Current public support is macOS and Windows. The remote control surface itself is browser-first.
Documentation
FlyDex technical documentation
FlyDex is a local-first remote control plane for desktop Codex sessions on macOS and
Windows. The public workflow is intentionally compact: open FlyDex on the desktop that
is already running Codex, run one npx install command if the local helper
is missing, scan the QR code from your phone, and continue reading threads, sending
prompts, and handling approvals without moving the Codex runtime into a hosted
workspace. OpenAI positions Codex as its software engineering agent for development
work; FlyDex focuses on the remote operational layer around that local desktop runtime.
See the official OpenAI Codex documentation
for the upstream product context.
The landing experience is install on desktop first, then scan on phone. No separate public installer pages are required.
FlyDex uses npx -y --prefer-online flydex@latest for helper bootstrap on the desktop that is running Codex.
QR handoff claims are designed to expire quickly and can be consumed once, reducing replay risk.
The current public offer is a one-time 72-hour trial followed by a $10 per month subscription in USD.
The desktop helper exposes localhost-only health and connect endpoints for the FlyDex browser app.
Reference map
Jump to deeper docs
Desktop install, QR scan, and the first localhost health checks.
Account auth, QR claims, local-connect tokens, and machine continuity.
Thread reads, remote prompts, and approval handling scope.
Documented relay surfaces, localhost endpoints, and lifecycle states.
Threat model, data minimization, and transport-security notes.
System components, readiness flow, and connector topology.
Overview
How FlyDex works end to end
FlyDex has three active surfaces. First, the web app provides the public landing page, authentication, QR handoff, thread views, and approval controls. Second, the FlyDex control plane routes authenticated browser traffic, keeps machine registry state, tracks pairing and local-connect lifecycle, and stores the minimal billing and audit metadata needed for continuity. Third, the local connector runs on the same desktop as Codex and is the only component that talks to the local runtime. That split matters: the browser never needs a direct public route to the Codex app server, and the Codex runtime never has to move into a hosted cloud environment just to become reachable from a phone.
The current implementation is designed around operational reliability rather than “remote desktop” semantics. FlyDex is not trying to stream a full screen or expose a general-purpose shell to the internet. It is optimized for the moments that actually stall local agent work: checking whether a thread is still alive, reading the current session state, sending a clarifying prompt, and resolving approvals before a long run sits blocked for hours. That is why the pairing surface is QR-first, the control plane is machine-aware, and the app keeps the session and approval model close to Codex itself instead of pretending the problem is generic device remoting.
Desktop browser -> FlyDex web UI
Phone browser -> account sign-in + QR handoff
Local connector -> http://127.0.0.1:48163/v1/health and /v1/connect
Control plane -> session routing, machine registry, approval relay, audit metadata
Codex runtime -> stays on the local desktopInstallation
Start on the desktop running Codex
The first run starts on the Mac or Windows PC that already has local Codex access.
FlyDex checks the local helper at http://127.0.0.1:48163/v1/health. If
the helper is missing, the homepage surfaces a copyable install command and an
optional prompt you can paste into Codex itself. The goal is practical and specific:
first-time pairing should complete in under two minutes on a clean desktop with local
Codex already installed.
npx -y --prefer-online flydex@latest- Open FlyDex on the desktop that is already running Codex.
- Run the one-line install command once if the helper is not already present.
- Wait for the desktop to expose a live QR code for that machine.
- Scan the code from your phone and complete sign-in there.
- Let the desktop finalize local connect and wait until Codex is reported ready.
Pairing flow
QR-first handoff, then machine continuity
Pairing is intentionally short-lived and single-use. The QR code does not represent a permanent credential; it represents a claim that expires quickly and is consumed once. After the phone finishes sign-in, the control plane binds the machine to that account and the desktop helper restores the same machine identity on reconnect. That means the public pairing ceremony is not repeated every time you revisit the app. After the first successful pair, FlyDex is built to bring the same machine back online from local state without requiring a desktop browser session to stay open.
Current product numbers
Concrete implementation stats that matter operationally
FlyDex does not publish vanity throughput claims that the product cannot defend. The useful numbers are the ones that affect real operator behavior: how many steps the public workflow requires, how quickly a claim expires, where the helper binds, what the trial window is, and how long a signed-in session remains valid before refresh or sign-out changes the state. The following figures are current product-backed targets or implementation details, not marketing estimates.
Under 2 minutes on a clean desktop with Codex already installed.
Short-lived, single-use, account-bound QR handoff material.
Localhost only on 127.0.0.1, using port 48163.
14-day TTL window with refresh behavior, plus explicit revocation on sign-out.
One-time 72-hour trial, then $10/month USD with Stripe-backed checkout.
macOS and Windows today; mobile control happens through the web UI.
Threads and approvals
What remote control means in practice
The operational center of FlyDex is the thread surface. Once a machine is online, the app can list and read local threads, resume or start turns remotely, and route approval decisions back to the correct session. This is especially useful for unattended or long-running Codex work, where the most expensive failure mode is not a hard crash but a silent pause that waits for a human decision. FlyDex shortens that loop by keeping the state and approval queue reachable from a phone.
