Codex starts encrypting sub-agent prompts
embedding-shape
413 points
244 comments
July 14, 2026
Related Discussions
Found 5 related stories in 310.9ms across 14,015 title embeddings via pgvector HNSW
- Codex Security: now in research preview ancarda · 31 pts · March 06, 2026 · 64% similar
- Codex is now in the ChatGPT mobile app mikeevans · 275 pts · May 14, 2026 · 59% similar
- Codex reasoning-token clustering at 516 may be leading to degraded performance 0x_rs · 12 pts · July 01, 2026 · 57% similar
- Codex is now available on mobile via ChatGPT app 0xkvyb · 36 pts · May 14, 2026 · 56% similar
- Codex Plugins epaga · 13 pts · March 27, 2026 · 55% similar
Discussion Highlights (20 comments)
pshirshov
I wonder if they are gonna stop us from using gpt subscriptions in alternative harnesses. If not - that doesn't matter much, codex cli is a remarkably unremarkable harness.
pradeep1177
Then why to even keep codex open source?
minraws
~~Finally someone doing it correctly. Love this change.~~ Edit: F really misunderstood the change, the title is misleading AF. I should have read the post before commenting lmao. Absolutely hate it, now I guess... sigh.. Incase the title gets changed it used to say, "Codex starts encrypting prompts, uses ciphertext for inference instead"
flexagoon
Ah I was wondering why the Chinese black market resellers stopped working yesterday, I guess that's it
londons_explore
I assume this is mostly to frustrate efforts to proxy large numbers of user requests and responses and use it to train competitor models.
iknownothow
Could someone explain to me where exactly the encryption is happening? I assumed that the main agent makes calls to sub-agents locally. Does Codex work in such a way where the main agent makes calls to sub-agents in the backend (openai server) before reaching local?
xnorswap
HN Title is ( edit: was ) very misleading, it makes it sound like inference is being done directly on ciphertext, which would require homomorphic encryption well advanced of what is known.
mpeg
The title is a bit confusing, they're not using ciphertext for inference – they're passing ciphertext around in cases where an agent calls into another agent without exposing the plaintext to the end-user Inference is still done in plaintext after this multi-agent message gets decrypted in the server side
niam
This title is easy to misinterpret. If I understand correctly: Codex now encrypts sub-agent prompts and hides those prompts from the user. edit: originally was "Codex starts encrypting prompts, uses cyphertext for inference instead"
smalltorch
Using ciphertext for inference would mean it's not a very secure ciphertext. These two ideas don't compute for me. Same thing with homomorphic encryption. I don't get it. If you can gain any knowledge from a ciphertext, you just found a way to exploit the ciphertext to me.
fortuitous-frog
No normative opinion on whether this is justified or not, but noting that this is only for parent -> subagent spawns/messages, and only for the `multi_agent_v2` feature (currently experimental / off by default). Notably, subagent output is still in plaintext. EDIT: Title was now clarified. But wanted to expand that this is actually enabled for 5.6 Ultra it appears, which does subagent orchestration more natively in the API rather than direct tool calls; they are beginning to treat subagents as similar to chain-of-thought traces (already encrypted) rather than traditional tool calls.
next_xibalba
This is very obviously a countermeasure against distillers, illicit resellers, and the like. The scale and competence of the Chinese black (grey?) market has become a serious threat that can’t be ignored.
ashu1461
Is it mainly about how the main/orchestrator agent communicates with its subagents ? If desired the user can always see what the sub agent is doing in detail ? Isn't it the same in case of claude as well ?
jagged-chisel
“Starts”? How’s this not already a TLS connection?
resonious
I guess this implies that non-Codex harnesses get a little bit worse? In wondering what's so special about their subagents system that they feel the need to hide these messages...
jstummbillig
What's the idea here? Why does this seem important to OpenAI?
kosolam
But codex is opensource, no?
jiayo
If we're viewing this as a _bad_ thing, I don't really see that it is any different than how Claude encrypts it's thinking. Take a peek at your ~/.claude jsonl files. You're sending thinking ciphertext back and forth to Anthropic. Presumably the thinking is either considered proprietary, or, more likely, leaks embarrassing or confidential information.
nojito
If I were to guess this is to stop distilling and all of those blackmarket resellers.
greatgib
They always talk about transparency and all but it never was as opaque as it is going on now. There is no possible audit trail. No possible way to review what happened to validate the result. But even worse, no you will be billed somehow randomly. 20 sub agents started to do something we don't know. No way to now if it was legitimate, if it is just burning tokens or agents doing the same work on loop...