[Bug]: No documentation or setup path for custom provider auth in isolated cron sessions

[liaoandi]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

When using sessionTarget: isolated cron jobs with a custom model provider (e.g. a company-internal LLM proxy), the isolated agent silently fails with No API key found for provider "<custom-provider>" — with no actionable setup path.

The root issue is a combination of three problems:

1. auth-profiles.json format for custom providers is undocumented. The type field accepts "oauth" or "token", but this is not documented anywhere. Trial-and-error through "api_key", "bearer", "static", etc. all fail with invalid_type — no error message indicates what values are valid.

2. openclaw models auth paste-token requires an interactive TTY. It cannot be scripted or used non-interactively, making it impossible to configure auth programmatically or via automation.

3. The isolated agent gives no setup guidance. The error message says "Configure auth for this agent (openclaw agents add ) or copy auth-profiles.json from the main agentDir" — but openclaw agents add does not have a subcommand for adding auth to an existing agent, and copying the file does not help if the format is wrong.

Steps to reproduce

1. Configure a cron job with sessionTarget: isolated and a custom provider (e.g. my-proxy/gpt-4) in models.json
2. Trigger the cron job
3. Observe: FallbackSummaryError: All models failed: No API key found for provider "my-proxy"
4. Try to fix: openclaw models auth paste-token --provider my-proxy → requires TTY, fails in automation
5. Try to fix manually: add entry to auth-profiles.json with type: "api_key" → invalid_type error, no hint on valid values
6. The only working format (type: "token", field name token not key) must be discovered by reading minified source code

Expected behavior

• The paste-token command should work non-interactively via --token flag or stdin
• Valid type values should be documented or listed in the error message
• auth-profiles.json schema should be documented in the official docs

Environment

• OpenClaw version: 2026.4.5
• macOS 26.4

Additional context

The type: "token" format with field token (not key) was discovered by reading profiles-DKQdaSwr.js:

type === "token" ? { ...credential, token: normalizeSecretInput(credential.token) }

This should not be necessary.

🤖 Generated with Claude Code

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Issue #63042 is not implemented on current main, but it is fully superseded by the already-linked open PR #63050 from the same reporter. That PR is the canonical active implementation track for the remaining paste-token --token non-interactive path and invalid auth-profile type diagnostics.

Best possible solution:

Close #63042 as superseded by #63050 and keep the remaining work on that PR: land or replace it with an equivalent maintainer patch that adds the non-interactive paste-token --token path, preserves provider-specific validation, reports accepted auth-profile types for invalid entries, and adds focused CLI/auth-profile tests or docs if maintainers want that extra coverage.

What I checked:

• Current CLI still lacks --token on paste-token: On current main, the models auth paste-token command registers --provider, --profile-id, and --expires-in, then forwards only those fields to modelsAuthPasteTokenCommand; there is no --token option in the shipped CLI registration. (src/cli/models-cli.ts:339, b565e6e96310)
• Current command still prompts interactively: modelsAuthPasteTokenCommand currently accepts only provider/profile/expiry options and always calls the interactive text() prompt for the token, so the reported non-interactive setup gap remains on main. (src/commands/models/auth.ts:374, b565e6e96310)
• Current invalid_type warning lacks valid types: warnRejectedCredentialEntries logs source, dropped count, reasons, and keys, but does not include validTypes when entries are rejected with invalid_type. (src/agents/auth-profiles/persisted.ts:87, b565e6e96310)
• Current credential types are known in source: The auth-profile type contract includes api_key, token, and oauth, and token credentials use the token/tokenRef fields. This confirms the linked PR is addressing diagnostics and setup UX, not an unknown schema question. (src/agents/auth-profiles/types.ts:18, b565e6e96310)
• Canonical linked PR tracks the exact remaining work: GitHub PR fix(auth): document stdin paste-token setup and surface validTypes #63050 is open, non-draft, authored by the issue reporter, says Fixes #63042, and its diff adds --token, forwards it to modelsAuthPasteTokenCommand, skips the prompt when supplied, validates empty/Anthropic token values, and adds validTypes to invalid-type warnings. (289bca318e5d)
• PR discussion has already handled review feedback: Review comments on fix(auth): document stdin paste-token setup and surface validTypes #63050 flagged Anthropic validation and empty-token handling in the new non-interactive path; later commits in the PR address those exact review points, leaving the PR as the focused place to finish validation and tests. (289bca318e5d)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against b565e6e96310.

[steipete]

Fixed on main by #63050.

• Merge commit: 085228c96177bdca3ee66a2f06b643f6ce7c1388
• Proof: GitHub CI run 26498853020 success and Real behavior proof run 26499181774 success on PR head 3b8f5adadbd704e01a70f1d9bf58ffbc21e6994f.
• Result: models auth paste-token stdin automation is documented, argv token ingestion remains absent, and invalid auth-profile warnings now include accepted validTypes.