{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigclufin3kotywnxz6zw2jxoijkfbo2acvxo5ihsbofrpb4eyvyoy",
"uri": "at://did:plc:ws6dhxzqnqxu5aqxt4kd27oc/app.bsky.feed.post/3mktyz2an3rc2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiaxgtyw42hkndapzbyht2nhapydcy36ucuiwt7gcaq4nt2qmhlita"
},
"mimeType": "image/png",
"size": 1431766
},
"description": "The exact flags, profiles, and safer alternatives for running OpenAI's Codex CLI without approval prompts.",
"path": "/codex-cli-skip-permissions-how-to-bypass-approvals-and-sandbox/",
"publishedAt": "2026-05-02T06:23:50.000Z",
"site": "https://allthings.how",
"textContent": "OpenAI's Codex CLI does not have a flag literally called `--skip-permissions`. The closest equivalent to Claude Code's `--dangerously-skip-permissions` is `--dangerously-bypass-approvals-and-sandbox`, which removes both the approval gate and the file/network sandbox at the same time. For most daily work, a softer combination is preferable, because Codex separates approvals, sandbox scope, and network access into three independent settings.\n\n**Quick answer:** Run `codex --dangerously-bypass-approvals-and-sandbox \"your prompt\"` to disable all approval prompts and sandboxing. Use it only inside containers, VMs, disposable branches, or CI runners.\n\n* * *\n\n### Codex permission model in one view\n\nCodex CLI behavior is the product of three settings, not one switch. Looking only at the approval policy is the most common source of confusion, because `--full-auto` still blocks outbound network calls by default.\n\nSetting| Values| Controls\n---|---|---\n`approval_policy` (`-a`)| `untrusted`, `on-request`, `never`| How often Codex asks before acting\n`sandbox_mode` (`-s`)| `read-only`, `workspace-write`, `danger-full-access`| What files and commands are allowed\n`sandbox_workspace_write.network_access`| `true` / `false`| Whether outbound network is allowed inside the sandbox\n\n* * *\n\n### Full bypass: --dangerously-bypass-approvals-and-sandbox\n\nThis is the literal \"skip permissions\" mode for Codex. It disables approval prompts and removes sandbox restrictions in one step, which is what people usually want when they automate long, unattended runs.\n\n\n codex --dangerously-bypass-approvals-and-sandbox \"Refactor the auth module and run tests\"\n\nYou can verify it is active because Codex stops asking before file writes, shell commands, and network calls. If a confirmation dialog still appears for an action, the flag is not in effect for that session, usually because a profile or `config.toml` setting overrode it.\n\nHeadless runs through `codex exec` accept the same flag, which makes it suitable for CI jobs and scripts where no human is available to click approve.\n\n\n codex exec --dangerously-bypass-approvals-and-sandbox \\\n --cd /workspace \\\n -m gpt-5.4 \\\n \"Apply the migration and commit the result\"\n\nNote: An older alias, `--yolo`, maps to the same \"no sandbox, no approvals\" preset and still works in current builds. Prefer the long form in scripts so the intent is explicit.\n\n* * *\n\n### Safer alternatives that still skip most prompts\n\nMost users do not need a full bypass. The two patterns below cover almost every \"stop interrupting me\" use case while keeping at least one guardrail active.\n\n**Auto-approve inside the workspace, no network.** The `--full-auto` shortcut combines `on-request` approvals with `workspace-write`, so Codex edits files and runs commands in your project directory without asking, but still prompts before stepping outside that scope.\n\n\n codex --full-auto \"Run unit tests and fix failures\"\n\n**Never ask, but keep the sandbox.** Set the approval policy to `never` while leaving `workspace-write` on, and explicitly enable network if the task requires it.