July 9, 2026
Posted by Refael Angel
OpenAI Codex can plan, write, test, and run code on a developer’s behalf. While that makes it highly useful, it also means Codex often needs access to the databases, APIs, cloud services, Kubernetes clusters, GitHub workflows, and deployment pipelines that developers use. That creates a security problem because application credentials often sit in.env files, shell exports, local configs, or source code. Such credentials are easy to exfiltrate, difficult to rotate, and nearly impossible to audit.
Akeyless is changing that model. With codex-akeyless-mcp, an open-source MCP server, Akeyless becomes the trusted access layer for OpenAI Codex. The operating principle is simple: Codex orchestrates, and Akeyless holds the secrets. Secret values never enter the model context. Codex sees the names, paths, and redacted results it needs; Akeyless governs access and injects secrets only when needed.
The integration is available at https://github.com/akeyless-community/codex-akeyless-mcp.
Why Coding Agents Change the Secrets Problem
Development secrets were already hard to manage when every action was driven by a human at a keyboard. Database URLs, API keys, cloud credentials, and service tokens had to be kept out of repositories, logs, tickets, and local files.
Coding agents exponentially increase the risk because they can read and act across the same workspace. When Codex runs tests, starts an app, calls an API, or debugs a deployment, it may encounter credentials in.env files, scripts, shell history, config files, or command output.
If a secret is visible to the agent, it can be exposed through the agent. It may appear in generated code, logs, terminal output, copied files, or model context. It may also be used in ways the developer did not intend, especially when an agent is operating across tools and systems.
That is why coding agent access needs a different pattern: keep secret values outside the agent’s context from the start, while still giving the agent a controlled way to complete the task. OpenAI Codex should be able to orchestrate the work. It should not become another place where credentials live.
How the Akeyless MCP Server Works
The integration runs as a local MCP server between OpenAI Codex and Akeyless. Codex does not fetch secrets directly. Instead, it calls the Akeyless MCP server, which handles the access path, uses Akeyless as the system of record, and returns only the information Codex needs to continue.
That creates a clean boundary: Codex can work with environment variable names, Akeyless paths, command results, and redacted output. The actual secret values stay in Akeyless and are only used by the MCP server or, for infrastructure actions, by the Akeyless Gateway.
A Typical Workflow
- A developer asks Codex to perform a task
For example: “Run the test suite with the correct local environment.” - Codex discovers the available environment
Codex calls the MCP server to list the variables for the project. It sees names and Akeyless paths, not values. - Codex requests execution
When Codex needs to runnpm test,npm start, a migration, or another command, it invokes the MCP server instead of handling credentials itself. - Akeyless supplies the secret values outside the model context
The MCP server fetches the needed values from Akeyless and injects them into the child process environment just in time. - The command runs with the required access
The application, test, or build process receives the secrets as environment variables. Codex does not. - Output is returned with secrets redacted
The MCP server redacts injected values from stdout and stderr before returning results to Codex.
The result is a different access pattern for AI-assisted development: Codex can complete the workflow, but credentials do not sit in prompts, files, generated code, or model-visible output.

Figure: How Akeyless keeps secrets out of the Codex model context
What Codex Sees vs. What Akeyless Controls
The integration is designed around a narrow exchange of information. Codex gets enough context to plan and complete the workflow, but not enough to expose the underlying credentials.
| Codex Sees | Akeyless Controls |
| Environment variable names | Secret values |
| Akeyless paths | Access policy and RBAC |
| Redacted command output | Just-in-time secret injection |
| Query or action results | Gateway-mediated infrastructure access |
| Redacted secret scan findings | Storage, audit, and governance |
This distinction matters because it keeps the coding agent useful without making it a new credential store. Codex can decide what to do next. Akeyless controls whether the access is allowed, how credentials are used, and what evidence is recorded.
Where This Helps Developers and Security Teams
For developers, the integration removes a common source of friction: getting the right credentials into the right workflow without copying secrets into local files, prompts, or repositories. Codex can help bootstrap an environment, run tests, start an application, or scan for exposed secrets while Akeyless controls how the underlying credentials are used.
For security teams, the value is control without blocking adoption. OpenAI Codex supports MCP servers for connecting to external tools and context, which makes governed integrations important when the connected systems involve credentials or infrastructure access. With Akeyless, secrets remain centrally managed, access can be scoped through policy, and activity can be audited instead of disappearing into local developer workflows.
In practice, teams can use the integration to:
- Run commands with just-in-time secret injection
- Replace plaintext
.envfiles with Akeyless-managed references - Scan repositories for exposed secrets
- Move discovered secrets into Akeyless
- Keep Codex useful without turning it into another place where secrets live
Secretless Infrastructure Access With Runtime Authority
Some workflows need more than application secrets. A coding agent may need to query a database, inspect a cloud resource, check Kubernetes state, or take action in GitHub. Those operations carry more risk because the credential is not just configuration; it is authority over live systems.
For those cases, the Akeyless integration can use Runtime Authority through the Akeyless Gateway. Instead of sending credentials to Codex or placing them on the developer’s machine, the request is brokered through the Gateway, which uses the appropriate credential server-side and returns only the result.
That means Codex can request an approved action, such as querying PostgreSQL or executing a cloud operation, without receiving the database password, cloud key, Kubernetes credential, or GitHub token. Codex gets results; Akeyless controls access to the credential and target system.
This matters when teams want to use Codex beyond local development. They can support AI-assisted operational workflows without moving standing credentials into the agent, local files, or model context.
Getting Started
The integration is open source and available on GitHub, where you'll find installation instructions, configuration guidance, and examples for connecting Akeyless to OpenAI Codex using the Model Context Protocol (MCP).
Once connected, developers can use natural language to work with secrets and infrastructure. For example, they can:
- Run applications and test suites with secrets injected at runtime
- Scan repositories for exposed secrets and migrate them to Akeyless
- Query databases and perform approved infrastructure actions through Runtime Authority
The repository also includes guidance for configuring authentication, environment organization, RBAC, and approval settings for production deployments.
Secure AI Agent Access With Akeyless
Codex is one example of a broader shift: AI agents are becoming active participants in software delivery and operations. They need access to systems, data, and tools, but they should not hold credentials, inherit standing privileges, or operate outside governance.
Akeyless gives organizations a way to secure that shift with runtime-governed access for AI agents, machines, and human users. Access can be tied to identity, scoped by policy, enforced at runtime, and recorded for audit.
Book a demo to see how Akeyless secures AI agent access.