How to Log Out from Codex CLI: Complete Authentication Guide
Run codex logout in your terminal to immediately remove the stored authentication token from ~/.codex/config.toml and force the CLI to prompt for fresh credentials on the next command.
The OpenAI Codex CLI stores your API authentication token locally to streamline interactions with the Codex model. When you need to switch accounts, revoke access, or troubleshoot authentication issues, properly logging out ensures no sensitive credentials remain on the machine. This guide covers the terminal command, programmatic implementation, and the underlying source code mechanics in the openai/codex repository.
Understanding Codex CLI Authentication Storage
The Codex CLI persists your session in a TOML configuration file located at ~/.codex/config.toml. This file contains the auth_token field that the CLI injects into API requests. When you execute the login flow, the binary writes your token to this file; conversely, logging out simply clears this field and rewrites the configuration.
How to Log Out from Codex CLI Using the Terminal
The simplest way to log out from Codex CLI is through the built-in logout subcommand:
codex logout
Upon execution, the CLI performs three operations defined in the source:
- Loads the configuration from ~/.codex/config.toml using the same Config::load() method employed during login.
- Sets auth_token to None and persists the updated struct back to disk via cfg.save().
- Emits a confirmation message indicating successful logout.
After running this command, any subsequent operation requiring authentication—such as codex chat or codex run—will prompt you to run codex login to obtain new credentials.
Programmatic Logout Implementation
If you are building a Rust application that embeds Codex CLI functionality, you can trigger a logout programmatically using the internal configuration API:
use codex_cli::config::Config;
use std::error::Error;

/// Clears stored Codex credentials from the local config.
fn logout_codex() -> Result<(), Box<dyn Error>> {
    // Load existing configuration from ~/.codex/config.toml
    let mut cfg = Config::load()?;
    // Clear the authentication token
    cfg.auth_token = None;
    // Persist the changes to disk
    cfg.save()?;
    println!("✅ Logged out successfully");
    Ok(())
}
This approach mirrors the behavior of the codex logout command and is useful when integrating Codex functionality into larger automation workflows or custom developer tools.
Verifying Logout Status
To confirm that you have successfully logged out and that no valid token remains in the configuration file, use the status command:
codex status
If the logout was successful, the CLI will report that you are not authenticated and suggest running codex login to establish a new session. You can also manually inspect the configuration file:
cat ~/.codex/config.toml
Ensure that the auth_token field is either absent or set to an empty value.
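A scripted version of this check, as an added example that is not code from the openai/codex repository: it classifies the file without printing the token, which cat would display on the terminal if the logout had not taken effect. The function names codex_token_state and codex_logged_out are hypothetical, the sample files are constructed, and auth_token is assumed to be a single-line key = value entry.

```shell
#!/bin/sh
# Added example, not code from openai/codex. Classifies a config file by
# whether it still carries a non-empty auth_token, without printing the value.
# Assumption: auth_token is a single-line `key = value` entry.

# Prints one of: no-file | unreadable | absent | empty | present
codex_token_state() {
    cfg="${1:-$HOME/.codex/config.toml}"
    [ -f "$cfg" ] || { echo "no-file"; return 0; }
    [ -r "$cfg" ] || { echo "unreadable"; return 0; }
    # First live auth_token assignment; commented-out lines do not match.
    line=$(grep -E '^[[:space:]]*auth_token[[:space:]]*=' "$cfg" | head -n 1)
    [ -n "$line" ] || { echo "absent"; return 0; }
    # Keep only what follows the first '='.
    value=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')
    case "$value" in
        ''|'""'*|"''"*) echo "empty" ;;
        *)              echo "present" ;;
    esac
}

# Succeeds only when the file provably holds no usable token (fails closed
# on "present" and on "unreadable").
codex_logged_out() {
    case "$(codex_token_state "$1")" in
        no-file|absent|empty) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Demo on constructed files (the token is a made-up placeholder).
demo_dir=$(mktemp -d)
printf 'model = "example"\nauth_token = "constructed-placeholder"\n' > "$demo_dir/before.toml"
printf 'model = "example"\n# auth_token = "old"\n' > "$demo_dir/after.toml"
for f in before after; do
    echo "$f.toml: $(codex_token_state "$demo_dir/$f.toml")"
done
rm -rf "$demo_dir"
```
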
Key Source Files and Implementation Details
The logout functionality in the openai/codex repository is implemented across the following modules:
| File | Purpose |
|---|---|
| codex-cli/src/config.rs | Defines the Config struct with load() and save() methods for reading and writing ~/.codex/config.toml, including the auth_token field. |
| codex-cli/src/commands/logout.rs | Implements the logout subcommand logic that instantiates the config, clears the token, and persists the change. |
| codex-cli/src/main.rs | Registers the logout subcommand in the CLI argument parser and dispatches execution to the logout handler. |
| docs/authentication.md | Documents the authentication flow, token storage location, and logout procedures for end users. |
These files collectively ensure that the logout process is atomic—either the configuration is successfully updated with the token removed, or the operation fails without corrupting the config file.
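One way to get that all-or-nothing property when removing the field from a script, as an added example that is not the logic in codex-cli/src/config.rs: write a complete new file next to the original and rename it into place. The function name clear_token_atomically is hypothetical, the sample config is constructed, and auth_token is assumed to be a single-line key = value entry.

```shell
#!/bin/sh
# Added example, not the logic in codex-cli/src/config.rs. Removes the
# auth_token entry by writing a complete new file and renaming it into place,
# so the config is never observed half-written.
# Assumption: auth_token is a single-line `key = value` entry.

clear_token_atomically() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    # Temp file in the same directory: mv is then a same-filesystem rename.
    # mktemp creates it with mode 0600, so the copy is never world-readable.
    tmp=$(mktemp "$(dirname "$cfg")/.codex-config.XXXXXX") || return 1
    if sed '/^[[:space:]]*auth_token[[:space:]]*=/d' "$cfg" > "$tmp" \
        && mv -f "$tmp" "$cfg"; then
        return 0
    fi
    # Any failure: discard the partial copy, leave the original untouched.
    rm -f "$tmp"
    return 1
}

# Demo on a constructed config (placeholder token, not a real credential).
demo_dir=$(mktemp -d)
printf 'model = "example"\nauth_token = "constructed-placeholder"\napproval = "ask"\n' \
    > "$demo_dir/config.toml"
clear_token_atomically "$demo_dir/config.toml" && cat "$demo_dir/config.toml"
rm -rf "$demo_dir"
```

The replaced file ends up with the temp file's 0600 mode, and the other settings in the file are carried over unchanged.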
Summary
- Run codex logout to remove the authentication token from ~/.codex/config.toml and terminate your session.
- The command clears the auth_token field via the Config struct in codex-cli/src/config.rs and saves the updated configuration.
- Verify logout by running codex status or inspecting the configuration file directly.
- For custom integrations, use the Rust Config::load() and Config::save() APIs to programmatically clear credentials.
Frequently Asked Questions
What file does Codex CLI store the authentication token in?
Codex CLI stores the authentication token in ~/.codex/config.toml on your local machine. This TOML file contains the auth_token field that the CLI reads during API requests. When you run codex logout, the binary clears this specific field while preserving other configuration settings.
Can I log out of Codex CLI programmatically from my Rust application?
Yes, you can programmatically log out by importing the codex_cli::config::Config module and calling Config::load() to read the existing configuration, setting cfg.auth_token = None, and then invoking cfg.save() to persist the changes. This approach mirrors the internal implementation found in codex-cli/src/commands/logout.rs.
How do I verify that I have successfully logged out from Codex CLI?
Run the codex status command in your terminal. If the logout was successful, the CLI will display a message indicating that you are not currently authenticated and will suggest running codex login to establish a new session. Alternatively, you can manually check that the auth_token field is empty or absent in ~/.codex/config.toml.
Is there a way to force Codex CLI to prompt for new credentials?
Yes, running codex logout effectively forces the CLI to prompt for new credentials on the next authenticated command. Once the token is cleared from ~/.codex/config.toml, any subsequent operation that requires API access—such as codex chat or codex run—will detect the missing authentication and prompt you to run codex login to provide fresh credentials.