Summary
CodeWhale has no xAI / Grok provider. The only grok reference in-tree is a model-family heuristic (crates/agent/src/lib.rs) that categorizes a model named grok-* for accounting — it does not connect CodeWhale to x.ai. Users can currently reach x.ai only via the Custom OpenAI-compatible provider with a hand-set API key, or via OpenRouter.
xAI now exposes two distinct authentication paths, and we should support both:
| Path |
Auth |
Endpoint |
Billing |
| API key |
static Bearer token from console.x.ai |
https://api.x.ai/v1 |
pay-per-use credits |
| OAuth 2.0 device code |
account login against accounts.x.ai / auth.x.ai |
OpenAI-compatible |
SuperGrok / X Premium+ subscription |
The API-key path is OpenAI Chat Completions–compatible and is the lower-risk first step. The OAuth path is the better experience (no key to manage, uses an existing subscription) and is well-suited to a TUI via the device-code flow (print URL + code → user approves in any browser → poll → done; no loopback HTTP listener required, which is ideal for SSH/remote/headless).
Reference for the OAuth/device-code path and current xAI model lineup: pi-xai-oauth and the Hermes Agent xAI Grok OAuth guide. Both confirm accounts.x.ai as the OAuth authority and document auto-reuse of the official Grok CLI token file (~/.grok/auth.json).
API-key provider (low effort, ship first)
Add a ProviderKind::Xai variant + a provider! macro entry + a ProvidersToml field + a registry slot, consistent with how the existing 31 providers are wired in crates/config/src/provider.rs and crates/config/src/provider_kind.rs.
Proposed metadata:
- id / key:
xai
- display name:
xAI
- base URL:
https://api.x.ai/v1
- env vars:
XAI_API_KEY
- default model:
grok-4.5 (500K context) — see current catalog notes below
- wire format:
ChatCompletions
- auth: Bearer token via existing
Authorization: Bearer <key> path (crates/tui/src/client.rs)
Acceptance:
[providers.xai] works with api_key set, env var, or keyring.
grok-* models appear in /model and route through the xAI base URL.
- The existing
ModelFamily::Grok heuristic continues to classify these for accounting.
OAuth path (follow-up, real work)
CodeWhale already has two bespoke OAuth integrations to model after — OpenAI Codex/ChatGPT (crates/tui/src/oauth.rs) and Moonshot Kimi (crates/tui/src/config.rs) — but there is no generic OAuth framework: each hardcodes its own client_id and token endpoint, and both follow a "delegate the login to an external CLI, then load + refresh the token file" pattern.
Two realistic routes for xAI OAuth:
- (a) Delegate-login pattern — detect and read
~/.grok/auth.json from the official Grok CLI, then load + refresh. Lowest effort, consistent with Codex/Kimi. Mirrors what pi-xai-oauth does (auto-detects ~/.grok/auth.json).
- (b) Native device-code flow — implement the
accounts.x.ai device-code request + poll + token store + refresh directly. More work (no shared OAuth abstraction exists yet), but the device-code pattern is a clean fit for a terminal app and avoids depending on the Grok CLI being installed.
Either way, token redaction already knows about access_token / refresh_token / client_secret (crates/config/src/lib.rs) and the secrets crate handles 0600 file storage.
Acceptance:
auth_mode = "oauth" (or similar) for [providers.xai] triggers the token path instead of api_key.
- Device-code login prints a verification URL + code for the user to open.
- Tokens are stored
0600 and refreshed before expiry (JWT exp + margin, matching the Codex approach).
- Remote/headless fallback: if localhost callbacks are unavailable, the TUI accepts a pasted redirect URL (the same UX
pi-xai-oauth documents for VPN/Docker/SSH).
Caveat
xAI has been observed to return HTTP 403 to some SuperGrok tiers on the OAuth API surface even when the subscription is active (see OmniRoute feature request). OAuth should be offered alongside the API-key path, not as a replacement for it. The API-key path is the reliable one today.
Current xAI model catalog (as of Jul 2026, for the model list)
| Model ID |
Context |
Notes |
grok-4.5 |
500K |
flagship, reasoning low/med/high (default high), text+image |
grok-4.3 |
1M |
full reasoning, long context |
grok-build |
512K |
coding model (Grok CLI OAuth endpoint) |
grok-composer-2.5-fast |
200K |
coding model (Grok CLI OAuth endpoint) |
grok-4.20-0309-reasoning |
2M |
auto reasoning |
grok-4.20-0309-non-reasoning |
2M |
fast responses |
Pricing reference: grok-4.5 at $2/$6 per 1M input/output, $0.50 cache read.
