MiniMax (/anthropic) auth gets overridden by Anthropic token refresh, causing 401

[acsezen]

Summary

When Hermes runs MiniMax via the Anthropic-compatible endpoint (https://api.minimax.io/anthropic), auth can be overwritten by Anthropic OAuth/token resolution (ANTHROPIC_TOKEN / Claude Code creds). This results in 401s from MiniMax even though MINIMAX_API_KEY is set and valid.

Environment

• Hermes Agent v0.4.0 (installed CLI)
• Provider: minimax
• Model: MiniMax-M2.7-highspeed
• Base URL: https://api.minimax.io/anthropic

Repro

1. Configure model.provider: minimax with base URL https://api.minimax.io/anthropic.
2. Set MINIMAX_API_KEY in ~/.hermes/.env.
3. Have Anthropic OAuth/token state present (for example from Claude login/setup token).
4. Run a normal Hermes prompt.

Actual

Hermes logs show auth method Bearer with an Anthropic-style token (sk-ant-oat...) and MiniMax responds 401, e.g. "Please carry the API secret key in the Authorization field".

Expected

For provider minimax / minimax-cn, Hermes should always keep provider key auth (MINIMAX_API_KEY / MINIMAX_CN_API_KEY) and never refresh/override from Anthropic token sources.

Root Cause

In run_agent.py under api_mode == "anthropic_messages":

• Init path falls back to resolve_anthropic_token() for non-DashScope providers.
• _try_refresh_anthropic_client_credentials() refreshes from resolve_anthropic_token() for non-DashScope providers.
• Fallback activation path also uses resolve_anthropic_token().

This logic is correct for native Anthropic, but too broad for third-party Anthropic-compatible providers (MiniMax, custom /anthropic endpoints).

Proposed Fix

Gate Anthropic token fallback/refresh to native Anthropic only (for example: provider == "anthropic" or base URL contains api.anthropic.com).

Suggested implementation shape:

1. Add helper like _uses_native_anthropic_auth(provider, base_url) -> bool.
2. In Anthropic init path, only call resolve_anthropic_token() when helper returns true.
3. In _try_refresh_anthropic_client_credentials(), early-return false when helper returns false.
4. In fallback activation path for anthropic_messages, apply the same gating.
5. Add regression tests:
   • MiniMax init must not call resolve_anthropic_token()
   • MiniMax refresh must not call resolve_anthropic_token()

Additional note

ANTHROPIC_AUTH_TOKEN in .env appears to be a user-facing convention/comment only and is not consumed by auth resolution; this can confuse users troubleshooting MiniMax auth. Consider documenting/removing it if present in templates.

[Mibayy]

This was fixed in run_agent.py — the current main branch already gates Anthropic token fallback to native Anthropic only.

Init path (line 687-688):

_is_native_anthropic = self.provider == "anthropic"
effective_key = (api_key or resolve_anthropic_token() or "") if _is_native_anthropic else (api_key or "")

Refresh path (_try_refresh_anthropic_client_credentials, line 3346):

if self.provider != "anthropic":
    return False

Both the init and refresh paths now early-exit for non-native Anthropic providers (MiniMax, DashScope, any custom /anthropic-endpoint). If you are still seeing 401s on the current version, make sure model.provider is explicitly set to minimax (not anthropic) in your config.yaml.

[teknium1]

Fixed on main. The _try_refresh_anthropic_client_credentials() method now gates on self.provider != "anthropic" (line 4043 of run_agent.py), and the init path gates Anthropic token fallback to _is_native_anthropic = self.provider == "anthropic" (line 775-776). MiniMax, Alibaba, and other third-party anthropic_messages providers will never have their keys overridden by Anthropic token resolution.

These fixes landed across multiple PRs: #4028 (bearer auth for MiniMax), #4093 (non-sk-ant- key handling), #4148 (URL-based auth for third-party endpoints).