Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix [Bug]: google-vertex provider broken with ADC auth: "<authenticated>" sentinel passed as API key + [email protected] incompatible with Node 24 [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#48910Fetched 2026-04-08 00:51:10
View on GitHub
Comments
1
Participants
2
Timeline
4
Reactions
0
Author
mhakbymhakby
Participants
mhakbymhakbyRyceRyce
Timeline (top)
labeled ×2commented ×1renamed ×1

When GOOGLE_APPLICATION_CREDENTIALS is set for ADC auth, the google-vertex provider passes the internal "<authenticated>" sentinel string as an API key to pi-ai, causing all Vertex AI requests to fail with UNAUTHENTICATED.

Error Message

Gateway log output:

The user provided Vertex AI API key will take precedence over the project/location from the environment variables. UNAUTHENTICATED: API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal. "reason": "CREDENTIALS_MISSING", "domain": "googleapis.com", "method": "google.cloud.aiplatform.v1.PredictionService.StreamGenerateContent", "service": "aiplatform.googleapis.com"

Runtime debug (patched resolveApiKey() to log its return value):

[DBG] apiKey= "<authenticated>" GOOGLE_CLOUD_API_KEY= undefined

This confirms "<authenticated>" is being passed as a real API key despite no key being configured.

Secondary issue — [email protected] incompatible with Node 24:

After fixing the sentinel bug, token minting via google-auth-library fails on Node 24:

Error: Cannot convert undefined or null to object at Gaxios._request (gaxios.js:165) at async #getFetch (gaxios.js:530)

Root cause: [email protected] attempts await import('node-fetch') at runtime. node-fetch is not installed in the container, and this dynamic ESM import fails specifically on Node 24. The same [email protected] works correctly on Node 22 LTS.

Root Cause

Root cause: [email protected] attempts await import('node-fetch') at runtime. node-fetch is not installed in the container, and this dynamic ESM import fails specifically on Node 24. The same [email protected] works correctly on Node 22 LTS.

Fix Action

Fix / Workaround

Runtime debug (patched resolveApiKey() to log its return value):

Temporary workaround:

  1. Use the Node 22-based image (ghcr.io/openclaw/openclaw:2026.2.26).
  2. Apply the following patch to @mariozechner/pi-ai/dist/providers/google-vertex.js to treat "<authenticated>" as undefined:

Code Example

Gateway log output:

The user provided Vertex AI API key will take precedence over the project/location from the environment variables.
UNAUTHENTICATED: API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal.
  "reason": "CREDENTIALS_MISSING",
  "domain": "googleapis.com",
  "method": "google.cloud.aiplatform.v1.PredictionService.StreamGenerateContent",
  "service": "aiplatform.googleapis.com"


Runtime debug (patched `resolveApiKey()` to log its return value):

[DBG] apiKey= "<authenticated>" GOOGLE_CLOUD_API_KEY= undefined


This confirms `"<authenticated>"` is being passed as a real API key despite no key being configured.

**Secondary issue — `[email protected]` incompatible with Node 24:**

After fixing the sentinel bug, token minting via `google-auth-library` fails on Node 24:

Error: Cannot convert undefined or null to object
    at Gaxios._request (gaxios.js:165)
    at async #getFetch (gaxios.js:530)

Root cause: `[email protected]` attempts `await import('node-fetch')` at runtime. `node-fetch` is not installed in the container, and this dynamic ESM import fails specifically on Node 24. The same `[email protected]` works correctly on Node 22 LTS.

---

// in resolveApiKey()
// before:
return options?.apiKey || process.env.GOOGLE_CLOUD_API_KEY;

// after:
const k = options?.apiKey || process.env.GOOGLE_CLOUD_API_KEY;
return (k === "<authenticated>") ? undefined : k;
RAW_BUFFERClick to expand / collapse

Bug type

Behavior bug (incorrect output/state without crash)

Summary

When GOOGLE_APPLICATION_CREDENTIALS is set for ADC auth, the google-vertex provider passes the internal "<authenticated>" sentinel string as an API key to pi-ai, causing all Vertex AI requests to fail with UNAUTHENTICATED.

Steps to reproduce

  1. Set up OpenClaw in Docker with network_mode: host on a GCP VM.
  2. Mount a valid service account key JSON file into the container (e.g. at /run/secrets/vertex-sa-key.json).
  3. Set the following environment variables in docker-compose.yml:
    • GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/vertex-sa-key.json
    • GOOGLE_CLOUD_PROJECT=<your-project-id>
    • GOOGLE_CLOUD_LOCATION=global
  4. Set the default model to google-vertex/gemini-3-flash-preview in openclaw.json.
  5. Start the container and open the Control UI.
  6. Send any message to the assistant.
  7. Observe the error in docker logs.

