Answer Box: Grok2API, an open-source Go-based API gateway, enables multi-account access to Grok Build, Grok Web, and Grok Console via OpenAI- and Anthropic-compatible interfaces. The project, released on GitHub, supports account pools, model routing, and a management dashboard, with deployment via Docker Compose or manual setup. It is intended for learning and research only, requiring compliance with Grok's terms of service and local laws.
Overview and Architecture
Grok2API is a pure Go implementation that organizes three distinct provider types—Grok Build OAuth, Grok Web SSO, and Grok Console SSO—into separate account pools. It exposes standard APIs including Responses, Chat Completions, Images, asynchronous Videos, and Anthropic Messages, allowing clients to interact with Grok models using familiar interfaces. The gateway handles multi-account scheduling with features like priority, concurrency limits, quota gating, session stickiness, cooldown, and failover.
Account integration supports Device OAuth, OAuth JSON, SSO JSON, and line-by-line SSO tokens. Media capabilities include image generation and editing, video generation, and local image archiving with URL or Base64 return. The infrastructure relies on SQLite or PostgreSQL for persistent storage, with Memory or Redis for caching and distributed locking. Security measures include AES-256-GCM credential encryption, client key hashing, log sanitization, SSRF protection, and transfer limits.
Deployment and Configuration
To deploy, users clone the repository and copy the example configuration file. Security keys must be generated using `openssl rand -hex 32` and `openssl rand -base64 32` for JWT and credential encryption respectively. A bootstrap admin account is configured in `config.yaml`. The recommended deployment method is via Docker Compose, which includes the built frontend and mounts the configuration file read-only. The default port is 8000.
For manual setup, the backend can be run with `go run ./cmd/grok2api` from the backend directory, while the frontend development server runs on port 5173 with API proxied to 8000. After initial admin login, users should change the admin password and remove the `bootstrapAdmin` section from the configuration. The `credentialEncryptionKey` must be kept permanently, as changing it will render existing credentials undecryptable.
Account Management and Model Routing
Grok Build OAuth supports on-demand renewal, while Grok Web and Grok Console SSO tokens cannot be auto-renewed; expired credentials cause accounts to leave the pool until reauthorized. Both Web and Console support bulk import via JSON or line-by-line tokens. The management interface can reuse Web SSO credentials to create or update Console accounts, with synchronization idempotent on the Console identity key.
Grok Console uses stateless mode, disabling `previous_response_id`, Response query/deletion, and `/responses/compact`. Multi-turn calls require replaying full inputs, tool calls, and results. External model names omit provider prefixes (e.g., `grok-4.5`), while internal routing uses `Build/`, `Web/`, `Console/` prefixes. Models from multiple sources can share the same external name, with the gateway selecting based on client permissions, protocol capability, and account availability. Provider-prefixed names remain as compatibility entry points.
API Usage and Best Practices
All `/v1` endpoints except health checks and public images require a client API key in the Authorization header (format: `Bearer g2a_xxx_xxx`). The management dashboard at `/docs` provides API documentation and code examples in cURL, Python, and JavaScript. Swagger documentation is available in development with `server.swaggerEnabled: true`, but should be disabled in production.
Production recommendations include using HTTPS with secure cookies, PostgreSQL with Redis for multi-instance deployments, shared volumes for media directories, and regular backups of configuration, database, and media. Users should avoid committing OAuth tokens, SSO cookies, or account export files to Git, and configure reverse proxies and network protection before exposing the gateway externally.