Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix QQ Bot channel fails with 'invalid appid or secret' after upgrade to v2026.4.23 when using secretref [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#71398Fetched 2026-04-26 05:13:15
View on GitHub
Comments
1
Participants
2
Timeline
1
Reactions
0
Author
bxy3045134656bxy3045134656
Participants
bxy3045134656bxy3045134656steipetesteipete
Timeline (top)
commented ×1

Error Message

After upgrading OpenClaw from v2026.4.21 to v2026.4.23, the QQ Bot channel fails to connect with error:

Root Cause

The secretref:/QQBOT_XXX_CLIENT_SECRET format in openclaw.json is not being properly resolved by the QQ Bot plugin in v2026.4.23. The raw secretref:/... string appears to be passed directly to the QQ OpenAPI instead of being resolved to the actual secret value from secrets.json.

Fix Action

Workaround

Hardcoding the secret value directly in openclaw.json (bypassing secretref:) fixes the issue:

"clientSecret": "<actual-secret-value>"  // works
// vs
"clientSecret": "secretref:/QQBOT_NUONUO_CLIENT_SECRET"  // fails

Code Example

Failed to get access_token: {"code":100016,"message":"invalid appid or secret"}

---

"clientSecret": "<actual-secret-value>"  // works
// vs
"clientSecret": "secretref:/QQBOT_NUONUO_CLIENT_SECRET"  // fails
RAW_BUFFERClick to expand / collapse

Bug Description

After upgrading OpenClaw from v2026.4.21 to v2026.4.23, the QQ Bot channel fails to connect with error:

Failed to get access_token: {"code":100016,"message":"invalid appid or secret"}

Root Cause

The secretref:/QQBOT_XXX_CLIENT_SECRET format in openclaw.json is not being properly resolved by the QQ Bot plugin in v2026.4.23. The raw secretref:/... string appears to be passed directly to the QQ OpenAPI instead of being resolved to the actual secret value from secrets.json.

Workaround

Hardcoding the secret value directly in openclaw.json (bypassing secretref:) fixes the issue:

"clientSecret": "<actual-secret-value>"  // works
// vs
"clientSecret": "secretref:/QQBOT_NUONUO_CLIENT_SECRET"  // fails

Reproduction Steps

  1. Configure QQ Bot with secretref:/QQBOT_XXX_CLIENT_SECRET in openclaw.json
  2. Store actual secret in secrets.json
  3. Upgrade from v2026.4.21 to v2026.4.23
  4. Restart Gateway
  5. QQ Bot connection fails with "invalid appid or secret"

Environment

  • OS: Windows 11 (10.0.26200)
  • OpenClaw: v2026.4.23 (upgraded from v2026.4.21)
  • Node.js: v24.14.0
  • QQ Bot plugin: @openclaw/qqbot v2026.4.20
  • Channel config: channels.qqbot.accounts.nuonuo.clientSecret: "secretref:/QQBOT_NUONUO_CLIENT_SECRET"

Additional Investigation

  • secrets.json encoding is correct (UTF-8, no BOM, pure ASCII)
  • The secret value is clean (no hidden characters or line breaks)
  • Direct API call with the same appId + secret succeeds (confirmed via Python urllib)
  • The resolveQQBotAccount() function in config--Jdei9fe.js correctly reads the secretref: value and calls adapter.resolveSecretInputString(), but the resolved value appears to be empty or incorrect.

extent analysis

TL;DR

Hardcoding the secret value in openclaw.json instead of using secretref: resolves the QQ Bot connection issue.

Guidance

  • Verify that the secrets.json file contains the correct secret value and is properly formatted.
  • Check the resolveQQBotAccount() function in config--Jdei9fe.js to ensure it correctly resolves the secretref: value.
  • Consider downgrading to v2026.4.21 or waiting for a fix in a future version of OpenClaw.
  • Test the QQ Bot connection with a hardcoded secret value to confirm the issue is related to the secretref: resolution.

Example

"clientSecret": "<actual-secret-value>"  // replace with the actual secret value

Notes

The issue seems to be specific to the QQ Bot plugin in OpenClaw v2026.4.23. The provided workaround should help mitigate the issue, but a permanent fix may require an update to the plugin or OpenClaw.

Recommendation

Apply the workaround by hardcoding the secret value in openclaw.json, as this is a simple and effective solution to restore QQ Bot connectivity.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#prompt formatting#chain error#conversation history#tool integration

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING