Put the following into .codex/config.toml:
[mcp_servers.appm]
enabled = true
required = true
url = "https://HOSTNAME/appm/mcp"
http_headers = { "X-API-Key" = "MCP_API_KEY" }
# default ~10
# How long Codex waits for the MCP server to respond to initial connection/handshake
startup_timeout_sec = 20
# default ~60
# Maximum time Codex waits for a single MCP tool call to complete.
tool_timeout_sec = 120
Replace HOSTNAME with the hostname where APPM is running and MCP_API_KEY with the key you generated in the previous chapter.
TLS certificates
If you’re using self-signed certificates for the GUI (which is the default), you’ll need to make sure of the following:
Hostname
Use the correct hostname (see cat /srv/appm/docker-compose.yml | grep APP_HOSTNAME). This is the hostname the
application server uses to automatically generate the self-signed certificate. codex has no option to ignore a mismatch
between the hostname in the certificate and the URL used to connect to the server.
Trusted CA
codex has no way of ignoring an untrusted CA, so you need to tell it to trust the self-signed certificate. First save the certificate to a file:
openssl s_client -connect "HOSTNAME:443" -servername "HOSTNAME" -showcerts </dev/null 2>/dev/null \
| sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > appm-ca.pem
(replace HOSTNAME with the hostname where APPM is running).
Then, before running codex, tell it to trust the given CA using:
export CODEX_CA_CERTIFICATE='/path/to/appm-ca.pem'
You can refer to the APPM installation manual for how to set up proper certificates (under the “Change SSL Certificate” title).
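A pre-flight check for the appm-ca.pem file produced above, to run before exporting CODEX_CA_CERTIFICATE. This is an added example, not part of APPM or codex; the function name check_appm_ca and the script name are assumptions. It confirms the file holds a certificate, that the certificate covers the hostname used in the MCP URL, and that it has not expired.

```shell
#!/bin/sh
# Added example: sanity-check the PEM file that CODEX_CA_CERTIFICATE will point at.
# Usage (script name is hypothetical): sh check-appm-ca.sh /path/to/appm-ca.pem HOSTNAME

check_appm_ca() {
    ca_pem=$1
    ca_host=$2

    # The sed filter in the extraction step leaves an empty file when the
    # connection fails, so check that a certificate was actually captured.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_pem" 2>/dev/null; then
        echo "FAIL: no certificate found in $ca_pem" >&2
        return 1
    fi

    # -checkhost only prints its verdict, so test the text, not the exit status.
    if ! openssl x509 -in "$ca_pem" -noout -checkhost "$ca_host" \
            | grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover hostname $ca_host" >&2
        return 2
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$ca_pem" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate in $ca_pem has expired" >&2
        return 3
    fi

    # The certificate was fetched over the network, so print its fingerprint
    # for comparison with the one read on the APPM host itself.
    openssl x509 -in "$ca_pem" -noout -fingerprint -sha256
}

# Run the check only when both arguments are supplied on the command line.
if [ "$#" -eq 2 ]; then
    check_appm_ca "$1" "$2"
fi
```

A return code of 2 means the hostname in the config.toml URL does not match the certificate, which is the mismatch codex cannot be told to ignore.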