Skip to content

[Bug]: onboard --non-interactive silently mishandles --auth-choice in two ways #17191

Closed as not planned
Closed as not planned
[Bug]: onboard --non-interactive silently mishandles --auth-choice in two ways#17191
Labels
staleMarked as stale due to inactivity
@carrotRakko

Description

@carrotRakko
carrotRakko
opened on Feb 15, 2026

Summary

openclaw onboard --non-interactive has two silent failure modes in --auth-choice handling: (1) apiKey ignores --token-provider and always assumes Anthropic, and (2) unknown or unsupported auth choices are silently skipped with no error.

Steps to reproduce

Problem 1: --token-provider ignored for apiKey

export OPENROUTER_API_KEY=sk-or-...
openclaw onboard --non-interactive --auth-choice apiKey --token-provider openrouter
# Expected: OpenRouter auth profile configured
# Actual: looks for Anthropic API key, fails or configures wrong provider

Problem 2: Unknown auth choice silently skipped

openclaw onboard --non-interactive --auth-choice anthropic-api-key
# Expected: error "unknown auth choice: anthropic-api-key"
# Actual: no error, no auth configured, proceeds to gateway setup

Expected behavior

  1. --auth-choice apiKey --token-provider openrouter should configure an OpenRouter auth profile (as it does in the interactive path)
  2. Unknown or unsupported --auth-choice values should produce an error, not silently skip auth configuration

Actual behavior

Problem 1: In the non-interactive path (src/commands/onboard-non-interactive/local/auth-choice.ts:105-125), authChoice === "apiKey" always resolves as Anthropic:

if (authChoice === "apiKey") {
  const resolved = await resolveNonInteractiveApiKey({
    provider: "anthropic",              // always anthropic
    cfg: baseConfig,
    flagValue: opts.anthropicApiKey,     // looks for --anthropic-api-key
    flagName: "--anthropic-api-key",
    envVar: "ANTHROPIC_API_KEY",
    runtime,
  });
  // ...
}

The interactive path (src/commands/auth-choice.apply.api-providers.ts:87-128) correctly remaps based on --token-provider:

if (authChoice === "apiKey" && params.opts?.tokenProvider) {
  if (params.opts.tokenProvider === "openrouter") {
    authChoice = "openrouter-api-key";    // remapped
  } else if (params.opts.tokenProvider === "litellm") {
    authChoice = "litellm-api-key";
  }
  // ...
}

Problem 2: In src/commands/onboard-non-interactive/local/auth-choice.ts, the function is a chain of if blocks for each known auth choice. Unknown values (including valid AuthChoice union members not handled in the non-interactive path, such as google-antigravity, github-copilot, copilot-proxy) fall through to line 737:

return nextConfig;  // no error, no warning, auth not configured

Root cause

The non-interactive path was implemented separately from the interactive path and does not share the --token-provider remapping logic. Additionally, the auth choice dispatcher uses sequential if blocks with no final else clause to catch unhandled values.

OpenClaw version

2026.2.15

Operating system

Amazon Linux 2023 (aarch64)

Install method

npm global (from tarball)

Impact and severity

  • Affected: Users running onboard --non-interactive with OpenRouter or other non-Anthropic providers, or with typos in --auth-choice
  • Severity: Medium (auth silently misconfigured, gateway may start without working auth)
  • Frequency: 100% for affected flag combinations
  • Consequence: Onboarding appears to succeed but auth is not configured for the intended provider. Gateway starts, agent fails at inference time with no clear link back to onboarding.

✍️ Author: Claude Code with @carrotRakko (AI-written, human-approved)

Metadata

Metadata

Assignees

No one assigned

    Labels

    staleMarked as stale due to inactivity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions