Codex Auth: API Key vs ChatGPT Sign-In, Compared

ChatGPT sign-in bills Codex to your flat plan with usage windows. An API key bills per token with per-minute limits. How to choose, and when to run both as lanes.

Codex accepts two credentials, and they buy two different deals. ChatGPT sign-in bills work to your flat subscription, with usage governed by plan windows; it is the path OpenAI’s README recommends. An API key bills per token with no windows and no ceiling beyond your budget. The short decision: your own daily and bulk work on the plan, shared CI on a key, and high-volume setups run both in order.

If you are setting up the CLI for the first time, the getting-started guide covers installation; this page is just the auth decision.

How each path signs in

```bash
# Plan-backed: sign in with your ChatGPT account
codex login                 # opens a browser
codex login --device-auth   # headless: approve a code at chatgpt.com

# Metered: authenticate with an OpenAI API key
codex login --api-key       # or set OPENAI_API_KEY for scripted setups
```

ChatGPT sign-in is OpenAI’s device-code or browser OAuth flow; the resulting session lives in auth.json under your Codex home directory. The headless variant is documented for servers (developers.openai.com/codex/auth), and we walk it step by step in codex login without a browser. An API key is the same credential you would use with the OpenAI API directly: created in the platform dashboard, scoped to a project, revocable in one click.
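Because the session in auth.json is a bearer credential for your plan, its file permissions are worth checking on any shared or headless host. The audit below is an added example, not code from the Codex project; it assumes POSIX file modes and that the Codex home is `$CODEX_HOME` with a default of `~/.codex`.

```python
import os
import stat
from pathlib import Path


def codex_home() -> Path:
    # Assumption: CODEX_HOME overrides a default of ~/.codex.
    return Path(os.environ.get("CODEX_HOME") or Path.home() / ".codex")


def audit_auth_file(home: Path) -> list:
    """Return findings for auth.json under `home`; an empty list means clean."""
    auth = home / "auth.json"
    if not auth.exists():
        return ["auth.json not found under Codex home"]
    findings = []
    if auth.is_symlink():
        findings.append("auth.json is a symlink; audit the target as well")
    st = auth.stat()
    mode = stat.S_IMODE(st.st_mode)
    # Any group/other bit lets another local account read or alter the session.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"auth.json mode {mode:04o} exposes the session; use 0600")
    if st.st_uid != os.getuid():
        findings.append("auth.json is owned by another user")
    # A writable directory lets others swap the file even if the file is 0600.
    dir_mode = stat.S_IMODE(home.stat().st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"Codex home mode {dir_mode:04o} lets others replace auth.json")
    return findings


if __name__ == "__main__":
    for finding in audit_auth_file(codex_home()):
        print("FINDING:", finding)
```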

Billing: a flat window vs a running meter

This is the real difference. On ChatGPT sign-in, the subscription price is the entire bill for that lane. OpenAI’s planning estimates, and ours, look like this (estimates, not guarantees):

| Plan | Price | API-equivalent capacity per month (estimate) |
| --- | --- | --- |
| Plus | $20/mo | ~$700 |
| Pro 5x | $100/mo | ~$3,500 |
| Pro 20x | $200/mo | ~$14,000 |

On an API key, the same work meters out token by token. A workload that would cost about $3,500/month at API rates fits inside a Pro 5x subscription at $100, capacity permitting. A ChatGPT plan makes Codex a fixed cost; an API key makes it a meter. The full cost comparison runs this math against concrete workloads.

The meter has one advantage worth naming: it never says no. If a job must run right now regardless of price, a key always answers.

Limits: calendar windows vs per-minute throttles

The two lanes fail differently, and knowing the failure shape matters more than the price for production work.

Plan limits are windows: an hours-scale rolling window, plus a weekly component on paid plans. What a window holds varies by plan and model, and the numbers drift, so check OpenAI’s pricing page rather than any blog post, including this one. When a window exhausts, no retry policy helps; capacity returns when the window resets.

API-key limits are throttles: requests and tokens per minute, set by your API tier. Exceed them and you get a 429, which a client can back off from and retry cleanly. There is no calendar; the only hard stop is your spending limit.

Where each fits

| Scenario | Pick | Why |
| --- | --- | --- |
| Daily coding on your machine | ChatGPT sign-in | Included in the plan you already pay for |
| Your own agents, cron, batch jobs | ChatGPT sign-in | Bulk work at a flat price |
| Shared team CI runners | API key | A repo secret is auditable, revocable, and impersonal |
| Overflow beyond plan windows | API key | The meter absorbs what windows cannot |

Shared CI deserves the extra sentence. OpenAI’s official GitHub Action is documented with API-key secrets, and that is the right call: a personal plan session in a pipeline that teammates trigger blurs the one-user-one-account line OpenAI’s terms draw. Shared CI belongs on an API key; your own bulk work belongs on your plan. The full reasoning is in can GitHub Actions use your ChatGPT plan.

Running both as ordered lanes

The CLI makes you choose per session. A gateway does not. Codex Hosted keeps your ChatGPT account signed in inside an isolated container and serves it as an OpenAI-compatible endpoint; your API key sits behind it as a fallback lane. Requests run flat until a window exhausts, overflow runs metered, and the request log shows which lane served each call. One honest caveat: responses on the Codex lane arrive complete rather than streamed, while key-backed lanes stream normally.

That ordering turns the auth decision from either-or into a sequence: plan first because it is already paid for, key second because it never says no.
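The ordering and the two failure shapes from the limits section, as an added sketch that is not the gateway's or OpenAI's code: a spent window moves to the next lane without retrying, a 429 backs off and retries on the same lane, and the log records which lane served each call. The exception names and the constructed lanes are hypothetical; the page does not say how a real upstream signals an exhausted window.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

class WindowExhausted(Exception): pass   # hypothetical: plan window spent, retry is useless
class Throttled(Exception): pass         # hypothetical: per-minute 429, backoff clears it

@dataclass
class Lane:
    name: str
    send: Callable[[str], str]
    retries: int = 0                     # extra attempts after a Throttled error

@dataclass
class Router:
    lanes: list                          # tried in order: plan first, key second
    sleep: Callable[[float], None] = time.sleep
    log: list = field(default_factory=list)   # (lane, outcome) per attempt

    def dispatch(self, prompt: str) -> str:
        for lane in self.lanes:
            for attempt in range(lane.retries + 1):
                try:
                    reply = lane.send(prompt)
                except WindowExhausted:
                    self.log.append((lane.name, "window_exhausted"))
                    break                # do not retry; fall through to the next lane
                except Throttled:
                    self.log.append((lane.name, "throttled"))
                    if attempt < lane.retries:
                        self.sleep(0.5 * 2 ** attempt)   # exponential backoff
                else:
                    self.log.append((lane.name, "served"))
                    return reply
        raise RuntimeError("no lane could serve the request")

def make_constructed_lanes(plan_capacity: int, key_429s: int) -> list:
    # Constructed stand-ins for the two upstreams; nothing here touches a network.
    left = {"plan": plan_capacity, "429": key_429s}
    def plan(prompt):
        if left["plan"] <= 0:
            raise WindowExhausted()
        left["plan"] -= 1
        return f"plan:{prompt}"
    def key(prompt):
        left["429"] -= 1
        if left["429"] >= 0:
            raise Throttled()
        return f"key:{prompt}"
    return [Lane("plan", plan), Lane("key", key, retries=3)]
```

Counting the `("key", "served")` entries in `log` shows how much traffic is spilling onto the meter, which is the number to alert on when the key lane has a spending limit.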

If you want the decision in dollars instead of principles, the calculator maps your current usage to a plan tier in under a minute.

Frequently asked questions

Should I use an API key or ChatGPT sign-in for Codex?

ChatGPT sign-in for your own work: usage bills to the flat plan price, and OpenAI's README recommends it. An API key for shared environments like team CI: it is metered per token, revocable as a secret, and not tied to anyone's personal account.

Does Codex cost extra with ChatGPT sign-in?

Codex is included in ChatGPT Free, Go, Plus, Pro, Business, Edu, and Enterprise plans, subject to each plan's usage limits. On that lane the subscription is the whole bill; there is no per-token charge. OpenAI's pricing page lists what each plan includes.

What changes when Codex runs on an API key?

Billing becomes per-token at OpenAI's API rates, plan usage windows stop applying, and per-minute request and token limits for your API tier govern throughput instead. Cost scales with usage rather than stopping at a subscription price.

Can I use both auth methods at once?

Not in a single CLI session; Codex uses one credential at a time. You can keep both configured and switch, or run them as ordered lanes through a gateway: the subscription serves requests until a window exhausts, then the API key absorbs overflow.
