If Codex asks for a phone number or verification code, treat it as an OpenAI account, API, MFA, or device-login check until you identify where the prompt appeared. The safest first move is not to keep pressing resend; it is to choose the matching surface, take one reversible action, verify what changed, and stop before temporary numbers or token sharing make account recovery harder.
As of May 21, 2026, OpenAI Help says ordinary ChatGPT usage and new OpenAI account creation no longer require phone verification, while creating a first API key on the API Platform can still require phone verification. OpenAI's login and MFA help pages also describe extra checks for new devices, unusual locations, sensitive updates, and enabled MFA methods. That is why "Codex phone verification" is usually a surface problem, not one single Codex-only SMS system.
Start with this board before trying fixes:
| Where the prompt appeared | Likely owner | First safe action | Verify | Stop rule |
|---|---|---|---|---|
| Codex app, IDE, or CLI browser login | OpenAI account login security or MFA | Finish the official sign-in flow and use another enabled method if offered | You can sign in and Codex stops asking again | Stop repeated resend attempts; collect prompt text, device, location, and time |
| API Platform while creating the first key | API first-key phone verification | Follow the current OpenAI phone-verification flow with a durable number you control | The first API key is created or the number-limit message is clear | Do not use a disposable number for a main account |
| SMS or WhatsApp code never arrives | Delivery, method, or throttling branch | Pause, check the surface, try another enabled method, confirm number format, then wait | A code arrives or the same failure repeats with cleaner evidence | Stop back-to-back resend loops |
| Phone number already used or at limit | Account ownership and phone-number reuse | Use another long-term number or regain access to the previous account tied to that number | The account or number state is clear | Do not cycle through rented or shared numbers |
| Mobile QR or device-code setup | Device login plus account MFA | Complete the device-code or QR flow on a trusted session | The device stays connected and Codex can use the host | Restart the flow only after the old code expires |
| CLI automation or CI | API-key auth surface | Use CODEX_API_KEY only when API billing and capability differences are acceptable | codex login status or a small CLI test succeeds | Do not treat API-key auth as a fix for ChatGPT-login access |
| New machine or cleared local data | Cached credential branch | Sign in again through the official flow and let Codex store credentials safely | The prompt disappears and the session works | Do not paste or share ~/.codex/auth.json, OTPs, or access tokens |
If one branch gives evidence, stay on that branch. If all safe options fail, escalate with a concise support packet: where the prompt appeared, exact wording with personal data removed, method used, when it started, what changed recently, and what you already tried.
Identify the surface before you retry
The phrase "Codex asks for phone verification" hides several different products and account paths. Codex can send you through a ChatGPT account login, a browser OAuth flow, a device-code flow, cached local credentials, or an API-key route. Each path can surface an OpenAI verification step, but the fix changes with the path.
The first diagnostic question is where the prompt appeared. If it appeared at platform.openai.com while you were creating the first API key, treat it as API Platform phone verification. If it appeared in a browser after codex login, treat it as account login or MFA until proven otherwise. If it appeared while pairing a phone or mobile app, treat the phone as a device in a QR or device-code flow, not automatically as a phone-number requirement.
The second question is what changed. New device, cleared browser data, sign-out, changed network, different country, new organization, new API key, or a reinstalled CLI can all move you into a different verification surface. Do not try to fix all of those at once. Change one variable, then check whether the prompt disappeared or changed wording.
The third question is whether you are trying to use Codex interactively or automate it. A human using Codex in ChatGPT, an IDE, or an app normally wants the interactive account flow. A CI job, agent runner, or script should usually use API-key auth instead. Those paths are both legitimate, but they are not interchangeable.
If it happened while creating your first API key
OpenAI's Help Center page on phone number requirements for new API keys is the most important boundary for this branch. Checked on May 21, 2026, it separates ordinary ChatGPT usage from API Platform first-key generation: ChatGPT usage no longer needs phone verification, but the first API key can.
That means a prompt during first-key creation is not a Codex-specific failure. It belongs to the API Platform account setup path. If you are setting up Codex CLI with an API key, complete that Platform requirement with a number you control long term. If the number belongs to a colleague, a shared inbox, a rented SMS service, or a one-time provider, you may get through today's code and still weaken future recovery.
OpenAI also documents a phone-number reuse limit for the first API-key verification flow. Checked on May 21, 2026, the phone-number reuse page says the same number can be used up to three times for that verification. If you see a number-limit message, do not keep cycling attempts on the same number. Use another durable number you control, or recover the previous account tied to that number.
