One Account, One Container: How Codex Hosted Isolation Works
Device-code sign-in, no password custody, one isolated container per ChatGPT account, never pooled, AES-256-GCM for stored keys. The Codex Hosted security model, explained.
The Codex Hosted security model fits in one sentence: one ChatGPT account, one isolated container, signed in by you through OpenAI’s device-code flow, never pooled, never shared, disconnectable at any time. We never hold your password, and stored fallback keys are encrypted with AES-256-GCM. This page unpacks each clause, because trust claims are only useful when you can check them against a mechanism. For the product overview first, see what is Codex Hosted?
Why isolation is the design center
OpenAI’s Terms of Use are precise about accounts: you may not share credentials or make your account available to anyone else, and you are responsible for activity under your account. The gray market fails exactly here. Resellers pool bulk accounts and sell slices of them, which is the behavior the terms name.
Codex Hosted is built as the counter-model. Your subscription serves you, full stop. With no pooling there is no shared-capacity engine to optimize, no incentive to blend traffic, and nothing to resell. One account, one container is the only mode we run. The account clauses, quoted and read closely, are in sharing an OpenAI account: what the terms say.
Sign-in without password custody
Connecting an account uses OpenAI’s device-code flow, the documented auth path for machines without a browser (developers.openai.com/codex/auth):
1. Your dashboard requests a device code from OpenAI.
2. You open the verification link and approve the code at chatgpt.com,
signed in as yourself, on any device you trust.
3. OpenAI issues the session directly into your container.At no point does a password cross our systems. There is no password field anywhere in this flow, so there is nothing for us to store, mishandle, or leak. The session OpenAI issues lands inside your container and works only there.
What runs inside your container
Each container runs the official, unmodified Codex CLI under your ChatGPT session, plus the queue that serializes your requests. It accepts work only from requests authenticated with your ProxyLLM keys. Connect a second account you own and it gets a second, equally isolated container; the gateway treats the two as ordered fallback lanes, never as a blended pool.
Credential custody, in one table
| Credential | Where it lives | What we can do with it |
|---|---|---|
| ChatGPT password | with you and OpenAI only | nothing; it never reaches us |
| Codex session | inside your container | run your requests on your plan |
| Fallback API keys | encrypted at rest, AES-256-GCM | decrypted only to serve your requests |
| ProxyLLM API keys | issued by us, scoped to your account | authenticate your apps at the gateway |
What never happens
- Your account joining a pool that serves other customers.
- Capacity from your plan being resold to anyone.
- Another customer’s request running in your container, or yours in theirs.
- A ProxyLLM page asking for your OpenAI password. If you ever see one, you are not on our flow; close it.
Disconnecting is always available
Disconnect an account in the dashboard at any time: the container shuts down and the session goes with it. You can also sign the session out from your own OpenAI account, which kills it from OpenAI’s side. Reconnecting later is the same one-minute device-code flow described in the setup guide.
Where the terms fit
Isolation is an engineering choice in service of a policy stance. Programmatic Codex use through codex exec is documented, intended functionality, and device-code sign-in for remote machines is documented too. OpenAI’s terms still govern your account, and OpenAI has the final call on its services. We keep the design inside the documented account rules, and our terms commit to complying immediately if OpenAI directs a change. The complete reading is in is Codex Hosted against OpenAI’s terms?
The standard we hold ourselves to: trust should be verifiable rather than promised. The device-code screen shows you exactly what you are authorizing, the request log shows every call your container served, and disconnect is a button, not a support ticket.
If the model holds up to your read, Codex Hosted takes about five minutes to try, and disconnecting takes one click if it does not fit.
Frequently asked questions
Does ProxyLLM see my ChatGPT password?
No. Sign-in uses OpenAI's device-code flow: you approve a code at chatgpt.com while signed in as yourself, and OpenAI issues the session directly into your container. Your password travels between you and OpenAI only.
Are ChatGPT accounts ever pooled or shared on ProxyLLM?
Never. Each connected account runs in its own isolated container that serves only your workloads. We do not pool capacity across customers, resell access, or route anyone else's traffic through your session.
How does ProxyLLM store API keys?
Fallback API keys are encrypted at rest with AES-256-GCM and decrypted only to serve your own requests. Your ChatGPT password is never stored because it never reaches us.
Can I disconnect my ChatGPT account from Codex Hosted?
Yes, anytime. Disconnecting shuts down the container and the session with it, and you can also sign that session out from your own OpenAI account.
Why one container per account?
Because OpenAI's terms prohibit sharing an account or making it available to others. Isolation keeps each subscription serving its owner only, which is the account shape the terms describe. OpenAI retains discretion over its services regardless.