- The `paste-token` command should work non-interactively via `--token` flag or stdin - Valid `type` values should be documented or listed in the error message - `auth-profiles.json` schema should be documented in the official docs

openclaw - ✅(Solved) Fix [Bug]: No documentation or setup path for custom provider auth in isolated cron sessions [1 pull requests, 1 participants]

liaoandi · 2026-04-08T08:40:43Z

[openclaw] When using sessionTarget: isolated cron jobs with a custom model provider e.g. a company-internal LLM proxy , the isolated agent silently fails with… When using `sessionTarget: isolated` cron jobs with a custom model provider (e.g. a company-internal LLM proxy), the isolated agent silently fails with `No API key found for provider " "` — with no actionable setup path. The root issue is a combination of three problems: 1. **`auth-profiles.json` format for custom providers is undocumented.** The `type` field accepts `"oauth"` or `"token"`, but this is not documented anywhere. Trial-and-error through `"api_key"`, `"bearer"`, `"static"`, etc. all fail with `invalid_type` — no error message indicates what values are valid. 2. **`openclaw models auth paste-token` requires an interactive TTY.** It cannot be scripted or used non-interactively, making it impossible to configure auth programmatically or via automation. 3. **The isolated agent gives no setup guidance.** The error message says *"Configure auth for this agent (openclaw agents add ) or copy auth-profiles.json from the main agentDir"* — but `openclaw agents add` does not have a subcommand for adding auth to an existing agent, and copying the file does not help if the format is wrong. # PR #63050: fix(auth): add --token flag to paste-token and surface validTypes in invalid_type warning - Repository: openclaw/openclaw - Author: liaoandi - State: open | merged: False - Link: https://github.com/openclaw/openclaw/pull/63050 ## Description (problem / solution / changelog) ## Summary Fixes #63042. Three targeted changes to improve non-interactive auth setup (e.g. CI/scripted environments) and debuggability of auth profile load errors. ### Changes **`src/cli/models-cli.ts`** - Added `.option("--token ", "Token value (skip interactive prompt)")` to the `paste-token` subcommand registration. - Passes `token: opts.token` through to `modelsAuthPasteTokenCommand`. **`src/commands/models/auth.ts`** - Added `token?: string` to the `modelsAuthPasteTokenCommand` opts type. - Short-circuits the `await text({...})` interactive prompt when `opts.token` is provided, using `normalizeOptionalString` for consistent coercion: ```ts const rawToken = normalizeOptionalString(opts.token); const tokenInput = rawToken ?? (await text({ ... })); ``` **`src/agents/auth-profiles/persisted.ts`** - In `warnRejectedCredentialEntries`, spreads `validTypes: [...AUTH_PROFILE_TYPES]` into the log context when `reasons.invalid_type` is truthy, making it easier to diagnose which credential types are accepted. ## Test plan - [ ] `openclaw models auth paste-token --provider anthropic --token sk-ant-...` completes without an interactive prompt - [ ] `openclaw models auth paste-token --provider anthropic` (no `--token`) still shows the interactive prompt as before - [ ] Load an `auth-profiles.json` with an entry whose `type` is not in `["api_key", "oauth", "token"]`; verify the warning log now includes a `validTypes` field - [ ] Existing `paste-token` flows (with `--expires-in`, `--profile-id`) unaffected 🤖 Generated with [Claude Code](https://claude.com/claude-code) ## Changed files - `src/agents/auth-profiles/persisted.ts` (modified, +1/-0) - `src/cli/models-cli.ts` (modified, +2/-0) - `src/commands/models/auth.ts` (modified, +17/-13) ## Fixed - Fixed by PR: fix(auth): add --token flag to paste-token and surface validTypes in invalid_type warning (https://github.com/openclaw/openclaw/pull/63050) ### Bug type Behavior bug (incorrect output/state without crash) ### Summary When using `sessionTarget: isolated` cron jobs with a custom model provider (e.g. a company-internal LLM proxy), the isolated agent silently fails with `No API key found for provider " "` — with no actionable setup path. The root issue is a combination of three problems: 1. **`auth-profiles.json` format for custom providers is undocumented.** The `type` field accepts `"oauth"` or `"token"`, but this is not documented anywhere. Trial-and-error through `"api_key"`, `"bearer"`, `"static"`, etc. all fail with `invalid_type` — no error message indicates what values are valid. 2. **`openclaw models auth paste-token` requires an interactive TTY.** It cannot be scripted or used non-interactively, making it impossible to configure auth programmatically or via automation. 3. **The isolated agent gives no setup guidance.** The error message says *"Configure auth for this agent (openclaw agents add ) or copy auth-profiles.json from the main agentDir"* — but `openclaw agents add` does not have a subcommand for adding auth to an existing agent, and copying the file does not help if the format is wrong. ### Steps to reproduce 1. Configure a cron job with `sessionTarget: isolated` and a custom provider (e.g. `my-proxy/gpt-4`) in `models.json` 2. Trigger the cron job 3. Observe: `FallbackSummaryError: All models failed: No API key found for provider "my-proxy"` 4. Try to fix: `openclaw models

