OAuth & subscription providers

Most Revka providers authenticate with a plain API key. The providers on this page are different: they reuse a subscription you already pay for — a ChatGPT/Codex plan, a Gemini CLI login, a Claude Code subscription, a GitHub Copilot seat, or a MiniMax/Qwen OAuth account — instead of a per-token API key. There is no sk-... value to paste; Revka either drives an OAuth flow, reuses tokens another CLI already minted, or spawns an authenticated local binary.

Reach for these providers when you want your agent to bill against a flat-rate subscription rather than metered API usage, or when you already have one of these CLIs installed and authenticated and want Revka to ride on its credentials.

Auth profiles minted by the OAuth flows are stored separately from config.toml, cached in ~/.revka/auth-profiles.json, and keyed by provider plus a profile name. For the full revka auth command reference see revka models, providers & auth; for how credentials are stored at rest see Secrets, pairing & device auth.

How these providers authenticate

There are three distinct mechanisms on this page:

Mechanism	Providers	How Revka gets a token
Revka OAuth flow	openai-codex, GitHub Copilot	revka auth login (or device-code) runs an OAuth flow and caches the token
Reuse another CLI’s credentials	gemini-cli, claude-code, kilocli, Qwen Code	Revka spawns the authenticated binary, or reads its on-disk credential file
OAuth token env vars	MiniMax, Qwen	You supply an OAuth/refresh token via environment variables; Revka refreshes it

The subprocess providers (gemini-cli, claude-code, kilocli) never hold a key — they shell out to a binary that holds its own session. The token-env providers (MiniMax, Qwen) accept an OAuth access token or a refresh token that Revka rotates in-process.

OpenAI Codex

The openai-codex provider (alias codex) talks to OpenAI’s Responses API at https://chatgpt.com/backend-api/codex/responses — a different surface from Chat Completions — using OAuth credentials from your ChatGPT/Codex subscription. It supports SSE streaming, reasoning-effort levels, and native tool calling, including pre-executed tool-call pass-through.

Authenticate

# Browser/redirect OAuth flow
revka auth login --provider openai-codex

# Headless host — device-code flow
revka auth login --provider openai-codex --device-code

# Reuse credentials the Codex CLI already minted
revka auth login --provider openai-codex --import ~/.codex/auth.json

--import defaults to ~/.codex/auth.json, so if you already use the Codex CLI you can adopt its login without re-authenticating. The browser flow opens a URL, captures the redirect, and caches the token in ~/.revka/auth-profiles.json. On a machine where the redirect can’t be captured, finish manually:

revka auth paste-redirect --provider openai-codex --input "<URL_OR_CODE>"

Access tokens refresh automatically in long-running deployments; force a refresh with revka auth refresh --provider openai-codex.

Configure

default_provider = "openai-codex"
default_model    = "gpt-5.3-codex"

[runtime]
reasoning_effort = "medium"   # minimal | low | medium | high | xhigh

Setting	Type	Meaning
[runtime] reasoning_effort	string	Reasoning depth: minimal, low, medium, high, xhigh. Also settable via REVKA_CODEX_REASONING_EFFORT.
REVKA_CODEX_RESPONSES_URL	env	Override the Responses API endpoint.
REVKA_CODEX_BASE_URL	env	Override the base URL.

Gemini CLI

The gemini-cli provider spawns the gemini binary (Google’s Gemini CLI) as a child process and feeds it prompts over stdin. It reuses the CLI’s own credential store, so no Revka API key is required — the gemini binary must already be installed and logged in separately.

default_provider = "gemini-cli"
default_model    = "gemini-2.5-pro"

Setting	Type	Meaning
GEMINI_CLI_PATH	env	Path to the gemini binary. Default: gemini from PATH.

Caution

Subprocess providers forward only the system prompt and the last user message — not full conversation history. Temperature is restricted to 0.7 or 1.0; any other value errors. Each invocation has a 120-second timeout.

If you’d rather hit the Gemini API directly (with full history and an API key, OAuth-token reuse, or Vertex AI), use the gemini provider instead — see Cloud API providers (Gemini, Bedrock, Azure).

Claude Code

The claude-code provider spawns the claude binary (Claude Code CLI) as a child process and feeds prompts over stdin, reusing Claude Code’s own authentication. No separate API key is needed; the claude binary must be installed and authenticated.

default_provider = "claude-code"
default_model    = "claude-sonnet-4-6"

Setting	Type	Meaning
CLAUDE_CODE_PATH	env	Path to the claude binary. Default: claude from PATH.

Unlike Gemini CLI and KiloCLI, Claude Code forwards the full conversation (system prompt plus all prior turns) flattened into one labeled prompt — so multi-turn history is preserved. Temperature values outside 0.7/1.0 are silently clamped to the nearest supported value (only non-finite values error), whereas Gemini CLI and KiloCLI reject any unsupported temperature with an error. The per-request timeout is 120 seconds.

KiloCLI

The kilocli provider (alias kilo) spawns the kilo binary (KiloCLI) — architecturally identical to the Claude Code provider. KiloCLI must be installed and authenticated separately.

default_provider = "kilocli"
default_model    = "default"

Setting	Type	Meaning
KILO_CLI_PATH	env	Path to the kilo binary.

Same limits as the other subprocess providers: no multi-turn history, temperature 0.7/1.0 only, 120-second timeout.

