OpenClaw version
2026.3.13 (pi-ai 0.58.0 bundled)
Description
When using google-vertex as a built-in provider with gcloud ADC, all LLM calls fail with 401 API keys are not supported by this API. The root cause is in pi-ai 0.58.0 google-vertex.js provider: the resolveApiKey function receives a sentinel string indicating ADC is available and passes it as a literal API key to the Google GenAI SDK, which sends it as x-goog-api-key to the Vertex endpoint.
Steps to reproduce
- Configure google-vertex/gemini-2.5-flash as a fallback or primary model
- Set up gcloud ADC (GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_CLOUD_PROJECT, GOOGLE_CLOUD_LOCATION)
- Do NOT set GOOGLE_CLOUD_API_KEY
- Make any LLM request through the google-vertex provider
Expected: ADC/OAuth token used for authentication
Actual: sentinel string sent as API key, Vertex returns 401
Workaround
Patch node_modules/@mariozechner/pi-ai/dist/providers/google-vertex.js resolveApiKey to filter out the ADC sentinel value and return undefined instead, allowing the SDK to fall through to ADC auth.
Related
badlogic/pi-mono Discussion 2147
OpenClaw version
2026.3.13 (pi-ai 0.58.0 bundled)
Description
When using google-vertex as a built-in provider with gcloud ADC, all LLM calls fail with 401 API keys are not supported by this API. The root cause is in pi-ai 0.58.0 google-vertex.js provider: the resolveApiKey function receives a sentinel string indicating ADC is available and passes it as a literal API key to the Google GenAI SDK, which sends it as x-goog-api-key to the Vertex endpoint.
Steps to reproduce
Expected: ADC/OAuth token used for authentication
Actual: sentinel string sent as API key, Vertex returns 401
Workaround
Patch node_modules/@mariozechner/pi-ai/dist/providers/google-vertex.js resolveApiKey to filter out the ADC sentinel value and return undefined instead, allowing the SDK to fall through to ADC auth.
Related
badlogic/pi-mono Discussion 2147