openclaw2026-04-08 08:40:43

ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

GitHub issue URL

Helpful · Quick feedback

GitHub stats

openclaw/openclaw#63042•Fetched 2026-04-09 07:59:11

View on GitHub

Comments

Participants

Timeline

Reactions

Author

liaoandi

Participants

liaoandi

Timeline (top)

cross-referenced ×1

When using sessionTarget: isolated cron jobs with a custom model provider (e.g. a company-internal LLM proxy), the isolated agent silently fails with No API key found for provider "<custom-provider>" — with no actionable setup path.

The root issue is a combination of three problems:

auth-profiles.json format for custom providers is undocumented. The type field accepts "oauth" or "token", but this is not documented anywhere. Trial-and-error through "api_key", "bearer", "static", etc. all fail with invalid_type — no error message indicates what values are valid.
openclaw models auth paste-token requires an interactive TTY. It cannot be scripted or used non-interactively, making it impossible to configure auth programmatically or via automation.
The isolated agent gives no setup guidance. The error message says "Configure auth for this agent (openclaw agents add <id>) or copy auth-profiles.json from the main agentDir" — but openclaw agents add does not have a subcommand for adding auth to an existing agent, and copying the file does not help if the format is wrong.

Error Message

auth-profiles.json format for custom providers is undocumented. The type field accepts "oauth" or "token", but this is not documented anywhere. Trial-and-error through "api_key", "bearer", "static", etc. all fail with invalid_type — no error message indicates what values are valid.
The isolated agent gives no setup guidance. The error message says "Configure auth for this agent (openclaw agents add <id>) or copy auth-profiles.json from the main agentDir" — but openclaw agents add does not have a subcommand for adding auth to an existing agent, and copying the file does not help if the format is wrong.
Try to fix manually: add entry to auth-profiles.json with type: "api_key" → invalid_type error, no hint on valid values

Valid type values should be documented or listed in the error message

Root Cause

The root issue is a combination of three problems:

auth-profiles.json format for custom providers is undocumented. The type field accepts "oauth" or "token", but this is not documented anywhere. Trial-and-error through "api_key", "bearer", "static", etc. all fail with invalid_type — no error message indicates what values are valid.
openclaw models auth paste-token requires an interactive TTY. It cannot be scripted or used non-interactively, making it impossible to configure auth programmatically or via automation.
The isolated agent gives no setup guidance. The error message says "Configure auth for this agent (openclaw agents add <id>) or copy auth-profiles.json from the main agentDir" — but openclaw agents add does not have a subcommand for adding auth to an existing agent, and copying the file does not help if the format is wrong.

Fix Action

Fixed

Fixed by PR: fix(auth): add --token flag to paste-token and surface validTypes in invalid_type warning (https://github.com/openclaw/openclaw/pull/63050)

PR fix notes

PR #63050: fix(auth): add --token flag to paste-token and surface validTypes in invalid_type warning

Repository: openclaw/openclaw
Author: liaoandi
State: open | merged: False
Link: https://github.com/openclaw/openclaw/pull/63050

Description (problem / solution / changelog)

Summary

Fixes #63042. Three targeted changes to improve non-interactive auth setup (e.g. CI/scripted environments) and debuggability of auth profile load errors.

Changes

src/cli/models-cli.ts

Added .option("--token <value>", "Token value (skip interactive prompt)") to the paste-token subcommand registration.
Passes token: opts.token through to modelsAuthPasteTokenCommand.

src/commands/models/auth.ts

Added token?: string to the modelsAuthPasteTokenCommand opts type.
Short-circuits the await text({...}) interactive prompt when opts.token is provided, using normalizeOptionalString for consistent coercion:
```
const rawToken = normalizeOptionalString(opts.token);
const tokenInput = rawToken ?? (await text({ ... }));
```

src/agents/auth-profiles/persisted.ts

In warnRejectedCredentialEntries, spreads validTypes: [...AUTH_PROFILE_TYPES] into the log context when reasons.invalid_type is truthy, making it easier to diagnose which credential types are accepted.