GitHub Copilot

The copilot provider (alias github-copilot) reaches GitHub Copilot inference at https://api.githubcopilot.com. It performs a GitHub device-code flow using VS Code’s OAuth client ID (Iv1.b507a08c87ecfe98), exchanges the result for a GitHub OAuth token, then mints short-lived Copilot API tokens. Tokens are cached and auto-refreshed.

default_provider = "copilot"
default_model    = "gpt-4o"
api_key          = "<github-oauth-token>"

Setting	Type	Meaning
api_key	string	The GitHub OAuth token (not the short-lived Copilot key). This is the value stored in config or env.
Token cache	path	~/.config/revka/copilot/ (containing api-key.json and access-token).

During the device-code flow Revka prints a URL and a user code for you to authorize in a browser.

Caution

Copilot support uses VS Code’s OAuth client ID against a private Copilot token endpoint. It is best-effort and not officially supported by GitHub — GitHub can change or revoke this at any time, which would break all third-party integrations at once.

MiniMax OAuth mode

MiniMax (Global and CN) supports automatic OAuth token resolution. Setting api_key = "minimax-oauth" is a placeholder that switches the provider into the OAuth path: it checks MINIMAX_OAUTH_TOKEN, then MINIMAX_API_KEY, and if needed calls the token-refresh endpoint with MINIMAX_OAUTH_REFRESH_TOKEN.

default_provider = "minimax-oauth"
api_key          = "minimax-oauth"

export MINIMAX_OAUTH_TOKEN="<token>"            # preferred: a direct OAuth token
# or, to auto-refresh:
export MINIMAX_OAUTH_REFRESH_TOKEN="<token>"
export MINIMAX_OAUTH_REGION="global"            # global | cn

Variable	Meaning
MINIMAX_OAUTH_TOKEN	Direct OAuth access token (checked first).
MINIMAX_API_KEY	Standard API key fallback.
MINIMAX_OAUTH_REFRESH_TOKEN	Refresh token; Revka exchanges it for a fresh access token.
MINIMAX_OAUTH_REGION	global or cn — selects the token endpoint and base URL.
MINIMAX_OAUTH_CLIENT_ID	Override the default OAuth client id.

Region routing: Global tokens use https://api.minimax.io/oauth/token; CN tokens use https://api.minimaxi.com/oauth/token. The same region is inferred from the alias you choose (minimax/minimax-intl for Global, minimax-cn/minimaxi for CN) or from MINIMAX_OAUTH_REGION.

Note

All MiniMax variants merge the system message into the first user turn (merge_system_into_user), because the MiniMax API rejects role: system. In channel conversations this means system-level delivery guidance is folded into the user prompt rather than sent separately.

Qwen / Qwen Code OAuth mode

Alibaba Qwen (DashScope) has three sub-variants: a direct API key, OAuth token reuse from the Qwen Code CLI, or an explicit OAuth token. The qwen-code variant (api_key = "qwen-oauth") is the subscription path — analogous to openai-codex — for users with a Qwen Code CLI login.

# Direct API key
default_provider = "qwen"
# then: export DASHSCOPE_API_KEY=...

# OAuth / Qwen Code subscription
default_provider = "qwen-code"
api_key          = "qwen-oauth"

Variable	Meaning
DASHSCOPE_API_KEY	Direct API key (for the non-OAuth variants).
QWEN_OAUTH_TOKEN	Explicit OAuth access token.
QWEN_OAUTH_REFRESH_TOKEN	Enables in-process auto-refresh when the cached token is expired.
QWEN_OAUTH_RESOURCE_URL	Endpoint override carried from the OAuth session.
QWEN_OAUTH_CLIENT_ID	Override the default OAuth client.

If no explicit token is set, Revka auto-discovers credentials written by the Qwen Code CLI at ~/.qwen/oauth_creds.json. Region endpoints are separate:

Region	Base URL
CN	dashscope.aliyuncs.com/compatible-mode/v1
International	dashscope-intl.aliyuncs.com/compatible-mode/v1
US	dashscope-us.aliyuncs.com/compatible-mode/v1

For the broader China-region provider picture (GLM, Moonshot/Kimi, Doubao, and the full alias-to-region map), see China-region providers.

revka auth flows

The OAuth-based providers above are managed with the revka auth command group. The most common flows:

revka auth login --provider openai-codex            # start an OAuth login
revka auth login --provider openai-codex --device-code
revka auth login --provider gemini --profile work   # named profile
revka auth status                                    # active profile + token expiry per provider
revka auth use --provider openai-codex --profile work
revka auth refresh --provider openai-codex          # force a token refresh
revka auth logout --provider openai-codex

Command	What it does
login	Run an OAuth login (--device-code for headless, --import <PATH> to adopt an existing auth.json).
paste-redirect	Finish a login by pasting the redirect URL or raw code when capture failed.
paste-token / setup-token	Store a subscription/setup token directly (used for Anthropic subscription auth).
refresh	Refresh an access token from its stored refresh token.
use	Switch the active profile for a provider.
list / status	List stored profiles, or show the active profile and token expiry per provider.
logout	Remove a stored profile.

Profiles let you keep, for example, a personal and a work subscription side by side and switch between them with revka auth use. See revka models, providers & auth for the complete flag reference.

Tip

After logging in, confirm the credential works before deploying. revka auth status shows token expiry, and revka doctor models --provider openai-codex probes the provider end-to-end.

Related pages

• revka models, providers & auth — full revka auth command and flag reference.
• Provider catalog — every provider ID, alias, base URL, and capability.
• Cloud API providers (Gemini, Bedrock, Azure) — the API-key/ADC gemini provider as an alternative to Gemini CLI.
• China-region providers — MiniMax and Qwen region routing alongside GLM, Kimi, and others.
• Secrets, pairing & device auth — how stored credentials are protected at rest.
• Config: provider, agent & routing — the config.toml keys behind these providers.