Why Grok and xAI need their own routing note—not a renamed OpenAI list
Clash does not care which logo sits on the landing page; it matches flows and selects an outbound. The maintenance burden is human: you must list the hostnames your traffic actually uses. xAI’s developer and marketing footprint clusters under the registrable domain x.ai. The public API typically terminates on api.x.ai and related first-party subdomains, which a single DOMAIN-SUFFIX,x.ai entry covers because suffix matching is hierarchical. That is simpler than some other vendors, yet simplicity hides two frequent mistakes. First, people import a generic “AI rules” bundle tuned for OpenAI and assume it silently includes xAI—it might not. Second, they proxy x.ai but forget that the Grok experience embedded inside another product can still pull assets and APIs from a different registrable domain, which your xAI-only lines never see.
This article complements our vendor-specific guides rather than repeating them. For OpenAI-shaped traffic, read the ChatGPT and OpenAI API routing guide; for Anthropic, open the Claude and Anthropic API walkthrough. Both explain policy-group patterns and failure modes that transfer here. What changes is the hostname map and a few API client quirks. For the mechanics of match order and Rule Providers, keep the YAML routing reference nearby while you edit.
Also separate network reachability from account policy. Clash can deliver TLS to a reachable edge; it cannot fix an expired key, a workspace restriction, or a terms-of-service outcome expressed as HTTP 403. When users say they are “blocked,” half the time the proxy never saw the right name, and the other half the upstream application already refused the call. The sections below give you a fast way to tell which story you are living.
Hostnames to cover: x.ai, api.x.ai, and where Grok actually runs
Start with suffix coverage. DOMAIN-SUFFIX,x.ai is the backbone: it picks up the corporate site, documentation, account or console flows, and api.x.ai without maintaining a growing list of third-level labels by hand. If you prefer explicit readability for operators, duplicate DOMAIN,api.x.ai above the suffix line; it is redundant logically but makes diffs easier to review in large teams.
Community “AI” rule sets sometimes tuck xAI entries under a separate tag. Before you trust them, read what outbound they target and whether any merged ad or tracker list issues a silent REJECT that overrides your intent. A deny rule that appears earlier in the chain than your AI bucket still wins—Clash stops at the first match. The same discipline applies when you convert to rule-set imports on Clash Meta (mihomo): ordering is ordering, regardless of syntax sugar.
Grok in a standalone browser session on xAI pages stays mostly inside the x.ai tree. The in-product experience bundled with a large social platform is a different beast: feeds, media, and real-time features may call hosts on another registrable domain entirely. If only the embedded assistant fails while the standalone site works, do not keep shuffling xAI YAML—inspect connection logs for the hosts your client actually hit and extend rules deliberately. Avoid spraying DOMAIN-KEYWORD entries such as bare “grok” unless you accept the risk of sweeping unrelated SaaS traffic into the same policy group. Keywords are blunt instruments; suffix and exact DOMAIN lines age better.
DOMAIN-SUFFIX or a sibling rule above a broad domestic DIRECT shortcut.
Policy groups: one shared “AI” bucket or a dedicated XAI group
Policy groups are the named targets your rules reference. A common pattern reuses a single select group—call it AI or US-West—for every generative vendor when they all tolerate the same exit geography. That keeps the tray UI small and predictable. The trade-off is coarser control: if only xAI misbehaves on a specific node, rotating the shared group perturbs ChatGPT and Claude too. Teams that A/B test exits per vendor often carve XAI as its own select so operators can pivot without touching unrelated traffic.
Nested groups still help. Wrap human choice in an outer select, then feed an inner url-test or fallback cluster for automatic picking among similar nodes. Streaming completions over HTTP/2 reward stable outbounds; aggressive url-test churn can interrupt long responses. Batch jobs may tolerate flapping latency optimizers; interactive chat rarely does. None of that is xAI-specific—it is how Clash behaves at the group boundary—but picking structure deliberately prevents misattributed “API flakiness.”
proxy-groups: - name: "XAI" type: select proxies: - "US-Stable" - "Direct" - name: "US-Stable" type: url-test proxies: - "node-us-west" - "node-us-east" url: "https://www.gstatic.com/generate_204" interval: 300
Rename nodes and probe URLs to match your operator. The structural goal is to give xAI traffic a visible outbound in the dashboard instead of hiding it inside an anonymous PROXY placeholder whose membership changes when subscriptions refresh.
Rules snippet: keep xAI lines above catch-alls that lie
Clash evaluates rules from top to bottom until one matches. Put specific matchers before broad ones. Domestic DIRECT shortcuts, LAN bypass, GEOIP splits, and aggressive blocklists often sit early; the terminal MATCH belongs at the bottom. Your xAI entries must appear before any rule that would send those flows to the wrong group—especially country lists that classify x.ai unexpectedly, or a subscription snippet that forces “foreign SaaS” direct for perceived latency wins.
rules: - DOMAIN-SUFFIX,x.ai,XAI - # Optional explicit anchor for readers of the diff: - DOMAIN,api.x.ai,XAI - # ... domestic DIRECT / GEOIP blocks ... - MATCH,PROXY
Policy names must match proxy-groups exactly, character for character. On Meta cores, if you migrate static lines into remote rule-sets, preserve the same ordering discipline: an early REJECT in an imported set is still an early match. When maintainers expand community lists, re-read release notes—benign tracker coverage can grow into accidental denials for AI endpoints overnight.
