[Bug]: google-vertex OAuth/service-account auth works on 2026.4.9, fails on 2026.4.10 with 401 CREDENTIALS_MISSING

[qearlyao]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After upgrading from 2026.4.9 to 2026.4.10, google-vertex requests that worked with OAuth/service-account authentication in the same environment now fail with 401 UNAUTHENTICATED / CREDENTIALS_MISSING.

Steps to reproduce

1. Configure OpenClaw to use google-vertex with OAuth/service-account authentication.
2. Verify the setup works on OpenClaw 2026.4.9 in the current environment.
3. Upgrade OpenClaw to 2026.4.10 without changing the Vertex credentials or environment.
4. Send a request through the same google-vertex setup.
5. Observe the 401 authentication failure below.
6. Downgrade back to 2026.4.9 and observe that the same setup works again.

Expected behavior

The same google-vertex OAuth/service-account setup that works on 2026.4.9 should continue to authenticate and complete requests on 2026.4.10.

Actual behavior

On 2026.4.10, google-vertex requests fail with a 401 authentication error instead of completing successfully.

OpenClaw version

2026.4.10

Operating system

Debian 12

Install method

npm global

Model

google-vertex/gemini-3.1-pro-preview, google-vertex/gemini-3-flash-preview

Provider / routing chain

openclaw -> google-vertex -> Vertex AI (aiplatform.googleapis.com)

Additional provider/model setup details

No response

Logs, screenshots, and evidence

lane task error: lane=session:agent:main:discord:channel:1426980503596175403 durationMs=67008 error="FailoverError: LLM error: {
  "error": {
    "code": 401,
    "message": "API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal. See https://cloud.google.com/docs/authentication",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "method": "google.cloud.aiplatform.v1.PredictionService.StreamGenerateContent",
          "service": "aiplatform.googleapis.com"
        }
      }
    ]
  }
}
"

Impact and severity

Affected users/systems/channels: Environments using google-vertex with OAuth/service-account authentication
Severity: High (blocks google-vertex requests in the tested setup)
Frequency: Reproduced in version comparison: fails on 2026.4.10, works on 2026.4.9 after downgrade
Consequence: google-vertex becomes unusable in the affected environment until downgraded

Additional information

This appears closely related to:

• [Bug]: google-vertex provider broken with ADC auth: "<authenticated>" sentinel passed as API key + gaxios@7.1.3 incompatible with Node 24 #48910
• google-vertex ADC auth broken: "<authenticated>" sentinel passed as literal API key → 401 #49191

[jerviscui]

same question!

[qearlyao]

same question!

My Claw did a quick fix, it works for me, hope this helps!

---

Temporary local patch for OpenClaw google-vertex ADC auth regression

Symptom

After updating OpenClaw, google-vertex/... models fail with auth errors like:

401 UNAUTHENTICATED

even though Google ADC / service-account credentials are valid.

The bug is that OpenClaw returns this internal marker as if it were a real API key:

gcp-vertex-credentials

The workaround is to patch the built OpenClaw file so Vertex ADC auth returns:

<authenticated>

instead.

---

1. Find the built auth file

If OpenClaw was installed globally with npm:

DIST="$(npm root -g)/openclaw/dist"
rg -n "gcp-vertex-credentials|resolveGoogleVertexEnvApiKey" "$DIST"

Look for a file like:

.../dist/model-auth-env-XXXXXXXX.js

On ours for 2026.4.11, it was:

/usr/lib/node_modules/openclaw/dist/model-auth-env-CUN3E4LN.js

The hashed part may differ. Don’t copy our exact filename blindly.

---

2. Back it up

Replace the file path with the one found above:

FILE="/usr/lib/node_modules/openclaw/dist/model-auth-env-CUN3E4LN.js"
cp "$FILE" "$FILE.bak.$(date +%Y%m%d-%H%M%S)"

If permission denied, use sudo.

