ChatGPT access, API key access, and workspace controls
After this, you'll be able to explain when to sign in with ChatGPT, when API-key sign-in fits, and why Codex cloud requires ChatGPT sign-in.
Before you start
Complete Layer instructions without conflict first.
The idea
How you sign in changes what rules apply. Codex supports ChatGPT sign-in and API-key sign-in for local workflows, but the policies behind those paths are different.

Here is the before and after: before, Codex is guessing from a loose request. After, you can explain when to sign in with ChatGPT, when API-key sign-in fits, and why Codex cloud requires ChatGPT sign-in.
Now try it use the exercise prompt on one real repo task. Keep the output small enough to check before you accept the change.
You are ready when the Codex action, boundary, and proof all match the task.
Try it (10 min)
Watch out for
Paste this into Claude
Choose a Codex sign-in path for this scenario: Work type: [personal repo, company repo, cloud task, CI job, local CLI task] Needs Codex cloud: [yes/no] Needs ChatGPT workspace policy: [yes/no/unknown] Billing owner: [ChatGPT plan, OpenAI API org, company workspace, unknown] Secrets involved: [yes/no] Return the recommended sign-in path, what policy applies, and one thing to verify before running Codex.
What a good response looks like
Use ChatGPT sign-in. This is a company repo that needs workspace controls and may run in Codex cloud. Verify that the repo is available in the workspace and that the cloud environment does not expose secrets during the agent phase.
What good looks like
When this breaks
AI can help with this
Use Codex to help you you can explain when to sign in with ChatGPT, when API-key sign-in fits, and why Codex cloud requires ChatGPT sign-in. Start with the exercise prompt and your real input. Ask for one draft, then check it against this proof: The answer distinguishes ChatGPT sign-in from API-key sign-in. Accept only the version you can verify yourself.

You can now
You can explain ChatGPT sign-in
Key takeaways
Authentication is part of the work boundary. Pick the sign-in path that matches who owns the repo and policy.