docs: document --oauth flag for sbx secret set openai

content/manuals/ai/sandboxes/agents/codex.md

@@ -30,16 +30,30 @@ $ sbx run codex
 
 ## Authentication
 
-Codex requires an OpenAI API key. Store your key using
+Codex supports two authentication methods: an API key or OAuth.
+
+**API key**: Store your OpenAI API key using
 [stored secrets](../security/credentials.md#stored-secrets):
 
 ```console
 $ sbx secret set -g openai
 ```
 
 Alternatively, export the `OPENAI_API_KEY` environment variable in your shell
-before running the sandbox. See
-[Credentials](../security/credentials.md) for details on both methods.
+before running the sandbox.
+
+**OAuth**: If you prefer not to use an API key, start the OAuth flow on your
+host with:
+
+```console
+$ sbx secret set -g openai --oauth
+```
+
+This opens a browser window for authentication and stores the resulting tokens
+in your OS keychain. The OAuth flow runs on the host, not inside the sandbox,
+so browser-based authentication works without any extra setup.
+
+See [Credentials](../security/credentials.md) for more details.
 
 ## Configuration
 

content/manuals/ai/sandboxes/security/credentials.md

@@ -134,9 +134,9 @@ The proxy reads the variable from your terminal session. See individual
 - Don't set API keys manually inside the sandbox. Credentials stored in
   environment variables or configuration files inside the VM are readable by
   the agent process directly.
-- For Claude Code, the interactive OAuth flow is another secure option: the
-  proxy handles authentication without exposing the token inside the sandbox.
-  Leave `ANTHROPIC_API_KEY` unset to use OAuth.
+- For Claude Code and Codex, OAuth is another secure option: the flow runs on
+  the host, so the token is never exposed inside the sandbox. For Claude Code,
+  use `/login` inside the agent. For Codex, run `sbx secret set -g openai --oauth`.
 
 ## Custom templates and placeholder values
 

data/sbx_cli/sbx_secret_rm.yaml

@@ -28,5 +28,8 @@ example: |4-
 
       # Remove without confirmation prompt
       sbx secret rm -g github -f
+
+      # Remove OpenAI credential(s) from global scope
+      sbx secret rm -g openai
 see_also:
     - sbx secret - Manage stored secrets

data/sbx_cli/sbx_secret_set.yaml

@@ -21,6 +21,9 @@ options:
       shorthand: h
       default_value: "false"
       usage: help for set
+    - name: oauth
+      default_value: "false"
+      usage: Start OAuth flow and store OAuth tokens (openai/global only)
     - name: token
       shorthand: t
       usage: 'Secret value (less secure: visible in shell history)'
@@ -38,5 +41,8 @@ example: |4-
 
       # Non-interactive via stdin (e.g., from a secret manager or env var)
       echo "$ANTHROPIC_API_KEY" | sbx secret set -g anthropic
+
+      # Start OpenAI OAuth flow and store global OAuth tokens
+      sbx secret set -g openai --oauth
 see_also:
     - sbx secret - Manage stored secrets