google-vertex ADC auth broken: "<authenticated>" sentinel passed as literal API key → 401

[pdd-cli]

Bug

google-vertex models using Application Default Credentials (ADC) — via GOOGLE_APPLICATION_CREDENTIALS service account key or gcloud auth application-default login — fail with 401 UNAUTHENTICATED:

API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal.

Root Cause

pi-ai's getEnvApiKey("google-vertex") returns the string "<authenticated>" as a sentinel when ADC environment variables are configured (GOOGLE_APPLICATION_CREDENTIALS + GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_LOCATION). This sentinel is meant to signal "auth is available" for model discovery, but it flows into the google-vertex provider as a literal API key through two independent paths:

Path 1: openclaw's resolveEnvApiKey

resolveEnvApiKey("google-vertex") in src/agents/model-auth.ts calls getEnvApiKey("google-vertex") → returns { apiKey: "<authenticated>", source: "gcloud adc" } → resolveApiKeyForProvider returns it with mode: "api-key" → applyApiKeyInfo calls authStorage.setRuntimeApiKey("google-vertex", "<authenticated>").

Path 2: pi-ai's internal AuthStorage.getApiKey fallback

Even without Path 1, pi-coding-agent's AuthStorage.getApiKey("google-vertex") falls back to getEnvApiKey("google-vertex") → returns "<authenticated>" → passed as options.apiKey to the provider.

Both paths end the same way

The google-vertex provider's resolveApiKey(options) returns options.apiKey ("<authenticated>", truthy) → calls createClientWithApiKey(model, "<authenticated>") → sends x-goog-api-key: <authenticated> header → Vertex AI rejects with 401.

The correct path would be resolveApiKey returning undefined → createClient(model, project, location) → uses GoogleAuth with GOOGLE_APPLICATION_CREDENTIALS → real OAuth Bearer token → 200.

Breaking Commits

1. bce62f8c0f (2026-01-05) — pi-ai upgrade to ^0.36.0 which introduced the "<authenticated>" sentinel in getEnvApiKey("google-vertex")
2. b04c838c15e (2026-01-06) — feat!: redesign model config + auth profiles which added the resolveEnvApiKey google-vertex block that passes the sentinel through Path 1

Before these commits, getEnvApiKey("google-vertex") returned undefined, so the provider always took the ADC path.

Environment

• Node.js 25.6.1
• @mariozechner/pi-ai 0.58.0
• @mariozechner/pi-coding-agent 0.58.0
• macOS with launchd-managed gateway
• GOOGLE_APPLICATION_CREDENTIALS pointing to a valid service account JSON key

Ideal upstream fix

The root fix belongs in @mariozechner/pi-ai: getEnvApiKey should not return "<authenticated>" from AuthStorage.getApiKey (or the google-vertex provider should recognize and strip the sentinel). Until then, openclaw needs a workaround.

[Hollychou924]

Analysis: google-vertex ADC sentinel "" flows through as literal API key

Root cause clearly identified in your report — two code paths both resolve the sentinel:

1. resolveEnvApiKey("google-vertex") → returns { apiKey: "<authenticated>", source: "gcloud adc" } → stored as runtime API key
2. AuthStorage.getApiKey("google-vertex") fallback → same sentinel → passed as options.apiKey

Both paths end with createClientWithApiKey(model, "<authenticated>") → Vertex rejects 401.

The correct flow: when ADC is configured, resolveApiKey should return undefined → createClient(model, project, location) → GoogleAuth picks up GOOGLE_APPLICATION_CREDENTIALS → real OAuth Bearer token.

OpenClaw-side workaround (until pi-ai upstream fix):

In src/agents/model-auth.ts, detect and strip the sentinel before treating it as a real API key:

// In resolveEnvApiKey / resolveApiKeyForProvider for google-vertex:
const result = getEnvApiKey('google-vertex');
if (result?.apiKey === '<authenticated>') {
  // ADC sentinel — do NOT store as API key, let provider use GoogleAuth
  return { mode: 'adc', source: result.source };
}

And in applyApiKeyInfo, skip authStorage.setRuntimeApiKey when mode is 'adc'.

