Is your feature request related to a problem? Please describe.
CLI tools and headless applications cannot use browser-based OAuth flows. Users must manually copy-paste API keys from La Plateforme dashboard, which is error-prone and breaks the developer flow.
I'm building a Rust CLI for OSS contribution triage that needs Mistral API access. With the rise of AI-powered CLI tools (Claude Code, Codex, Block Goose, Mistral Vibe, etc.), there's growing demand for seamless CLI authentication without manual token handling.
Describe the solution you'd like
Implement OAuth 2.0 Device Authorization Grant (RFC 8628):
- CLI calls
POST /oauth/device/code with client_id and optional scope
- Mistral returns
device_code, user_code, verification_uri, expires_in, interval
- CLI displays: "Visit https://console.mistral.ai/device and enter code: XXXX-XXXX"
- CLI polls
POST /oauth/device/token with device_code (respecting interval)
- User authorizes in browser
- Mistral returns
access_token and optional refresh_token
Proposed Python API:
from mistralai import Mistral
# Device flow authentication
client = Mistral.device_login() # "Visit https://console.mistral.ai/device and enter code: XXXX-XXXX"
Describe alternatives you've considered
- Current flow: Requires manual API key copy-paste from La Plateforme dashboard
- Environment variables: Works but requires users to manage token lifecycle manually
- Config files: Static credentials, no rotation or revocation
Additional context
Prior art:
Use cases:
- Mistral Vibe (dog-fooding opportunity for your own tool!)
- Third-party Rust/Go/Python CLI tools
- SSH sessions without browser access
- Desktop apps without embedded browser
- Initial authentication for AI coding assistants
Strategic timing: Mistral already has a CLI tool (Mistral Vibe). Implementing device flow would benefit Vibe directly and demonstrate commitment to developer experience for the CLI ecosystem.
Suggested token design (following GitHub's approach):
- Access tokens: Long-lived or configurable expiry
- Scopes: Supported via
scope parameter in initial /device/code request
- Refresh tokens: Optional for short-lived token rotation
Is your feature request related to a problem? Please describe.
CLI tools and headless applications cannot use browser-based OAuth flows. Users must manually copy-paste API keys from La Plateforme dashboard, which is error-prone and breaks the developer flow.
I'm building a Rust CLI for OSS contribution triage that needs Mistral API access. With the rise of AI-powered CLI tools (Claude Code, Codex, Block Goose, Mistral Vibe, etc.), there's growing demand for seamless CLI authentication without manual token handling.
Describe the solution you'd like
Implement OAuth 2.0 Device Authorization Grant (RFC 8628):
POST /oauth/device/codewithclient_idand optionalscopedevice_code,user_code,verification_uri,expires_in,intervalPOST /oauth/device/tokenwithdevice_code(respectinginterval)access_tokenand optionalrefresh_tokenProposed Python API:
Describe alternatives you've considered
Additional context
Prior art:
aws sso login --use-device-codeUse cases:
Strategic timing: Mistral already has a CLI tool (Mistral Vibe). Implementing device flow would benefit Vibe directly and demonstrate commitment to developer experience for the CLI ecosystem.
Suggested token design (following GitHub's approach):
scopeparameter in initial/device/coderequest