Key takeaways
- Codex supports skills and MCP installation but not the plugin method available in Claude Code and Cursor.
- Manual skills installation works but schemas drift from the live platform without manual updates.
- MCP configuration for Codex uses TOML format, unlike JSON for Cursor and Gemini CLI.
- Set OPT_OUT_INSTRUMENTATION=true before your first validation if you’re working with proprietary code.
- Store operations execute immediately on your live store. There is no draft step and no undo.
OpenAI’s Codex CLI is one of the AI coding tools supported by the Shopify AI Toolkit, with its own plugin manifest in the repo. Once installed, Codex gets access to Shopify documentation search, code validation against bundled API schemas, and the same skill set available to Claude Code and Cursor.
This guide covers setup and what to know. For the full breakdown of what the toolkit does, how it works, and the governance risks around store execution, see our Shopify AI Toolkit overview.
Why you can trust us
Jacques has over 15 years of development experience and has worked with hundreds of Shopify stores. We built Fudge - an AI-native Shopify page builder and store editor with a 5.0 rating and a Built for Shopify badge. We use these tools daily.
Prerequisites
- OpenAI Codex CLI installed and working
- Node.js 18 or higher (node --version to check)
- Shopify CLI installed (needed for store operations)
- A Shopify store to connect to (only required for store operations)
Installation: plugin method
In the Codex CLI, run:
/plugins
Search for Shopify, then select Add to Codex.
This installs the Shopify plugin with all available agent skills.
Verify installation
Ask Codex something Shopify-specific:
What's the correct GraphQL mutation to update a product's title in the Shopify Admin API?
If the toolkit is active, Codex will search current Shopify documentation and validate its output rather than guessing from training data.
Alternative: manual skills installation
If you prefer to install skills manually:
Install all skills
npx skills add Shopify/shopify-ai-toolkit
Install a specific skill
npx skills add Shopify/shopify-ai-toolkit --skill shopify-admin
Manually installed skills don’t auto-update. The bundled schemas will drift from the live platform if you don’t re-install periodically.
Alternative: MCP server setup
For direct MCP integration, Codex uses TOML configuration (unlike Cursor and Gemini CLI which use JSON). The Dev MCP server runs as a local server/client integration but makes network calls to Shopify endpoints for documentation search.
Refer to the Shopify AI Toolkit docs for the Codex-specific TOML configuration format.
Telemetry and code transmission
Before you start validating code: both validate.mjs and search_docs.mjs send usage payloads to Shopify’s servers by default.
The SKILL.md files describe this as “anonymized validation results (pass/fail and skill name).” However, the actual validation payload includes the code being validated - your GraphQL queries, Liquid templates, and other code you run through the validator.
To opt out:
export OPT_OUT_INSTRUMENTATION=true
Set this before launching Codex if you’re working with proprietary or client code.
Connecting to your store
For store operations (not just code generation and validation), you authenticate through Shopify CLI:
shopify store auth --store yourstore.myshopify.com --scopes write_products,read_products
The toolkit detects minimum required scopes during validation. Common scopes:
| Operation | Scope |
|---|---|
| Read products | read_products |
| Update products | write_products |
| Read inventory | read_inventory |
| Adjust inventory | write_inventory |
| Read orders | read_orders |
| Read customers | read_customers |
Use the minimum scopes needed. write_products grants access to all product write operations, not just the specific mutation you’re running.
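To make the minimum-scope rule checkable, here is an added example (not code from the toolkit or from Shopify) that derives the scopes a task needs from the table above and lists any granted scopes the task does not use. The operation labels such as read-products are invented for this sketch; the scope names are the ones in the table.

```bash
#!/usr/bin/env bash
# Added example: compare a granted --scopes list with what a task needs.
# Operation labels (read-products, ...) are invented for this sketch;
# the scope names are the ones in the table above.

scope_for() {                      # one operation label -> its scope
  case "$1" in
    read-products)    echo read_products ;;
    update-products)  echo write_products ;;
    read-inventory)   echo read_inventory ;;
    adjust-inventory) echo write_inventory ;;
    read-orders)      echo read_orders ;;
    read-customers)   echo read_customers ;;
    *) echo "unknown operation: $1" >&2; return 1 ;;
  esac
}

# minimum_scopes "op1 op2 ..." -> sorted, de-duplicated, comma-separated scopes
minimum_scopes() {
  local op s out=""
  for op in $1; do
    s=$(scope_for "$op") || return 1
    out="${out}${s}
"
  done
  printf '%s' "$out" | LC_ALL=C sort -u | paste -sd, -
}

# excess_scopes "granted,csv" "op1 op2 ..." -> granted scopes no operation needs
excess_scopes() {
  local need g out=""
  need=$(minimum_scopes "$2") || return 1
  for g in $(printf '%s' "$1" | tr ',' ' '); do
    case ",$need," in
      *",$g,"*) ;;                       # required by a listed operation
      *) out="${out:+$out,}$g" ;;        # granted but unused: drop it
    esac
  done
  printf '%s\n' "$out"
}

# Constructed demo: the task only reads products, but the grant is wider.
minimum_scopes "read-products"
excess_scopes "write_products,read_products,read_customers" "read-products"
```

Any scope printed by excess_scopes is a candidate to remove from the --scopes list before you authenticate.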
What you can do
The capabilities are the same across all supported AI clients. Here’s what the toolkit enables:
Validated GraphQL - Queries and mutations validated against the bundled Shopify API schema before you use them. No more hallucinated fields or deprecated patterns.
Theme development - Liquid templates validated against Shopify’s theme rules, including schema blocks and LiquidDoc headers.
Related: adding custom Liquid logic in Shopify.
Hydrogen storefronts - React component generation with validated imports and patterns.
Functions and extensions - Backend customization (discounts, cart validation, delivery rules) and UI extension scaffolding with Polaris components.
Related: adding custom JavaScript in Shopify.
Store operations - Execute Admin GraphQL against a live store via shopify store execute --allow-mutations. Changes are immediate - there is no draft step. See our main guide for the full risk breakdown.
Metafield management - Extend your store’s data model with metafield definitions and custom data.
Related: adding metafields to Shopify products.
Best practices
These apply across all toolkit clients, but are worth repeating.
- Query before you mutate. Always read the current state of a resource before updating it. This prevents unintended overwrites.
- Be specific with mutations. “Optimize my products for SEO” is too vague. “Update the meta description for product handle ‘classic-tee’ to ’…’” is specific enough to be safe.
- Push themes as unpublished. The toolkit supports shopify theme push --unpublished but doesn’t enforce it. Make it a habit.
- One resource at a time for critical changes. Limits blast radius if something goes wrong.
- Keep your own backups. The toolkit has no undo. Export current values before running mutations that update existing content.
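Because the toolkit has no undo and keeps no record of changes, the backup habit can be enforced locally. The wrapper below is an added example, not part of the toolkit: it refuses to run a command unless a non-empty backup file exists, and it appends its own audit entries. The name guarded_run, the file names and the sample JSON are hypothetical and constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the toolkit: a wrapper that refuses to run a
# mutating command unless a non-empty backup export exists, and that writes
# its own audit log. guarded_run and all file names here are hypothetical.

# guarded_run <backup-file> <audit-log> -- <command> [args...]
guarded_run() {
  local backup="$1" log="$2" sum rc=0
  shift 2
  if [ "${1:-}" = "--" ]; then shift; fi
  if [ ! -s "$backup" ]; then
    echo "refusing: backup '$backup' is missing or empty" >&2
    return 2
  fi
  if [ "$#" -eq 0 ]; then
    echo "refusing: no command given" >&2
    return 2
  fi
  sum=$(cksum < "$backup" | awk '{print $1}')
  # Log before running, so an interrupted run still leaves a record.
  # The command is logged verbatim: keep secrets out of its arguments.
  printf '%s START backup=%s cksum=%s cmd=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$backup" "$sum" "$*" >> "$log"
  "$@" || rc=$?
  printf '%s END rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rc" >> "$log"
  return "$rc"
}

# Constructed demo. In real use the backup is the output of your read query
# and the command after "--" is your store-execute invocation; echo stands in.
demo_dir=$(mktemp -d)
printf '{"handle":"classic-tee","seo":{"description":"old text"}}\n' \
  > "$demo_dir/classic-tee.before.json"
guarded_run "$demo_dir/classic-tee.before.json" "$demo_dir/audit.log" -- \
  echo "stand-in for the mutating command"
cat "$demo_dir/audit.log"
```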
Limitations
These are structural to the toolkit, not Codex-specific. For the full risk analysis, see our Shopify AI Toolkit overview.
- No draft mode - Store mutations execute on your live store immediately
- No preview - You can’t see what changes will look like before they happen
- No undo/rollback - Changes are permanent once executed
- No audit trail - No toolkit-level record of what was changed
- Broad scopes - OAuth permissions apply to entire resource types, not individual items
- Code sent to Shopify - Validation payloads include your code by default (opt out with OPT_OUT_INSTRUMENTATION=true)
- Manual skills decay - Non-plugin installations need periodic manual updates
Quick reference
| Task | How |
|---|---|
| Install plugin | /plugins then search Shopify and select Add to Codex |
| Install all skills manually | npx skills add Shopify/shopify-ai-toolkit |
| Install one skill | npx skills add Shopify/shopify-ai-toolkit --skill shopify-admin |
| MCP config format | TOML (unlike JSON for Cursor/Gemini) |
| Auth with store | shopify store auth --store domain --scopes list |
| Opt out of telemetry | export OPT_OUT_INSTRUMENTATION=true |
| Check Node version | node --version (need 18+) |
Summary
The Shopify AI Toolkit works with Codex the same way it does with Claude Code and Cursor: documentation search, schema validation, and optional store execution. The value is in the accuracy loop - Codex stops guessing at Shopify’s APIs and starts validating against real schemas.
The same governance caveats apply: no drafts, no preview, no undo, and code telemetry enabled by default. Set OPT_OUT_INSTRUMENTATION=true if you’re working with anything proprietary, and be deliberate about store execution.
For the full picture on risks, read our Shopify AI Toolkit overview. For other platforms, see our Claude Code guide and Cursor guide.
This article was last updated in April 2026 based on the Shopify Editions Winter 2026 release.