In the google-vertex provider adapter:

function resolveApiKey(options) {
  const key = options.apiKey;
  // Strip ADC sentinel — not a real key
  if (key === '<authenticated>') return undefined;
  return key;
}

Why this matters: This is a clean sentinel-bleed bug — a string that means "auth is available" in one context (model discovery) is being passed unchanged into a different context (HTTP auth header) where it's interpreted as a literal key. The fix needs to happen at the boundary between the two contexts, not just in one place.

[Artyomkun]

@Hollychou924, this is exactly why I built config-resolver and auth-types in my fork.

The sentinel "" is a stringly-typed hack that was never meant to cross component boundaries. But because OpenClaw has no typed contracts between components, it leaks everywhere.

The real fix isn't patching resolveEnvApiKey — it's moving to a proper auth state type:

type AuthState = 
  | { kind: 'api-key'; key: string }
  | { kind: 'adc'; project: string; location: string }
  | { kind: 'none' };

Then the resolver returns AuthState, not string | undefined. The provider checks auth.kind and acts accordingly.

This is the same problem as #48204 (session keys), #48427 (config sources), #48854 (model IDs). Until OpenClaw adopts typed boundaries, sentinels will keep leaking.

My fork (global-architecture branch) already has this pattern implemented in config-resolver and auth-types. Happy to open a PR if there's interest. 🔧

[Artyomkun]

Comment:

@hailmary-ship-it, this isn't a gemini streaming issue — it's a systemic design flaw. The sentinel "" is being passed through multiple layers because there's no type-safe boundary between auth discovery and auth usage.

The fix isn't a one-liner in ai-doctor. It's adopting typed auth states across the entire auth pipeline. My global-architecture branch already has this. Let's fix it properly. 🔧

[GMTekAI]

Traced the full sentinel flow against current main. Here's what the source actually shows:

Confirmed: sentinel origin

node_modules/@mariozechner/pi-ai/dist/env-api-keys.js:58-64 — when hasVertexAdcCredentials() is true and GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_LOCATION are set, getEnvApiKey("google-vertex") returns the literal string "<authenticated>".

src/agents/model-auth.ts:351-357 — resolveEnvApiKey("google-vertex") wraps this without any guard:

return { apiKey: envKey, source: "gcloud adc" };

So ResolvedProviderAuth.apiKey is the literal string "<authenticated>".

Confirmed: sentinel stored as runtime key

src/agents/pi-embedded-runner/run.ts:629:

authStorage.setRuntimeApiKey(model.provider, apiKeyInfo.apiKey);

This stores "<authenticated>" in AuthStorage.runtimeOverrides (no guard before the call).

node_modules/@mariozechner/pi-coding-agent/dist/core/auth-storage.js:362-364 — runtime overrides have highest priority in getApiKey(), so every subsequent authStorage.getApiKey("google-vertex") returns "<authenticated>".

Confirmed: sentinel reaches the stream call

node_modules/@mariozechner/pi-agent-core/dist/agent-loop.js:150-153:

const resolvedApiKey = (config.getApiKey ? await config.getApiKey(config.model.provider) : undefined) || config.apiKey;
streamFunction(config.model, llmContext, { ...config, apiKey: resolvedApiKey, signal });

So options.apiKey = "<authenticated>" is passed to streamSimpleGoogleVertex.

Where Hollychou924's diagnosis diverges from what actually happens

node_modules/@mariozechner/pi-ai/dist/providers/google-vertex.js:247-259 — createClient() builds new GoogleGenAI({ vertexai: true, project, location, apiVersion, httpOptions }) with no apiKey field. The options.apiKey parameter is never read inside streamGoogleVertex or createClient. The @google/genai SDK handles ADC transparently for Vertex AI. No Authorization: Bearer <authenticated> header is constructed by this code path.

