Open Source Radar
dongguatanglinux/

grok-build-auth

GitHub

Research-oriented protocol client for x.ai / Grok build auth flow. Pure HTTP path, SSO reuse, and local auth JSON export; supports concurrent registration with serial OAuth and CLIProxyAPI compatibility.

250stars
116forks
0issues
MITlicense
2026since
Star historydaily snapshots by VibeCrowd
Reviewgenerated from repository data · Jul 18, 2026

What it is

Protocol research client for x.ai / Grok Build OAuth workflow. It reproduces the registration → SSO → OAuth PKCE → local auth JSON export chain using pure HTTP (curl_cffi fingerprint) without relying on a browser.

How it works

  • Modules: run.py orchestrates registration (client.py via email + Turnstile), SSO extraction from cookies, OAuth PKCE with consent, and export to local auth JSON compatible with CLIProxyAPI.
  • Export format: local JSON with fields including type, auth_kind, access_token, refresh_token, base_url, and headers for CPA loading.
  • Architecture diagram shows flow: run.py → client.py → sso.py → oauth_protocol.py → token exchange → cliproxyapi_auth/*.json.

Getting started

Installation

git clone https://github.com/<you>/grok-build-auth.git
cd grok-build-auth
python -m venv .venv

# Windows
.venv\Scripts\activate
# macOS / Linux
# source .venv/bin/activate

pip install -r requirements.txt
cp .env.example .env
# Edit .env with your keys, do not commit

Configuration

| Variable | Required | Description | |---|---|---| | YESCAPTCHA_API_KEY | Yes | Turnstile captcha key | | TEMPMAIL_API_KEY | -e tempmail 时 | Temporary email API key | | CLOUDFLARE_API_TOKEN | -e cloudflare 时 | CF API token | | CLOUDFLARE_ACCOUNT_ID | 同上 | CF account | | CLOUDFLARE_D1_DB_ID | 同上 | CF D1 DB ID | | ALIAS_MAIL_DOMAINS | 同上 | Allowed email domains | | CLIPROXYAPI_AUTH_DIR | 否 | Default ./cliproxyapi_auth | | HTTPS_PROXY / HTTP_PROXY | 否 | Proxy settings |

Running (research / own account)

# complete chain once
python run.py -n 1

# concurrent registrations; OAuth remains serial
python run.py -n 5 -t 3

# self-hosted Cloudflare email backend
python run.py -n 1 -e cloudflare

# only register + SSO (no CPA export)
python run.py -n 1 --no-oauth

# specify CLIProxyAPI auth dir
python run.py -n 1 --cliproxyapi-auth-dir /path/to/CLIProxyAPI/data/auth

# OAuth debug logs
python run.py -n 1 --oauth-debug

Auxiliary scripts

# with existing account: run OAuth only
python xai_oauth_login.py

# export OAuth output to CPA auth format
python xai_oauth_export_cliproxyapi.py --cliproxyapi-auth-dir ./cliproxyapi_auth

# probe build quota (mask tokens)
python xai_build_quota_probe.py --auth-dir ./cliproxyapi_auth

Export file shape (local, not official keys)

{
  "type": "xai",
  "auth_kind": "oauth",
  "access_token": "...",
  "refresh_token": "...",
  "base_url": "https://cli-chat-proxy.grok.com/v1",
  "headers": {
    "X-XAI-Token-Auth": "xai-grok-cli",
    "x-grok-client-version": "0.2.93",
    "x-grok-client-identifier": "grok-shell"
  }
}

Known limitations

  • Dependent on external services; may break if upstream changes.
  • Turnstile / email service stability affects success rate and duration.
  • High concurrency may trigger platform risk controls; use for research with restraint.
  • SSO alone does not equal CPA auth; OAuth must be completed.
  • Playwright is optional; default path does not require it.
SharePost on XLinkedIn
All trending reposRevenue-verified startups →