Model failover does not activate on rate limit - agents stay on primary model

[cryptopafi]

Description

When the primary model (Anthropic Claude) hits API rate limits, the gateway does NOT automatically switch agents to configured fallback models (OpenRouter/DeepSeek, OpenRouter/Kimi). Agents remain stuck on the rate-limited primary model, causing cascading failures.

Environment

• OpenClaw version: 2026.2.14
• OS: macOS (Intel)
• Node: v22.22.0
• Gateway mode: local
• 8 agents configured with fallback chains

Configuration

{
  "agents": {
    "defaults": {
      "model": {
        "primary": "anthropic/claude-sonnet-4-5-20250929",
        "fallbacks": ["openrouter/deepseek/deepseek-v3.2", "openrouter/moonshotai/kimi-k2.5"]
      }
    }
  }
}

Auth profiles exist for both anthropic:manual and openrouter:manual in each agent's auth-profiles.json.

Steps to Reproduce

1. Configure agent with Anthropic primary + OpenRouter fallbacks
2. Trigger rate limit on Anthropic (e.g., activate multiple agents simultaneously)
3. Observe that agents do NOT switch to fallback models

Expected Behavior

Per model-failover docs: "If all profiles for a provider fail, OpenClaw moves to the next model in agents.defaults.model.fallbacks."

Agents should automatically switch to openrouter/deepseek/deepseek-v3.2 when Anthropic is rate-limited.

Actual Behavior

• All agents fail with FailoverError: ⚠️ API rate limit reached. Please try again later.
• No attempt to use fallback models
• Gateway error log shows cascading failures across all agents
• Messages queue up (321 seconds max wait observed)
• Eventually OAuth token expires (HTTP 401), compounding the issue

Testing Done

1. Manual cooldown in auth-profiles.json: Set cooldownUntil in the future for anthropic:manual → gateway IGNORES file-based cooldowns for existing sessions
2. Changed primary model to DeepSeek in config: Gateway hot-reloads config but existing sessions keep old model
3. Gateway restart with DeepSeek as primary: Agent correctly responds on DeepSeek → confirms OpenRouter integration works
4. Verified OpenRouter API key: Direct curl to OpenRouter returns successful response

Key Finding

The failover mechanism appears to only work at session creation (after gateway restart), not at runtime when rate limits are encountered. File-based cooldowns in auth-profiles.json are not respected by running sessions.

Error Log Excerpt

2026-02-17T13:45:54Z [diagnostic] lane task error: lane=session:agent:lexi:discord:channel:... error="FailoverError: ⚠️ API rate limit reached."
2026-02-17T13:45:58Z [diagnostic] lane task error: lane=session:agent:ressie:discord:channel:... error="FailoverError: ⚠️ API rate limit reached."
2026-02-17T13:46:01Z [diagnostic] lane task error: lane=session:agent:mark:discord:channel:... error="FailoverError: ⚠️ API rate limit reached."
2026-02-17T13:46:16Z [diagnostic] lane task error: lane=session:agent:dessie:discord:channel:... error="FailoverError: ⚠️ API rate limit reached."
2026-02-17T13:46:18Z [diagnostic] lane task error: lane=session:agent:afy:discord:channel:... error="FailoverError: ⚠️ API rate limit reached."
2026-02-17T13:46:24Z [diagnostic] lane task error: lane=session:agent:tech:discord:channel:... error="FailoverError: ⚠️ API rate limit reached."
2026-02-17T13:51:01Z [discord] Slow listener detected: DiscordMessageListener took 321 seconds

Workaround

Manually switch model via config + gateway restart:

# Edit openclaw.json to change agent model
# Then restart gateway to clear sessions
launchctl kickstart -k gui/$(id -u)/ai.openclaw.gateway

[alxfoster]

Confirming this same behavior on Linux (Ubuntu Desktop v 25.10). Failure to switchover properly to secondary fallback models on rate-limit is a critical issue.

[YishenTu]

Confirming on macOS (Apple Silicon, v2026.2.15). Primary model anthropic/claude-opus-4-6 hit 429 rate limit, fallbacks configured as openai-codex/gpt-5.2 → moonshot/kimi-k2.5 → zai/glm-5 but none were tried. Gateway kept retrying the primary until all auth profiles entered cooldown, then threw FailoverError: No available auth profile for anthropic (all in cooldown or unavailable). This caused the gateway to become unresponsive and eventually crash — watchdog couldn't recover for 8+ hours. Log snippet: FailoverError: ⚠️ API rate limit reached. Please try again later.