DNS, TLS, and symptoms that masquerade as missing DOMAIN-SUFFIX lines
Many outages are resolver problems wearing a proxy costume. If the operating system resolves api.x.ai before Clash’s DNS capture engages, hostname rules may not see the labels you expect under fake-IP modes, or the client may prefer an IPv6 path your template never matched. Align DNS mode with how you match: redir-host versus fake-IP changes whether the core observes original names or mapped addresses. Our Fake-IP vs redir-host guide covers the trade-offs that also bite AI vendors.
TLS alert strings and certificate warnings usually point to time skew, corporate HTTPS inspection, or a middlebox on the local segment—not a absent suffix line. Clash forwards bytes; it does not repair broken trust stores. On the application side, HTTP 401 and 403 responses from the API are almost always header, scope, or key problems. Rotate credentials deliberately; do not chase YAML ghosts when the server already told you “unauthorized.”
When the web console streams tokens but a terminal script fails, compare proxy awareness. Shells often ignore system proxy settings unless you export HTTPS_PROXY to Clash’s local listener, and some runtimes need explicit environment wiring. TUN mode transparently captures more processes at the cost of broader blast radius when misconfigured. The mismatch pattern matches OpenAI and Anthropic; only hostnames change. If you need whole-machine capture, read the desktop TUN article in the tech column before toggling switches blindly.
Common blocks and first checks for xAI-shaped traffic
Universal timeouts across every site. Start with node health, permissions, and subscription freshness—not vendor YAML. On Android, VPN scope and power optimizers mimic routing failure; walk the Android timeout checklist before rewriting rules.
Partially loaded console, missing scripts or styles. Typically an uncovered hostname went DIRECT while the document used the proxy, or the reverse. Inspect connection logs for stray flows; extend suffix coverage or move a conflicting matcher earlier or later as appropriate.
API TLS failures while the marketing site works. Often separate cipher expectations, inspection appliances, or IPv6-only paths. Confirm system time, disable opportunistic interception, and verify chained outbounds preserve SNI toward api.x.ai.
HTTP 429 or explicit rate-limit payloads. Service-side throttling, not Clash. Back off, respect published limits, and reduce client concurrency instead of rotating exits to dodge fair use.
Product messages about region, eligibility, or compliance. These reflect upstream policy state. Split routing cannot substitute for legitimate account access; it only ensures permitted traffic reaches a node that can complete TLS.
Embedded Grok flows fail while standalone xAI pages succeed. Re-read the hostname section: you may need additional suffix rules for the other registrable domains in that integration, not more copies of the same x.ai line.
Troubleshooting quick reference
| What you see | Where to look |
|---|---|
| Correct domain in logs but wrong outbound | An earlier rule matched; reorder or narrow the broader matcher |
| IP-based rule wins over DOMAIN-SUFFIX | Connection arrived as IP; review fake-IP, redir-host, and DNS routing |
| IPv4 works, IPv6 fails | Dual-stack exit or node IPv6 support; adjust stack or add parallel rules |
| Wi-Fi OK, mobile data broken | Carrier DNS or NAT; compare TUN vs explicit proxy on cellular |
| SDK only breaks in CI or a server subnet | That host bypasses Clash; install proxy env vars or a dedicated egress |
When stuck, reduce to a minimal profile: two groups, a handful of rules, one known-good node. Confirm xAI flows hit XAI (or your chosen name) in logs, then reintroduce complexity. Large templates often hide a single early line that overrides your AI entries.
Core version and protocol headroom
Modern subscriptions expose transports that stale cores mishandle. Running current Clash Meta (mihomo) avoids handshake failures that masquerade as mysterious blocks. Follow the Meta upgrade guide when refreshing the engine; routing logic still lives in your YAML, but the executable should not be the bottleneck.
Open source and documentation
Syntax evolves between releases. For authoritative behavior, keep upstream docs and release notes within reach. The mihomo repository is the right place for deep issues and examples—separate from day-to-day installers, which we centralize on this site for clarity.
Closing thoughts
Reliable Grok and xAI access through Clash is mostly disciplined hostname coverage, transparent policy groups, and respect for rule precedence—not a secret toggle. A concise DOMAIN-SUFFIX,x.ai pair with optional explicit api.x.ai anchors aligns the console with API clients when you intend a single exit. That is simpler than some competitors’ maps, which makes maintenance easy—until embedded experiences pull in sibling domains you forgot to list.
Compared with opaque mega-profiles, explicit suffix lines age well: when xAI adds hosts, you extend a short block instead of guessing which remote list swallowed your traffic. The same maintainability argument drives Rule Provider adoption—just keep AI-related targets reviewable so imported lists never block what you meant to permit.
For OpenAI-specific host patterns, see the ChatGPT and OpenAI API guide; for Anthropic, the Claude routing article; for the full matching tour, open the YAML routing guide and browse the tech column for more scenarios.