Hey devs! When you use Codex, putting too many tasks into a single conversation makes the model slow, confused, and unreliable. To solve this problem, I highly recommend using subagents (or Custom Agents).
Think of it like this: instead of forcing one agent to do everything, you act as the manager running a team. You can have one subagent write front-end code, another write back-end code, and another review the code, all working in parallel at the exact same time. And this is what we cover in today’s article ;).
A subagent is a separate Codex agent thread that the parent Codex session can spawn for a focused task. Subagents are useful when a job can be split into independent or specialized work: code review, security audit, documentation research, frontend debugging, test generation, or implementation planning.
Codex includes built-in agents such as `default`, `worker`, and `explorer`.
Codex already comes with a few basic agents built right in:
You can also define custom agents as TOML files. Each custom agent has its own name, description, instructions, and optional model, reasoning, sandbox, MCP, and skill settings.
Subagents are not spawned automatically just because files exist. In normal use, ask Codex explicitly:
Spawn security_auditor to review this authentication change for OWASP risks.
Spawn python_expert to refactor this module with type hints and pytest tests.
Spawn orchestrator to plan this full-stack feature and recommend specialist handoffs.
Using sub-agents gives you three massive advantages:
Codex supports two common install locations:
Where Custom Agents Live
For public libraries and team repos, use project-scoped agents so they clone with the repository:
.codex/
  config.toml
  agents/
    python_expert.toml
    security_auditor.toml
    orchestrator.toml
Dot directories are hidden in many file explorers. If you do not see .codex, use:
ls -la
ls -la .codex/agents
When you find yourself repeating the same workflow many times, it’s time to build a Custom Agent. You can set these up directly inside your terminal, VS Code, or whatever IDE you prefer.
Go to your project folder and create a directory structure that looks exactly like this:
your-project/
│
└── .codex/
    ├── config.toml
    └── agents/
        ├── backend_developer.toml
        └── code_reviewer.toml
(Tip: If you want these agents to be accessible across your entire computer for all projects, place them in your home directory at ~/.codex/agents/ instead).
Open your config.toml file to set up the global boundaries for your team. Here is the configuration I recommend:
[agents]
max_threads = 6
max_depth = 1
max_threads controls how many agent threads can be open concurrently. max_depth = 1 is a good default because it allows direct child agents but prevents recursive fan-out that can become expensive and hard to reason about.
Inside your .codex/agents/ folder, create files using readable, clear names. We will use these exact file names to call the agents in our prompts later.
name
The identifier Codex uses when spawning the agent. Keep it stable and easy to type. This library uses lowercase underscore_case:
python_expert
security_auditor
frontend_developer
description
Tells humans and Codex when this agent should be used. Make it specific. A weak description says:
Helps with code.
A stronger description says:
Use when you need read-only pull request review focused on correctness,
regressions, security risks, and missing tests.
developer_instructions
The agent’s core behavior. Include:
model & model_reasoning_effort
Use stronger models and higher reasoning for review, security, architecture, orchestration, and difficult debugging. Use smaller or faster models for routine implementation, documentation, and focused exploration. If you omit model fields, the agent inherits the parent Codex session settings.
sandbox_mode
Use read-only for agents that inspect and report without changing files; use workspace-write for agents that implement code or documentation changes.
sandbox_mode = "read-only"
sandbox_mode = "workspace-write"
Subagents still inherit the parent session’s approval policy and live runtime overrides, so the parent session remains the final control point.
nickname_candidates
Display labels for spawned agent threads. They do not change the real agent's name. Use simple ASCII names with letters, digits, spaces, hyphens, or underscores.
nickname_candidates = ["Atlas", "Delta", "Echo"]
Example 1: security_auditor.toml
Open the file and define the properties. The most important parts to include are the name, description, and developer instructions:
name = "security_auditor"
description = "Use when you need read-only security review, OWASP risk analysis, dependency risk triage, or credential-handling review."
model = "gpt-5.4"
model_reasoning_effort = "high"
sandbox_mode = "read-only"
nickname_candidates = ["Security Auditor"]
developer_instructions = """
You are the Codex custom subagent `security_auditor`.
Review code like a security owner. Stay read-only. Prioritize exploitable vulnerabilities, auth and access-control flaws, injection risks, data exposure, insecure secrets handling, and dependency risk.
Lead with concrete findings ordered by severity. Include affected files or symbols, impact, and remediation. Avoid style-only comments.
"""
Example 2: python_expert.toml
name = "python_expert"
description = "Use when you need modern Python implementation, refactoring, type hints, pytest tests, or framework-specific Python guidance."
developer_instructions = """
You are the Codex custom subagent `python_expert`.
Focus on modern Python. Prefer type hints, explicit error handling, pathlib, small functions, and pytest coverage. Follow the parent Codex session's repository instructions and approval policy.
When editing code, keep changes scoped to the Python task. When you cannot run validation, state the exact command the parent should run.
"""
My Pro-Tip on Budgeting: If you are on a pay-as-you-go plan, defining the `model` property is incredibly useful. You can set up a cheaper model for low-effort tasks and save expensive, high-reasoning models for complex tasks!
Shortcut: The Codex Agents Library
If you don’t want to create these from scratch, you don’t have to. I have a library containing around 36 different pre-made agents. You can simply download a file, like the front_end_developer agent, and drop it straight into your project's agents folder using VS Code.
Codex Agents Library:
Now that everything is configured, let’s launch Codex and look at how to control your new team.
To spawn a custom agent, you must explicitly call it by its name inside your prompt:
Spawn code_reviewer to review this branch against main for correctness,
regressions, and missing tests. Report findings only.
Codex will analyze your folder, find the agent with that name, and assign the task to it.
Because we allowed up to 6 concurrent threads in our config, you can call multiple agents at once to handle separate tasks simultaneously:
Review this PR with parallel subagents. Spawn code_reviewer for correctness,
security_auditor for exploitable risks, test_generator for coverage gaps,
and performance_optimizer for latency or memory issues. Wait for all results
and summarize findings by severity.
You will see the agents trigger and start working side by side in real time.
/agent command in your session terminal. This lists every active sub-agent currently running.
Watch out for Git Branches: By default, sub-agents do not create separate working branches; they will dump all changes straight onto your `main` branch. If you want to keep things clean, explicitly tell them in your prompt: "create a separate branch before you start the job."
As you start experimenting with sub-agents, please keep these five classic beginner traps in mind:
At the end of the day, subagents are incredibly powerful tools to speed up your development, but you are still completely responsible for the final code!
Watch my full step-by-step tutorial about Codex agents on YouTube:
Cheers, proflead! ;)