[robertvanstedum]

Confirming with Anthropic billing exhaustion + local Ollama fallback

We experienced the identical issue today (Feb 18, 2026), but with a different trigger: Anthropic API balance hitting zero instead of rate limits.

Our Configuration

• Primary: anthropic/claude-sonnet-4-5
• Fallbacks: anthropic/claude-haiku-4-5, anthropic/claude-opus-4-5, ollama/phi:latest
• OpenClaw 2026.2.15, macOS 15.7.3 (arm64)

What Happened

Four complete lockouts in one session:

1. ~11 AM CST: Balance exhausted during updates → complete lockout
2. ~4 PM CST: Balance exhausted while investigating failure fix: add @lid format support and allowFrom wildcard handling #1 → lockout
3. ~4:22 PM CST: Balance exhausted while documenting → lockout
4. ~4:27 PM CST: Gateway token auth issue (different root cause)

Each time: No automatic failover to Ollama despite it being configured, running, and ready at localhost:11434. System entered ~5 hour circuit breaker backoff instead. Manual recovery via openclaw doctor required every time.

Key Addition to Your Findings

• Local fallbacks (Ollama) also fail to activate — not just cloud providers
• Billing exhaustion treated same as rate limits — triggers circuit breaker instead of failover
• Multiple failures compound — each lockout burned more API credits investigating the previous one

Verified Working

• Ollama responding: curl localhost:11434/api/tags ✓
• Models loaded: phi:latest, gemma3:1b ✓
• Config correct: Ollama in fallback chain ✓
• Post-doctor restart: System functional ✓

This confirms your diagnosis that failover only works at session creation, not at runtime. The circuit breaker prevents reaching any fallback (cloud or local) when the primary provider fails due to billing/rate limits.

Workaround We're Using

Enable auto-refill on Anthropic billing to avoid hitting zero while waiting for a fix.

[bradgarland30]

Confirming on macOS (Apple Silicon, v2026.2.17) + Custom Workaround

Hitting this same issue. Setup:

• Primary: anthropic/claude-sonnet-4-6
• Fallbacks: anthropic/claude-haiku-4-5, anthropic/claude-opus-4-6, google/gemini-3-flash-preview, xai/grok-4-1-fast-non-reasoning
• 4 agents running in parallel (main, skyrise, ghost, sharpe)
• OpenClaw 2026.2.17, macOS 25.3.0 (arm64)

Behavior Observed

When Anthropic hits rate limits, none of the configured fallbacks activate. All 4 agents fail with FailoverError: ⚠️ API rate limit reached. No automatic switchover occurs at runtime, consistent with what others have reported.

Workaround We Built

Since automatic failover doesn't work, we implemented a custom hybrid-failover-monitor cron job (maestro:hybrid-failover-monitor, runs every 3 minutes) that:

1. Monitors session logs for early rate limit warning signals (before hard limits hit)
2. Automatically patches the gateway config to switch all 4 agents to the next provider in the cascade
3. Restarts the gateway (~10–15 sec)
4. Sends a Telegram notification confirming the switch + reason

Failover cascade we use: anthropic → google/gemini → anthropic/claude-sonnet → anthropic/claude-opus → google/gemini-3-flash → xai/grok

Also worth noting: OpenClaw's own diagnostics correctly flags this with "flags": ["rate limit"] in the config — the detection layer seems to work; the automatic model-switching layer is what's broken.

This cron workaround functions but is obviously a hack. Native runtime failover would eliminate the need entirely.

[ruzzzz6312]

Same, on Mac OS.

[Glucksberg]

This could be relevant to what you're working on.

Several PRs appear to address this issue:

• PR fix: derive failover reason from timedOut flag to prevent unknown cooldown cascade #19267 by @austenstone — Both describe model failover not activating correctly due to incorrect error classification, causing the agent to stay on the failing primary model.
• PR fix: skip auth cooldown on timeout (not an auth failure) #20946 by @austenstone
• PR fix(agents): skip auth profile cooldown for timeout failures #22622 by @vageeshkumar

Both describe model failover not activating correctly due to incorrect error classification, causing the agent to stay on the failing primary model.

If any of these links don't look right, let me know and I'll correct them.