Codex UI in your browser. No drama. One command.
Yes, that is your Codex desktop app experience exposed over web UI. Yes, it runs cross-platform.
βββββββ βββββββ βββββββ βββββββββββ ββββββ ββββββ
ββββββββββββββββββββββββββββββββββββββββββββ ββββββ
βββ βββ ββββββ βββββββββ ββββββ βββ ββββββ
βββ βββ ββββββ βββββββββ ββββββ βββ ββββββ
βββββββββββββββββββββββββββββββββββββ βββββββββββββββ
βββββββ βββββββ βββββββ βββββββββββ βββ βββββββ βββ
codexapp is a lightweight bridge that gives you a browser-accessible UI for Codex app-server workflows.
You run one command. It starts a local web server. You open it from your machine, your LAN, or wherever your setup allows.
TL;DR π§ : Codex app UI, unlocked for Linux, Windows, and Termux-powered Android setups.
The main event.
# π Run instantly (recommended)
npx codexapp
# π Then open in browser
# http://localhost:5900If you are using a provider or AI gateway that is already authenticated and do not want codexapp to force codex login during startup, use:
npx codexapp --no-loginnode -v # should be 18+
npx codexappnode -v # 18+
npx codexapppkg update && pkg upgrade -y
pkg install nodejs -y
npx codexappAndroid background requirements:
- Keep
codexapprunning in the current Termux session (do not close it). - In Android settings, disable battery optimization for
Termux. - Keep the persistent Termux notification enabled so Android is less likely to kill it.
- Optional but recommended in Termux:
termux-wake-lock- Open the shown URL in your Android browser. If the app is killed, return to Termux and run
npx codexappagain.
codexapp can automatically start a Cloudflare Tunnel so you can reach the UI from any device without opening firewall ports.
- If a Tailscale IP is detected on your machine, the tunnel is disabled by default (Tailscale Serve is a better fit β see section below).
- If no Tailscale IP is detected and you do not pass
--no-tunnel, a quick tunnel is started automatically. - You can always override with
--tunnel(force on) or--no-tunnel(force off).
A quick tunnel gives you a randomly generated *.trycloudflare.com URL that is valid only while codexapp is running.
No Cloudflare account required.
npx codexapp --tunnelOn startup you will see:
Tunnel: https://random-words-here.trycloudflare.com
Tunnel QR code below
[QR code printed in terminal]
For a permanent, stable public URL tied to your own domain, use a named tunnel from the Cloudflare Zero Trust dashboard.
- In the dashboard: Networks β Tunnels β Create a tunnel β copy the tunnel token.
- Configure the public hostname in the dashboard (e.g.
myapp.example.com β localhost:<port>). - Run:
npx codexapp --tunnel-token <your-tunnel-token>
# Optionally supply the hostname for QR-code display:
npx codexapp --tunnel-token <your-tunnel-token> --tunnel-hostname myapp.example.comOr use environment variables instead of flags:
export CODEXUI_CLOUDFLARE_TUNNEL_TOKEN="<your-tunnel-token>"
export CODEXUI_CLOUDFLARE_TUNNEL_HOSTNAME="myapp.example.com" # optional
npx codexappWhen a named tunnel connects you will see:
[cloudflared] Named tunnel connected. Public hostname is configured in your Cloudflare dashboard.
(If --tunnel-hostname / CODEXUI_CLOUDFLARE_TUNNEL_HOSTNAME is also supplied, a QR code is printed for that hostname.)
npx codexapp --no-tunnelIf cloudflared is not found on Linux, codexapp will offer to download it automatically to ~/.local/bin/cloudflared (x64 and arm64 are supported).
On Windows, install cloudflared manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
If you want to use codexUI from iPhone or iPad Safari, serving it over HTTPS is recommended.
