Use KeyLore with Codex

Why this setup matters

Codex should ask KeyLore for access, not read your token directly.

With Codex, the main goal is to stop treating the process environment as the default secret interface. KeyLore gives Codex a narrower, more intentional path: search metadata first, then request brokered access only when the task actually requires a credential.

# ~/.codex/config.toml
[mcp_servers.keylore]
command = "keylore-stdio"

Recommended flow

How to use Codex with KeyLore.

Install and start KeyLore locally, then add the credentials Codex may need.
Write metadata that clearly distinguishes services, environments, and intended use cases.
Connect Codex through the local KeyLore workflow or MCP-compatible path used in your setup.
Test a task that requires authenticated access and confirm Codex can complete it without being given the raw token value.

Prompt example

What to ask Codex first.

Find the credential metadata for the GitHub API token intended for repository read/write tasks in my local development environment, then use brokered access for the operation instead of asking me to paste the token.