Codex Deploy Runbook
Pay-To Address Configuration
The CODEX_PAY_TO_ADDRESS is the on-chain address that receives x402 USDC payments for Codex API access.
Initial Setup
- Generate a Coffer-deposit-derived address controlled by the Praetor multisig
- Set in Doppler:
```bash
doppler secrets set CODEX_PAY_TO_ADDRESS=0x<address> \
  --project atrium --config staging --group codex
```
- Deploy the service. It will fail loudly at startup if the address is missing or invalid.
Rotation Procedure
- Generate new receiving address from Praetor multisig
- Update Doppler:
```bash
doppler secrets set CODEX_PAY_TO_ADDRESS=0x<new-address> \
  --project atrium --config prod --group codex
```
- Redeploy the service (Vercel auto-deploys on env change if configured)
- Verify: `curl -I https://codex.useatrium.me/health` should return 200
- Old address continues receiving in-flight payments for up to 5 minutes (payment TTL)
Verification
```bash
# Check the service starts correctly
curl https://codex.useatrium.me/health
# If CODEX_PAY_TO_ADDRESS is unset, the service refuses to start
# and logs: "[codex] FATAL: CODEX_PAY_TO_ADDRESS is not configured"
```
Security Notes
- The pay-to address MUST be controlled by the Praetor multisig (not a single EOA)
- Never use the deployer EOA as the pay-to address
- The address is public (visible in x402 payment headers); security comes from multisig control, not secrecy
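
A pre-flight check to run on a candidate address before the `doppler secrets set` step in Initial Setup or Rotation, as an added example that is not part of this runbook or the Codex service's own code. The function name, its exit codes, and the deployer and current-address arguments are assumptions; it checks format and the "never the deployer EOA" rule only and cannot prove multisig control.

```shell
#!/bin/sh
# Added example: pre-flight check for a candidate CODEX_PAY_TO_ADDRESS.
# Function names, exit codes and arguments are assumptions, not from the runbook.
# A format check cannot prove the address is controlled by the multisig.

# Lowercase hex so comparisons ignore mixed-case (EIP-55 style) spelling.
lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# check_pay_to_address CANDIDATE [DEPLOYER_EOA] [CURRENT_ADDRESS]
# Prints a reason and returns non-zero when the candidate must not be set.
check_pay_to_address() {
  candidate=$1 deployer=${2:-} current=${3:-}

  if [ -z "$candidate" ]; then
    echo "missing: address is empty"; return 1
  fi
  # Must be 0x followed by exactly 40 hex characters.
  case $candidate in
    0x*) hex=${candidate#0x} ;;
    *) echo "invalid: no 0x prefix"; return 2 ;;
  esac
  if [ "${#hex}" -ne 40 ]; then
    echo "invalid: expected 40 hex characters, got ${#hex}"; return 2
  fi
  case $hex in
    *[!0-9a-fA-F]*) echo "invalid: non-hex character"; return 2 ;;
  esac
  norm=$(lower "$candidate")
  # The zero address is well-formed, but funds sent to it are unrecoverable.
  if [ "$norm" = "0x0000000000000000000000000000000000000000" ]; then
    echo "invalid: zero address"; return 3
  fi
  # Security Notes: the deployer EOA must never be the pay-to address.
  if [ -n "$deployer" ] && [ "$norm" = "$(lower "$deployer")" ]; then
    echo "refused: matches the deployer EOA"; return 4
  fi
  # Rotation: setting the address already in use rotates nothing.
  if [ -n "$current" ] && [ "$norm" = "$(lower "$current")" ]; then
    echo "refused: same as current address, rotation would be a no-op"; return 5
  fi
  echo "ok: $norm"
}
```
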