grok-oauth-mcp
This server provides a local MCP interface to xAI's Grok AI services using web OAuth PKCE authentication (no API key required). It includes the following tools:
Authentication
auth_login– Start an OAuth PKCE login flow and get an authorization URLauth_exchange_code– Exchange a callback code/URL to complete loginauth_status– Check authentication status and token expiryauth_logout– Delete locally stored OAuth tokens
Chat
grok_chat– Send chat/completion requests to Grok (defaults togrok-build-0.1) via the/responsesendpoint
Search
x_search– Query X (Twitter) through Grok with filters for date ranges, max results, and allowed/excluded handles
Image Generation & Editing
grok_image– Generate images from text prompts or edit existing images, with options for size, aspect ratio, and model
Video Generation
grok_video– Generate text-to-video or image-to-video content, with polling for completion and controls for fps, duration, and aspect ratio
Text-to-Speech
grok_tts– Convert text to speech with configurable voice, language, speed, and output format
Audio Transcription
grok_transcribe– Transcribe a local audio file via Grok's speech-to-text endpoint, with options for language, model, and temperature
Designed for local MCP clients like Claude Desktop, running on Node.js 20+. Requires an xAI account with an active SuperGrok or X Premium+ subscription.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@grok-oauth-mcpchat with Grok about existential risks"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
grok-oauth-mcp
Standalone TypeScript stdio MCP server for xAI Grok using web OAuth PKCE. It is intended for local MCP clients such as Claude Desktop, ChatGPT-compatible MCP hosts, and other stdio MCP launchers.
This server does not require XAI_API_KEY for normal usage. The primary auth path is xAI web OAuth with a local token store.
Requirements
Node.js 20+
A local MCP client that can launch stdio servers, such as Claude Desktop or another MCP-compatible host.
An xAI account with an active SuperGrok subscription or an X Premium+ subscription linked to the X account you sign in with. This matches the Hermes xAI Grok OAuth connector: the browser login works through
accounts.x.ai, and xAI links X Premium+ entitlement to the xAI session automatically.
No XAI_API_KEY is used for the normal OAuth path. xAI may still gate OAuth API access by subscription tier; if OAuth succeeds but xAI API calls return 403, your account may not be entitled for that OAuth API surface yet.
Related MCP server: Grok MCP
Features
xAI web OAuth PKCE login with the Hermes client ID.
Token storage at
~/.config/grok-oauth-mcp/tokens.jsonby default.Configurable token directory with
GROK_OAUTH_MCP_CONFIG_DIR.Refresh-token flow before access token expiry.
Configurable xAI API base with
XAI_BASE_URL, defaulting tohttps://api.x.ai/v1.MCP stdio tools for auth, Grok chat, X search, image, video, TTS, and transcription.
Multipart upload support for local image/audio paths.
Quick Start
This is the shortest path for a human or agent to get the MCP running, authenticate, and verify that Grok works.
1. Install
From source:
git clone https://github.com/bowtieswan/grok-oauth-mcp.git
cd grok-oauth-mcp
npm install
npm run buildRun directly from the built checkout:
node /absolute/path/to/grok-oauth-mcp/dist/index.jsOr install it globally from the checkout:
npm install -g .
grok-oauth-mcpPackage-runner form:
npx grok-oauth-mcp2. Add It To Your MCP Client
Use absolute paths when possible. This avoids PATH differences between your shell and GUI apps.
Claude Desktop
Add an MCP server entry that points at your local build or global executable. Local build example:
{
"mcpServers": {
"grok-oauth": {
"command": "node",
"args": ["/absolute/path/to/grok-oauth-mcp/dist/index.js"]
}
}
}If you installed globally and know the executable path:
{
"mcpServers": {
"grok-oauth": {
"command": "/absolute/path/to/node",
"args": ["/absolute/path/to/grok-oauth-mcp"]
}
}
}OpenCode
Add a local MCP server entry under the top-level mcp object in your OpenCode config, usually ~/.config/opencode/opencode.json:
{
"mcp": {
"grok-oauth": {
"command": [
"/absolute/path/to/node",
"/absolute/path/to/grok-oauth-mcp"
],
"enabled": true,
"type": "local"
}
}
}Then restart the MCP client or reload MCP servers. In OpenCode, verify discovery with:
opencode mcp listYou should see grok-oauth connected.
3. Authenticate
Use the MCP tool auth_login with wait=false first. This is the safest mode for most MCP clients because the tool returns the URL immediately.
Input:
{
"wait": false,
"timeout_ms": 600000
}The result contains:
auth_url: open this in your browser.state: the OAuth state for this attempt.redirect_uri: normallyhttp://127.0.0.1:56121/callback.token_path: where tokens will be written after success.
Open auth_url, sign in to xAI, then complete one of these two paths.
Path A: Browser Redirects To Localhost
If the browser redirects to http://127.0.0.1:56121/callback?... and shows a success message, login is complete. Run auth_status to confirm.
Path B: xAI Shows A Grok Build Code
Sometimes xAI shows a page saying:
Enter this code to finish signing in
Copy the code below into Grok Build to finish signing inIf that happens, copy the code and call auth_exchange_code immediately:
{
"code": "paste-the-grok-build-code-here"
}The code is tied to the most recent auth_login attempt and the saved PKCE verifier. If it expires or you started another login attempt, run auth_login again and use the fresh code from the fresh URL.