Test plan

openclaw models auth paste-token --provider anthropic --token sk-ant-... completes without an interactive prompt
openclaw models auth paste-token --provider anthropic (no --token) still shows the interactive prompt as before
Load an auth-profiles.json with an entry whose type is not in ["api_key", "oauth", "token"]; verify the warning log now includes a validTypes field
Existing paste-token flows (with --expires-in, --profile-id) unaffected

🤖 Generated with Claude Code

Changed files

src/agents/auth-profiles/persisted.ts (modified, +1/-0)
src/cli/models-cli.ts (modified, +2/-0)
src/commands/models/auth.ts (modified, +17/-13)

Code Example

type === "token" ? { ...credential, token: normalizeSecretInput(credential.token) }

RAW_BUFFERClick to expand / collapse

Bug type

Behavior bug (incorrect output/state without crash)

Summary

The root issue is a combination of three problems:

auth-profiles.json format for custom providers is undocumented. The type field accepts "oauth" or "token", but this is not documented anywhere. Trial-and-error through "api_key", "bearer", "static", etc. all fail with invalid_type — no error message indicates what values are valid.
openclaw models auth paste-token requires an interactive TTY. It cannot be scripted or used non-interactively, making it impossible to configure auth programmatically or via automation.
The isolated agent gives no setup guidance. The error message says "Configure auth for this agent (openclaw agents add <id>) or copy auth-profiles.json from the main agentDir" — but openclaw agents add does not have a subcommand for adding auth to an existing agent, and copying the file does not help if the format is wrong.

Steps to reproduce

Configure a cron job with sessionTarget: isolated and a custom provider (e.g. my-proxy/gpt-4) in models.json
Trigger the cron job
Observe: FallbackSummaryError: All models failed: No API key found for provider "my-proxy"
Try to fix: openclaw models auth paste-token --provider my-proxy → requires TTY, fails in automation
Try to fix manually: add entry to auth-profiles.json with type: "api_key" → invalid_type error, no hint on valid values
The only working format (type: "token", field name token not key) must be discovered by reading minified source code

Expected behavior

The paste-token command should work non-interactively via --token flag or stdin
Valid type values should be documented or listed in the error message
auth-profiles.json schema should be documented in the official docs

Environment

OpenClaw version: 2026.4.5
macOS 26.4

Additional context

The type: "token" format with field token (not key) was discovered by reading profiles-DKQdaSwr.js:

type === "token" ? { ...credential, token: normalizeSecretInput(credential.token) }

This should not be necessary.

🤖 Generated with Claude Code

extent analysis

TL;DR

To fix the issue with isolated cron jobs and custom model providers, update the auth-profiles.json format to use type: "token" with a token field, and consider requesting a non-interactive paste-token command or improved documentation.

Guidance

Verify that the auth-profiles.json file is correctly formatted with type: "token" and a token field, as implied by the profiles-DKQdaSwr.js code snippet.
Test the openclaw models auth paste-token command with the --provider flag and check if it can be used non-interactively by providing the token via stdin or a file.
Check the official documentation for any updates on the auth-profiles.json schema and valid type values.
Consider filing a feature request or issue for a non-interactive paste-token command and improved documentation.

Example

{
  "provider": "my-proxy",
  "type": "token",
  "token": "your_api_token_here"
}

This example shows the correct format for the auth-profiles.json file.

Notes

The current solution relies on discovering the correct auth-profiles.json format by reading the source code, which is not ideal. Improved documentation and a non-interactive paste-token command would make it easier to configure auth for custom providers.

Recommendation

Apply workaround: use the type: "token" format with a token field in auth-profiles.json and provide the token via stdin or a file when using the paste-token command. This is a temporary solution until the documentation and command are improved.

Vote matrix · Quick signals

Works

Did the solution work? Tap to confirm.

Easy Fix

Was it a quick fix?

Time Saver

Did it save you time?

Blocking

Was it severely blocking?

Common Issue

Are others likely hitting this too?

Flaky / Intermittent

Is it intermittent?

Verified / Reproducible

Can you reproduce it reliably?

FAQ

Expected behavior

The paste-token command should work non-interactively via --token flag or stdin
Valid type values should be documented or listed in the error message
auth-profiles.json schema should be documented in the official docs

#api #ssr #installation #tensor shape #request timeout

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

openclaw - ✅(Solved) Fix [Bug]: No documentation or setup path for custom provider auth in isolated cron sessions [1 pull requests, 1 participants]

Recommended Tools

GitHub issue graph ai analysis

Error Message

Root Cause

Fix Action

Fixed

PR fix notes

PR #63050: fix(auth): add --token flag to paste-token and surface validTypes in invalid_type warning

Description (problem / solution / changelog)

Summary

Changes

Test plan

Changed files

Code Example

Bug type

Summary

Steps to reproduce

Expected behavior

Environment

Additional context

extent analysis

TL;DR

Guidance

Example

Notes

Recommendation

FAQ

Expected behavior

Still need to ship something?

RELATED_DISCOVERY

TRENDING