openclaw - 💡(How to fix) Fix LLM error: Authorization Not Found - SecretRef apiKey not properly resolved in Gateway

openclaw2026-05-31 09:50:36

ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

GitHub issue URL

Helpful · Quick feedback

Error Message

After setting provider apiKey to SecretRef format (e.g., { "source": "env", "provider": "default", "id": "SENSENOVA_API_KEY" }), the Gateway still fails with Authorization Not Found error. Direct API calls work fine with the same API key. 3. Error: LLM error: Authorization Not Found

Even after manually adding sensenova:default to auth-profiles.json, error persists
The error occurs regardless of whether the provider is used as primary or fallback model Possibly related to agent auth inheritance semantics (read-through from default/main agent store to subagents). The issue mentions "inheriter" in error context.

Code Example

"models": {
  "providers": {
    "sensenova": {
      "apiKey": { "source": "env", "provider": "default", "id": "SENSENOVA_API_KEY" },
      "baseUrl": "https://token.sensenova.cn/v1"
    }
  }
}

---

SENSENOVA_API_KEY=sk-xxx

---

{
  "profiles": {
    "sensenova:default": { "type": "api_key", "provider": "sensenova", "key": "sk-xxx" }
  }
}

RAW_BUFFERClick to expand / collapse

Problem Description

Environment

OpenClaw version: 2026.5.28
OS: Ubuntu (Linux 6.17.0)
Provider: sensenova (also affects deepseek as fallback)

Steps to Reproduce

Set models.providers.<provider>.apiKey to SecretRef format referencing an env var
Start Gateway and attempt to use the model
Error: LLM error: Authorization Not Found

Configuration

openclaw.json:

"models": {
  "providers": {
    "sensenova": {
      "apiKey": { "source": "env", "provider": "default", "id": "SENSENOVA_API_KEY" },
      "baseUrl": "https://token.sensenova.cn/v1"
    }
  }
}

~/.openclaw/.env:

SENSENOVA_API_KEY=sk-xxx

auth-profiles.json:

{
  "profiles": {
    "sensenova:default": { "type": "api_key", "provider": "sensenova", "key": "sk-xxx" }
  }
}

Expected Behavior

The Gateway should resolve the SecretRef and use the actual API key from the environment variable or auth-profiles.json.

Actual Behavior

Direct curl test with same API key: ✅ works
OpenClaw Gateway with SecretRef: ❌ Authorization Not Found
openclaw secrets reload completes successfully but does not fix the issue
Gateway restart does not fix the issue

Additional Observations

models.json in agent directory still shows apiKey as redacted placeholder (sk-R49…aXNA)
auth-profiles.json only has entries for minimax-cn:default and minimax:cn, no sensenova
Even after manually adding sensenova:default to auth-profiles.json, error persists
The error occurs regardless of whether the provider is used as primary or fallback model

Related Issues

Possibly related to agent auth inheritance semantics (read-through from default/main agent store to subagents). The issue mentions "inheriter" in error context.

Would appreciate any guidance on how to properly configure provider API keys that persist across Gateway restarts.

Vote matrix · Quick signals

Works

Did the solution work? Tap to confirm.

Easy Fix

Was it a quick fix?

Time Saver

Did it save you time?

Blocking

Was it severely blocking?

Common Issue

Are others likely hitting this too?

Flaky / Intermittent

Is it intermittent?

Verified / Reproducible

Can you reproduce it reliably?

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Data

Security

Network

Code

UI/UX

Text

System

Multimedia

Protocol

API

Engineering