Summary
/auth xai-device currently fails immediately with Failed to parse xAI device-code response.
Root cause
CodeWhale posts to a hard-coded device authorization path:
https://auth.x.ai/oauth2/device/code
The installed official Grok CLI (0.2.101) uses /oauth2/device. CodeWhale then calls response.json() before checking the HTTP status or content type, so a stale-path 404/HTML/non-JSON response is reported only as a JSON parse failure.
Relevant implementation: crates/tui/src/xai_oauth.rs (request_device_code).
Expected
- Discover
device_authorization_endpoint from https://auth.x.ai/.well-known/openid-configuration instead of hard-coding the path; retain a documented fallback only if necessary.
- Check status and content type first; return bounded/redacted diagnostic text such as HTTP status and expected JSON rather than an opaque parse error.
- Verify current scopes against the official Grok CLI flow (including whether
team:read remains accepted).
Workaround
Until fixed, use the official grok login --device-auth flow and configure [providers.xai] auth_mode = "oauth", or use an XAI_API_KEY. Do not paste credentials into issue comments.
Tests
Cover current device endpoint, legacy/non-JSON failure handling, discovery fallback, and a structured invalid_scope response.
Summary
/auth xai-devicecurrently fails immediately withFailed to parse xAI device-code response.Root cause
CodeWhale posts to a hard-coded device authorization path:
The installed official Grok CLI (0.2.101) uses
/oauth2/device. CodeWhale then callsresponse.json()before checking the HTTP status or content type, so a stale-path 404/HTML/non-JSON response is reported only as a JSON parse failure.Relevant implementation:
crates/tui/src/xai_oauth.rs(request_device_code).Expected
device_authorization_endpointfromhttps://auth.x.ai/.well-known/openid-configurationinstead of hard-coding the path; retain a documented fallback only if necessary.team:readremains accepted).Workaround
Until fixed, use the official
grok login --device-authflow and configure[providers.xai] auth_mode = "oauth", or use anXAI_API_KEY. Do not paste credentials into issue comments.Tests
Cover current device endpoint, legacy/non-JSON failure handling, discovery fallback, and a structured
invalid_scoperesponse.