Hi maintainers, I found a reproducible problem in the Codex installation guide that currently leads to an unusable remote-server config.
Summary
In docs/installation-guides/install-codex.md, the manual TOML example correctly includes:
bearer_token_env_var = "GITHUB_PAT_TOKEN"
But the CLI example immediately below it is currently:
codex mcp add github --url https://api.githubcopilot.com/mcp/
That command creates a config with only the URL and does not configure any bearer token source, so the resulting remote MCP server entry is unauthenticated by default.
Why This Matters
The current page reads as if the CLI command is an equivalent alternative to the TOML snippet, but it is not.
A user who follows the CLI path exactly ends up with a config that looks valid but cannot authenticate to the hosted GitHub MCP server.
Since this is the official Codex install guide for the hosted server, it is easy to end up in a confusing "configured but still 401" state.
Repro
1. Run the CLI command from the docs
HOME=/tmp/codex-docs-repro-home codex mcp add github --url https://api.githubcopilot.com/mcp/
2. Inspect the generated config
Result:
[mcp_servers.github]
url = "https://api.githubcopilot.com/mcp/"
No bearer_token_env_var is added.
3. Verify the hosted server requires auth
Unauthenticated request:
curl -i https://api.githubcopilot.com/mcp/
Result:
HTTP/2 401
...
bad request: missing required Authorization header
4. Confirm the working Codex CLI form
If I run:
HOME=/tmp/codex-docs-repro-home-fixed codex mcp add github --url https://api.githubcopilot.com/mcp/ --bearer-token-env-var GITHUB_PAT_TOKEN
then the generated config becomes:
[mcp_servers.github]
url = "https://api.githubcopilot.com/mcp/"
bearer_token_env_var = "GITHUB_PAT_TOKEN"
which matches the TOML example earlier in the same guide.
Suggested Fix
Update the CLI example in install-codex.md to include the token binding, for example:
codex mcp add github --url https://api.githubcopilot.com/mcp/ --bearer-token-env-var GITHUB_PAT_TOKEN
Optionally, it may also help to add one short sentence saying that codex mcp add --url ... alone only stores the server URL and is not sufficient for PAT-authenticated access to the hosted GitHub MCP server.