codex admin must upload the renewed certificate in Team Settings → Authentication before the old one expires. Second, assertion misconfiguration: the SAML assertion must include the user's email address in the NameID field and map the email attribute. Third, clock skew: SAML assertions are time-limited; if your identity provider's clock and Codex servers drift by more than five minutes, assertions are rejected. Your admin can check the SSO error log in Team Settings → Authentication → Diagnostics for detailed error messages and suggested fixes. SCIM provisioning for automated user lifecycle management is documented in the API reference under the Identity Provider Integration section.
Authenticate the Codex CLI in one command: run codex login, complete the browser-based flow, and your encrypted token is stored for all future sessions.
The CLI authentication flow works as follows: running codex login opens your default browser to the Codex authorization page. Sign in using your normal credentials (or SSO if your organization uses it). After successful authentication, the browser displays a confirmation message and the CLI receives an encrypted token that is stored in your user configuration directory. On macOS, this is ~/.config/codex/auth.json; on Windows, %APPDATA%\Codex\auth.json; on Linux, ~/.config/codex/auth.json. The token is encrypted with a key derived from your operating system's credential store.
Common CLI authentication issues include: the browser failing to open (use codex login --no-browser to get a URL you can open manually), the token not being saved due to filesystem permissions (check that your config directory is writable), and token expiration (tokens are valid for 30 days by default; run codex login again to refresh). If you use multiple Codex accounts (e.g., a personal account and a work account), you can switch between them with codex profile switch <profile-name> after configuring profiles. For CI/CD environments, use a service account API key set via the CODEX_API_KEY environment variable instead of the interactive login flow.
Most sign-in problems have straightforward fixes. Start with the issue that matches your symptom — each entry includes a diagnosis step and resolution.
| Symptom | Likely Cause | Solution |
|---|---|---|
| "Invalid credentials" despite correct password | Caps Lock on, SSO-enforced account, or account locked | Check Caps Lock; if SSO, use "Sign in with SSO"; wait 15 min if locked |
| No password reset email received | Wrong email, spam filter, or email provider delay | Check spam/promotions; verify exact email; wait 5 min; contact support |
| Lost 2FA device, no recovery codes | Device lost or replaced without saving codes | Use email recovery flow; contact support if email also unavailable |
| SSO redirect loops back to sign-in | Expired SAML certificate or clock skew | Admin: check certificate validity; verify IdP server time sync |
CLI codex login fails to open browser |
No default browser set or headless environment | Use codex login --no-browser; or set CODEX_API_KEY env var |
| Account locked after multiple failed attempts | Brute-force protection triggered | Wait 15 minutes for automatic unlock; reset password if needed |
| SCIM provisioning fails for new users | Attribute mapping misconfiguration | Admin: verify SCIM attribute map in Team Settings → Provisioning |
| Token expired on CLI | Default 30-day token lifetime exceeded | Run codex login to refresh; Enterprise can configure longer TTL |
Click 'Forgot password?' on the sign-in page, enter your email, and use the reset link sent to your inbox. The link expires after 30 minutes.
The self-service password reset process is designed to be completed in under two minutes without any support involvement. From the sign-in page at codex.gr.com, click "Forgot password?" below the password field. Enter the email address exactly as registered on your account. A reset email from no-reply@codex.gr.com arrives within 60 seconds — check your spam or promotions folder if it does not appear in your primary inbox. The link in the email expires after 30 minutes. When creating a new password, the minimum requirement is 12 characters with at least one uppercase letter, one lowercase letter, one number, and one special character. After changing your password, all existing sessions on other devices are terminated for security.
Use one of your backup recovery codes, or click 'I cannot access my 2FA device' to initiate account recovery via your account email address.