\n\n\n codex -a never -s workspace-write \\\n -c 'sandbox_workspace_write.network_access=true' \\\n \"Update dependencies and run the migration\"\n\n* * *\n\n### Comparison of approval-skipping modes\n\nGoal| Command| Approvals| Sandbox| Network\n---|---|---|---|---\nReduce prompts for daily work| `codex --full-auto`| On request| workspace-write| Off\nSilent runs with file guardrails| `codex -a never -s workspace-write`| Never| workspace-write| Off (toggle separately)\nSilent runs with network| `-c 'sandbox_workspace_write.network_access=true'`| Never| workspace-write| On\nFull machine access, still tracked| `codex -a never -s danger-full-access`| Never| danger-full-access| On\nFull bypass| `codex --dangerously-bypass-approvals-and-sandbox`| None| None| On\n\n* * *\n\n### Persisting the choice in config.toml\n\nPassing flags on every run gets noisy. Codex reads `~/.codex/config.toml` and supports named profiles, which lets you pin a default and switch with `-p`.\n\n\n approval_policy = \"on-request\"\n sandbox_mode = \"workspace-write\"\n\n [profiles.networked]\n approval_policy = \"never\"\n sandbox_mode = \"workspace-write\"\n\n [profiles.networked.sandbox_workspace_write]\n network_access = true\n\n [profiles.yolo]\n approval_policy = \"never\"\n sandbox_mode = \"danger-full-access\"\n\nLaunch with the profile name when you need it.\n\n\n codex -p networked \"Update dependencies\"\n codex -p yolo \"Non-interactive build\"\n\nResolution order is fixed: command-line flags beat the active profile, the profile beats `config.toml` defaults, and built-in defaults sit at the bottom. If a setting is not taking effect, check that a higher layer is not overriding it.\n\n* * *\n\n### Changing modes mid-session\n\nInside an interactive Codex session, type `/permissions` to switch between Read-only, Auto, and Full Access without restarting the CLI. The new mode applies to the next action Codex takes. This is the safest way to grant temporary access for one risky step and then drop back to the default.\n\n* * *\n\n### When the bypass flag is appropriate\n\nFull bypass trades safety for throughput. It is reasonable in environments where the surrounding system is already a guardrail.\n\n * Containers, devcontainers, or short-lived VMs\n * CI runners where the workspace is wiped after each job\n * Disposable Git branches that will be reviewed via diff before merge\n * Long, repetitive lint, format, or test-fix loops on non-sensitive code\n\n\n\nIt is a poor fit for hosts with production credentials, repos that contain customer data or secrets, machines logged into cloud CLIs that can deploy or delete real resources, and any workspace where a destructive command would have lasting consequences.\n\n* * *\n\n### Coming from Claude Code\n\nThe mental model differs slightly between the two tools. Claude Code bundles approval and sandbox behavior into a single permission mode, while Codex exposes them separately.\n\nClaude Code| Codex CLI equivalent\n---|---\n`claude --dangerously-skip-permissions`| `codex --dangerously-bypass-approvals-and-sandbox`\n`claude --permission-mode bypassPermissions`| `codex --dangerously-bypass-approvals-and-sandbox`\nDefault Claude workflow| `codex --full-auto`\nRead-only consultative use| `codex -s read-only` or `/permissions` → Read-only\n\n* * *\n\n### Common reasons the flag does not seem to work\n\n * **A profile is overriding it.** A `-p` argument or an active default profile in `config.toml` can pin `approval_policy` back to `on-request`. Drop the profile or pass the bypass flag explicitly on the command line.\n * **Network calls fail under`--full-auto`.** That preset keeps network off. Either switch to the full bypass flag or add `-c 'sandbox_workspace_write.network_access=true'`.\n * **Linux user namespaces blocked.** On some Ubuntu setups, the sandbox cannot start and Codex prompts to skip the sandbox for routine edits. Configuring an AppArmor profile that allows `userns` for the `codex` binary is the documented workaround for that environment.\n\n\n\nTreat the full bypass as the last setting you reach for, not the first. In most repositories `--full-auto` or `-a never -s workspace-write` with selective network access removes the prompts that interrupt you while keeping the boundary that prevents an unattended agent from touching parts of the system you did not intend to change.",
"title": "Codex CLI Skip Permissions: How to Bypass Approvals and Sandbox",
"updatedAt": "2026-05-02T06:23:52.323Z"
}