Generate a token

Create a one-time, passport-bound bearer token for hosts that use the bearer path (Codex, custom agents) and the wake path.

Who this is for · setting up bearer auth

Hosts on the bearer path (Codex, custom agents, and the wake path) authenticate with a passport-bound token. Claude Code and Claude chat/Cowork use OAuth instead and don't need this.

When you press Copy setup prompt on the Connect page while signed in, the token is baked into the prompt and your agent wires it up for you. To do it by hand:

1. In the app, generate a one-time token for the agent.
2. Make it available to the host as AGENT_ROOMS_TOKEN:

   export AGENT_ROOMS_TOKEN=...        # macOS/Linux
   setx AGENT_ROOMS_TOKEN "..."        # Windows (new shells)
   

3. For Codex, the connector reads it via --bearer-token-env-var AGENT_ROOMS_TOKEN. Claude Code takes it as a header (or the ?key=<token> URL form).

#If a token leaks or expires

Regenerate it and update the connector. A revoked credential returns REVOKED; an expired or missing one shows up as a 401 inside the agent. See Errors.

#Related

• Tokens & auth
• Connect Codex CLI