OpenAI Realtime browser session sends unresolved keychain SecretRef as API key

[ctbritt]

Summary

OpenAI Realtime / Talk browser-session auth appears to read process.env.OPENAI_API_KEY directly and can pass an unresolved SecretRef string to OpenAI instead of resolving it first.

In a macOS Keychain-backed setup where the gateway LaunchAgent environment contains:

OPENAI_API_KEY=keychain:openclaw:OPENAI_API_KEY

Realtime browser session creation fails with OpenAI receiving the literal/placeholder value rather than the resolved sk-... key.

Observed behavior

talk.realtime.session fails with:

OpenAI Realtime browser session failed (401): Incorrect API key provided: keychain********************_KEY
[type=invalid_request_error, code=invalid_api_key]

The same Keychain entry resolves successfully via:

security find-generic-password -s openclaw -a OPENAI_API_KEY -w

and direct OpenAI API probes with the resolved value succeed, so this is not an invalid OpenAI key.

Likely cause

In the installed 2026.4.24 runtime, the OpenAI Realtime provider path uses roughly:

const apiKey = config.apiKey || process.env.OPENAI_API_KEY;

before POSTing to:

https://api.openai.com/v1/realtime/client_secrets

normalizeProviderConfig() correctly uses normalizeResolvedSecretInputString() for provider config apiKey, but the process.env.OPENAI_API_KEY fallback is not SecretRef-aware. If OpenClaw-managed launch env intentionally stores keychain refs rather than plaintext values, this fallback path passes the unresolved ref to OpenAI.

The same pattern also appears in the realtime voice bridge creation path.

Expected behavior

OpenAI Realtime should resolve supported SecretRef/env/keychain references before using the API key, or fail locally with a clear unresolved-secret error instead of sending the placeholder to OpenAI.

Ideally:

• plugins.entries.voice-call.config.realtime.providers.openai.apiKey SecretRefs are resolved before use.
• process.env.OPENAI_API_KEY fallback treats known OpenClaw SecretRef forms, such as keychain:openclaw:OPENAI_API_KEY, as references to resolve rather than literal keys.
• The resolved key should be cached in-process for the gateway lifetime/session rather than calling Keychain on every Realtime request.
• Plaintext secrets should not be written to openclaw.json or LaunchAgent plists as the workaround.

Environment

• OpenClaw: 2026.4.24
• macOS LaunchAgent-managed gateway
• Node: 25.9.0
• OpenAI Realtime browser session / Talk path
• Secrets stored in macOS Keychain and exposed to OpenClaw launch env as keychain:openclaw:<NAME> refs

Local workaround tested

A local hot patch resolved keychain:<service>:<account> via /usr/bin/security find-generic-password ... -w, cached the result in-process, and used that resolved value in both:

• Realtime browser session creation
• Realtime voice bridge creation

That eliminated the obvious broken code path without writing plaintext secrets to disk.

[ctbritt]

Follow-up: verified the local hot patch against the live Realtime path.

What was patched locally in realtime-voice-provider-BIA7LItQ.js:

• Added a resolver for keychain:<service>:<account> SecretRef-style env values using macOS /usr/bin/security find-generic-password ... -w.
• Added an in-process Map cache so Keychain is resolved once per gateway process/ref, not on every Realtime request.
• Updated both API key use sites to call the resolver:
  • Realtime browser session creation before POSTing to /v1/realtime/client_secrets
  • Realtime voice bridge creation

Verification:

node --check realtime-voice-provider-BIA7LItQ.js

passed.

Patch anchors confirmed in the installed runtime:

import { execFileSync } from "node:child_process";
const resolvedKeychainSecretRefCache = new Map();
function resolveOpenAIRealtimeApiKey(value) { ... }
const apiKey = resolveOpenAIRealtimeApiKey(config.apiKey || process.env.OPENAI_API_KEY);

The gateway LaunchAgent environment still contains the unresolved ref:

OPENAI_API_KEY => keychain:openclaw:OPENAI_API_KEY

After the patch, a live Realtime session succeeded:

2026-04-26T06:58:37.810-04:00 [ws] ⇄ res ✓ talk.realtime.session 3971ms

Before the patch, the same path failed with the OpenAI 401 Incorrect API key provided: keychain********************_KEY error. So this strongly confirms the failure is the unresolved SecretRef env fallback, and resolving/caching the key before use fixes the Realtime browser-session path without writing plaintext secrets to config or LaunchAgent plists.

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Issue #72120 is a real current-main bug report, but the same remaining work is already tracked by open PR #72126, which explicitly says it fixes #72120 and targets the same OpenAI realtime voice provider API-key paths. Current main still reads process.env.OPENAI_API_KEY directly for both talk.realtime.session browser client-secret creation and realtime voice bridge creation, while PR #72126 is the canonical active fix attempt for resolving and caching keychain refs before those uses.

Best possible solution:

Close #72120 as superseded by the canonical active fix PR #72126, and keep the actual code/test review focused there. The best product outcome is to land a provider-local resolver/cache for OpenAI realtime API keys, covering both browser client-secret creation and server-side voice bridge creation, with regression tests for keychain:<service>:<account> env fallback behavior.

What I checked:

• Current main browser-session path still uses raw env fallback: createOpenAIRealtimeBrowserSession() normalizes configured provider config, then falls back to process.env.OPENAI_API_KEY directly and sends that value in the Authorization header to /v1/realtime/client_secrets. This matches the reported unresolved SecretRef failure path and confirms the fix is not already on main. (extensions/openai/realtime-voice-provider.ts:596, 4e181d30fa6f)
• Current main voice-bridge path still uses raw env fallback: buildOpenAIRealtimeVoiceProvider().createBridge() also computes const apiKey = config.apiKey || process.env.OPENAI_API_KEY and passes it into OpenAIRealtimeVoiceBridge, matching the issue's second reported use site. (extensions/openai/realtime-voice-provider.ts:674, 4e181d30fa6f)
• SecretRef helper behavior explains the gap: The shared secret-input helper throws for unresolved structured SecretRefs in strict mode, but the realtime env fallback bypasses that helper entirely because a non-empty string from process.env.OPENAI_API_KEY is treated as available input. (src/config/types.secrets.ts:174, 4e181d30fa6f)
• Existing tests do not cover the reported keychain/env fallback: The current realtime voice provider tests cover provider-owned voice config, websocket readiness, audio draining, and early close behavior, but there is no test for resolving keychain:<service>:<account> or rejecting unresolved env fallback API keys. (extensions/openai/realtime-voice-provider.test.ts:65, 4e181d30fa6f)
• Canonical active PR: Provided GitHub context shows open PR fix(openai): resolve keychain refs for realtime API keys #72126, fix(openai): resolve keychain refs for realtime API keys, explicitly says Fixes #72120, changes only extensions/openai/realtime-voice-provider.test.ts/provider scope according to the compact PR metadata, and states it resolves keychain:<service>:<account> refs with an in-process cache for both browser session creation and voice bridge creation. PR head SHA: 08b22aa. (08b22aa3925f)
• Reporter live verification supports the canonical fix: The issue comment reports that a local hot patch adding the same resolver/cache made talk.realtime.session succeed while the LaunchAgent env still contained OPENAI_API_KEY => keychain:openclaw:OPENAI_API_KEY, confirming PR fix(openai): resolve keychain refs for realtime API keys #72126 is tracking the observed product problem rather than an unrelated cleanup.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 4e181d30fa6f.