So the 401 is not caused by the sentinel flowing into an HTTP header via the built-in google-vertex provider path. The actual failure mode is different: "<authenticated>" is a meaningless truthy value that the rest of the auth machinery treats as a real resolved key. It passes the if (!apiKeyInfo.apiKey) guard at run.ts:607, it bypasses isNonSecretApiKeyMarker() (which has no entry for "<authenticated>" in src/agents/model-auth-markers.ts), and gets stored in the runtime overrides map. If anything downstream calls requireApiKey() or passes this value to a non-Vertex stream after a provider swap, it emits the literal string.

Second code path (models-config.providers.ts) — does not trigger

src/agents/models-config.providers.ts:90-100 — resolveEnvApiKeyVarName("google-vertex") calls resolveEnvApiKey, gets source: "gcloud adc", then the regex /^(?:env: |shell env: )([A-Z0-9_]+)$/ does not match "gcloud adc" and returns undefined. This path does not inject "<authenticated>" into the provider config.

Root cause and minimal fix surface

Two unguarded points:

1. src/agents/model-auth.ts:351-357 — when getEnvApiKey(normalized) returns "<authenticated>", resolveEnvApiKey should return null (or a result with no apiKey and mode: "adc") rather than forwarding the sentinel as a real key value.

2. src/agents/pi-embedded-runner/run.ts:607 — the applyApiKeyInfo block should guard against the sentinel before calling setRuntimeApiKey. A check for apiKeyInfo.apiKey === "<authenticated>" (or a named constant) before line 629 would prevent it from polluting the runtime overrides map.

No architectural rewrite needed — two guard points in two existing functions.

🤖 Triage via GMTekAI with Claude + Codex

[Artyomkun]

Comment:

@GMTekAI, thanks for the deep trace — I didn't realize the sentinel wasn't actually reaching the HTTP layer. That changes the severity, but not the root cause.

The fact that it's still polluting runtime state means it's a time bomb, not an active 401. If the provider ever changes or something downstream calls requireApiKey(), it will leak.

So the problem is still architectural:

The system treats everything as string | undefined. A sentinel, a real key, and "no auth" are all the same type. That's why this keeps happening — #48204 (session keys), #48427 (config sources), #49191 (auth), all the same.

Your minimal fix (two guard points) is practical. I'd support merging it. But the class of bugs will keep appearing until we have typed boundaries between components.

Thanks again for the detailed analysis. 🔧

[Hollychou924]

Analysis: google-vertex ADC auth broken — "" sentinel leaks as literal API key

The report nails the root cause precisely. This is a multi-path sentinel contamination bug. Let me add the OpenClaw-side workaround path since the upstream pi-ai fix may take time:

The sentinel contract is broken at two levels:

1. Semantic contract: "<authenticated>" was designed as an opaque signal ("ADC is available"), not a value to pass to providers. But resolveEnvApiKey treats any truthy return from getEnvApiKey as a real API key and stores it.

2. Type contract: The google-vertex provider's resolveApiKey should distinguish between "user provided an API key" vs "ADC is configured" — but it just checks truthiness on options.apiKey.

OpenClaw-side fix (without waiting for pi-ai upstream):

In src/agents/model-auth.ts (or wherever resolveEnvApiKey is called for google-vertex), add a sentinel guard:

const resolved = resolveEnvApiKey('google-vertex');
// Guard against pi-ai's ADC sentinel leaking as a literal key
if (resolved?.apiKey && resolved.apiKey.startsWith('<') && resolved.apiKey.endsWith('>')) {
  // This is a sentinel value, not a real key — skip api-key mode
  return { mode: 'adc', source: resolved.source };
}

In the google-vertex provider's resolveApiKey:

function resolveApiKey(options) {
  const key = options.apiKey;
  // Reject sentinel values — they signal ADC availability, not a real key
  if (!key || key.startsWith('<') && key.endsWith('>')) {
    return undefined; // → falls through to GoogleAuth / ADC path
  }
  return key;
}

Why the sentinel approach is fragile: Any provider that receives a sentinel through apiKey will fail this way. The fix should be generalized — not just for google-vertex. Consider a typed discriminated union at the getEnvApiKey return type level: { type: 'key', value: string } | { type: 'adc' } | { type: 'none' } — then providers can't accidentally treat ADC signals as API keys.

