Home / How-to Guides
Edit
Report

Route OpenAI Codex CLI traffic through Kong AI Gateway

Uses: Kong Gateway AI Gateway deck
Deployment Platform
Related Documentation
Gateway Documentation decK Documentation
Tags
#ai #openai
Related Resources
AI Gateway
AI Proxy Advanced
AI Request Transformer
File Log
Minimum Version
Kong Gateway - 3.6
TL;DR

Create a Gateway Service and Route, attach AI Proxy Advanced to forward requests to OpenAI, add a Request Transformer plugin to normalize upstream paths, enable file-log to inspect traffic, and point Codex CLI to the local proxy endpoint so all LLM requests go through the Gateway for monitoring and control.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK   v1.43+

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.

This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance. We recommend upgrading your decK installation to take advantage of this tool.

You can check your current decK version with deck version.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: codex-service
    url: http://localhost
routes:
  - name: codex-route
    paths:
    - "/codex"
    service:
      name: codex-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

OpenAI

This tutorial uses OpenAI:

  1. Create an OpenAI account.
  2. Get an API key.
  3. Create a decK variable with the API key:
```bash export DECK_OPENAI_API_KEY="YOUR OPENAI API KEY" ```

export DECK_OPENAI_API_KEY="YOUR OPENAI API KEY"

Codex CLI

This tutorial uses the OpenAI Codex CLI. Install Node.js 18+ if needed (verify with node --version), then install and launch Codex:

  1. Run the following command in your terminal to install the Codex CLI:

     npm install -g @openai/codex

  2. Once the installation process is complete, run the following command:

     codex

  3. The CLI will prompt you to authenticate in your browser using your OpenAI account.

  4. Once authenticated, close the Codex CLI session by hitting ctrl + c on macOS or ctrl + break on Windows.

Configure the AI Proxy Advanced plugin

First, let’s configure the AI Proxy Advanced plugin. In this setup, we use the Responses route because the Codex CLI calls it by default. We don’t hard-code a model in the plugin — Codex sends the model in each request. We also raise the body size limit to 128 KB to support larger prompts.

echo '
_format_version: "3.0"
plugins:
  - name: ai-proxy-advanced
    service: codex-service
    config:
      genai_category: text/generation
      llm_format: openai
      max_request_body_size: 131072
      model_name_header: true
      response_streaming: allow
      balancer:
        algorithm: round-robin
        tokens_count_strategy: total-tokens
        latency_strategy: tpot
        retries: 3
      targets:
      - route_type: llm/v1/responses
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        logging:
          log_payloads: false
          log_statistics: true
        model:
          provider: openai
' | deck gateway apply -

Configure the Request Transformer plugin

To ensure that Codex forwards clean, predictable requests to OpenAI, we configure a Request Transformer plugin. This plugin normalizes the upstream URI and removes any extra path segments, so only the expected route reaches the OpenAI endpoint. This small guardrail avoids malformed paths and keeps the proxy behavior consistent.

echo '
_format_version: "3.0"
plugins:
  - name: request-transformer
    service: codex-service
    config:
      replace:
        uri: "/"
' | deck gateway apply -

Now, we can pre-validate our current configuration:

curl -X POST "$KONNECT_PROXY_URL/codex" \
     -H "Content-Type: application/json" \
     --json '{
       "model": "gpt-4o",
       "input": [
         {
           "role": "user",
           "content": "Ping"
         }
       ]
     }'

curl -X POST "http://localhost:8000/codex" \
     -H "Content-Type: application/json" \
     --json '{
       "model": "gpt-4o",
       "input": [
         {
           "role": "user",
           "content": "Ping"
         }
       ]
     }'

Export environment variables

Now, let’s open a new terminal window and export the variables that the Codex CLI will use. We set a dummy API key here just to confirm the variable exists, and point OPENAI_BASE_URL to the local proxy endpoint where we will route LLM traffic from Codex CLI:

export OPENAI_API_KEY=sk-xxx
export OPENAI_BASE_URL=http://localhost:8000/codex

export OPENAI_API_KEY=sk-xxx
export OPENAI_BASE_URL=$KONNECT_PROXY_URL/codex

Configure the File Log plugin

Finally, to see the exact payloads traveling between Codex and the AI Gateway, let’s attach a File Log plugin to the service. This gives us a local log file so we can inspect requests and responses as Codex runs through Kong.

echo '
_format_version: "3.0"
plugins:
  - name: file-log
    service: codex-service
    config:
      path: "/tmp/file.json"
' | deck gateway apply -

Start and use Codex CLI

Let’s test our Codex CLI set up now:

  1. In the terminal where you exported your environment variables, run:

    codex

    You should see:

     ╭───────────────────────────────────────────╮
 │ >_ OpenAI Codex (v0.55.0)                 │
 │                                           │
 │ model:     gpt-5-codex   /model to change │
 │ directory: ~                              │
 ╰───────────────────────────────────────────╯

  To get started, describe a task or try one of these commands:

  /init - create an AGENTS.md file with instructions for Codex
  /status - show current session configuration
  /approvals - choose what Codex can do without approval
  /model - choose what model and reasoning effort to use
  /review - review any changes and find issues

    {.no-copy-code}

  2. Run a simple command to call Codex using the gpt-4o model:

    codex exec --model gpt-4o "Hello"

    Codex will prompt:

      Would you like to run the following command?

  Reason: Need temporary network access so codex exec can reach the OpenAI API

  $ codex exec --model gpt-4o "Hello"

› 1. Yes, proceed
  2. Yes, and don't ask again for this command
  3. No, and tell Codex what to do differently

    {.no-copy-code}

    Select Yes, proceed and press Enter.

    Expected output:

    • Ran codex exec --model gpt-4o "Hello"
  └ OpenAI Codex v0.55.0 (research preview)
    --------
    … +12 lines
    6.468
    Hi there! How can I assist you today?

─ Worked for 9s ────────────────────────────────────────────────────────────────

• codex exec --model gpt-4o "Hello" returned: “Hi there! How can I assist you today?”

    {.no-copy-code}

  3. Check that LLM traffic went through Kong AI Gateway:

    docker exec kong-quickstart-gateway cat /tmp/file.json | jq

    Look for entries similar to:

    {
  ...
  "ai": {
    "proxy": {
      "tried_targets": [
        {
          "ip": "0000.000.000.000",
          "route_type": "llm/v1/responses",
          "port": 443,
          "upstream_scheme": "https",
          "host": "api.openai.com",
          "upstream_uri": "/v1/responses",
          "provider": "openai"
        }
      ]
    }
  }
  ...
}

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support