google-vertex ADC broken: '<authenticated>' marker passed as apiKey to @google/genai SDK

[seperman-dev]

Bug Description

Google Vertex AI with Application Default Credentials (ADC) fails with 401 UNAUTHENTICATED since OpenClaw 2026.3.13 / pi-ai 0.58.0 / @google/genai 1.45.0.

The <authenticated> sentinel value returned by pi-ai's getEnvApiKey("google-vertex") is passed as a literal API key to the @google/genai SDK, which bypasses ADC token exchange and sends the string <authenticated> as an x-goog-api-key header to aiplatform.googleapis.com.

Root Cause

Two layers contribute to the bug:

Layer 1: pi-ai env-api-keys.js

When GOOGLE_APPLICATION_CREDENTIALS + GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_LOCATION are all set, getEnvApiKey("google-vertex") returns the marker string "<authenticated>":

// pi-ai/dist/env-api-keys.js
if (hasCredentials && hasProject && hasLocation) {
    return "<authenticated>";
}

Layer 2: OpenClaw reply-*.js — resolveEnvApiKey()

OpenClaw calls getEnvApiKey() and blindly passes the result as apiKey:

// openclaw/dist/reply-Bm8VrLQh.js line ~36942
if (normalized === "google-vertex") {
    const envKey = getEnvApiKey(normalized);  // returns "<authenticated>"
    if (!envKey) return null;
    return {
        apiKey: envKey,    // "<authenticated>" treated as a real key!
        source: "gcloud adc"
    };
}

Layer 3: pi-ai google-vertex.js

The correctly-implemented google-vertex.js provider checks options.apiKey:

function resolveApiKey(options) {
    return options?.apiKey || process.env.GOOGLE_CLOUD_API_KEY;
}

const client = apiKey
    ? createClientWithApiKey(model, apiKey, ...)   // ← takes this path with "<authenticated>"!
    : createClient(model, project, location, ...); // ← should take this ADC path

Since options.apiKey is "<authenticated>" (truthy), it uses createClientWithApiKey() which passes apiKey: "<authenticated>" to new GoogleGenAI({ vertexai: true, apiKey: "<authenticated>" }).

Layer 4: @google/genai SDK 1.45.0

The SDK constructor sees apiKey is set and clears project/location:

if ((envProject || envLocation) && options.apiKey) {
    console.debug('The user provided Vertex AI API key will take precedence...');
    this.project = undefined;
    this.location = undefined;
}

Then sends <authenticated> as x-goog-api-key header → Google returns 401.

Expected Behavior

When ADC is configured (service account JSON + project + location), OpenClaw should:

1. NOT pass "<authenticated>" as apiKey to pi-ai stream options
2. Let google-vertex.js's resolveApiKey() return undefined
3. Which correctly invokes createClient() with vertexai: true + project + location

Suggested Fix

In resolveEnvApiKey() (OpenClaw side), when the provider is google-vertex and the env key is the <authenticated> marker, return null (or omit apiKey) so the pi-ai google-vertex provider falls through to the ADC path:

if (normalized === "google-vertex") {
    const envKey = getEnvApiKey(normalized);
    if (!envKey) return null;
    // Don't pass the marker as an actual apiKey
    if (envKey === "<authenticated>") {
        return { apiKey: undefined, source: "gcloud adc" };
    }
    return { apiKey: envKey, source: "gcloud adc" };
}

Alternatively, pi-ai's google-vertex.js should filter out the <authenticated> marker in resolveApiKey().

Environment

• OpenClaw: 2026.3.13 (61d171a)
• pi-ai: 0.58.0
• @google/genai: 1.45.0
• Node.js: v24.14.0
• OS: macOS (darwin)
• Auth: Service account JSON via GOOGLE_APPLICATION_CREDENTIALS
• gcloud ADC: Working (gcloud auth application-default print-access-token succeeds)

Reproduction

1. Configure Google Vertex AI with service account ADC:

   GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
   GOOGLE_CLOUD_PROJECT=my-project
   GOOGLE_CLOUD_LOCATION=global
   

2. Set default model to google-vertex/gemini-3-flash-preview
3. Run openclaw models status --probe
4. Observe 401: "API keys are not supported by this API. Expected OAuth2 access token"
5. The warning "The user provided Vertex AI API key will take precedence" confirms the SDK received an API key instead of ADC credentials

[Ryce]

The <authenticated> sentinel passing through as a literal API key is a textbook credential drift case. You configured ADC correctly (GOOGLE_APPLICATION_CREDENTIALS + GOOGLE_CLOUD_PROJECT all set), but pi-ai returns a marker string that the @google/genai SDK treats as an actual API key — bypassing the entire ADC token exchange.

This is the same class of silent failure that keeps showing up: credentials are stored and configured correctly, but somewhere in the pipeline they get mutated, overridden, or misinterpreted. The user thinks auth is working because the config looks right. The actual runtime path is using <authenticated> as an API key string.

A credential state snapshot would show: what credentials are stored, what environment variables are set, what the SDK actually receives at runtime. Right now you have to instrument the SDK itself to see the mutation. The gap between "configured correctly" and "working at runtime" is where all these auth bugs hide.

[ordiy]

Additional reproduction: upgraded from 2026.3.2, macOS + Homebrew npm global

Confirming this regression on OpenClaw 2026.3.13 (61d171a) after upgrading from 2026.3.2.

Environment

Field	Value
OpenClaw	2026.3.13 (61d171a)
pi-ai	0.58.0
Node.js	v25.8.0
OS	macOS (darwin)
Install method	npm global via Homebrew
Model	google-vertex/gemini-2.5-flash
Auth	Service account JSON via GOOGLE_APPLICATION_CREDENTIALS
GOOGLE_CLOUD_LOCATION	global

Config (redacted)

{
  "env": {
    "GOOGLE_APPLICATION_CREDENTIALS": "/path/to/service-account.json",
    "GOOGLE_CLOUD_PROJECT": "<redacted>",
    "GOOGLE_CLOUD_LOCATION": "global"
  },
  "agents": {
    "defaults": {
      "model": { "primary": "google-vertex/gemini-2.5-flash" }
    }
  }
}

Observed error

The user provided Vertex AI API key will take precedence over the project/location from the environment variables.
error=LLM error: {
  "error": {
    "code": 401,
    "message": "API keys are not supported by this API. Expected OAuth2 access token...",
    "status": "UNAUTHENTICATED",
    "details": [{ "reason": "CREDENTIALS_MISSING" }]
  }
}

Local workaround applied

Patched @mariozechner/pi-ai/dist/providers/google-vertex.js resolveApiKey() to intercept the sentinel:

function resolveApiKey(options) {
    // "<authenticated>" is a sentinel from getEnvApiKey() indicating ADC is configured.
    // Must NOT be passed as an actual API key — doing so causes 401.
    const key = options?.apiKey;
    if (key === "<authenticated>") return undefined;
    return key || process.env.GOOGLE_CLOUD_API_KEY;
}

This restores ADC behavior. Workaround is confirmed working.

[vincentkoc]

This is the same ADC marker leak tracked in #47304. Current main plus #71105 resolves the marker path correctly: gcp-vertex-credentials / <authenticated> are authentication sentinels, not API keys. Closing as duplicate.