OpenAI Codex

OpenAI Codex CLI is OpenAI’s command-line coding assistant. This guide shows how to route Codex’s MCP connections through Maybe Don’t.

Prerequisites

Maybe Don’t running (see MCP overview)
OpenAI Codex CLI installed
A GitHub Personal Access Token

Configure Codex

Codex uses TOML configuration at ~/.codex/config.toml. Add the MCP server configuration:

[mcp_servers.maybe-dont]
url = "http://localhost:8080/mcp"
env_http_headers = { "X-GitHub-Token" = "GITHUB_TOKEN" }

The env_http_headers field maps header names to environment variable names. Codex reads the value of GITHUB_TOKEN from your environment and sends it as the X-GitHub-Token header.

Set Environment Variables

Before starting Codex, set your GitHub token:

export GITHUB_TOKEN="ghp_your_token_here"

Start Codex

Start Codex normally:

codex

Verify the Connection

In your Codex session, try asking Codex to list its available MCP tools. You should see GitHub tools prefixed with github__.

Static Headers

If you prefer to hardcode the token (not recommended for secrets):

[mcp_servers.maybe-dont]
url = "http://localhost:8080/mcp"
http_headers = { "X-GitHub-Token" = "ghp_your_token_here" }

Security note: Prefer env_http_headers over http_headers for tokens and secrets. Static headers are stored in plain text.

What’s Happening

When Codex calls a tool:

Codex sends the request to localhost:8080/mcp with your GitHub token
The gateway validates the request using configured policies
If allowed, the gateway forwards to GitHub
All activity is logged to the audit log

Troubleshooting

Connection issues

Verify the gateway container is running:

docker ps | grep maybe-dont

Check the gateway logs for tool discovery messages or errors:

docker logs maybe-dont

Authentication errors

Verify your GitHub token works:

curl -H "Authorization: Bearer $GITHUB_TOKEN" \
  https://api.github.com/user

GitHub Copilot OpenHands