Skip to content

fix(openviking): resolve 403 with API key auth and late .env loading#21136

Open
baofuen wants to merge 1 commit into
NousResearch:mainfrom
baobaoProject:fix/openviking-auth-headers
Open

fix(openviking): resolve 403 with API key auth and late .env loading#21136
baofuen wants to merge 1 commit into
NousResearch:mainfrom
baobaoProject:fix/openviking-auth-headers

Conversation

@baofuen

@baofuen baofuen commented May 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Two bugs in plugins/memory/openviking/__init__.py prevent the OpenViking memory plugin from working.

Bug 1: X-OpenViking-Account header conflicts with API key auth (Blocker)

_headers() unconditionally sent X-OpenViking-Account/User/Agent headers alongside X-API-Key. When using API key authentication, the account is embedded in the key itself — the OpenViking server rejects explicit tenant header overrides with PERMISSION_DENIED (403).

Fix: Only send tenant headers in local-dev mode (no API key). When self._api_key is set, omit X-OpenViking-* headers.

Bug 2: Env vars captured once, not re-read after /reload (Medium)

initialize() snapshots os.environ.get("OPENVIKING_API_KEY", "") into self._api_key and creates _VikingClient once. /reload updates os.environ but the provider is not re-initialized. Even /new does not call initialize() again.

Fix: Add _ensure_client() that re-reads os.environ on every tool call and recreates the client when API key/endpoint changes. Applied in handle_tool_call() and system_prompt_block().

How to test

  1. Set memory.provider: openviking in config.yaml
  2. Configure .env with OPENVIKING_ENDPOINT and OPENVIKING_API_KEY
  3. Start hermes — viking_browse, viking_search, viking_read should return data instead of 403

Platforms tested

  • Linux (WSL2 Ubuntu)

Related

@baofuen
fix(openviking): resolve 403 with API key auth and late .env loading
d1a9ab8 
Bug 1: _headers() sent X-OpenViking-Account/User/Agent headers
alongside X-API-Key, causing PERMISSION_DENIED (403) for
API-key-authenticated servers. The account is embedded in the
key itself — explicit tenant headers are rejected.

Fix: Only send tenant headers in local-dev mode (no API key).
When self._api_key is set, omit X-OpenViking-* headers.

Bug 2: initialize() captured env vars once and never re-read them.
/reload or late .env additions had no effect without process restart.

Fix: Add _ensure_client() that re-reads os.environ on every tool
call and recreates the client when API key/endpoint changes.
Applied in handle_tool_call() and system_prompt_block().

Closes: NousResearch#21130
@alt-glitch alt-glitch added type/bug Something isn't working P3 Low — cosmetic, nice to have comp/plugins Plugin system and bundled plugins tool/memory Memory tool and memory providers labels May 7, 2026
@alt-glitch

alt-glitch commented May 7, 2026

Copy link
Copy Markdown
Collaborator

Competing PR: #21138 fixes the same two bugs from #21130 with a broader changeset (includes tests). These should be reviewed together — only one should be merged.

@alt-glitch alt-glitch mentioned this pull request May 7, 2026
Open
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

comp/plugins Plugin system and bundled plugins P3 Low — cosmetic, nice to have tool/memory Memory tool and memory providers type/bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OpenViking plugin: 403 with API key auth + env vars not reloaded after /reload

2 participants

@baofuen @alt-glitch