Expected behavior

The google-vertex provider should detect that GOOGLE_APPLICATION_CREDENTIALS is set, use the service account key to obtain an OAuth2 access token via google-auth-library (ADC), and successfully authenticate with the Vertex AI API. The assistant should respond to the message normally.

Actual behavior

The assistant does not respond. The gateway logs the following error:

UNAUTHENTICATED: API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal.

Instead of using ADC, the google-vertex provider passes the internal string "<authenticated>" as options.apiKey to pi-ai. The pi-ai SDK treats this as a real API key and calls createClientWithApiKey() instead of createClient() (the ADC path), causing Google to reject the request entirely.

OpenClaw version

2026.3.13 (also reproduced on 2026.2.26)

Operating system

Ubuntu 24.04 LTS (Running on GCP Compute Engine)

Install method

Docker (network_mode: host)

Model

google-vertex/gemini-3-flash-preview, google-vertex/gemini-3.1-pro-preview

Provider / routing chain

openclaw -> google-vertex (Gemini)

Config file / key location

~/.openclaw/openclaw.json ; GOOGLE_APPLICATION_CREDENTIALS (mounted service account JSON)

Additional provider/model setup details

Using the built-in google-vertex provider with ADC (Application Default Credentials). No API keys are defined in auth-profiles.json or openclaw.json. The service account key is mounted into the Docker container and GOOGLE_APPLICATION_CREDENTIALS correctly points to it.

Logs, screenshots, and evidence

Gateway log output:

The user provided Vertex AI API key will take precedence over the project/location from the environment variables.
UNAUTHENTICATED: API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal.
  "reason": "CREDENTIALS_MISSING",
  "domain": "googleapis.com",
  "method": "google.cloud.aiplatform.v1.PredictionService.StreamGenerateContent",
  "service": "aiplatform.googleapis.com"


Runtime debug (patched `resolveApiKey()` to log its return value):

[DBG] apiKey= "<authenticated>" GOOGLE_CLOUD_API_KEY= undefined


This confirms `"<authenticated>"` is being passed as a real API key despite no key being configured.

**Secondary issue — `[email protected]` incompatible with Node 24:**

After fixing the sentinel bug, token minting via `google-auth-library` fails on Node 24:

Error: Cannot convert undefined or null to object
    at Gaxios._request (gaxios.js:165)
    at async #getFetch (gaxios.js:530)

Root cause: `[email protected]` attempts `await import('node-fetch')` at runtime. `node-fetch` is not installed in the container, and this dynamic ESM import fails specifically on Node 24. The same `[email protected]` works correctly on Node 22 LTS.

Impact and severity

  • Affected users: Anyone using google-vertex with Service Account / ADC in Docker.
  • Severity: High — blocks all Vertex AI functionality.
  • Frequency: 100% reproduction rate on latest (Node 24) image.
  • Consequence: The assistant cannot initialize or respond using any google-vertex model.

Additional information

  • Last known good version: 2026.2.26 (Node 22 LTS)
  • First known bad version: 2026.3.13 (Node 24)

Temporary workaround:

  1. Use the Node 22-based image (ghcr.io/openclaw/openclaw:2026.2.26).
  2. Apply the following patch to @mariozechner/pi-ai/dist/providers/google-vertex.js to treat "<authenticated>" as undefined:
// in resolveApiKey()
// before:
return options?.apiKey || process.env.GOOGLE_CLOUD_API_KEY;

// after:
const k = options?.apiKey || process.env.GOOGLE_CLOUD_API_KEY;
return (k === "<authenticated>") ? undefined : k;

extent analysis

Fix Plan

To fix the issue, we need to update the google-vertex provider to correctly handle the GOOGLE_APPLICATION_CREDENTIALS environment variable and use the service account key to obtain an OAuth2 access token via google-auth-library (ADC). We also need to update gaxios to a version compatible with Node 24.

Step-by-Step Solution

  1. Update @mariozechner/pi-ai: Apply the patch to @mariozechner/pi-ai/dist/providers/google-vertex.js to treat "<authenticated>" as undefined:
// in resolveApiKey()
const k = options?.apiKey || process.env.GOOGLE_CLOUD_API_KEY;
return (k === "<authenticated>") ? undefined : k;
  1. Update gaxios: Update gaxios to a version compatible with Node 24, such as [email protected]:
npm install gaxios@2.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

The google-vertex provider should detect that GOOGLE_APPLICATION_CREDENTIALS is set, use the service account key to obtain an OAuth2 access token via google-auth-library (ADC), and successfully authenticate with the Vertex AI API. The assistant should respond to the message normally.

#api#ssr#installation#tensor shape#environment variable#agent setup#task chaining#parallel task

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - 💡(How to fix) Fix [Bug]: google-vertex provider broken with ADC auth: "<authenticated>" sentinel passed as API key + gaxios@7.1.3 incompatible with Node 24 [1 comments, 2 participants]