ASK KNOX
beta
LESSON 525

Your OpenAI Account, API Keys, and Auth

Two paths into OpenAI — subscription sign-in or API key. Know which surface uses which, how to store credentials safely, and how to never leak a key.

8 min read·Getting Started with OpenAI Codex

Two Ways In

Getting started with OpenAI and Codex is not one decision — it is two. There are two distinct authentication paths, and both are valid for the Codex CLI. Knowing which one fits your situation is the most useful thing to settle up front.

Path A: ChatGPT account sign-in (recommended for most people). If you have a ChatGPT account — Codex is included on every plan from Free up (Free, Go, Plus, Pro, Business, Edu, and Enterprise), with usage limits that scale by tier — you can authenticate the CLI by signing in with that account. The first time you run codex, it prompts you to sign in with your ChatGPT account, opens a browser to confirm, and you are in. Your Codex usage is covered by your plan; there is no separate per-token API bill on this path.

Path B: API key from platform.openai.com. The alternative is an API key. This is the right path for headless or CI environments where a browser sign-in is impractical, for any direct/programmatic use of the OpenAI models (the SDK and the Responses API you will meet in the “The Responses API” lesson), and for pay-per-use billing. Create an account at platform.openai.com (separate from your ChatGPT account, though they can share an email), generate a key in the API Keys section, and store it in the OPENAI_API_KEY environment variable. When this variable is set, the CLI and the SDK both pick it up automatically.

Creating Your API Key

The rest of this lesson walks Path B — the API key. Even if you plan to drive the CLI with ChatGPT sign-in, you will need a key the moment you call the OpenAI models directly (the Responses API lessons later in this track), so it is worth setting one up now and learning to handle it safely.

Visit platform.openai.com and sign in. If you do not have a platform account, create one — it is free to create, though API usage is metered per token.

Navigate to the API Keys section (under your account settings or the left sidebar). Click "Create new secret key." Give it a descriptive name that tells you which project or environment it belongs to — for example: codex-dev-macbook or academy-tutorial-2026. Names make it easier to manage multiple keys and rotate them individually.

Copy the key immediately when it is shown. OpenAI displays the full key value only once. After you dismiss the dialog, only a truncated version is shown in the dashboard. If you lose it, you must generate a new key.

The key looks like sk-proj-... followed by a long random string. Newer project-scoped keys use the sk-proj- prefix. Older-format keys start with just sk-. Both are valid; the prefix style depends on when and how the key was generated.

Storing the Key Safely

Once you have the key, you have one job: do not leak it.

# Add to your shell profile (~/.zshrc or ~/.bashrc)
export OPENAI_API_KEY=sk-proj-...your-key-here...

Then restart your terminal or run source ~/.zshrc. The Codex CLI and the OpenAI SDK both read this variable automatically — you will not need to pass it explicitly in every command.

For team environments, use a secrets manager. Knox's infrastructure uses Doppler to inject environment variables into all services — no keys in .env files, no keys in shell profiles on shared machines. The key is a secret managed in one place, rotated there, and injected wherever it is needed. That is the production pattern. For local development on your own machine, your shell profile is fine.

Usage Dashboard and Spend Limits

Once your key is active and in use, monitor what it costs at platform.openai.com under Usage.

The dashboard shows token consumption broken down by model, time period, and (if you use project-scoped keys) by project. It is the earliest warning system for runaway usage — if you accidentally run an infinite loop that calls the API on every iteration, the dashboard will show it immediately.

Set a monthly spend limit before you start using the key in any automated context. This is a hard cap: once the limit is reached, API calls will fail with a rate-limit error rather than continuing to accumulate charges. For personal learning and experimentation, a limit of $5-20/month is usually more than enough. Scale it up as your actual usage patterns become clear.

The limit is not a substitute for understanding your costs — it is a safety net. The goal is to understand your call volume and token consumption well enough that you know when to raise the limit deliberately, not because you hit it unexpectedly.

What About Free Tier Access?

Platform.openai.com accounts created after a certain date may have limited or no free tier access — check the current state at platform.openai.com when you sign up, as availability and terms change. OpenAI provides documentation on free versus paid access in their pricing page. For this track, a modest paid tier with spend limits is the practical baseline.

BuildChallenge