Default Permissions, Auto-review, and Full Access in Codex

Auto-review changes the reviewer. Full access changes the boundary.

Codex permission modes are easier to understand when you separate workspace boundaries from approval handling. This article compares Default permissions, Auto-review, and Full access, including the practical point that changing permissions may not affect a task already in progress.

Overview

Codex has several permission modes, including Default permissions, Auto-review, and Full access.

These modes are not just three levels of weak, medium, and strong. The main differences are how far Codex can operate, what happens when it needs to cross a boundary, and who reviews approval requests.

The mode most easily misunderstood is Auto-review. Auto-review does not simply grant Codex more permission. It changes who reviews eligible approval requests.

Note: This article is based on Codex behavior and OpenAI documentation checked on May 16, 2026. Product screens, labels, and behavior may change over time.

Think of It as App-level Behavior

Codex permissions are easier to understand as Codex app-level behavior, not just a setting for one project.

A workspace or configuration file can still affect the details. But the mode selected in the app defines the general way Codex is allowed to work.

That matters across projects. If a broad mode is selected while working in one project, it can shape how Codex behaves when you move to another project too.

Default Permissions

Default permissions are the standard mode for local Codex work.

In this mode, Codex can read and edit files in the current workspace and run routine local commands. Normal coding work, article edits, tests, and diff checks can happen within this boundary.

When Codex needs network access, access outside the workspace, or a stronger permission, it asks for approval.

So default permissions are not a read-only mode. Codex can still work, but important boundary-crossing actions require approval.

Auto-review

Auto-review does not expand the permission boundary by itself.

It changes who reviews actions that require approval.

With default permissions, boundary-crossing actions are shown to the user. With Auto-review, eligible approval requests are reviewed by a separate reviewer agent.

This can make work stop less often, but it is not the same as Full access. The sandbox boundary still matters.

In short, Auto-review is a reviewer change, not a permission grant.

Full Access

Full access is a less restricted mode.

OpenAI's Codex documentation describes Full access as a configuration that runs without the usual sandbox restrictions and approval prompts.

Network use, broader file access, setup work, and operations across multiple areas can pass more freely.

The effect of a mistake can also become wider. Auto-review changes who reviews a request. Full access changes the boundary itself.

Permission Changes May Not Affect the Current Run

Changing permissions while Codex is already coding may not immediately affect the work currently in progress.

For example, if a task started under default permissions, switching the UI to Full access during that task may not change the permissions of the already-running execution environment.

This can make it look like the setting did not work. Codex may still ask for approval, or a command may still behave as if the previous mode is active.

Permission changes are easier to reason about when treated as settings for the next run, next request, or new session, rather than something guaranteed to rewrite a task already in progress.

Comparison

| Mode | Role | Main Behavior |
| --- | --- | --- |
| Default permissions | Standard mode | Codex works inside the workspace and asks when it needs to cross a boundary |
| Auto-review | Automated approval review | Approval requests are reviewed by a separate reviewer agent instead of the user |
| Full access | Least restricted mode | Sandbox and approval limits are largely removed, so broader actions can run more freely |

This table is not a recommendation by itself. The mode depends on the task, the files involved, and the amount of risk the user is willing to allow.

Summary

Default permissions let Codex work inside the current workspace while asking before crossing important boundaries.

Auto-review keeps the same basic boundary, but sends eligible approval requests to a reviewer agent instead of stopping for the user.

Full access removes much of the sandbox and approval structure, allowing broader operation while also expanding the possible impact of mistakes.

The important distinction is simple: Auto-review changes the reviewer. Full access changes the boundary.
