# How to Log Out from Codex CLI: Complete Authentication Guide

> Learn how to log out from Codex CLI with this guide. Run codex logout to remove your token and secure your account. Essential for managing authentication.

- Repository: [OpenAI/codex](https://github.com/openai/codex)
- Tags: how-to-guide
- Published: 2026-03-06

---

**Run `codex logout` in your terminal to immediately remove the stored authentication token from `~/.codex/config.toml` and force the CLI to prompt for fresh credentials on the next command.**

The OpenAI Codex CLI stores your API authentication token locally to streamline interactions with the Codex model. When you need to switch accounts, revoke access, or troubleshoot authentication issues, properly logging out ensures no sensitive credentials remain on the machine. This guide covers the terminal command, programmatic implementation, and the underlying source code mechanics in the `openai/codex` repository.

## Understanding Codex CLI Authentication Storage

The Codex CLI persists your session in a TOML configuration file located at `~/.codex/config.toml`. This file contains the `auth_token` field that the CLI injects into API requests. When you execute the login flow, the binary writes your token to this file; conversely, logging out simply clears this field and rewrites the configuration.

## How to Log Out from Codex CLI Using the Terminal

The simplest way to log out from Codex CLI is through the built-in logout subcommand:

```bash
codex logout

```

Upon execution, the CLI performs three operations defined in the source:

1. **Loads the configuration** from `~/.codex/config.toml` using the same `Config::load()` method employed during login.
2. **Sets `auth_token` to `None`** and persists the updated struct back to disk via `cfg.save()`.
3. **Emits a confirmation message** indicating successful logout.

After running this command, any subsequent operation requiring authentication—such as `codex chat` or `codex run`—will prompt you to run `codex login` to obtain new credentials.

## Programmatic Logout Implementation

If you are building a Rust application that embeds Codex CLI functionality, you can trigger a logout programmatically using the internal configuration API:

```rust
use codex_cli::config::Config;
use std::error::Error;

/// Clears stored Codex credentials from the local config.
fn logout_codex() -> Result<(), Box<dyn Error>> {
    // Load existing configuration from ~/.codex/config.toml
    let mut cfg = Config::load()?;
    
    // Clear the authentication token
    cfg.auth_token = None;
    
    // Persist the changes to disk
    cfg.save()?;
    
    println!("✅ Logged out successfully");
    Ok(())
}

```

This approach mirrors the behavior of the `codex logout` command and is useful when integrating Codex functionality into larger automation workflows or custom developer tools.

## Verifying Logout Status

To confirm that you have successfully logged out and that no valid token remains in the configuration file, use the status command:

```bash
codex status

```

If the logout was successful, the CLI will report that you are not authenticated and suggest running `codex login` to establish a new session. You can also manually inspect the configuration file:

```bash
cat ~/.codex/config.toml

```

Ensure that the `auth_token` field is either absent or set to an empty value.

## Key Source Files and Implementation Details

The logout functionality in the `openai/codex` repository is implemented across the following modules:

| File | Purpose |
|------|---------|
| [`codex-cli/src/config.rs`](https://github.com/openai/codex/blob/main/codex-cli/src/config.rs) | Defines the `Config` struct with `load()` and `save()` methods for reading and writing `~/.codex/config.toml`, including the `auth_token` field. |
| [`codex-cli/src/commands/logout.rs`](https://github.com/openai/codex/blob/main/codex-cli/src/commands/logout.rs) | Implements the `logout` subcommand logic that instantiates the config, clears the token, and persists the change. |
| [`codex-cli/src/main.rs`](https://github.com/openai/codex/blob/main/codex-cli/src/main.rs) | Registers the `logout` subcommand in the CLI argument parser and dispatches execution to the logout handler. |
| [`docs/authentication.md`](https://github.com/openai/codex/blob/main/docs/authentication.md) | Documents the authentication flow, token storage location, and logout procedures for end users. |

These files collectively ensure that the logout process is atomic—either the configuration is successfully updated with the token removed, or the operation fails without corrupting the config file.

## Summary

- **Run `codex logout`** to remove the authentication token from `~/.codex/config.toml` and terminate your session.
- The command clears the `auth_token` field via the `Config` struct in [`codex-cli/src/config.rs`](https://github.com/openai/codex/blob/main/codex-cli/src/config.rs) and saves the updated configuration.
- **Verify logout** by running `codex status` or inspecting the configuration file directly.
- For custom integrations, use the Rust `Config::load()` and `Config::save()` APIs to programmatically clear credentials.

## Frequently Asked Questions

### What file does Codex CLI store the authentication token in?

Codex CLI stores the authentication token in `~/.codex/config.toml` on your local machine. This TOML file contains the `auth_token` field that the CLI reads during API requests. When you run `codex logout`, the binary clears this specific field while preserving other configuration settings.

### Can I log out of Codex CLI programmatically from my Rust application?

Yes, you can programmatically log out by importing the `codex_cli::config::Config` module and calling `Config::load()` to read the existing configuration, setting `cfg.auth_token = None`, and then invoking `cfg.save()` to persist the changes. This approach mirrors the internal implementation found in [`codex-cli/src/commands/logout.rs`](https://github.com/openai/codex/blob/main/codex-cli/src/commands/logout.rs).

### How do I verify that I have successfully logged out from Codex CLI?

Run the `codex status` command in your terminal. If the logout was successful, the CLI will display a message indicating that you are not currently authenticated and will suggest running `codex login` to establish a new session. Alternatively, you can manually check that the `auth_token` field is empty or absent in `~/.codex/config.toml`.

### Is there a way to force Codex CLI to prompt for new credentials?

Yes, running `codex logout` effectively forces the CLI to prompt for new credentials on the next authenticated command. Once the token is cleared from `~/.codex/config.toml`, any subsequent operation that requires API access—such as `codex chat` or `codex run`—will detect the missing authentication and prompt you to run `codex login` to provide fresh credentials.