Trust Center

The license can know it is valid without knowing what you are doing.

Codex Panels separates content, identity, entitlement, and money into explicit boundaries. A paid panel can prove the right to run and contribute to a creator’s usage reward without transmitting prompts, outputs, captures, files, repository contents, or workflow purpose.

Content-blind licensing

Entitlement events contain no panel content or user intent.

Short, revocable grants

Panel access uses signed, scoped grants with a 30-day offline grace window and a revocation receipt.

Separate ledgers

Identity, licenses, minimal usage events, and money records live in separate tables with separate purposes.

No invisible green lights

Installs, checks, refunds, revocations, splits, and payouts produce inspectable receipts.

Panel License Receipt

Usable offline. Checkable online. Never a hostage situation.

Paid panels refresh their entitlement at most once per day while online. If Codex Panels is unavailable, the last valid grant continues for 30 days. A failed check never blocks export of the user’s own data.

Read the license draft
  1. 1
    Account proves entitlement

    Codex Panels checks the signed-in account against the purchased panel and version.

  2. 2
    Server returns a scoped grant

    Panel slug, license class, grant ID, expiry, and offline grace—no workspace content.

  3. 3
    Runtime verifies the grant

    The panel runs locally and records only a day-bucketed active-license receipt when due.

  4. 4
    Creator pool counts verified days

    Aggregates determine usage rewards; raw events expire on a short retention schedule.

Exact telemetry contract

Five fields in. One receipt out.

Collectedpanel slug, panel version, license/grant ID, pseudonymous installation hash, UTC day bucket
Not collectedprompts, outputs, captures, chat text, filenames, file contents, repository contents, project names, workflow purpose
Retention targetraw active-license events: 30 days; creator payout aggregates and financial records: as required for accounting and law
User controlview receipts, disable optional diagnostics, export data, disconnect providers, delete account; paid entitlement checks remain required

Founder and creator money security

No shared wallet. No mystery transfers.

Customer payments originate on the platform account. Creator shares route to verified connected accounts. Codex Panels’ application fee settles to the company payment balance. Webhook receipts reconcile the internal ledger; payouts never depend on browser-supplied amounts or destination IDs.

Frontier-model security

Connect model access—not passwords.

CodexPanels does not ask for a consumer ChatGPT, Claude, Gemini, or other frontier-model password. Intelligence requests use Vercel AI Gateway with workspace-managed access, scoped API credentials, enterprise federation, or a provider-supported OAuth flow. Provider credentials remain server-side or in the user’s local Codex environment and never enter panel manifests, captures, or creator telemetry.

Launch security baseline

Provider credentials encrypted or local-only and rotatedGateway allowlists, budgets, and per-user attributionWebhook signatures verified before fulfillmentOwner-scoped database queriesStrict file type and size limitsLicense grants scoped by panel and versionRate limits on checkout, license, capture, and intelligence APIsContent Security Policy and secure headersDependency and migration checks in CICreator payout destinations read from verified server recordsIncident, deletion, and vulnerability-response runbooksNo consumer account scraping or password collection

Architecture commitment, not a certification claim. Controls must be independently tested before public launch.