A practical private setup is to run codexUI locally and publish it inside your tailnet with Tailscale Serve:
npx codexapp --no-tunnel --port 5900
tailscale serve --bg 5900Then open:
https://<your-machine>.<your-tailnet>.ts.net
This setup worked well in practice for:
- iPhone Safari access
- Add to Home Screen
- the built-in dictation / transcription feature in the app
- viewing the same projects and conversations from the Windows host
Notes:
- Tailscale Serve keeps access private to your tailnet
- on iOS, HTTPS / secure context appears to be important for mobile browser access and dictation
- some minor mobile Safari CSS issues may still exist, but they do not prevent normal use
- depending on proxying details, authentication behavior may differ from direct remote access
- if conversations created in the web UI do not immediately appear in the Windows app, restarting the Windows app may refresh them
The payload.
- π One-command launch with
npx codexapp - π Cross-platform support for Linux, Windows, and Termux on Android
- π₯οΈ Browser-first Codex UI flow on
http://localhost:5900(default port) - π LAN-friendly access from other devices on the same network
- π§ͺ Remote/headless-friendly setup for server-based Codex usage
- π Works with reverse proxies and tunneling setups
- β‘ No global install required for quick experimentation
- ποΈ Built-in hold-to-dictate voice input with transcription to composer draft
- π€ Optional Telegram bot bridge: send messages to bot, forward into mapped thread, send assistant reply back to Telegram
- π Cloudflared quick-tunnel (temporary
*.trycloudflare.comURL) β starts automatically when no Tailscale IP is detected - π Named Cloudflare tunnel support via
--tunnel-token/CODEXUI_CLOUDFLARE_TUNNEL_TOKEN - π‘οΈ CSRF protection on all state-mutating endpoints (per-process token)
- π Filesystem path restriction: file access scoped to the launch project directory (or
$HOMEby default) - π Sensitive paths (
.ssh,.aws,.codex/auth.json, etc.) are blocked regardless of filesystem root
Set these environment variables before starting codexapp:
export TELEGRAM_BOT_TOKEN="<your-telegram-bot-token>"
export TELEGRAM_ALLOWED_USER_IDS="<your-telegram-user-id>,<optional-second-id>"
export TELEGRAM_DEFAULT_CWD="$PWD" # optional, defaults to current working directory
npx codexappTELEGRAM_ALLOWED_USER_IDS is required for safe access. Only allowlisted Telegram user IDs can use the bridge. If no allowed user IDs are configured, incoming Telegram messages are rejected.
To find your Telegram user ID:
- Send a message to your bot.
- Run
curl "https://api.telegram.org/bot<your-telegram-bot-token>/getUpdates". - Read
message.from.idfrom the returned update payload.
Bot commands:
/startshow quick help and thread picker/threadslist recent threads and pick one/newthreadcreate and map a new Codex thread for this Telegram chat/thread <threadId>map current Telegram chat to an existing thread/currentshow currently connected thread for this chat/historyshow recent history for current thread/statusshow bridge/mapping status/whoamishow your Telegram user/chat IDs and authorization state/helpshow command reference
Outgoing assistant messages are sent with Telegram parse_mode=HTML for formatting, with automatic plain-text fallback if HTML delivery fails.
Not just launch. Actual UX upgrades.
- π‘οΈ Security hardening: removed password-in-URL auth, dropped Firebase dependency, added CSRF protection on mutating endpoints, filesystem path restriction scoped to launch project /
$HOME, symlink bypass prevention, sensitive path denylist (.ssh,.aws,.codex/auth.json, β¦) - π Cloudflared quick-tunnel auto-starts when no Tailscale IP is detected (prints URL + QR code)
- π Named Cloudflare tunnel via
--tunnel-token/--tunnel-hostnameflags (or env vars) for stable custom hostnames - ποΈ Searchable project picker in new-thread flow
- β "Create Project" button next to "Select folder" with browser prompt
- π New projects get pinned to top automatically
- π§ Smart default new-project name suggestion via server-side free-directory scan (
New Project (N)) - π Project order persisted globally to workspace roots state
- 𧡠Optimistic in-progress threads preserved during refresh/poll cycles