This branch does not prove Codex access after the key is created. API-key Codex usage has its own billing, quota, model, and organization context. Treat successful phone verification as "the API key setup moved forward," not as a promise that every Codex surface is now available.
If ChatGPT works but Codex still asks
This is the confusing branch: you can open ChatGPT normally, yet Codex asks again during login or device setup. The practical explanation is that "ChatGPT works" and "this Codex login flow is trusted" are not the same signal.
OpenAI's Help page on login verification says extra verification can appear for reasons such as a new or unrecognized device, unusual location, sensitive account update, or a security check. If you just changed machines, cleared cookies, changed network, reinstalled Codex, or moved between app/CLI/IDE surfaces, the additional prompt may be part of account protection.
MFA adds another layer. OpenAI's MFA help page says MFA applies across OpenAI services, and available methods can include authenticator app, push notification, SMS or WhatsApp text message, and passkey depending on account, device, country, tier, and route. If the prompt offers another method, use a method you already control instead of forcing SMS repeatedly.
When this branch fails, write down the exact prompt wording and where it appeared. "Phone number required," "enter the code we sent," "approve on your mobile device," "try another method," "number already used," and "device code expired" are different support facts. A screenshot is useful only after you remove personal information, full phone numbers, OTPs, and tokens.
If the code never arrives
When an SMS, WhatsApp, or other code does not arrive, the natural impulse is to press resend. That is also the easiest way to lose the cleanest evidence. Back-to-back resend requests can create delays, throttling, or multiple active codes that make the next step harder to reason about.
Pause first. Confirm the surface: API first key, interactive account login, MFA, mobile device code, or CLI automation. Then check whether OpenAI offers another enabled method. In some flows, email, authenticator app, push, passkey, backup code, or WhatsApp may be available. Do not assume every method exists for every account. Use the options shown in the official prompt.
If the only visible path is SMS or WhatsApp, check the basics once: country code, no extra spaces, active mobile service, reachable device, stable network, and device time. Then wait long enough to avoid stacking requests. If the code still does not arrive, collect evidence rather than continuing a resend loop.
The support packet should be simple: prompt surface, exact wording with personal data redacted, method used, time and timezone, device and browser/app/CLI surface, what changed recently, and what you have already tried. Do not include OTP codes, full phone numbers, access tokens, API keys, auth.json, billing details, or screenshots with secrets.
If the number is already used or at the limit
A number-limit message is not a delivery problem. Treat it as an account ownership and reuse problem. OpenAI's reuse guidance for first API-key phone verification is explicit enough to change the action: if the number is at its limit, another resend will not fix the branch.
First, check whether the number belongs to another account you control. If it does, recovering or using that account may be cleaner than trying to attach the same number again. If the number belongs to an old team member, customer, temporary SMS provider, or shared admin process, stop before adding more accounts to the same fragile identity path.
Second, use a durable number if OpenAI asks for one. "Durable" means you can receive future recovery messages, prove ownership if support asks, and keep the account story simple. A one-time number can appear attractive during a deadline, but it creates a long-term account-recovery trap.
Third, separate this from Codex entitlement. A verified number does not decide whether your workspace, plan, organization, or region has the Codex feature you expected. After verification, still check the actual Codex access surface and account context.
If you only need Codex CLI or automation today
Codex CLI gives you more than one authentication route. The Codex CLI reference documents codex login with ChatGPT account login, API key, or access token. The Codex non-interactive guide recommends CODEX_API_KEY for CI-style automation because API keys are easier to provision and rotate.
That makes API-key auth a real workaround only for the right job. If your current task is a CI agent, build job, internal tool, or non-interactive script, an API key can be the cleaner path. Create the key through the official API Platform route, store it in a secret manager, rotate it when needed, and test with a small Codex CLI command.
It is not a magic repair for ChatGPT-login Codex. API usage has API billing and capability boundaries. Interactive Codex access inside ChatGPT, a mobile app, or a product account may still depend on the ChatGPT account flow, MFA, plan, organization, and feature availability. If you need that experience, fixing the account login branch matters.
Access tokens are even more sensitive. Use them only when the official docs or your environment requires them, and never paste them into support chats, issue trackers, screenshots, or shared documents.
