Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [/status] api-key label shadows claude-cli OAuth when env key present [2 pull requests, 1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#80184Fetched 2026-05-11 03:17:56
View on GitHub
Comments
1
Participants
2
Timeline
4
Reactions
2
Author
gorkem2020gorkem2020
Participants
clawsweeper[bot]clawsweeper[bot]gorkem2020gorkem2020
Timeline (top)
cross-referenced ×2commented ×1referenced ×1

On 2026.5.7, /status shows 🔑 api-key (env: ANTHROPIC_API_KEY) when an agent is actually routing through the claude-cli backend via Max OAuth, simply because ANTHROPIC_API_KEY is also present in the environment. This is a related-but-distinct case from #79015 (fixed in #79082), which only addressed the 🔑 unknown symptom.

Root Cause

On 2026.5.7, /status shows 🔑 api-key (env: ANTHROPIC_API_KEY) when an agent is actually routing through the claude-cli backend via Max OAuth, simply because ANTHROPIC_API_KEY is also present in the environment. This is a related-but-distinct case from #79015 (fixed in #79082), which only addressed the 🔑 unknown symptom.

Fix Action

Fixed

PR fix notes

PR #80260: fix(status): prefer OAuth auth label over env api-key when runtime alias routes through claude-cli

Description (problem / solution / changelog)

Summary

  • status-message.ts displayed api-key (env: ANTHROPIC_API_KEY) when the agent actually routed through claude-cli OAuth, because resolveModelAuthMode resolved auth against the raw model provider (anthropic) rather than the runtime provider (claude-cli).
  • The existing runtimeAliasModelEquivalent fallback only covered the unknown to oauth case (from #79082), but not the api-key to oauth case.
  • Extended the fallback to both the auth label and the cost display: when runtimeAliasModelEquivalent is true and selectedAuthMode is api-key but activeAuthMode is oauth, the status now correctly displays the OAuth label and suppresses the cost line from the unused env API key.

Verification

  • Existing status-message.test.ts passes (2/2).
  • New test in auto-reply/status.test.ts: verifies that cost is hidden and oauth label shown when api-key is selected but oauth is active via runtime alias (72/72 tests pass).
  • Live buildStatusMessage output from source confirms the fix works end-to-end (see Real behavior proof below).

Real behavior proof

Behavior addressed: Status auth label now shows oauth instead of api-key and the cost line is suppressed when the agent routes through a claude-cli runtime alias but ANTHROPIC_API_KEY is also present in the environment.

Environment tested: Node 22.x on Linux, pnpm test, live buildStatusMessage invocation from source with node --import tsx.

Steps run after the patch: Ran buildStatusMessage from the fix branch source with modelAuth: "api-key", activeModelAuth: "oauth", and session entry model claude-cli/claude-opus-4-6 selected as anthropic/claude-opus-4-6 to reproduce the runtime alias scenario. Compared against the non-alias api-key-only baseline.

Evidence after fix:

Case 1 — api-key selected + oauth active via runtime alias (the fixed scenario):

🦞 OpenClaw 2026.5.10-beta.1 (70c9b8c)
🧠 Model: anthropic/claude-opus-4-6 · 🔑 oauth
🧮 Tokens: 1.0k in / 500 out
📚 Context: 1.5k/200k (1%) · 🧹 Compactions: 0
🧵 Session: agent:main:main • updated just now
⚙️ Execution: direct · Runtime: Claude CLI · Think: off · elevated
🪢 Queue: collect (depth 0)

Key observations: 🔑 oauth (not api-key), no 💵 Cost line.

Case 2 — api-key only, no runtime alias (original behavior preserved):

🦞 OpenClaw 2026.5.10-beta.1 (70c9b8c)
🧠 Model: anthropic/claude-opus-4-6 · 🔑 api-key
🧮 Tokens: 1.0k in / 500 out · 💵 Cost: $0.05
📚 Context: 1.5k/1.0m (0%) · 🧹 Compactions: 0
🧵 Session: agent:main:main • updated just now
⚙️ Execution: direct · Runtime: OpenClaw Pi Default · Think: off · elevated
🪢 Queue: collect (depth 0)

Key observations: 🔑 api-key, 💵 Cost: $0.05 shown as expected.

Test suite output:

pnpm test src/auto-reply/status.test.ts
 Tests  72 passed (72)

Observed result: In the runtime alias case, the status correctly shows the oauth auth label and suppresses the cost line. In the non-alias case, api-key label and cost are shown as before. Both scenarios verified against live buildStatusMessage output from the fix branch.

Not tested: Live gateway /status output from a running OpenClaw instance with a real claude-cli OAuth session.

Fixes #80184

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • src/auto-reply/status.test.ts (modified, +39/-0)
  • src/status/status-message.ts (modified, +13/-3)

PR #80417: fix(status): prefer claude-cli OAuth over env API key shadowed by provider alias

Description (problem / solution / changelog)

Summary

/status displayed 🔑 api-key (env: ANTHROPIC_API_KEY) for sessions running via claude-cli OAuth when ANTHROPIC_API_KEY was also present in the environment — even though the active auth path was OAuth through the Claude CLI integration, not the API key.

Root cause: resolveModelAuthLabel calls resolveEnvApiKey(providerKey, env, ...) before checking for CLI credentials. The provider alias system maps claude-cli → anthropic for env-var lookup (so claude-cli inherits ANTHROPIC_API_KEY from CORE_PROVIDER_AUTH_ENV_VAR_CANDIDATES.anthropic). When that env key was present, it short-circuited at the env check and the readClaudeCliCredentialsCached block was never reached.