- π± Mobile drawer sidebar in desktop layout (teleported overlay + swipe-friendly structure)
- ποΈ Skills Hub mobile-friendly spacing/toolbar layout improvements
- πͺ Skill detail modal tuned for mobile sheet-style behavior
- π§ͺ Skills Hub event typing fix for
SkillCardselect emit compatibility - ποΈ Voice dictation flow in composer (
hold to dictate-> transcribe -> append text)
| Flag | Default | Description |
|---|---|---|
[projectPath] |
β | Project directory to open on launch |
--open-project <path> |
β | Add a project to the sidebar without starting the server |
-p, --port <port> |
5900 |
Port to listen on (auto-increments if busy) |
--password <pass> |
auto-generated | Set a specific password |
--no-password |
β | Disable password protection |
--tunnel |
auto | Force-enable cloudflared tunnel |
--no-tunnel |
β | Disable cloudflared tunnel |
--tunnel-token <token> |
β | Named tunnel token from Cloudflare Zero Trust dashboard |
--tunnel-hostname <host> |
β | Public hostname for the named tunnel (for QR display) |
--open / --no-open |
--open |
Open browser on startup |
--login / --no-login |
--login |
Run codex login bootstrap if not already authenticated |
--sandbox-mode <mode> |
β | read-only, workspace-write, or danger-full-access |
--approval-policy <policy> |
β | untrusted, on-failure, on-request, or never |
| Variable | Description |
|---|---|
CODEXUI_CLOUDFLARE_TUNNEL_TOKEN |
Named-tunnel token (same as --tunnel-token) |
CODEXUI_CLOUDFLARE_TUNNEL_HOSTNAME |
Public hostname for display/QR (same as --tunnel-hostname) |
CODEX_HOME |
Override Codex home directory (default: ~/.codex) |
TELEGRAM_BOT_TOKEN |
Telegram bot token for the bot bridge |
TELEGRAM_ALLOWED_USER_IDS |
Comma-separated allowlisted Telegram user IDs |
TELEGRAM_DEFAULT_CWD |
Default working directory for Telegram-initiated threads |
| π₯ Use Case | π₯ What You Get |
|---|---|
| π» Linux workstation | Run Codex UI in browser without depending on desktop shell |
| πͺ Windows machine | Launch web UI and access from Chrome/Edge quickly |
| π± Termux on Android | Start service in Termux and control from mobile browser |
| π§ͺ Remote dev box | Keep Codex process on server, view UI from client device |
| π LAN sharing | Open UI from another device on same network |
| π§° Headless workflows | Keep terminal + browser split for productivity |
| π Custom routing | Put behind reverse proxy/tunnel if needed |
| β‘ Fast experiments | npx run without full global setup |
βββββββββββββββββββββββββββββββ
β Browser (Desktop/Mobile) β
ββββββββββββββββ¬βββββββββββββββ
β HTTP/WebSocket
ββββββββββββββββΌβββββββββββββββ
β codexapp β
β (Express + Vue UI bridge) β
ββββββββββββββββ¬βββββββββββββββ
β RPC/Bridge calls
ββββββββββββββββΌβββββββββββββββ
β Codex App Server β
βββββββββββββββββββββββββββββββ
- β
Node.js
18+ - β Codex app-server environment available
- β Browser access to host/port
- β Microphone permission (only for voice dictation)
| β Problem | β Fix |
|---|---|
| Port already in use | Run on a free port or stop old process |
npx fails |
Update npm/node, then retry |
| Termux install fails | pkg update && pkg upgrade then reinstall nodejs |
| Canβt open from other device | Check firewall, bind address, and LAN routing |
| Tunnel URL never prints | Check if cloudflared is installed; run with --no-tunnel to skip |
| Named tunnel doesnβt connect | Verify token from Cloudflare Zero Trust dashboard and that the tunnel is active there |
cloudflared install prompt not shown |
Non-interactive terminal or already prompted once β install manually from https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/ |
| βPath is outside the permitted filesystem rootβ | File is outside the launch project directory β start with a broader projectPath or omit it to default to $HOME |
| βAccess to this path is not allowedβ | Requested path matches the sensitive-path denylist (.ssh, .aws, .codex/auth.json, etc.) β this is intentional |
Issues and PRs are welcome.
Bring bug reports, platform notes, and setup improvements.
If you believe Codex UI should be accessible from any machine, any OS, any screen, star this project and share it. β
Built for speed, portability, and a little bit of chaos π
Forked from pavel-voronin/codex-web-local by Pavel Voronin.