Direct answer
Codex CLI custom-provider setup usually requires a local config.toml for the OpenAI-compatible base URL and model settings plus auth.json for the delivered API key. The API key should be treated like a password, kept local, and never pasted into public issues, screenshots, support tickets, or repositories.
Canonical facts
| Windows config path | %USERPROFILE%\.codex\config.toml |
|---|---|
| Windows auth path | %USERPROFILE%\.codex\auth.json |
| macOS/Linux config path | ~/.codex/config.toml |
| macOS/Linux auth path | ~/.codex/auth.json |
| Key handling | The full delivered API key should stay local and private. |
| unlimitedcodex setup | Buyers receive setup files and support after manual delivery. |
What the two files do
config.toml tells Codex CLI which provider, base URL, model, reasoning settings, and feature flags to use. auth.json stores the API key that Codex sends as Bearer authentication.
If Codex CLI has not created these files yet, users should first sign in through the normal Codex flow so the local Codex directory exists, then edit the existing files instead of guessing hidden paths.
How unlimitedcodex delivery fits
unlimitedcodex customers receive the API key, base URL details, setup files, and package dates after manual setup. The customer setup kit includes Windows and macOS/Linux helpers plus manual copy-paste instructions for users who do not want to run a script.
The safest support path is to share error text, status codes, and non-secret config structure. Never send the full auth.json, raw key, private repo files, shell history, or screenshots that reveal secrets.
Verification checklist
Confirm the Codex CLI local directory exists before editing.
Put provider and base URL settings in config.toml.
Put only the delivered API key value in auth.json.
Restart Codex CLI after editing local config files.
Run a tiny request before long coding-agent work.