From 2410e1139547abcd5a6705d2a5f3297633f454ff Mon Sep 17 00:00:00 2001 From: Evo Date: Thu, 28 May 2026 22:30:06 +0800 Subject: [PATCH] docs(xai-oauth): note bare-code manual-paste from #33880 --- website/docs/guides/oauth-over-ssh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/guides/oauth-over-ssh.md b/website/docs/guides/oauth-over-ssh.md index 15ac3668f..22ee2f5f6 100644 --- a/website/docs/guides/oauth-over-ssh.md +++ b/website/docs/guides/oauth-over-ssh.md @@ -40,7 +40,7 @@ hermes auth add xai-oauth --manual-paste # → Paste it back into the terminal at the "Callback URL:" prompt. ``` -The same flag works on `hermes model --manual-paste` for the integrated model picker. A bare `?code=...&state=...` query fragment is accepted too if you don't want to paste the whole URL. +The same flag works on `hermes model --manual-paste` for the integrated model picker. Hermes accepts three callback paste forms interchangeably: the full URL, a bare `?code=...&state=...` query fragment, or — when the upstream consent page renders the authorization code in-page instead of redirecting (xAI's current behavior on browser-based consoles) — just the bare code value on its own. Hermes uses the **same PKCE verifier, state and nonce** for both paths, so the upstream OAuth flow is byte-identical — `--manual-paste` is purely a transport change for the callback hop and is not a security downgrade.
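
Review bot: The bare-code paste form added in the `+` line carries no `state` value, yet the sentence right after it still says the same PKCE verifier, state and nonce are used and that `--manual-paste` "is not a security downgrade"; the guide should say what Hermes does about `state` when only the code is pasted. If the state comparison cannot run for that form and the PKCE verifier alone binds the code to the session, say so explicitly, or scope the "not a security downgrade" claim to the full-URL and `?code=...&state=...` forms. Separately, "for both paths" now follows a list of three paste forms, so naming the two paths it means would prevent misreading. The added sentence would also read more easily as a three-item list than as one sentence with a nested parenthetical.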