Building a Research Assistant with Codex and Web Search

Codex CLI is fast and stays in the terminal, which is exactly where you want to be during development. Adding web search via AgentPatch means it can also do technical research inline — looking up docs, comparing options, verifying current information — without you switching context.

Why This Matters

A lot of development work is research-heavy: understanding unfamiliar APIs, evaluating libraries, reading error traces, checking whether something is a known issue upstream. Codex handles the implementation side well, but research requires current information that training data often can’t provide.

When Codex has access to web search as an MCP tool, it can pull that research itself. You describe the problem or question, it figures out what to search for, and it incorporates the results into its answer. The result is a tighter loop: less time spent gathering context, more time spent on the actual work.

Setup

Add AgentPatch to ~/.codex/config.toml:

[mcp_servers.agentpatch]
url = "https://agentpatch.ai/mcp"
bearer_token_env_var = "AGENTPATCH_API_KEY"

Then set your API key:

export AGENTPATCH_API_KEY=your_api_key

Replace your_api_key with your actual key from the AgentPatch dashboard. Codex discovers all AgentPatch tools automatically on next start.

Example

You’re setting up authentication in a new service and want a quick take on current options:

“What’s the current recommended approach for JWT refresh token rotation in a stateless Node.js API? Are there any security concerns with the standard pattern I should know about?”

Codex searches and summarizes:

Searching Google for "JWT refresh token rotation Node.js best practices 2026"...
Searching Google for "refresh token reuse detection security"...

The standard pattern is still rotation-with-reuse-detection:
- Issue a new refresh token on every use
- Invalidate the old one immediately
- If you detect a previously-used token being presented, treat it as a potential
  breach and revoke the entire session family

The main concern is the "race condition" case: if a client sends two requests with
the same refresh token simultaneously, one will succeed and one will invalidate.
This is usually handled with a short grace period or by making refresh requests
idempotent at the token level.

OWASP recommends persisting issued tokens (even in a "stateless" setup) to make
reuse detection reliable. Libraries like jose handle the cryptographic parts well.

Want me to sketch out a token service based on this?

Codex pulled current guidance from authoritative sources, surfaced a non-obvious edge case, and offered to implement it. That’s a more useful research interaction than “as of my training data, the recommendation was…”
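The rotation-with-reuse-detection pattern from the summary above, including the grace window for the concurrent-refresh race, as an added example; it is not part of the original post or of Codex's or AgentPatch's output. The in-memory store stands in for the persisted token table, and the names RefreshTokenStore, issue, rotate and graceMs are assumptions made for illustration.

```javascript
// Added example: in-memory stand-in for a persisted refresh-token table.
// RefreshTokenStore, issue, rotate and graceMs are illustrative names.
const { randomBytes } = require('node:crypto');

class RefreshTokenStore {
  constructor({ graceMs = 0 } = {}) {
    this.graceMs = graceMs;          // window for duplicate concurrent refreshes
    this.tokens = new Map();         // token -> { family, usedAt, successor }
    this.revokedFamilies = new Set();
  }

  _mint(family) {
    const token = randomBytes(32).toString('hex');
    this.tokens.set(token, { family, usedAt: null, successor: null });
    return token;
  }

  // New login: start a fresh session family.
  issue() {
    return this._mint(randomBytes(16).toString('hex'));
  }

  // Exchange a refresh token for its successor.
  rotate(presented, now = Date.now()) {
    const rec = this.tokens.get(presented);
    if (!rec) return { ok: false, reason: 'unknown' };
    if (this.revokedFamilies.has(rec.family)) return { ok: false, reason: 'family_revoked' };

    if (rec.usedAt === null) {       // first use: rotate, old token is now spent
      rec.usedAt = now;
      rec.successor = this._mint(rec.family);
      return { ok: true, token: rec.successor };
    }
    if (now - rec.usedAt < this.graceMs) {
      // Duplicate of an in-flight refresh: idempotent, same successor, no new token.
      return { ok: true, token: rec.successor };
    }
    // Spent token presented after the grace window: revoke the whole family.
    this.revokedFamilies.add(rec.family);
    return { ok: false, reason: 'reuse_detected' };
  }
}

// Constructed walk-through with explicit timestamps (milliseconds).
function demo() {
  const store = new RefreshTokenStore({ graceMs: 2000 });
  const t0 = store.issue();
  const first = store.rotate(t0, 1000);            // normal rotation
  const racing = store.rotate(t0, 1500);           // concurrent duplicate, within grace
  const replay = store.rotate(t0, 60000);          // spent token replayed later
  const victim = store.rotate(first.token, 60001); // successor dies with the family
  return { first, racing, replay, victim };
}
console.log(demo());
```

The grace window is also a window in which a copied token replays successfully, so it should be no longer than the few seconds a concurrent client needs.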

Wrapping Up

Web search turns Codex into a more capable research partner without changing how you work. Connect AgentPatch once and you get this plus every other tool on the marketplace. More at agentpatch.ai.