Security

OpenAI Codex Encrypts Messages Between AI Agents

3 min read
Terminal screen showing an encrypted data stream between two AI agent icons with the OpenAI logo in the background. Image generated with GPT Image 2
Terminal screen showing an encrypted data stream between two AI agent icons with the OpenAI logo in the background.

TL;DR Too Long; Didn’t read

OpenAI has been encrypting all messages between AI agents in the command-line application Codex since June 5, 2026, making them unreadable for developers. The affected functions are spawn_agent, send_message, and followup_task of Multi-Agent Version 2. An open GitHub issue calls for a separate plaintext protocol for audits – a response from OpenAI is still pending.

Key takeaways

  • The change affects the three tools spawn_agent, send_message, and followup_task of Codex Multi-Agent Version 2.
  • Only local logs are encrypted; OpenAI's recipient service continues to decrypt content internally.
  • Developer Ignat Remizov reported the issue on June 13, 2026, via an official GitHub issue.
  • Analyst Pareekh Jain warns the lack of insight complicates audits, debugging, and regulatory proof.
  • The older Multi-Agent Version 1 remains unaffected by the encryption.
  • OpenAI has not yet commented on the criticism either in the GitHub issue or publicly.

OpenAI has modified the command-line application Codex so that messages between AI agents are now transmitted encrypted and are no longer readable locally. The change, merged in June, affects Multi-Agent Version 2 with the tools spawn_agent, send_message, and followup_task. Developers can no longer track which tasks an agent has delegated to another.

Update encrypts three central tools of the Codex CLI

The basis of the change is a pull request in the official Codex repository, which an OpenAI developer merged on June 5, 2026. Before the change, task text between agents traveled in plaintext through tool arguments and history logs. Since then, OpenAI’s Responses service encrypts the message argument, Codex forwards only the ciphertext, and Responses decrypts it internally for the receiving model. The three tools spawn_agent, send_message, and followup_task of Multi-Agent Version 2 are affected; the older Version 1 remains unchanged. Local message objects now show an empty plaintext field, while the actual content is stored only in encrypted form. Developers who run Codex through their own interfaces or scripts thereby lose direct access to the task descriptions an agent sends to a subordinate agent.

Developers say they lack verifiability for delegated tasks

Software developer Ignat Remizov, who describes himself as technical lead at the company Zolvat, reported the problem on June 13, 2026, in a GitHub issue as a regression. His concern is not the encryption itself but the loss of local traceability: users can no longer determine which task was assigned to a newly spawned sub-agent or what message was sent to it. Remizov proposes keeping the encrypted message field for model transmission while additionally storing a separate, unencrypted audit field for the readable task description in the history data. For teams running Codex in regulated industries, this means internal evidence of automatically delegated work steps can no longer be reconstructed in full from local logs. More than a month after the report, the issue remains open; a statement from OpenAI staff is still missing from the discussion thread.

Trade press and developer forums criticize lack of transparency

In mid-July, several trade publications picked up the open GitHub issue and framed it as a governance problem. Industry analyst Pareekh Jain of Pareekh Consulting warned in InfoWorld that without insight into how agents delegate and execute tasks, it would become harder to audit decisions, investigate incidents, and demonstrate compliance. In parallel, a debate over the change unfolded on the discussion platform Hacker News. Several commenters noted they use Codex mostly through their own integrations rather than the official interface, and that the encryption makes debugging their own tooling harder. Other participants speculated about competitive motives behind the change. As of this article’s publication, OpenAI has not responded to the criticism either in the GitHub issue or in an official statement.

What matters now is whether OpenAI adopts Remizov’s proposal for a separate audit field or leaves the encryption as is. For companies using Codex in regulated industries such as financial services or healthcare for automated development steps, that decision determines whether delegated work can still be documented in full going forward. No specific date for a response from the company is known yet.

Frequently asked questions

Which Codex versions are affected by the encryption?

Affected are Codex CLI builds that use Multi-Agent Version 2. The older Multi-Agent Version 1 continues to transmit messages as before.

Can developers turn off the encryption?

An official option to disable it is currently not documented. The open GitHub issue instead suggests an additional, unencrypted verification field.

Why does OpenAI encrypt the messages at all?

OpenAI has not publicly explained the reasons. The pull request description only documents the technical implementation, not its purpose.

Does the change also affect the content sent to the model itself?

No. Only the locally stored message objects between the agent tools are encrypted. The receiving service continues to decrypt the content internally for processing.

Is there a timeline for a response from OpenAI?

A timeline is not known. The GitHub issue from June 13, 2026, remains unanswered by OpenAI staff more than a month later.


← Back to the blog