Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/phpaisdk/xai/llms.txt

Use this file to discover all available pages before exploring further.

Every request the aisdk/xai package sends to the xAI API must include an API key. The key is transmitted as an HTTP Authorization: Bearer header, assembled by XAIOptions::authHeaders() and merged into every request at send time. You can supply the key through an environment variable (the recommended approach) or pass it directly when constructing the provider.

Obtaining an API key

Sign in to the xAI developer console at https://console.x.ai and generate a new API key from the API Keys section of your account. Copy the key immediately — it is only shown once.
xAI API keys begin with xai-. If your key does not start with this prefix, double-check that you copied it in full from the console.
Export the key in your shell or set it in your deployment environment before starting the application:
export XAI_API_KEY=xai-your-key-here
With the variable present, you can call XAI::create() or XAI::default() without mentioning the key anywhere in PHP source code. XAIOptions::fromArray() reads XAI_API_KEY automatically:
use AiSdk\XAI;

// API key is loaded from the XAI_API_KEY environment variable.
XAI::create();

// Or rely on lazy initialisation via the default singleton.
$provider = XAI::default();

Setting programmatically

Pass the key in the configuration array when you need to manage credentials at runtime — for example, when multi-tenant applications use different keys per request:
use AiSdk\XAI;

XAI::create(['apiKey' => 'xai-your-key-here']);
The value supplied in the array takes precedence over any environment variable that is set.

How the key is sent

XAIOptions::authHeaders() prepends the Authorization header to any extra headers you configured, and the result is attached to every outgoing HTTP request:
public function authHeaders(): array
// Returns: ['Authorization' => 'Bearer xai-...', ...extra headers]
You can verify this in practice — the test suite asserts it directly:
expect($client->lastRequest->getHeaderLine('Authorization'))
    ->toBe('Bearer xai-test');
No other authentication mechanism (cookies, query parameters, etc.) is used.

Security best practices

Never commit your API key to source control. A key checked into a repository — even a private one — can be extracted from git history and used to make requests billed to your account. Store secrets in environment variables, a secrets manager (such as AWS Secrets Manager, HashiCorp Vault, or 1Password Secrets Automation), or an encrypted .env file that is excluded from version control via .gitignore.
Additional recommendations:
  • Rotate keys regularly. Treat API keys like passwords and replace them on a schedule, or immediately if you suspect a leak.
  • Use the minimum required scope. If the xAI console allows scoped keys, grant only the permissions your application actually needs.
  • Audit key usage. Monitor the xAI console for unexpected request volumes or unusual usage patterns that could indicate a compromised key.

Build docs developers (and LLMs) love