High-risk actions still preserve a deliberate approval boundary. FlyDex does not treat a paired device as blanket permission to run everything invisibly. Command execution, file writes, and approval decisions remain explicit UI actions. That is the correct trade-off for a remote control plane: fast enough to unblock work, narrow enough that a lost moment of attention does not become a broad blast radius. The model is closer to “remote steering for a local agent” than “remote shell for a public server.”
Local connector and selected endpoints
Current interfaces used by the web app and helper
These endpoints describe the current FlyDex implementation and are useful for troubleshooting or architecture review. They should be read as operational documentation, not as a promise that every internal control-plane route is a stable public API.
| Surface | Route | Purpose | Notes |
|---|---|---|---|
| Local connector | GET http://127.0.0.1:48163/v1/health |
Desktop readiness probe for the FlyDex browser app. | Localhost only. Used to confirm helper, bridge, and runtime state. |
| Local connector | POST http://127.0.0.1:48163/v1/connect |
Starts or finalizes the desktop helper connect flow. | Localhost only. Invoked after the control plane issues local-connect state. |
| Control plane | POST /api/local-connect/start |
Creates a local-connect session for the authenticated machine. | Browser asks the server for a connect session before calling the helper. |
| Control plane | POST /api/local-connect/:id/agent-status |
Receives connector-side state transitions until the machine reaches readiness. | Used by the helper to report progress such as awaiting browser finalize and codex ready. |
curl http://127.0.0.1:48163/v1/health
# Expected use: local desktop diagnostics only.
# Do not expose this endpoint publicly.Security and privacy
Localhost binding, authenticated relay, minimal storage
FlyDex is designed so the browser never has to talk directly to a public Codex server.
The local connector binds to 127.0.0.1 only, the control plane handles the
authenticated relay and machine scoping, and pairing claims expire quickly. For network
terminology and transport expectations, the relevant external references are the
WebSocket standard in RFC 6455
and the modern TLS baseline in
RFC 8446. FlyDex is not claiming
a formal certification here; these are the primary standards that define the transport
model around secure web and relay communication.
For application hardening, the relevant external checklists are OWASP MASVS and OWASP MASTG. Those references are useful because FlyDex has both browser and mobile-adjacent usage patterns, even though the current control surface is web-first. The practical controls that matter most in FlyDex today are account-scoped machine access, short-lived single-use pairing claims, explicit confirmation for higher-risk actions, redaction of secrets from logs, and at-rest data minimization.
Account metadata, billing state, machine metadata, and privacy-scrubbed audit history.
Prompt bodies, chat content, Codex output, thread previews, token-usage summaries, and completed approval payload details.
No inbound port forwarding to your desktop and no public exposure of the local Codex service.
Comparison
How FlyDex differs from common alternatives
The useful comparison is not brand versus brand. It is whether the control model matches local-first Codex work. FlyDex is opinionated toward secure remote steering of a local agent. Generic remoting, direct tunnels, and hosted workspaces solve adjacent problems, but they make different trade-offs.
| Approach | Where Codex runs | What the user remotely controls | Trade-off |
|---|---|---|---|
| FlyDex local-first control plane | Your own Mac or Windows desktop | Threads, prompts, approvals, machine continuity | Purpose-built for Codex operations, but intentionally narrower than full desktop remoting. |
| Generic remote desktop | Your own desktop | Entire screen and input surface | Broad access, but poor fit for thread-aware approvals and mobile readability. |
| Direct tunnel to local APIs | Your own desktop | Whatever you expose through the tunnel | Flexible, but easy to widen the attack surface and harder to keep account and machine boundaries clear. |
| Hosted cloud workspace | Remote infrastructure | The hosted runtime itself | Good for cloud-native workflows, but it changes the locality and trust model of the desktop setup. |
Troubleshooting
Common issues and the fastest checks
No QR appears on the desktop
Start on the desktop that is actually running Codex, not on the phone. If the page is open on the wrong device, FlyDex will not have the right machine context to generate the QR for pairing.
The helper looks missing
Run the one-line npx install command from the homepage, then re-check http://127.0.0.1:48163/v1/health locally. If the helper still does not answer, gather the exact error and send it to support.
Phone sign-in succeeded but the machine is not ready
This usually means the browser handoff completed before the connector reached codex_ready. Leave the desktop page open long enough for local connect to finish, then refresh the machine state.
Approvals are not showing remotely
Confirm the correct machine is online and paired to the same account that completed the QR flow. Approval events are machine- and account-scoped, not global across unrelated sessions.
Trial or billing questions
The current offer is a one-time 72-hour trial followed by $10/month USD. If a subscription, wallet option, or access state looks wrong, contact support@flydex.net with the account email and screenshots.
References
Primary sources and standards
- OpenAI Codex documentation
- RFC 6455: The WebSocket Protocol
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
- OWASP MASVS
- OWASP MASTG
For FlyDex-specific storage, pairing, and connector behavior, see the public Trust & Security and Privacy pages.