From 6b2c87b56270bc60a1eb93e454aa64eefd2e2281 Mon Sep 17 00:00:00 2001 From: Alex Clarke Date: Thu, 12 Mar 2026 13:30:10 -0600 Subject: [PATCH] docs: Updated the docs to now explicitly mention Gemini OAuth support --- README.md | 2 +- config.example.yaml | 2 ++ docs/clients/CLIENTS.md | 26 ++++++++++++++++++++++++-- 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 026a718..df5e59e 100644 --- a/README.md +++ b/README.md @@ -154,7 +154,7 @@ loki --list-secrets ### Authentication Each client in your configuration needs authentication (with a few exceptions; e.g. ollama). Most clients use an API key (set via `api_key` in the config or through the [vault](./docs/VAULT.md)). For providers that support OAuth (e.g. Claude Pro/Max -subscribers), you can authenticate with your existing subscription instead: +subscribers, Google Gemini), you can authenticate with your existing subscription instead: ```yaml # In your config.yaml diff --git a/config.example.yaml b/config.example.yaml index 4b843d2..b6acb0a 100644 --- a/config.example.yaml +++ b/config.example.yaml @@ -192,6 +192,8 @@ clients: - type: gemini api_base: https://generativelanguage.googleapis.com/v1beta api_key: '{{GEMINI_API_KEY}}' # You can either hard-code or inject secrets from the Loki vault + auth: null # When set to 'oauth', Loki will use OAuth instead of an API key + # Authenticate with `loki --authenticate` or `.authenticate` in the REPL patch: chat_completions: '.*': diff --git a/docs/clients/CLIENTS.md b/docs/clients/CLIENTS.md index 576a6df..5e98a5b 100644 --- a/docs/clients/CLIENTS.md +++ b/docs/clients/CLIENTS.md 
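Review bot: In the config.example.yaml hunk, the new `auth` comment on the gemini client does not say what happens to `api_key` once `auth` is set to 'oauth', and the example keeps `api_key: '{{GEMINI_API_KEY}}'` on the line directly above it. If the key is ignored under OAuth (this is not visible from the hunk), the comment should say so and tell readers to remove it, so a long-lived static credential is not left configured next to the OAuth tokens. A possible wording is `auth: null # null = authenticate with api_key; 'oauth' = use OAuth tokens, api_key can be omitted`. Listing the accepted values this way also makes clear that `null` and `'oauth'` are the only two the example intends.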
@@ -137,8 +137,29 @@ loki --authenticate Alternatively, you can use the REPL command `.authenticate`. -This opens your browser for the OAuth authorization flow. After authorizing, paste the authorization code back into -the terminal. Loki stores the tokens in `~/.cache/loki/oauth` and automatically refreshes them when they expire. +This opens your browser for the OAuth authorization flow. Depending on the provider, Loki will either start a +temporary localhost server to capture the callback automatically (e.g. Gemini) or ask you to paste the authorization +code back into the terminal (e.g. Claude). Loki stores the tokens in `~/.cache/loki/oauth` and automatically refreshes +them when they expire. + +#### Gemini OAuth Note +Loki uses the following scopes for OAuth with Gemini: +* https://www.googleapis.com/auth/generative-language.peruserquota +* https://www.googleapis.com/auth/userinfo.email +* https://www.googleapis.com/auth/generative-language.retriever (Sensitive) + +Since the `generative-language.retriever` scope is a sensitive scope, Google needs to verify Loki, which requires full +branding (logo, official website, privacy policy, terms of service, etc.). The Loki app is open-source and is designed +to be used as a simple CLI. As such, there's no terms of service or privacy policy associated with it, and thus Google +cannot verify Loki. + +So, when you kick off OAuth with Gemini, you may see a page similar to the following: +![](../images/clients/gemini-oauth-page.png) + +Simply click the `Advanced` link and click `Go to Loki (unsafe)` to continue the OAuth flow. + +![](../images/clients/gemini-oauth-unverified.png) +![](../images/clients/gemini-oauth-unverified-allow.png) **Step 3: Use normally** @@ -153,6 +174,7 @@ loki -m my-claude-oauth:claude-sonnet-4-20250514 "Hello!" ### Providers That Support OAuth * Claude +* Gemini ## Extra Settings Loki also lets you customize some extra settings for interacting with APIs: