
How to Use Codex Effectively: A Workflow That Actually Works

I tried building an entire app in one Codex session. The result was a mess of technical debt, broken context, and security holes I had to fix later. Here’s what I learned about using Codex the right way.

The Problem

When I first started using Codex, I made every mistake in the book:

  • Typed a massive prompt describing an entire e-commerce platform
  • Expected Codex to build everything at once
  • Skipped planning because I wanted to “just code”
  • Let Codex handle authentication logic

The output looked impressive at first. But then I ran into problems:

  • Codex started “spinning its wheels” after a while—making changes that undid previous work
  • I couldn’t track what decisions were made or why
  • The authentication code had vulnerabilities I only discovered weeks later
  • I had no idea where to pick up when I started a new session

I realized I was using Codex wrong. It’s not a magic app generator—it’s a tool that needs structure.

What Works: The Phased Approach

After reading Reddit discussions and experimenting, I found a workflow that actually works.

Phase 1: Plan Before You Code

I now start every project by creating a PRD (Product Requirements Document) first. I use ChatGPT or Claude to help me think through the requirements, then bring that document to Codex.

Here’s what a good first prompt looks like:

initial-prompt.txt
I want to build a task management app with the following requirements:
- Tech stack: React, Node.js, PostgreSQL
- Core features: Create tasks, assign to users, set deadlines
- Auth: Will use Clerk (don't implement custom auth)
Please create a project structure and architect.md file.

Notice what I’m NOT doing: asking Codex to build everything. I’m asking for structure and documentation first.

Phase 2: Create Documentation Files

Before writing any actual code, I have Codex create several markdown files:

Files to Create
- todo.md: Task list for the project
- security.md: Security considerations and decisions
- tech-stack.md: Technology choices and rationale
- milestones.md: Project phases and goals

These files serve two purposes:

  1. They help ME keep track of what’s happening
  2. They help Codex manage context window limitations

When Codex can reference these files, it doesn’t need to remember everything in its context.

Phase 3: Build in Small, Focused Sessions

The biggest mistake I made was trying to solve everything in one prompt. A Reddit user named szansky put it well:

“Prompt very precisely and in a very simple way. When coding, the first prompt can describe the entire application so the model understands what’s on your mind, but later prompt by solving problems in parts. Don’t try to solve a problem/create an app in one prompt.”

Here’s how I structure my prompts now:

BAD: Everything at once
Build me a complete e-commerce app with payment processing,
inventory management, and admin dashboard.

GOOD: Phased approach
Phase 1: Create the project structure and database schema
for an e-commerce app.
Phase 2: Implement the product catalog API endpoints.
Phase 3: Add shopping cart functionality.
Phase 4: Integrate Stripe for payments.

Each phase gets its own session. I complete discrete chunks before the context window fills up.

Phase 4: Use Planning Mode

Codex has a planning mode (Shift+Tab) that I now use constantly. When I want to add a feature mid-project, I don’t just start coding—I switch to planning mode first.

Planning mode helps Codex think through the implications without making changes. This prevents the “spinning wheels” problem where Codex makes changes that break other parts of the codebase.

The Security Lesson

Here’s something I learned the hard way: don’t let AI handle security.

I used to let Codex write authentication code. Then I discovered vulnerabilities I didn’t even know existed. A Reddit user named KevinCoderZA gave me the right advice:

“I would not trust an LLM to do that properly. You’d be better off offloading auth to some third-party service like Clerk.”

Now I use:

  • Clerk or Auth0 for authentication
  • Snyk for security auditing
  • Codex High or Opus for code review, not implementation

The pattern is clear: let specialists handle security. Use AI for everything else.

The Architecture File

One thing that really improved my workflow was creating an architect.md file with project-specific instructions. This file contains:

architect.md
# Project Architecture
## Tech Stack
- Frontend: React with TypeScript
- Backend: Node.js with Express
- Database: PostgreSQL with Prisma ORM
## Coding Standards
- Use functional components with hooks
- All API responses follow standard format
- Error handling wraps all async operations
## Security Notes
- Never implement custom auth
- All user inputs validated with Zod
- Rate limiting on all public endpoints
## Decisions Log
- 2026-03-20: Chose Clerk over Auth0 for simpler setup
- 2026-03-22: Decided against GraphQL for MVP

This file becomes the source of truth for Codex sessions. When I start a new session, Codex reads this file and understands the project context.
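Here is what those coding standards look like when applied to a single endpoint, as an added example that is not part of the original post and not Codex output. It assumes an Express-style handler that receives a request and returns a status plus body, and it uses a small hand-rolled validator as a stand-in for Zod so the snippet runs with no dependencies.

```javascript
// Added example: one POST /tasks handler following the architect.md rules:
// inputs validated before use, one standard response envelope, and async
// errors always caught so nothing leaks to the client.

// Standard response format: { ok, data } on success, { ok, error } on failure.
const ok = (data, status = 200) => ({ status, body: { ok: true, data } });
const fail = (message, status) => ({ status, body: { ok: false, error: message } });

// Stand-in for a Zod object schema (assumption, not Zod's API): each field is
// a predicate; returns either the accepted data or a list of field errors.
function validate(shape, input) {
  const errors = [];
  const data = {};
  for (const [key, check] of Object.entries(shape)) {
    const value = input?.[key];
    if (!check(value)) errors.push(`${key} is invalid`);
    else data[key] = value;
  }
  return errors.length ? { errors } : { data };
}

// Wrap every async handler so a thrown error becomes a generic 500 envelope
// instead of an unhandled rejection or a stack trace in the response.
const wrapAsync = (handler) => async (req) => {
  try {
    return await handler(req);
  } catch (err) {
    // Log err server-side; never echo its message to the caller.
    return fail('internal error', 500);
  }
};

// Shape for the task app's POST /tasks: bounded title, parseable deadline.
const createTaskShape = {
  title: (v) => typeof v === 'string' && v.trim().length > 0 && v.length <= 200,
  deadline: (v) => typeof v === 'string' && !Number.isNaN(Date.parse(v)),
};

const createTask = wrapAsync(async (req) => {
  const result = validate(createTaskShape, req.body);
  if (result.errors) return fail(result.errors.join('; '), 400);
  // Constructed failure so the error path can be exercised without a database.
  if (result.data.title === 'boom') throw new Error('db down');
  return ok({ id: 1, ...result.data }, 201);
});
```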

Visualizing the Workflow

Here’s how I now structure my Codex sessions:

Codex Workflow Diagram
+------------------+
|   Create PRD     | <- ChatGPT/Claude for thinking
+--------+---------+
         |
         v
+------------------+
|  Setup Project   | <- Codex: project structure
|  + architect.md  |
+--------+---------+
         |
         v
+------------------+
|  Phase 1: Core   | <- Codex: discrete chunk
+--------+---------+
         |
         v
+------------------+
|  Planning Mode   | <- Before each new feature
+--------+---------+
         |
         v
+------------------+
|  Phase 2: Add    | <- Codex: next discrete chunk
|  Features        |
+--------+---------+
         |
         v
+------------------+
|  Security Audit  | <- Snyk + manual review
|  Code Review     | <- Stronger model
+------------------+

Each box is a separate session or step. The key is never combining too many boxes into one session.

Common Mistakes to Avoid

Based on my experience and Reddit discussions, here are the mistakes that waste time:

Mistake 1: Building everything at once

This leads to technical debt. Codex makes decisions you don’t understand, and you spend weeks debugging.

Mistake 2: Ignoring context window limits

When Codex runs out of context, it starts making inconsistent changes. Keep sessions focused and end them at logical breakpoints.

Mistake 3: Trusting AI for security

Authentication, authorization, encryption—use established services. Don’t reinvent security.

Mistake 4: Not using planning mode

When adding features mid-project, planning mode prevents Codex from making changes that break existing code.

Mistake 5: No documentation trail

Without markdown files tracking decisions, you lose context between sessions. Codex also loses context.

The Mental Shift

The biggest change for me was thinking about Codex differently. It’s not a genie that grants wishes—it’s a collaborator that needs structure.

When I structure my work properly:

  • Codex understands what I want
  • I understand what Codex is doing
  • The codebase stays maintainable
  • Security is handled by specialists

When I don’t structure my work:

  • Codex makes decisions I can’t track
  • Technical debt accumulates
  • Security vulnerabilities hide in generated code
  • I can’t reproduce or explain the codebase

What I Do Now

Here’s my current workflow for any new project:

  1. Write a PRD using ChatGPT or Claude to think through requirements
  2. Start Codex with a focused prompt asking for project structure + architect.md
  3. Create documentation files (todo.md, security.md, milestones.md)
  4. Build in phases with separate sessions for each major feature
  5. Use planning mode before adding new features mid-project
  6. Offload security to Clerk, Auth0, or similar services
  7. Audit with Snyk and review with stronger models

This workflow produces cleaner code, fewer bugs, and better security than my old “build everything at once” approach.

Summary

Using Codex effectively requires a structured workflow:

  • Start with a PRD created outside of Codex
  • Build in phases, not all at once
  • Create documentation files for context management
  • Use planning mode before new features
  • Never trust AI with security implementation
  • Audit code with specialized tools

The developers getting the most value from Codex aren’t the ones typing the longest prompts—they’re the ones structuring their work into focused, documented sessions.

Final Words + More Resources

My intention with this article was to share my knowledge and experience with others. If you want to get in touch, you can contact me by email.

Here are also the most important links from this article along with some further resources that will help you in this scope:

Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
