OpenAI's Codex CLI does not have a flag literally called --skip-permissions. The closest equivalent to Claude Code's --dangerously-skip-permissions is --dangerously-bypass-approvals-and-sandbox, which removes both the approval gate and the file/network sandbox at the same time. For most daily work, a softer combination is preferable, because Codex separates approvals, sandbox scope, and network access into three independent settings.
Quick answer: Run codex --dangerously-bypass-approvals-and-sandbox "your prompt" to disable all approval prompts and sandboxing. Use it only inside containers, VMs, disposable branches, or CI runners.
Codex permission model in one view
Codex CLI behavior is the product of three settings, not one switch. Looking only at the approval policy is the most common source of confusion, because --full-auto still blocks outbound network calls by default.
| Setting | Values | Controls |
|---|---|---|
approval_policy (-a) | untrusted, on-request, never | How often Codex asks before acting |
sandbox_mode (-s) | read-only, workspace-write, danger-full-access | What files and commands are allowed |
sandbox_workspace_write.network_access | true / false | Whether outbound network is allowed inside the sandbox |
Full bypass: --dangerously-bypass-approvals-and-sandbox
This is the literal "skip permissions" mode for Codex. It disables approval prompts and removes sandbox restrictions in one step, which is what people usually want when they automate long, unattended runs.
codex --dangerously-bypass-approvals-and-sandbox "Refactor the auth module and run tests"You can verify it is active because Codex stops asking before file writes, shell commands, and network calls. If a confirmation dialog still appears for an action, the flag is not in effect for that session, usually because a profile or config.toml setting overrode it.
Headless runs through codex exec accept the same flag, which makes it suitable for CI jobs and scripts where no human is available to click approve.
codex exec --dangerously-bypass-approvals-and-sandbox \
--cd /workspace \
-m gpt-5.4 \
"Apply the migration and commit the result"Note: An older alias, --yolo, maps to the same "no sandbox, no approvals" preset and still works in current builds. Prefer the long form in scripts so the intent is explicit.
Safer alternatives that still skip most prompts
Most users do not need a full bypass. The two patterns below cover almost every "stop interrupting me" use case while keeping at least one guardrail active.
Auto-approve inside the workspace, no network. The --full-auto shortcut combines on-request approvals with workspace-write, so Codex edits files and runs commands in your project directory without asking, but still prompts before stepping outside that scope.
codex --full-auto "Run unit tests and fix failures"Never ask, but keep the sandbox. Set the approval policy to never while leaving workspace-write on, and explicitly enable network if the task requires it.
codex -a never -s workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"Update dependencies and run the migration"Comparison of approval-skipping modes
| Goal | Command | Approvals | Sandbox | Network |
|---|---|---|---|---|
| Reduce prompts for daily work | codex --full-auto | On request | workspace-write | Off |
| Silent runs with file guardrails | codex -a never -s workspace-write | Never | workspace-write | Off (toggle separately) |
| Silent runs with network | -c 'sandbox_workspace_write.network_access=true' | Never | workspace-write | On |
| Full machine access, still tracked | codex -a never -s danger-full-access | Never | danger-full-access | On |
| Full bypass | codex --dangerously-bypass-approvals-and-sandbox | None | None | On |
Persisting the choice in config.toml
Passing flags on every run gets noisy. Codex reads ~/.codex/config.toml and supports named profiles, which lets you pin a default and switch with -p.
approval_policy = "on-request"
sandbox_mode = "workspace-write"
[profiles.networked]
approval_policy = "never"
sandbox_mode = "workspace-write"
[profiles.networked.sandbox_workspace_write]
network_access = true
[profiles.yolo]
approval_policy = "never"
sandbox_mode = "danger-full-access"Launch with the profile name when you need it.
codex -p networked "Update dependencies"
codex -p yolo "Non-interactive build"Resolution order is fixed: command-line flags beat the active profile, the profile beats config.toml defaults, and built-in defaults sit at the bottom. If a setting is not taking effect, check that a higher layer is not overriding it.
Changing modes mid-session
Inside an interactive Codex session, type /permissions to switch between Read-only, Auto, and Full Access without restarting the CLI. The new mode applies to the next action Codex takes. This is the safest way to grant temporary access for one risky step and then drop back to the default.
When the bypass flag is appropriate
Full bypass trades safety for throughput. It is reasonable in environments where the surrounding system is already a guardrail.
- Containers, devcontainers, or short-lived VMs
- CI runners where the workspace is wiped after each job
- Disposable Git branches that will be reviewed via diff before merge
- Long, repetitive lint, format, or test-fix loops on non-sensitive code
It is a poor fit for hosts with production credentials, repos that contain customer data or secrets, machines logged into cloud CLIs that can deploy or delete real resources, and any workspace where a destructive command would have lasting consequences.
Coming from Claude Code
The mental model differs slightly between the two tools. Claude Code bundles approval and sandbox behavior into a single permission mode, while Codex exposes them separately.
| Claude Code | Codex CLI equivalent |
|---|---|
claude --dangerously-skip-permissions | codex --dangerously-bypass-approvals-and-sandbox |
claude --permission-mode bypassPermissions | codex --dangerously-bypass-approvals-and-sandbox |
| Default Claude workflow | codex --full-auto |
| Read-only consultative use | codex -s read-only or /permissions → Read-only |
Common reasons the flag does not seem to work
- A profile is overriding it. A
-pargument or an active default profile inconfig.tomlcan pinapproval_policyback toon-request. Drop the profile or pass the bypass flag explicitly on the command line. - Network calls fail under
--full-auto. That preset keeps network off. Either switch to the full bypass flag or add-c 'sandbox_workspace_write.network_access=true'. - Linux user namespaces blocked. On some Ubuntu setups, the sandbox cannot start and Codex prompts to skip the sandbox for routine edits. Configuring an AppArmor profile that allows
usernsfor thecodexbinary is the documented workaround for that environment.
Treat the full bypass as the last setting you reach for, not the first. In most repositories --full-auto or -a never -s workspace-write with selective network access removes the prompts that interrupt you while keeping the boundary that prevents an unattended agent from touching parts of the system you did not intend to change.