When you first enabled 2FA, Codex generated ten one-time recovery codes. If you saved them — in a password manager, printed document, or secure file — use one now by clicking "Use a recovery code instead" on the 2FA prompt. Each code works once. If you did not save recovery codes, click "I cannot access my 2FA device" to start the email-based recovery flow. A recovery link is sent to your account email; clicking it disables 2FA on your account. Sign in, then immediately re-enable 2FA in Account Settings → Security and store the new recovery codes securely. If you have lost both your 2FA device and access to your account email, email support@codex.gr.com for manual identity verification.
Codex supports SAML 2.0, OpenID Connect, and SCIM for automated provisioning. An organization admin configures the identity provider connection in the team settings dashboard.
SSO is available on Professional and Enterprise plans. An organization admin navigates to Team Settings → Authentication and selects the identity provider type (SAML or OIDC). For SAML, the admin provides the IdP metadata URL or uploads the metadata XML file, and Codex generates the ACS URL and entity ID to register in the IdP. For OIDC, the admin provides the client ID, client secret, and discovery URL. SCIM provisioning is configured separately in Team Settings → Provisioning, enabling automated user creation, updates, and deactivation synchronized from the identity provider. The full configuration guide, including attribute mapping tables and troubleshooting steps, is available in the documentation. Once SSO is configured, team members sign in by clicking "Sign in with SSO" and entering the organization's Codex domain.
Common causes include: Caps Lock enabled, SSO-enforced account (sign in via your organization's identity provider instead), or your account being locked after multiple failed attempts.
This error can be frustrating when you are confident the password is correct. Run through this checklist: first, verify Caps Lock is off — the password field is case-sensitive. Second, if your organization uses SSO, your account may be SSO-enforced, meaning direct password sign-in is disabled — use the "Sign in with SSO" button instead. Third, after six consecutive failed sign-in attempts, Codex locks the account for 15 minutes as a brute-force protection measure; wait 15 minutes and try again. Fourth, if you recently changed your password on another device, your current browser may have cached the old password — clear the saved password in your browser's password manager and type it manually. If none of these resolve the issue, use the password reset flow to set a known-good password.
Run 'codex login' in your terminal. This opens a browser window for authentication. Once complete, the CLI stores an encrypted token locally for subsequent sessions.
The CLI uses OAuth 2.0 device authorization with PKCE. Running codex login opens your default browser to the Codex authorization page. Sign in normally (or via SSO), and the browser displays a confirmation. The CLI receives an encrypted token stored at the platform-specific config path. For headless environments, use codex login --no-browser to get a URL you open on another device. For CI/CD, set the CODEX_API_KEY environment variable with a service account API key instead of using interactive login. Tokens expire after 30 days by default; run codex login again to refresh. Enterprise administrators can configure longer token lifetimes in the security settings. Multiple profiles for different accounts are managed with codex profile subcommands.
Sign in issues are rare and usually resolved in under five minutes with the steps above. Once you are back in, the platform picks up right where you left off.
Download Codex FreeReview authentication security, encryption standards, and access control architecture.
Reach support if the self-service steps above do not resolve your issue.
Install and configure the Codex CLI, including authentication setup.
Access documentation, API references, and community troubleshooting threads.
Learn about our founding, mission, and engineering philosophy.
This sign-in help guide covers every aspect of Codex account access, from basic CLI authentication to enterprise SSO configuration for organizations with hundreds of developers. Password reset and 2FA recovery are self-service operations designed to complete in under two minutes — no support ticket needed. If your organization is evaluating Codex, the contact page lists sales channels for scheduling a walkthrough that covers authentication architecture alongside the rest of the platform.
For teams implementing identity provider integration, the API reference documents the SCIM provisioning endpoints and attribute mapping specifications. Integration guides for CI/CD environments cover service account setup and API key management for non-interactive authentication. The developer resource hub includes the full authentication configuration documentation, community troubleshooting threads, and a changelog tracking authentication-related platform updates. Platform-level security documentation, including encryption standards and audit logging for authentication events, is available on the security and compliance page. General questions about the platform are covered on the about page.