openclaw - 💡(How to fix) Fix xAI OAuth: refresh token blocked by Cloudflare, no automated token renewal possible [1 comments, 2 participants]

GitHub stats: openclaw/openclaw#84018 (fetched 2026-05-20 03:45:15)
Comments: 1 · Participants: 2 · Timeline: 8 · Reactions: 1
Timeline (top): labeled ×7, commented ×1


Problem

xAI OAuth tokens expire every ~6 hours, and the refresh token cannot be used to automatically renew because Cloudflare blocks all automated requests to the xAI token endpoint.

Environment

  • OS: Windows
  • OpenClaw: 2026.5.19-beta.1
  • xAI account: SuperGrok subscriber (web-only membership)

What was done

  1. Authenticated via openclaw models auth login --provider xai (OAuth PKCE flow)
  2. Token saved with offline_access scope and refresh_token in auth-profiles.json
  3. Token expired after ~6 hours (2026-05-18T22:46 UTC)

Observed behavior

Token refresh blocked by Cloudflare

When OpenClaw attempts to use the refresh token to get a new access token, the request to https://auth.x.ai/oauth/token is blocked by Cloudflare with a CAPTCHA challenge:

Attention Required! | Cloudflare You are unable to access x.ai

This means automated refresh is impossible — every 6 hours the user must manually re-authenticate via browser.

Token expiration

  • Token: xai:[email protected] [xai/oauth; expires 2026-05-18T22:46:23.273Z]
  • Refresh token: present in auth-profiles.json (verified)
  • Automatic refresh: fails due to Cloudflare blocking

Root cause

Cloudflare's anti-bot protection prevents programmatic use of refresh tokens against auth.x.ai. This is a known Cloudflare behavior for OAuth token endpoints.

Even when the refresh token is valid and the OpenClaw code correctly implements grant_type=refresh_token, the Cloudflare challenge blocks the actual HTTP request before it reaches the OAuth server.

Expected behavior

  1. Token refresh should work automatically when access token expires (standard OAuth2 behavior)
  2. User should not need to re-authenticate every 6 hours

Current workaround

Manually re-run openclaw models auth login --provider xai when token expires, which requires browser interaction.

Proposed solution

  • Explore using the xAI API endpoint (rather than auth.x.ai) for token refresh, if it bypasses Cloudflare
  • Document the limitation clearly for SuperGrok (non-API) subscribers
  • Consider adding a warning when token is approaching expiry

Tags

provider xai oauth authentication refresh token cloudflare
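
An added example, not part of the issue and not OpenClaw's own code: one way a client could tell the Cloudflare interstitial quoted above apart from a real OAuth error, so a blocked refresh is reported as "edge blocked, token still valid" instead of "refresh token rejected", plus the expiry warning from the proposed solution. All type and function names are hypothetical, the sample responses are constructed, and lower-cased header names are assumed.

```typescript
// Added example; every name here is hypothetical, not an OpenClaw API.
type RefreshOutcome =
  | { kind: "ok"; accessToken: string; expiresInSec: number }
  | { kind: "oauth_error"; error: string } // RFC 6749 section 5.2 error from the OAuth server
  | { kind: "edge_blocked"; vendor: string } // stopped before reaching the OAuth server
  | { kind: "unknown"; status: number };

// Assumption: the HTTP client hands over lower-cased header names.
interface HttpResult { status: number; headers: Record<string, string>; body: string; }

function classifyRefreshResponse(res: HttpResult): RefreshOutcome {
  const ctype = (res.headers["content-type"] || "").toLowerCase();
  if (ctype.includes("json")) {
    try {
      const j = JSON.parse(res.body);
      if (res.status === 200 && typeof j.access_token === "string") {
        return { kind: "ok", accessToken: j.access_token, expiresInSec: Number(j.expires_in) || 0 };
      }
      if (typeof j.error === "string") return { kind: "oauth_error", error: j.error };
    } catch (e) {
      // Malformed JSON: fall through to the checks below.
    }
  }
  // An HTML page from a token endpoint means an intermediary answered, not the
  // OAuth server. The refresh token was not rejected and must not be discarded.
  const server = (res.headers["server"] || "").toLowerCase();
  if (ctype.includes("html") && (/\|\s*Cloudflare/i.test(res.body) || server === "cloudflare")) {
    return { kind: "edge_blocked", vendor: "cloudflare" };
  }
  return { kind: "unknown", status: res.status };
}

// Returns a warning string once the token is inside the warning window, else null.
function expiryWarning(expiresAtIso: string, nowMs: number, windowMs: number): string | null {
  const left = Date.parse(expiresAtIso) - nowMs;
  if (Number.isNaN(left)) return "token expiry is unreadable; re-authenticate";
  if (left <= 0) return "token expired; re-authenticate";
  if (left <= windowMs) return `token expires in ${Math.ceil(left / 60000)} min`;
  return null;
}

// Constructed sample responses (not captured traffic).
const blocked: HttpResult = { status: 403, headers: { "content-type": "text/html; charset=UTF-8", server: "cloudflare" }, body: "<title>Attention Required! | Cloudflare</title>" };
const rejected: HttpResult = { status: 400, headers: { "content-type": "application/json" }, body: '{"error":"invalid_grant"}' };
```

Only the `oauth_error` outcome says anything about the refresh token itself; an `edge_blocked` result leaves the stored token untouched and should prompt the interactive login described under the current workaround.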
