Codex’s New Pricing and Browser-State Docs Make the Real Platform Boundary Visible

Codex pricing looks like a billing page. It is actually an architecture diagram with dollar signs attached. OpenAI’s fresh Codex docs make the platform boundary clearer than any launch post: Codex is not merely a CLI or an IDE helper. It is a metered agent runtime that spans local messages, cloud tasks, GitHub code review, Slack integration, browser automation, enterprise logs, approval policy, MCP context, and signed-in browser state.

That matters because coding agents are no longer constrained by whether they can edit a file. They can. The relevant question is what ambient authority they inherit while doing it — repo context, tool descriptions, browser cookies, internal URLs, uploaded files, memories, history, approvals, network access, and audit logs. The new Codex pricing and browser-state documentation make that boundary visible because OpenAI now has to explain how all of those pieces are counted, controlled, and observed.

The headline numbers are straightforward enough. Plus includes Codex on web, CLI, IDE extension, and iOS; cloud integrations like automatic code review and Slack; current models including GPT-5.5, GPT-5.4, and GPT-5.3-Codex; GPT-5.4-mini for higher routine-message limits; and credit-based usage extensions. Pro offers 5x, 10x, or 20x more Codex usage than Plus, with the $100 tier temporarily doubled through May 31, 2026, and the $200 tier carrying 20x Plus ongoing, with a temporary 25x five-hour limit through the same date.

The usage table is more revealing. Local-message windows are listed as GPT-5.5 at 15–80 messages per five hours, GPT-5.4 at 20–100, GPT-5.4-mini at 60–350, and GPT-5.3-Codex at 30–150. Cloud tasks are only listed for GPT-5.3-Codex at 10–60, and GitHub code reviews at 20–50 per five-hour window. Token/credit mapping for newer rates puts GPT-5.5 at 125 credits per 1M input tokens, 12.50 per 1M cached input tokens, and 750 per 1M output tokens; GPT-5.4 is half that at 62.50, 6.250, and 375. Image generations can consume included limits roughly 3–5x faster.

Agent configuration is now a cost surface

The most useful line on the pricing page is not the promo. It is OpenAI telling users to reduce AGENTS.md size, limit MCP servers, and switch to smaller models to stretch usage. That is unusually direct, and it is the kind of thing platform teams should read twice. Agent instructions are not free. Tool inventories are not free. Oversized repo guidance, always-on MCP schemas, long context windows, browser screenshots, and multi-step tasks all become metered runtime.

This is a useful corrective to the way teams often talk about agent setup files. A bloated AGENTS.md does not just make the model “more informed.” It makes every interaction heavier, increases the chance that stale guidance competes with current task context, and quietly eats into the usage window. Likewise, enabling every MCP server because it might be useful is the agent equivalent of giving a junior engineer production admin rights because someday they may need to restart a service.

For practitioners, the move is boring and important: treat agent configuration like production code. Keep instructions short, scoped, and reviewed. Split project-specific guidance from personal preferences. Disable MCP servers unless the workflow needs them. Track which tools are available in which environment. Measure token growth after adding instructions instead of waiting for the bill or usage limit to explain it. “More context” is not a strategy; it is an expense with failure modes.

Browser state is where the security model gets real

The browser documentation is the sharper story. OpenAI now describes a split between the in-app browser and the Chrome extension. The in-app browser is the safer default for local dev servers, file-backed previews, and public unauthenticated pages. Chrome is for workflows that require signed-in state, cookies, extensions, or a real browser profile — LinkedIn, Salesforce, Gmail, internal tools, and similar systems.

That split is the right one because logged-in browser state is not “web browsing.” It is delegated user authority. The Chrome extension docs say Codex can use signed-in browser state, run Chrome tasks in tab groups, and ask before interacting with each new website by host. OpenAI also labels browser history as elevated risk because it may include internal URLs, search terms, and activity from signed-in devices. The permission prompt may include access to the page debugger, read/change access across websites, browsing history, downloads, bookmarks, notifications, native applications, and tab groups. Those permissions are broad because browser automation is broad.

The danger is assuming the Chrome permission prompt is governance. It is not. A browser prompt is a human speed bump. Governance is policy, least privilege, traceability, and review. OpenAI says Codex layers its own confirmations, allowlists, blocklists, and data controls on top of browser permissions, which is necessary. But teams rolling this into engineering workflows need their own rules: no always-allow browser content for sensitive hosts, no browser history access unless there is a specific reason, no signed-in production consoles unless the agent action is auditable, and no treating “the user clicked allow” as equivalent to a policy decision.

The fact that browser history has no always-allow option is a good default. It acknowledges that history is not just a convenience feature; it is a map of intent, internal systems, customer work, and private context. If an agent needs that, the user should make a fresh decision every time. Better still, most coding workflows should not need it at all.

The runtime boundary is approvals plus evidence

OpenAI’s security docs describe local Codex using OS-enforced sandboxing, cloud Codex using isolated containers, network access off by default, and a cloud setup phase that can access the network before an offline-by-default agent phase. Secrets configured for cloud environments are available only during setup and removed before the agent phase. The “Running Codex safely” material says Codex can export OpenTelemetry logs for user prompts, tool approval decisions, tool execution results, MCP server usage, and network proxy allow/deny events, and that OpenAI uses those logs with an AI-powered security triage agent.

That is the right shape of a platform: sandbox, approvals, network policy, secrets lifecycle, and evidence. The weakness will be in how teams configure it. If approvals are noisy, users will approve everything. If network policy is too broad, the sandbox becomes decorative. If logs are exported but nobody reads them, observability becomes compliance theater. If MCP servers are treated as harmless context instead of executable capability, the agent’s authority will exceed the team’s mental model.

The product-positioning signal is also worth noting. Cloud tasks and GitHub code review remain tied to GPT-5.3-Codex, while local messages can use newer models like GPT-5.5. That suggests OpenAI is still separating interactive/local reasoning from cloud automation and review workflows. Teams comparing Codex with Claude Code, Gemini CLI, OpenCode, or internal runners should evaluate by workflow shape, not the flashiest model name. A fast local coding loop, a cloud PR reviewer, and a browser agent have different costs, risks, and approval needs.

The practical checklist is now clear. Keep AGENTS.md small. Disable unused MCP servers. Prefer the in-app browser for localhost and public UI checks. Use Chrome only when signed-in state is essential. Treat browser history as sensitive data. Export OpenTelemetry logs before standardizing Codex across a team. Model five-hour windows and credit consumption against real workflows instead of assuming “20x” means 20x useful output. It never does; validation remains the bottleneck.

The Codex story is no longer “OpenAI has a coding agent.” It is that Codex is becoming a full engineering runtime whose real boundaries are cost, browser state, MCP context, approvals, sandboxing, and audit logs. That is where teams will either get leverage or build a very expensive RPA incident with better autocomplete.

Sources: OpenAI Codex pricing, OpenAI Codex changelog, Codex Chrome extension docs, Codex in-app browser docs, Codex approvals and security docs, OpenAI: Running Codex safely, openai/codex release rust-v0.131.0-alpha.18