Overview
Plugins help Codex complete repeatable work by packaging the capabilities it needs for a specific workflow. A plugin can include workflow guidance, such as skills, and can also depend on approved apps that connect Codex to tools, data, or actions.
This article is for workspace admins, owners, and users who need to understand how plugins work and what needs to be enabled before a plugin can be used.
What is a plugin?
A plugin is a packaged capability for a workflow. Depending on the plugin, it may include:
Skills, which provide reusable instructions, prompts, and workflow patterns that help Codex complete a task.
Apps, which connect Codex to systems, data, and actions approved for your workspace.
App templates, which help an admin create or configure the app the plugin needs.
Some plugins are broad, while others are built for a specific line of business, such as sales, data analytics, or internal operations. A line-of-business plugin may bring together several capabilities so users can complete a job without manually switching between separate tools.
A single plugin may have multiple skills and apps, allowing users to accomplish a wide variety of tasks. A new Plugins section in Workspace settings lets workspace admins manage plugin availability and choose which roles receive a plugin automatically. Existing app settings continue to control who can use an app, what actions it can take, and related settings. Any plugin that includes the app inherits those permissions. For example, a sales-focused plugin might include multiple app-backed capabilities that support a sales workflow.
How plugins use apps
Many plugins depend on apps to reach external systems. For example, a plugin may need access to a workspace-approved app that connects to a repository, data warehouse, CRM, document store, or messaging tool.
A plugin that requires an app is available only when that app is enabled for the member's role. If a plugin contains only skills, or any included apps are optional, the plugin remains available by default.
Existing app permissions continue to apply to plugins. Depending on the app, workspace admins and owners may control:
Which users, groups, or roles can access it (Enterprise and Edu only). For more information, see: RBAC.
Whether it can read data only or also take actions
Whether users must confirm actions before they run
Whether sync, domain restrictions, source boundaries, or other app-specific settings apply.
Any plugin that uses the app inherits these settings.
Approving an app in ChatGPT does not override permissions in the source system. If a user cannot access a file, repository, record, workspace, or channel in the connected system, the plugin should not give them access to it through Codex.
Plugins that include app templates
Some plugins may include an app template or depend on an app created from a template. App templates are not the same as a ready-to-use app. A workspace admin or owner may need to enter organization-specific configuration, create a draft app, publish it, and assign access before members can use the plugin.
If a plugin depends on an app template that has not been set up yet, members may need an admin to complete setup first. The plugin cannot use the app template by itself.
For more about template setup, see ChatGPT app templates.
Setting up a plugin
Plugins are enabled by default in eligible workspaces, but workspace admins can choose which available plugins are installed automatically for each role. Before asking members to use a plugin, review its requirements and configure any required apps.
A plugin that requires a specific app is available only when that app is enabled for the member's role. Plugins that include only skills, or include optional apps, remain available by default.
Go to Workspace settings > Plugins, and select the plugin.
Review the plugin's included skills, required apps, and optional apps.
Choose which roles should have the plugin installed automatically.
If the plugin requires an app, go to Workspace settings > Apps, and select the app or app template.
Enable the app for the roles that should use the plugin.
If the app requires provider authentication, ask a test user to connect their account, then run a low-risk test prompt.
Find and review the relevant app or app template
If you know which plugin you want to set up, go to Workspace settings > Plugins, select the plugin, and review the included apps and app templates. If an app is required, go to Workspace settings > Apps to configure it. Existing role access, action controls, app permissions, and related settings apply to every plugin that uses the app.
You can also go directly to Workspace Settings > Apps when you already know the app or template name. Start in Directory if you are enabling a new app, or check Enabled if the app has already been approved. For Business plans, most apps are enabled by default. Use Drafts when you are reviewing a custom app that is waiting to be published.
Select the more options menu (•••) for the app, then select View Details and confirm:
Which system the app connects to
What information it can search or fetch
Whether it can sync data into ChatGPT
Then review any actions the app can take, especially anything that can create, update, or send information.
If the app connects to sensitive systems or regulated data, pause for the right vendor, legal, security, or data residency review. For custom MCP apps, include the MCP server, authentication model, exposed tools, and write-action behavior in that review before publishing.
Assign app access and set action and data boundaries
Enterprise and Edu admins and owners can decide which workspace members can use an app by assigning it to users, groups, or roles. A plugin that includes the app inherits this access assignment.
You can use RBAC or app access controls to assign the app only to that group, then expand later once the workflow is validated.
A plugin that uses an app inherits the app's role access, action controls, and related settings. Note that app assignment in your workspace settings controls who can access the app in ChatGPT. It does not override the user's existing permissions in the connected source system. Users must still have the appropriate OAuth and other permissions to use the connected system that powers the app.
Admins and owners can also review what the app is allowed to do:
Keep the first version read-only when possible.
Allow write or modify actions only when the team needs them.
Require admin review for newly added actions when appropriate.
Use domain restrictions to keep users on approved work accounts.
Limit sync to approved folders, drives, repositories, spaces, or channels when available.
Publish and validate
When the app settings look right, select Publish.
If the plugin was imported from a marketplace, use Refresh on the workspace plugin when you want to pull the latest version from its original source.
After launch, periodically review access, action controls, sync settings, support questions, analytics, and compliance needs.
Security and permission considerations
When reviewing a plugin, use the same review process you use for apps in ChatGPT.
Confirm what external system the plugin depends on. Confirm whether the plugin can use read-only actions, write actions, or both. Confirm whether action confirmation is required for sensitive actions. Keep the first rollout limited to a pilot group when possible. Review whether legal, security, privacy, data residency, or vendor approval is needed before expanding access. Periodically review access after rollout.
Apps may have their own terms, privacy policies, and data residency commitments. Review those terms before enabling access for sensitive or regulated workflows.
FAQ
Why can't I find the plugin?
Plugins are enabled by default in eligible workspaces, but availability can still depend on your plan, rollout status, workspace settings, and role. If you expected to see a plugin and do not, ask your workspace admin or owner to confirm that the plugin is available to your role and whether it should be installed automatically.
Why does the plugin say an app needs setup?
The plugin may require an app that is not enabled for your role or that still needs configuration. Ask a workspace admin or owner to review the required app. The admin may need to enable it, create it from a template, publish a draft, or assign access before members can use the plugin.
Why can't the plugin access the expected data?
Check both ChatGPT workspace access and the source system. The user must have access to the app in ChatGPT and must also have permission to the underlying content in the connected system.
Why can't the plugin take an action?
An admin may have limited the app to read-only access, or the action may require confirmation. Ask the admin to review action controls, action confirmation settings, and any source-system permissions required for the action.
Why is the related plugin still visible in Codex after I disabled an app in ChatGPT?
Disabling an app prevents the plugin from using that app-backed capability. If the plugin requires the app, the plugin is no longer available to affected roles. If the app is optional, or the plugin also contains skills, the plugin may remain visible and its other capabilities remain available. Ask a workspace admin or owner to review the plugin's required and optional apps, role settings, and app permissions.
Why don't I have access to skills?
Plugins that contain only skills are available by default in eligible workspaces, but availability may still depend on your plan, rollout status, workspace settings, and role. If a plugin is visible but does not work as expected, ask your admin or workspace owner to confirm whether the plugin and skill capabilities are available to your role.