[Artyomkun]

Comment:

The direction is: stop treating auth as strings. Move to a typed state at every boundary:

• getEnvApiKey → returns AuthState, not string
• resolveEnvApiKey → passes AuthState through
• Providers check the type before acting

Then sentinels become impossible, not just guarded.

That's the direction. 🔧

[Artyomkun]

Comment:

The root cause is simple: OpenClaw sees "<authenticated>" and treats it as a real API key. But it's not a key — it's a signal that ADC is available.

The fix:

Step 1. Check ADC prerequisites

function hasValidADC(): boolean {
  return process.env.GOOGLE_APPLICATION_CREDENTIALS &&
         process.env.GOOGLE_CLOUD_PROJECT &&
         process.env.GOOGLE_CLOUD_LOCATION;
}

Step 2. Treat signal as signal, not key

const result = getEnvApiKey('google-vertex');
if (result === '<authenticated>' && hasValidADC()) {
  // This is not a key — use ADC mode
  return { mode: 'adc' };
}

Step 3. Provider checks mode, not just truthiness

function createClient(auth) {
  if (auth.mode === 'adc') {
    return new GoogleGenAI({ vertexai: true, project, location });
  }
  return new GoogleGenAI({ apiKey: auth.key });
}

That's it. No type unions, no big refactor — just check what's actually there. 🔧

[GMTekAI]

Quick clarification for the thread since it's getting long.

To Artyomkun — your concern about future leakage risk is valid. The sentinel bypassing isNonSecretApiKeyMarker() (src/agents/model-auth-markers.ts) and sitting in the runtime overrides map is a real problem — just not an active 401. Typed auth states would eliminate this class of issue permanently and are a reasonable long-term direction. That said, the immediate fix surface is two guard points in src/agents/model-auth.ts:351–357 and src/agents/pi-embedded-runner/run.ts:607 — adding a sentinel check before writing to runtimeOverrides costs one line and unblocks users today. The architectural refactor and the guard are not mutually exclusive.

To Hollychou924 — the Bearer-token-as-literal-API-key path we both traced doesn't fire for google-vertex. streamGoogleVertex in node_modules/@mariozechner/pi-ai/dist/providers/google-vertex.js:247–259 creates new GoogleGenAI({ vertexai: true, project, location }) with no apiKey field — options.apiKey is never read by that path. ADC is handled internally by @google/genai. The real harm is the runtime overrides map contamination, not an HTTP 401.

🤖 Triage via GMTekAI with Claude + Codex

[Artyomkun]

@GMTekAI, perfect summary — thank you.

The two‑guard fix unblocks users today. The typed‑state direction kills the whole class of bugs forever. Both matter.

Glad we're all on the same page. 🔧

[Hung2124]

OpenClaw google-vertex Issue (v2026.3.13)

I hit what looks like the same google-vertex problem on OpenClaw 2026.3.13.

---

Environment

• OpenClaw: 2026.3.13

• Host: Ubuntu 24.04 VPS

• Provider: google-vertex

• Models tested:

  • google-vertex/gemini-3.1-pro-preview
  • google-vertex/gemini-3-flash-preview

• Auth method: Google ADC via gcloud auth application-default login

---

Same symptom

I initially got:

401
API keys are not supported by this API.
Expected OAuth2 access token or other authentication credentials that assert a principal.

This happened even though the machine was configured to use ADC, not an API key.

---

Workaround

In my case, the effective workaround was patching the bundled provider runtime under:

/usr/lib/node_modules/openclaw/node_modules/@mariozechner/pi-ai/dist/providers/google-vertex.js

After that, direct google-vertex model calls started working again.

---

Additional failure mode

After getting past the 401, I also hit a second issue where OpenClaw failed with:

No credentials found for profile "google-vertex:default"

I opened a separate issue for that because it seems related but distinct:

google-vertex fails with "No credentials found for profile google-vertex:default" even when ADC is valid

---

Notes

If needed, I can provide sanitized logs and config

[gaiterjones]

Confirm manually patching resolveApiKey fixes this issue. Vertex AI working in 2026.3.14