2 min read

OpenAI Encrypts Codex Agent Messages, Worrying Devs

OpenAI changed Codex to encrypt MultiAgentV2 instructions between agents, and developers say it could make debugging and auditing harder.

Image: The Register

OpenAI has changed its Codex CLI so messages passed between subagents in its new MultiAgentV2 system are now encrypted, a move that has sparked concern among developers who rely on readable logs for debugging and audits.

Codex supports multi-agent orchestration, where a parent agent can spawn child agents or hand off tasks to other agents that may call different models. With Codex/GPT-5.6, OpenAI introduced a protocol called multi-agent v2 that appears designed to let the runtime assign work rather than depend on user-declared configuration settings.

The protocol is still under development and, according to the report, OpenAI has not formally documented it. But developers noticed recent code changes to support the new setup, including a pull request merged last month that encrypts multi-agent v2 message payloads — the text instructions sent between agents.

The pull request says that, before the change, agent instructions were routed through normal tool arguments and inter-agent context, allowing the parent model to emit plaintext task text, Codex to store it in history and rollouts, and the recipient to receive it as standard assistant-message JSON. Under the new approach, the path changes so instructions remain encrypted between model calls: Responses encrypts the message argument returned by the model, Codex forwards only the ciphertext, and Responses decrypts it internally for the recipient model.

Recommended reading

Helicone lets users query shared ClickHouse safely

OpenAI did not explain why it made the change. The report notes that privacy, security, or protecting useful data from model distillation could all be plausible reasons, but developers say the lack of explanation is part of the problem.

Ignat Remizov, CTO at payment service Zolvat, raised the issue directly:

“The encrypted delivery path is understandable as privacy hardening, but it also removes the human-readable task/message text from local rollout history, trace reduction, and parent-side audit/debug surfaces.”

Ignat Remizov, CTO at Zolvat

His concern is that developers and maintainers will have less visibility into what instructions an agent received and why it took certain actions.

“Guys, we don’t want to build Skynet and then be unable to audit what it’s doing.”

Ignat Remizov, CTO at Zolvat

Other developers, according to the report, have also speculated that OpenAI may be restricting visibility to prevent competitors from learning how its multi-agent system works. OpenAI did not immediately respond to a request for comment.

Marcus Vance

Enterprise Editor

Marcus follows the money. He covers enterprise software, cloud architecture, and the tectonic shifts in Big Tech strategy. He translates dense earnings calls and complex M&A activity into actionable insights about where the industry is actually heading. If a tech giant makes a silent pivot, Marcus is usually the first to notice.

via The Register

// Keep reading