---

3. Patch the ADC marker

Open the file and find this function:

function resolveGoogleVertexEnvApiKey(env) {
	const explicitApiKey = normalizeOptionalSecretInput(env.GOOGLE_CLOUD_API_KEY);
	if (explicitApiKey) return explicitApiKey;
	const hasProject = Boolean(env.GOOGLE_CLOUD_PROJECT || env.GCLOUD_PROJECT);
	const hasLocation = Boolean(env.GOOGLE_CLOUD_LOCATION);
	return hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? GCP_VERTEX_CREDENTIALS_MARKER : void 0;
}

Change the last line to:

	return hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? "<authenticated>" : void 0;

So the final function becomes:

function resolveGoogleVertexEnvApiKey(env) {
	const explicitApiKey = normalizeOptionalSecretInput(env.GOOGLE_CLOUD_API_KEY);
	if (explicitApiKey) return explicitApiKey;
	const hasProject = Boolean(env.GOOGLE_CLOUD_PROJECT || env.GCLOUD_PROJECT);
	const hasLocation = Boolean(env.GOOGLE_CLOUD_LOCATION);
	return hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? "<authenticated>" : void 0;
}

Optional but tidy: also find this source-label line:

source: resolved === "gcp-vertex-credentials" ? "gcloud adc" : "env"

Change it to:

source: resolved === "gcp-vertex-credentials" || resolved === "<authenticated>" ? "gcloud adc" : "env"

---

4. One-command patch version

If they want the quick and dirty version:

DIST="$(npm root -g)/openclaw/dist"
FILE="$(rg -l "function resolveGoogleVertexEnvApiKey" "$DIST"/model-auth-env-*.js | head -n 1)"

echo "Patching: $FILE"
cp "$FILE" "$FILE.bak.$(date +%Y%m%d-%H%M%S)"

perl -0pi -e 's/hasProject && hasLocation && hasGoogleVertexAdcCredentials\(env\) \? GCP_VERTEX_CREDENTIALS_MARKER : void 0/hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? "<authenticated>" : void 0/' "$FILE"

perl -0pi -e 's/resolved === "gcp-vertex-credentials" \? "gcloud adc" : "env"/resolved === "gcp-vertex-credentials" || resolved === "<authenticated>" ? "gcloud adc" : "env"/' "$FILE"

rg -n "<authenticated>|gcp-vertex-credentials" "$FILE"

If permission denied, rerun the cp / perl commands with sudo.

---

5. Restart OpenClaw

openclaw gateway restart

Or, if they manage the gateway manually/systemd, restart however their install normally restarts it.

---

6. Test

Use any small google-vertex/... model request.

For us, after the patch, this worked:

google-vertex/gemini-3-flash-preview

If it replies normally instead of throwing 401 UNAUTHENTICATED, the patch took.

---

Notes

• This is a local hotpatch, not a proper upstream fix.
• It may be overwritten by the next OpenClaw update.
• After updating again, repeat the rg step because the built filename hash may change.
• Don’t patch provider catalog / marker files first. The important file is the runtime env resolver: model-auth-env-*.js.

[akshayverma1]

@qearlyao That did it! Thanks a ton for sharing this fix! What model did you use to solve this? Just curious.

[qearlyao]

@qearlyao That did it! Thanks a ton for sharing this fix! What model did you use to solve this? Just curious.搞定了！非常感谢分享这个解决方法！请问您是用什么模型解决的？我只是好奇。

gpt-5.4 with thinking level=high 😁

[zkdekey]

same question!

My Claw did a quick fix, it works for me, hope this helps!

Temporary local patch for OpenClaw google-vertex ADC auth regression

Symptom

After updating OpenClaw, google-vertex/... models fail with auth errors like:

401 UNAUTHENTICATED

even though Google ADC / service-account credentials are valid.

The bug is that OpenClaw returns this internal marker as if it were a real API key:

gcp-vertex-credentials

The workaround is to patch the built OpenClaw file so Vertex ADC auth returns:

<authenticated>

instead.