Proposed scope for this issue
- Ship the API-key provider first (low risk, works immediately).
- Add xAI models to the catalog.
- OAuth as a follow-up: start with the delegate-login pattern (read
~/.grok/auth.json), then consider a native device-code flow.
Summary
CodeWhale has no xAI / Grok provider. The only
grokreference in-tree is a model-family heuristic (crates/agent/src/lib.rs) that categorizes a model namedgrok-*for accounting — it does not connect CodeWhale to x.ai. Users can currently reach x.ai only via theCustomOpenAI-compatible provider with a hand-set API key, or via OpenRouter.xAI now exposes two distinct authentication paths, and we should support both:
console.x.aihttps://api.x.ai/v1accounts.x.ai/auth.x.aiThe API-key path is OpenAI Chat Completions–compatible and is the lower-risk first step. The OAuth path is the better experience (no key to manage, uses an existing subscription) and is well-suited to a TUI via the device-code flow (print URL + code → user approves in any browser → poll → done; no loopback HTTP listener required, which is ideal for SSH/remote/headless).
Reference for the OAuth/device-code path and current xAI model lineup:
pi-xai-oauthand the Hermes Agent xAI Grok OAuth guide. Both confirmaccounts.x.aias the OAuth authority and document auto-reuse of the official Grok CLI token file (~/.grok/auth.json).API-key provider (low effort, ship first)
Add a
ProviderKind::Xaivariant + aprovider!macro entry + aProvidersTomlfield + a registry slot, consistent with how the existing 31 providers are wired incrates/config/src/provider.rsandcrates/config/src/provider_kind.rs.Proposed metadata:
xaixAIhttps://api.x.ai/v1XAI_API_KEYgrok-4.5(500K context) — see current catalog notes belowChatCompletionsAuthorization: Bearer <key>path (crates/tui/src/client.rs)Acceptance:
[providers.xai]works withapi_keyset, env var, or keyring.grok-*models appear in/modeland route through the xAI base URL.ModelFamily::Grokheuristic continues to classify these for accounting.OAuth path (follow-up, real work)
CodeWhale already has two bespoke OAuth integrations to model after — OpenAI Codex/ChatGPT (
crates/tui/src/oauth.rs) and Moonshot Kimi (crates/tui/src/config.rs) — but there is no generic OAuth framework: each hardcodes its ownclient_idand token endpoint, and both follow a "delegate the login to an external CLI, then load + refresh the token file" pattern.Two realistic routes for xAI OAuth:
~/.grok/auth.jsonfrom the official Grok CLI, then load + refresh. Lowest effort, consistent with Codex/Kimi. Mirrors whatpi-xai-oauthdoes (auto-detects ~/.grok/auth.json).accounts.x.aidevice-code request + poll + token store + refresh directly. More work (no shared OAuth abstraction exists yet), but the device-code pattern is a clean fit for a terminal app and avoids depending on the Grok CLI being installed.Either way, token redaction already knows about
access_token/refresh_token/client_secret(crates/config/src/lib.rs) and the secrets crate handles0600file storage.Acceptance:
auth_mode = "oauth"(or similar) for[providers.xai]triggers the token path instead ofapi_key.0600and refreshed before expiry (JWT exp + margin, matching the Codex approach).pi-xai-oauthdocuments for VPN/Docker/SSH).Caveat
xAI has been observed to return
HTTP 403to some SuperGrok tiers on the OAuth API surface even when the subscription is active (see OmniRoute feature request). OAuth should be offered alongside the API-key path, not as a replacement for it. The API-key path is the reliable one today.Current xAI model catalog (as of Jul 2026, for the model list)
grok-4.5grok-4.3grok-buildgrok-composer-2.5-fastgrok-4.20-0309-reasoninggrok-4.20-0309-non-reasoningPricing reference:
grok-4.5at $2/$6 per 1M input/output, $0.50 cache read.Proposed scope for this issue
~/.grok/auth.json), then consider a native device-code flow.