If you have a full callback URL instead of a bare code, pass it as callback_url:
{
"callback_url": "http://127.0.0.1:56121/callback?code=...&state=..."
}4. Verify Auth
Run auth_status. A successful login returns authenticated: true, has_refresh_token: true, and an expiry time. Token values are never returned.
Tokens are stored at:
~/.config/grok-oauth-mcp/tokens.jsonTemporary pending OAuth state is stored at:
~/.config/grok-oauth-mcp/pending_oauth.jsonBoth files are written with mode 0600 where the local filesystem supports POSIX permissions.
5. Test Grok
After auth_status is authenticated, try a small call. For X search:
{
"query": "latest xAI Grok updates",
"filters": {
"max_results": 5
}
}If the first broad search times out, retry with a narrower query and fewer results.
OAuth Details
Discovery:
https://auth.x.ai/.well-known/openid-configurationDisplayed authorization server:
accounts.x.aiClient ID:
b1a00492-073a-47ea-816f-4c329264a828Scope:
openid profile email offline_access grok-cli:access api:accessRedirect URI:
http://127.0.0.1:56121/callbackAuthorize URL includes
plan=genericandreferrer=hermes-agent.
Authentication Notes For Agents
Prefer
auth_loginwithwait=false. Do not usewait=trueunless your MCP host surfaces stderr or tool output while the call is still running.Always open the exact
auth_urlfrom the latestauth_loginresult.If the page shows a Grok Build code, call
auth_exchange_codewith that code. Do not try to open/callbackmanually.If
auth_exchange_codereturnsNo pending OAuth login foundorPending OAuth login is expired, runauth_loginagain and use the fresh URL/code.If xAI returns
invalid_grant, the code is stale, already used, or from a different login attempt. Runauth_loginagain.
Tools
auth_login
Starts OAuth login and returns an authorization URL.
Input:
{
"wait": false,
"timeout_ms": 300000
}Set wait=true only for clients that can show stderr or otherwise surface the URL while the tool is still running.
auth_exchange_code
Exchanges a pasted xAI/Grok Build OAuth code, or a full callback URL, using pending PKCE state from the last auth_login call.
Input with a bare Grok Build code:
{
"code": "paste-the-grok-build-code-here"
}Input with a callback URL:
{
"callback_url": "http://127.0.0.1:56121/callback?code=...&state=..."
}auth_status
Reports whether a token is stored, whether a refresh token exists, and approximate expiry. Token values are never returned.
auth_logout
Deletes the local token file and any pending OAuth state.
grok_chat
Posts to /responses with store=false. Default model: grok-build-0.1.
Example:
{
"input": "Explain what this MCP server can do."
}x_search
Posts to /responses with tools: [{ "type": "x_search" }] and optional filters.
Example:
{
"query": "latest xAI Grok updates",
"filters": {
"max_results": 5
}
}grok_tts
Posts to /tts.
Example:
{
"text": "Hello from Grok.",
"voice_id": "eve",
"language": "en"
}grok_image
Posts to /images/generations for text-to-image and /images/edits when image_path is present.
Defaults:
Generation model:
grok-imagine-imageEdit model:
grok-imagine-image-quality
Common image options include aspect_ratio, resolution, size, n, and response_format. Pass values supported by the current xAI/Hermes image surface, such as common aspect ratios like 1:1, 16:9, 9:16, 4:3, and 3:4 when available on your account.
grok_video
Posts to /videos/generations. Supports text-to-video and image-to-video when image_path is present.
Defaults:
Text-to-video model:
grok-imagine-videoImage-to-video model:
grok-imagine-video-1.5-preview
Set poll=true to poll /videos/{request_id} until the request leaves a queued or processing state.
grok_transcribe
Posts a local audio file to /stt with multipart form data, matching xAI Grok STT.
Example:
{
"file_path": "/path/to/audio.wav",
"language": "en"
}Troubleshooting
Not authenticated. Run auth_login first.: Runauth_loginwithwait=false, open the returnedauth_url, then complete the redirect or useauth_exchange_codewith the Grok Build code.Browser cannot reach callback: If xAI showed a Grok Build code, do not manually open
/callback; callauth_exchange_codewith the code instead. If you expected a redirect, make sure nothing else is using port56121, then runauth_loginagain.No pending OAuth login foundorPending OAuth login is expired: Runauth_loginagain and use the fresh URL/code.invalid_grant: The pasted code is stale, already used, or belongs to a different login attempt. Runauth_loginagain and paste the fresh code.403from xAI: Your xAI account may not have the required SuperGrok or X Premium+ entitlement for the requested Grok API surface.Token refresh fails: Run
auth_logout, thenauth_loginagain.Custom API gateway or mock server: Set
XAI_BASE_URLto the replacement base URL.Custom token location: Set
GROK_OAUTH_MCP_CONFIG_DIRto a directory path. The server writestokens.jsoninside it.
Development
npm test
npm run buildTests mock all OAuth and xAI network calls. They must not call real xAI OAuth or xAI APIs.
License
MIT
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/BowTiedSwan/grok-oauth-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server