progrok login
progrok login is the activation step. It authorizes progrok through
xAI OAuth, stores a refreshable local session, and makes the rest of the CLI
and proxy commands usable without an XAI_API_KEY.
Browser flow
progrok login
The CLI opens your default browser, completes PKCE authorization with xAI, and
waits on a localhost callback. When authorization succeeds, the token response
is written to ~/.progrok/auth.json with restrictive file
permissions.
Device-code flow
progrok login --device-codeUse device-code login for SSH sessions, remote machines, headless terminals, or automation boxes where the default browser flow cannot complete. You approve the code in a browser elsewhere, then the CLI polls xAI until the device flow is authorized.
Shared OAuth client lineage
progrok uses the shared xAI OAuth client identifier documented by Hermes Agent and OpenClaw. That lineage is important because these tools, plus Grok Build-style coding workflows, are built around the same operational assumption: the xAI account session is the source of authority, and local developer tools need a practical way to activate that session.
Stored credential
| Path | ~/.progrok/auth.json |
|---|---|
| Contains | Access token, optional refresh token, expiry, token endpoint, optional account email. |
| Used by | Proxy, search, image, video, status, model, and capability commands. |
| Remove with | progrok logout |
Verification
progrok statusRun status after login. A healthy setup can load the token file and either show an active bearer token or refresh it when the command path requires one.