Cached credentials and new machines
Codex can cache login details. The Codex authentication docs say cached login may live in ~/.codex/auth.json or in the operating-system credential store, and that CLI and IDE extension login can share cached details.
That helps explain why one machine works while another asks again. The working machine may have a valid cached session. The new machine may need the browser login, MFA, or device-code flow again. Use codex login status to check whether the CLI sees credentials before you assume phone verification is the core issue.
Do not solve a new-machine prompt by posting or casually copying ~/.codex/auth.json. The Codex docs warn that this file can contain access tokens. Treat it like a password. If you must move machines, prefer official sign-in and credential storage. If you suspect the token file was exposed, revoke or rotate the relevant credentials.
For mobile or remote access, keep the device flow separate. OpenAI's remote connections docs describe mobile setup through a QR code from the host and ChatGPT on the phone, with possible MFA, SSO, or passkey steps. That is a trusted-device setup path, not proof that a phone-number verification service is broken.
Shortcuts that make the problem worse
The risky shortcuts are tempting because the blocked state feels binary: either you receive the code or you cannot work. The safer way to think about it is account continuity. You want the account to remain recoverable, explainable, and owned by you after the current prompt is gone.
Do not use disposable or rented numbers for a main account. Even if a code arrives, you may lose the ability to receive future checks, prove account ownership, or explain the account path to support. That risk is larger than the few minutes saved today.
Do not create a chain of new accounts just to find one that accepts a code. That can turn a verification problem into an account-trust problem, and it makes support evidence worse because the prompt is no longer tied to one clean account history.
Do not change network, device, number, browser, account, and login method all at once. If the prompt changes, you will not know which action mattered. If the prompt gets stricter, you will not know which action caused it.
Do not share secrets. OTPs, API keys, access tokens, full phone numbers, full billing details, HAR files with cookies, and auth.json belong outside public threads and ordinary screenshots.
What to send when support owns the branch
Escalation is not failure. For phone-number limits, locked MFA methods, persistent missing codes, unknown account risk checks, and contradictory account states, support may be the only owner that can see enough backend context.
Send a compact packet:
- account email or organization context, if support asks for it through an official channel
- where the prompt appeared: ChatGPT login, Codex app, CLI, IDE, API Platform, mobile QR, or device code
- exact prompt wording with personal data removed
- verification method shown: SMS, WhatsApp, push, email, passkey, authenticator, device code, or API key
- time, timezone, device, browser/app/CLI version, and network type
- what changed recently: new device, cleared cookies, new location, new key, new organization, reinstall, or MFA change
- actions already tried, one per line
- what is blocked and how urgent it is
Do not attach secrets. Redact phone numbers except the country code and last two digits if necessary. Redact OTPs completely. Do not attach auth.json. If a log includes tokens, clean it first or ask support for a safer upload route.
FAQ
Why is Codex asking for phone verification if ChatGPT already works?
Because Codex may be starting a new account login, device, MFA, API-key, or cached-credential flow. A working ChatGPT web session does not automatically prove every Codex surface is already trusted.
Does OpenAI still require phone verification?
Checked on May 21, 2026, OpenAI Help says new account creation and ordinary ChatGPT usage no longer require phone verification, but first API-key generation on the API Platform can still require it. Treat the prompt location as the deciding fact.
What if the SMS or WhatsApp code never arrives?
Pause resend, identify the surface, try another enabled method if OpenAI offers one, check number format once, wait, then collect evidence. Repeated resend is a worse first move than clean evidence.
Can I use a temporary phone number?
For a main OpenAI or Codex account, it is a bad recovery tradeoff. You may lose future account recovery, create support ambiguity, or tie the account to a number you cannot control.
Can API-key auth avoid the prompt?
Only for the right job. API-key auth is appropriate for Codex CLI, CI, and non-interactive automation when API billing and capability differences are acceptable. It does not repair an interactive ChatGPT-login verification problem.
Should I copy ~/.codex/auth.json from another machine?
No casual copying. The file can contain access tokens and should be treated like a password. Use official sign-in or secure credential management instead.
If phone verification succeeds, does Codex access automatically work?
Not necessarily. Phone verification can satisfy one account or API setup step, but Codex access can still depend on plan, organization, region, feature availability, and the specific auth route you are using.
What is the safest next step if nothing works?
Stop changing variables and send a clean support packet through an official channel. Include where the prompt appeared, what method was offered, exact wording with secrets removed, when it started, and what you already tried.