
OpenAI brought Codex Remote to general availability on June 25, 2026, opening phone-based control of long-running AI coding sessions to every paid ChatGPT subscriber — Plus, Pro, Business, Enterprise, and Education. The launch does more than extend a preview to a wider audience: it replaces the previous remote-shell connection approach with a purpose-built relay architecture designed to keep development machines inaccessible to the public internet while remaining reachable from anywhere a developer happens to be. For the more than 5 million developers who already use Codex each week, the practical effect is that approving an agent action, steering a long-running task, or reviewing a set of diffs no longer requires sitting at the machine where the code is running.
The shift from preview to GA comes with a significant security redesign. The previous approach to remote development — whether through VPN tunneling, SSH port forwarding, or cloud-hosted environments — required either exposing a network port, managing credential infrastructure, or moving the execution environment off the developer's own machine. OpenAI's relay architecture sidesteps all three. The Codex app on the host machine communicates outbound through a secure relay layer maintained by OpenAI, which syncs active session state to any authorized ChatGPT-signed-in device without advertising the host's address to the internet. No inbound ports are opened. The host machine's projects, credentials, plugins, and Model Context Protocol (MCP) servers stay local; the relay transmits only session messages — prompts, approvals, diffs, screenshots, and terminal output — between the phone and the host.
This matters because Codex authentication tokens have become high-value targets. A supply chain attack documented by Aikido Security researchers in May 2026 showed that a malicious npm package posing as a Codex remote UI accumulated more than 29,000 weekly downloads before it was identified as exfiltrating developer tokens to an attacker-controlled server. A stolen Codex refresh token, Aikido researcher Charlie Eriksen explained, grants persistent silent access to an account without needing a password — because the refresh token does not expire.
Rather than relying on a shared secret or an open listening port, the new connection model uses one-to-one authenticated QR pairing. Setup begins on the host machine: opening the Codex app's sidebar and selecting "Set up Codex mobile" starts the pairing flow and displays a QR code. Scanning that code with the ChatGPT mobile app opens a setup flow that requires confirming the same ChatGPT account and workspace and completing any required multi-factor authentication, single sign-on, or passkey steps. The pairing is specific — each phone must be paired with each host it is authorized to control, and each pairing is validated against the account's existing authentication framework.
Existing connections that have been used since June 8, 2026, carry over automatically after updating both the Codex desktop app and the ChatGPT mobile app to their latest versions. Connections that have not been used since June 8 require a fresh pairing. Signing out of ChatGPT disables remote control without removing existing pairings, which are restored when the user signs back in and re-enables remote control.
The QR pairing model is a meaningful departure from the industry patterns that came before it. Prior approaches to developer remote access — including VPN meshes, SSH port forwarding, and cloud-hosted development environments from providers such as Gitpod and GitHub Codespaces — either moved execution off the developer's machine, required network exposure, or depended on long-lived credentials that, once stolen, provided indefinite access. QR authentication encodes a session token that grants a specific device access through a time-limited handshake; it requires the developer's physical presence to initiate and binds the connection to the existing ChatGPT authentication chain rather than introducing a separate credential layer.
Once paired, the mobile interface provides access to the full state of a running Codex session. Developers can start new threads in existing host projects, send follow-up prompts, answer agent questions, approve or deny commands and other actions, and review diffs, test results, terminal output, and screenshots. Push notifications fire when Codex completes a task or needs input — a design that lets long-running work proceed without requiring the developer to poll for updates. The "steer" function allows injecting guidance into active work while it is still in progress, rather than queuing a follow-up prompt for after the current task finishes.
OpenAI's own framing of this capability — that it allows developers to "unblock" an agent when its judgment is needed — names the underlying design principle more precisely than convenience: the relay architecture exists to make human-in-the-loop oversight frictionless. AI safety researchers have documented a failure mode in agentic systems where human check-ins, when they are inconvenient or require physical presence at a specific machine, become cursory or are skipped entirely. Eliminating the geographic requirement for an approval is an architectural choice that keeps oversight substantive rather than ceremonial.
The relay architecture does not eliminate the need for a capable, available host. Remote access stops immediately if the host goes to sleep, loses its network connection, or closes the Codex app. On Mac laptops, remote access requires the lid to be open with power connected; closing the lid cuts the connection unless an external display is also connected. On Windows hosts, tasks that use Computer Use require the session to remain unlocked, because Computer Use on Windows runs in the foreground and requires an active desktop. Developers who want Codex to stay reachable for long-running overnight or background work are advised to use a dedicated always-on desktop machine rather than a laptop.
Alongside the Remote GA, OpenAI released a new DigitalOcean Droplet Workspace plugin that allows Codex to provision a cloud Droplet, configure SSH access to it, and connect it to the Codex app as a persistent remote workspace. The plugin addresses a specific friction point: developers who want to hand off heavy or long-duration tasks to a cloud machine without maintaining separate infrastructure can now do it directly from within Codex. Tasks running on a Droplet are not affected by host sleep or network interruptions on the developer's local machine, and the Droplet remains accessible through the same relay layer as any other paired host.
The Droplet plugin is part of a broader move by OpenAI toward cloud-resident agent execution. OpenAI's June 11, 2026 announcement of its acquisition of Ona (formerly Gitpod) — whose platform runs AI coding agents in persistent cloud sandboxes — signals that the longer-term architecture for Codex involves agents that continue working even after a developer closes their laptop, not just agents that can be supervised from a phone.
OpenAI has not published an independent third-party security audit specifically of the relay architecture or the QR pairing implementation. What is publicly documented is the track record of vulnerability disclosure and remediation on the broader Codex platform: a command injection flaw in GitHub branch-name handling, discovered by BeyondTrust Phantom Labs researcher Tyler Jespersen and reported to OpenAI in December 2025, was patched by February 5, 2026; a covert DNS-based data exfiltration path in the ChatGPT code execution environment was patched by February 20, 2026. The supply chain attack on codexui-android demonstrated that the Codex ecosystem is an active target for credential theft, and the QR pairing model's one-to-one binding and multi-factor authentication requirement are the structural controls OpenAI has put in place.
Developers in enterprise environments should confirm with their workspace administrator that Remote Control access has been enabled in workspace permissions before expecting the pairing to succeed.
Codex Remote is available today on every paid ChatGPT plan. Users should update both the Codex desktop app and the ChatGPT mobile app to their latest versions before pairing. Setup begins on the host machine from the sidebar menu. Full documentation is available at the Codex Remote connections page.
Does Codex code actually run on my phone when using Codex Remote?
No. The code, file system, credentials, plugins, and agent execution all remain on the host machine — the Mac or Windows desktop where the Codex app is running. The phone sends prompts, approvals, and steering messages through OpenAI's relay layer, and receives session output — diffs, screenshots, terminal output, and notifications — in return. Nothing from the codebase or its credentials is stored on or transmitted to the phone itself.
How does the QR pairing model protect my development machine from unauthorized remote access?
The QR code encodes a session handshake token specific to one pairing attempt. Completing the pairing requires scanning the code with a device already signed into the same ChatGPT account and workspace, and passing any configured multi-factor authentication, single sign-on, or passkey step. Because the pairing is account-bound and requires physical access to the host machine to initiate, it is resistant to the remote credential-theft attacks that have targeted Codex tokens through third-party packages. The relay layer keeps the host's address off the public internet entirely.
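To make the properties described in the pairing paragraphs above (the one-to-one, time-limited, account-bound QR handshake) and in the relay description earlier in the article (outbound-only host, session messages only) concrete, here is a small Python model of that design. It is an added illustration and not OpenAI's code: the class names, the 120-second token lifetime, the message-type list and the return strings are all assumptions chosen to show how each check rejects a specific misuse, not details published by OpenAI.

```python
# Toy model of one-to-one, time-limited pairing plus a message-only relay.
# Added illustration, not OpenAI's implementation: every name, the TTL and
# the message types are assumptions made for this example.
import hmac
import secrets
from dataclasses import dataclass

PAIRING_TTL_SECONDS = 120  # assumed handshake lifetime; the article gives no number

# The relay forwards session traffic only; any other message kind is refused.
SESSION_MESSAGE_TYPES = frozenset(
    {"prompt", "approval", "steer", "diff", "screenshot", "terminal_output", "notification"}
)


@dataclass
class PairingOffer:
    """One QR code: a single-use token bound to one host and one account/workspace."""
    token: str
    host_id: str
    account_id: str
    workspace_id: str
    issued_at: float
    used: bool = False


class Host:
    """Stands in for the Codex app on the developer machine."""

    def __init__(self, host_id: str, account_id: str, workspace_id: str, relay: "Relay"):
        self.host_id, self.account_id, self.workspace_id = host_id, account_id, workspace_id
        self.log: list[tuple[str, str]] = []
        relay.register_host(self)  # outbound connection: the relay never learns a listening address

    def start_pairing(self, relay: "Relay", now: float) -> PairingOffer:
        """Only callable from the host's own UI, so it requires being at the machine."""
        offer = PairingOffer(secrets.token_urlsafe(32), self.host_id,
                             self.account_id, self.workspace_id, now)
        relay.register_offer(offer)
        return offer

    def handle(self, msg_type: str, payload: str) -> str:
        self.log.append((msg_type, payload))
        return "delivered"


class Relay:
    """Relay stand-in: holds offers and pairings, never host addresses."""

    def __init__(self) -> None:
        self.hosts: dict[str, Host] = {}
        self.offers: dict[str, PairingOffer] = {}
        self.pairings: set[tuple[str, str]] = set()  # (device_id, host_id)
        self.signed_out_accounts: set[str] = set()

    def register_host(self, host: Host) -> None:
        self.hosts[host.host_id] = host

    def register_offer(self, offer: PairingOffer) -> None:
        self.offers[offer.token] = offer

    def redeem(self, token: str, device_id: str, account_id: str,
               workspace_id: str, mfa_passed: bool, now: float) -> str:
        """Phone-side redemption of a scanned code; each check names what it rejects."""
        offer = self.offers.get(token)
        if offer is None:
            return "unknown_token"
        if offer.used:                                   # one token pairs exactly one device
            return "already_used"
        if now - offer.issued_at > PAIRING_TTL_SECONDS:  # time-limited handshake
            return "expired"
        if not (hmac.compare_digest(offer.account_id, account_id)
                and hmac.compare_digest(offer.workspace_id, workspace_id)):
            return "account_mismatch"                    # bound to the existing sign-in
        if not mfa_passed:
            return "mfa_required"
        offer.used = True
        self.pairings.add((device_id, offer.host_id))
        return "paired"

    def sign_out(self, account_id: str) -> None:
        self.signed_out_accounts.add(account_id)         # pairings are kept, control is disabled

    def sign_in(self, account_id: str) -> None:
        self.signed_out_accounts.discard(account_id)

    def forward(self, device_id: str, host_id: str, msg_type: str, payload: str) -> str:
        if (device_id, host_id) not in self.pairings:
            return "not_paired"
        host = self.hosts.get(host_id)
        if host is None:
            return "host_offline"                        # asleep, closed or disconnected
        if host.account_id in self.signed_out_accounts:
            return "remote_control_disabled"
        if msg_type not in SESSION_MESSAGE_TYPES:
            return "rejected_message_type"
        return host.handle(msg_type, payload)


def demo() -> dict[str, str]:
    """Walks one pairing through the checks with constructed ids and timestamps."""
    relay = Relay()
    host = Host("desk-host", "acct-1", "ws-1", relay)
    t0 = 1_000.0
    offer = host.start_pairing(relay, t0)
    out = {
        "wrong_account": relay.redeem(offer.token, "phone-a", "acct-2", "ws-1", True, t0 + 5),
        "no_mfa": relay.redeem(offer.token, "phone-a", "acct-1", "ws-1", False, t0 + 5),
        "paired": relay.redeem(offer.token, "phone-a", "acct-1", "ws-1", True, t0 + 10),
        "replay": relay.redeem(offer.token, "phone-b", "acct-1", "ws-1", True, t0 + 11),
    }
    stale = host.start_pairing(relay, t0)
    out["expired"] = relay.redeem(stale.token, "phone-b", "acct-1", "ws-1", True,
                                  t0 + PAIRING_TTL_SECONDS + 1)
    out["approval"] = relay.forward("phone-a", "desk-host", "approval", "allow: run tests")
    out["non_session"] = relay.forward("phone-a", "desk-host", "file_transfer", "upload")
    out["unpaired"] = relay.forward("phone-b", "desk-host", "prompt", "hello")
    relay.sign_out("acct-1")
    out["signed_out"] = relay.forward("phone-a", "desk-host", "prompt", "hello")
    relay.sign_in("acct-1")
    out["signed_back_in"] = relay.forward("phone-a", "desk-host", "prompt", "hello")
    return out
```

Running `demo()` shows each property as a distinct refusal: a second phone replaying the same token gets `already_used`, a code scanned after the lifetime gets `expired`, and a message kind outside the session set is dropped at the relay before it reaches the host. The sign-out path mirrors the article's note that signing out disables remote control without discarding pairings.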
What happens to my agentic coding workflow if my host machine goes to sleep?
Remote access stops immediately when the host machine sleeps, loses network connectivity, or closes the Codex app. On Mac laptops, the lid must remain open with power connected — or an external display must be attached — for access to stay available. Windows hosts running Computer Use must remain unlocked. For long-running work, OpenAI recommends using a dedicated always-on desktop as the host machine, or a DigitalOcean Droplet provisioned through the new workspace plugin.
Why does OpenAI describe the mobile control feature as supporting better human oversight of AI agents?
Agentic coding workflows involve long-running autonomous tasks where the AI makes consequential decisions — writing code, running tests, opening pull requests — with minimal human input. When checking in requires a developer to be physically at their machine, those check-ins tend to become less frequent. The relay-based phone access is designed to keep human oversight practical and low-friction at any point during a task, not just when a developer happens to be at their desk.
