fix(tts): resolve TTS API keys through auth profile store

[alexey-pelykh]

Problem

TTS has its own credential resolution (resolveTtsApiKey in src/tts/tts.ts) that completely bypasses the auth profile store. This means:

• OpenAI API key in auth profiles (openai:default) is invisible to TTS
• ElevenLabs keys must be configured separately in messages.tts.elevenlabs.apiKey or ELEVENLABS_API_KEY
• No key rotation support for TTS providers
• Onboarding doesn't know TTS needs its own credential path

This is an upstream design gap — verified identical in OpenClaw (openclaw/main). Never fixed.

Current resolution (TTS)

// src/tts/tts.ts — resolveTtsApiKey (SYNC)
export function resolveTtsApiKey(
  config: ResolvedTtsConfig,
  provider: TtsProvider,
): string | undefined {
  if (provider === "elevenlabs") {
    return config.elevenlabs.apiKey || process.env.ELEVENLABS_API_KEY || process.env.XI_API_KEY;
  }
  if (provider === "openai") {
    return config.openai.apiKey || process.env.OPENAI_API_KEY;
  }
}

Current resolution (auth profiles)

// src/auth/provider-auth.ts
// resolveApiKeyForProvider: profile store → env var fallback (ASYNC)
// Already handles "openai" → OPENAI_API_KEY, "deepgram" → DEEPGRAM_API_KEY

Proposed fix

resolveTtsApiKey should use resolveApiKeyForProvider from src/auth/provider-auth.ts as the first check, before config and env vars. This is a direct import — no DI wrapper needed (STT and media-understanding already import auth profiles directly).

Resolution order (new)

resolveApiKeyForProvider (auth profile store → env var fallback)
  → Config fallback (messages.tts.{provider}.apiKey) — backwards compat only

Note: resolveApiKeyForProvider already includes env var fallback internally, so the config-embedded apiKey fields become a tertiary backwards-compat fallback only.

Implementation

import { resolveApiKeyForProvider } from "../auth/provider-auth.js";

export async function resolveTtsApiKey(
  config: ResolvedTtsConfig,
  provider: TtsProvider,
): Promise<string | undefined> {
  // Skip auth lookup for providers that don't need API keys
  if (provider === "edge") return undefined;

  // 1. Auth profile store (unified credential system)
  try {
    const auth = await resolveApiKeyForProvider({
      provider: ttsProviderToAuthProvider(provider),
    });
    if (auth.apiKey) return auth.apiKey;
  } catch {
    // no profile found — fall through
  }

  // 2. Config fallback (backwards compat)
  if (provider === "elevenlabs") {
    return config.elevenlabs.apiKey || undefined;
  }
  if (provider === "openai") {
    return config.openai.apiKey || undefined;
  }
  return undefined;
}

function ttsProviderToAuthProvider(provider: TtsProvider): string {
  // Direct 1:1 mapping — no translation needed today
  return provider;
}

Sync → async impact

resolveTtsApiKey becomes async because resolveApiKeyForProvider is async (profile store I/O). This impacts 8 call sites across 3 files, including 2 currently-sync functions that must become async:

Function	File	Calls	Currently	Impact
getTtsProvider()	src/tts/tts.ts	2	sync	Must become async — cascades to callers
isTtsProviderConfigured()	src/tts/tts.ts	1	sync	Must become async — cascades to callers
textToSpeech()	src/tts/tts.ts	1	async	Add await
tts.status handler	src/gateway/server-methods/tts.ts	2	async	Add await
tts.providers handler	src/gateway/server-methods/tts.ts	2	async	Add await
handleTtsCommands()	src/auto-reply/reply/commands-tts.ts	2	async	Add await

Provider mapping

TTS provider	Auth profile provider	Notes
openai	openai	Same API key for models and TTS
elevenlabs	elevenlabs	Requires #403 (add to auth provider system)
edge	N/A	No API key needed

Backwards compatibility

Fully backwards-compatible:

1. If auth profiles have a matching key → use it (new behavior, better)
2. If not → fall back to existing config resolution (unchanged behavior)

Depends on

• feat(auth): add ElevenLabs provider to auth profile system #403 — ElevenLabs auth provider (for elevenlabs support)

Related

• feat: unified auth + multimodal AgentRuntime — implementation plan #415 — implementation plan (Phase 6)
• research(auth+media): auth profiles and media understanding architecture #376 — auth/media research (predecessor)
• Upstream candidate: yes (adjust import path to src/agents/provider-auth.ts for OpenClaw)

[alexey-pelykh]

Update: direct import, not dependency injection

Media understanding already imports resolveApiKeyForProvider directly from agents/provider-auth.ts (in runner.ts line 5 and runner.entries.ts line 7). It also uses api-key-rotation.ts for rotating keys during vision/audio API calls.

The dependency injection approach proposed in the original issue description was over-engineered given the existing codebase patterns. TTS should just import resolveApiKeyForProvider directly, matching how media understanding does it.

Simplified implementation

// src/tts/tts.ts
import { resolveApiKeyForProvider } from "../agents/provider-auth.js";

export async function resolveTtsApiKey(
  config: ResolvedTtsConfig,
  provider: TtsProvider,
): Promise<string | undefined> {
  // 1. Auth profile store + env var fallback (unified path)
  try {
    const auth = await resolveApiKeyForProvider({
      provider: ttsProviderToAuthProvider(provider),
    });
    if (auth.apiKey) return auth.apiKey;
  } catch {
    // no profile found — fall through
  }

  // 2. TTS-specific config fallback (backwards compat)
  if (provider === "elevenlabs") {
    return config.elevenlabs.apiKey || undefined;
  }
  if (provider === "openai") {
    return config.openai.apiKey || undefined;
  }
  return undefined;
}

Note: resolveTtsApiKey becomes async (it's sync today). All callers are already in async contexts, so this is a non-breaking change.

Provider mapping

function ttsProviderToAuthProvider(provider: TtsProvider): string {
  switch (provider) {
    case "openai": return "openai";
    case "elevenlabs": return "elevenlabs";
    default: return provider;
  }
}

resolveApiKeyForProvider already handles openai → OPENAI_API_KEY env var fallback. Adding elevenlabs → ELEVENLABS_API_KEY (#403) completes the picture. The TTS-specific config fields (messages.tts.{provider}.apiKey) become a tertiary fallback for backwards compat only.

[alexey-pelykh]

Implementation validation (2026-03-08)

Implementation is complete. All spec items verified:

Item	Status
resolveTtsApiKey async + imports resolveApiKeyForProvider	✅
Resolution order: auth profile → config fallback	✅
ttsProviderToAuthProvider mapping	✅
edge provider skips auth lookup	✅
getTtsProvider() — now async	✅
isTtsProviderConfigured() — now async	✅
textToSpeech() / textToSpeechTelephony() — await added	✅
Gateway handlers (tts.status, tts.providers) — await added	✅
handleTtsCommands() — await added	✅
Cascading callers (formatVoiceModeLine, buildStatusMessage) — async	✅
Existing tests updated for async	✅

Minor gap: no dedicated tests for auth profile → config fallback precedence (covered indirectly via env var tests).