1. Find the built auth file

If OpenClaw was installed globally with npm:

DIST="$(npm root -g)/openclaw/dist"
rg -n "gcp-vertex-credentials|resolveGoogleVertexEnvApiKey" "$DIST"
Look for a file like:

.../dist/model-auth-env-XXXXXXXX.js

On ours for 2026.4.11, it was:

/usr/lib/node_modules/openclaw/dist/model-auth-env-CUN3E4LN.js

The hashed part may differ. Don’t copy our exact filename blindly.

2. Back it up

Replace the file path with the one found above:

FILE="/usr/lib/node_modules/openclaw/dist/model-auth-env-CUN3E4LN.js"
cp "$FILE" "$FILE.bak.$(date +%Y%m%d-%H%M%S)"
If permission denied, use sudo.

3. Patch the ADC marker

Open the file and find this function:

function resolveGoogleVertexEnvApiKey(env) {
const explicitApiKey = normalizeOptionalSecretInput(env.GOOGLE_CLOUD_API_KEY);
if (explicitApiKey) return explicitApiKey;
const hasProject = Boolean(env.GOOGLE_CLOUD_PROJECT || env.GCLOUD_PROJECT);
const hasLocation = Boolean(env.GOOGLE_CLOUD_LOCATION);
return hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? GCP_VERTEX_CREDENTIALS_MARKER : void 0;
}
Change the last line to:

return hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? "" : void 0;
So the final function becomes:

function resolveGoogleVertexEnvApiKey(env) {
const explicitApiKey = normalizeOptionalSecretInput(env.GOOGLE_CLOUD_API_KEY);
if (explicitApiKey) return explicitApiKey;
const hasProject = Boolean(env.GOOGLE_CLOUD_PROJECT || env.GCLOUD_PROJECT);
const hasLocation = Boolean(env.GOOGLE_CLOUD_LOCATION);
return hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? "" : void 0;
}
Optional but tidy: also find this source-label line:

source: resolved === "gcp-vertex-credentials" ? "gcloud adc" : "env"
Change it to:

source: resolved === "gcp-vertex-credentials" || resolved === "" ? "gcloud adc" : "env"

4. One-command patch version

If they want the quick and dirty version:

DIST="$(npm root -g)/openclaw/dist"
FILE="$(rg -l "function resolveGoogleVertexEnvApiKey" "$DIST"/model-auth-env-*.js | head -n 1)"

echo "Patching: $FILE"
cp "$FILE" "$FILE.bak.$(date +%Y%m%d-%H%M%S)"

perl -0pi -e 's/hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? GCP_VERTEX_CREDENTIALS_MARKER : void 0/hasProject && hasLocation && hasGoogleVertexAdcCredentials(env) ? "" : void 0/' "$FILE"

perl -0pi -e 's/resolved === "gcp-vertex-credentials" ? "gcloud adc" : "env"/resolved === "gcp-vertex-credentials" || resolved === "" ? "gcloud adc" : "env"/' "$FILE"

rg -n "|gcp-vertex-credentials" "$FILE"
If permission denied, rerun the cp / perl commands with sudo.

5. Restart OpenClaw

openclaw gateway restart
Or, if they manage the gateway manually/systemd, restart however their install normally restarts it.

6. Test

Use any small google-vertex/... model request.

For us, after the patch, this worked:

google-vertex/gemini-3-flash-preview

If it replies normally instead of throwing 401 UNAUTHENTICATED, the patch took.

Notes

• This is a local hotpatch, not a proper upstream fix.
• It may be overwritten by the next OpenClaw update.
• After updating again, repeat the rg step because the built filename hash may change.
• Don’t patch provider catalog / marker files first. The important file is the runtime env resolver: model-auth-env-*.js.

appreciate bro! It also works for me!

[qearlyao]

also confirmed this no-code method works: #48479 (comment)
that way you won't need to re-apply the patches after an update!

[vincentkoc]

Closing as a duplicate of the Vertex ADC auth fix tracked through #47304. The current mainline path detects GOOGLE_APPLICATION_CREDENTIALS + project/location, and pi-ai 0.70.2 from #71105 treats the ADC markers as authenticated state rather than literal API keys.