Fix: Move the codex-cli and claude-cli credential checks before resolveEnvApiKey. Live OAuth credentials from a CLI integration always take priority over env API keys surfaced through the alias map.

The fix is symmetric: codex-cli is moved for the same reason — it also inherits env vars from its openai alias.

Changes

  • src/agents/model-auth-label.ts: move CLI credential checks before env API key lookup
  • src/agents/model-auth-label.test.ts: add regression test asserting oauth (claude-cli) when both CLI OAuth and an aliased env key are present

Real behavior proof

Behavior or issue addressed: openclaw /status shows 🔑 api-key (env: ANTHROPIC_API_KEY) when the agent is actually routing through claude-cli OAuth. After this fix, openclaw /status shows 🔑 oauth (claude-cli).

Real environment tested: Node.js v22, Linux, openclaw monorepo from source with this patch applied.

Exact steps or command run after fix:

  1. Config: agents.defaults.agentRuntime.id = "claude-cli", ANTHROPIC_API_KEY present in env
  2. Verify openclaw /status auth label via the resolveModelAuthLabel code path:
pnpm vitest run src/agents/model-auth-label.test.ts

Evidence after fix: The new regression test prefers claude-cli OAuth over env API key inherited via provider alias directly exercises the resolveModelAuthLabel function that openclaw /status calls. It sets up both readClaudeCliCredentialsCached → valid OAuth token and resolveEnvApiKey → {apiKey: "sk-ant-key", source: "env: ANTHROPIC_API_KEY"}. Before this patch, the env key was reached first. After this patch, the CLI OAuth check fires first and resolveEnvApiKey is never called.

Test Files  1 passed (1)
     Tests  16 passed (16)

Observed result after fix: openclaw /status reports 🔑 oauth (claude-cli) instead of 🔑 api-key (env: ANTHROPIC_API_KEY) when Claude CLI OAuth credentials are active. 16/16 unit tests pass. The regression test verifies both the return value and that resolveEnvApiKey was not reached.

What was not tested: Live openclaw /status output on a real gateway instance running the claude-cli integration with both ANTHROPIC_API_KEY and active CLI OAuth tokens simultaneously (no dual-auth test environment available), but resolveModelAuthLabel is the exact function /status calls for auth label resolution.

Fixes #80184.

Changed files

  • src/agents/model-auth-label.test.ts (modified, +30/-0)
  • src/agents/model-auth-label.ts (modified, +14/-11)

Code Example

🧠 Model: anthropic/claude-sonnet-4-6 · 🔑 oauth (claude-cli)
⚙️ Execution: direct · Runtime: OpenClaw Pi Default

---

🧠 Model: anthropic/claude-sonnet-4-6 · 🔑 api-key (env: ANTHROPIC_API_KEY)
⚙️ Execution: direct · Runtime: OpenClaw Pi Default

---

if (
  runtimeAliasModelEquivalent &&
  normalizeOptionalLowercaseString(selectedModelAuth) === "unknown" &&
  activeModelAuth &&
  normalizeOptionalLowercaseString(activeModelAuth) !== "unknown"
) {
  selectedModelAuth = activeModelAuth;
}

---

const selectedAuthLabelValue =
  rawSelectedAuthLabelValue ?? (runtimeAliasModelEquivalent ? activeAuthLabelValue : undefined);
RAW_BUFFERClick to expand / collapse

Summary

On 2026.5.7, /status shows 🔑 api-key (env: ANTHROPIC_API_KEY) when an agent is actually routing through the claude-cli backend via Max OAuth, simply because ANTHROPIC_API_KEY is also present in the environment. This is a related-but-distinct case from #79015 (fixed in #79082), which only addressed the 🔑 unknown symptom.

Reproduction

Setup:

  • 2026.5.7
  • Agent has model: anthropic/claude-sonnet-4-6
  • agents.defaults.agentRuntime: { id: "claude-cli" } (no per-agent override)
  • ANTHROPIC_API_KEY is set in the gateway environment (e.g., for use by a separate anthropic-api provider configured in the same models.providers block)
  • Active OAuth profile anthropic:claude-cli exists and works

Send the agent a normal prompt. It answers correctly via Max OAuth.

Expected

/status should reflect that the active auth path is OAuth via claude-cli, e.g.:

🧠 Model: anthropic/claude-sonnet-4-6 · 🔑 oauth (claude-cli)
⚙️ Execution: direct · Runtime: OpenClaw Pi Default

Actual

🧠 Model: anthropic/claude-sonnet-4-6 · 🔑 api-key (env: ANTHROPIC_API_KEY)
⚙️ Execution: direct · Runtime: OpenClaw Pi Default

The display claims api-key is in use. Verification confirms it is not:

  • Anthropic console shows no charge for the turn
  • New assistant entry appears in ~/.openclaw-claude/projects/.../[claude-cli-session].jsonl (claude-cli OAuth store)
  • No corresponding entry with provider: "anthropic" and nonzero usage in ~/.openclaw/agents/<id>/sessions/[id].jsonl

So the call definitely went via claude-cli OAuth, but the auth label in /status advertises the env api-key.

Why #79082 does not cover this

The fix landed in 2bdbec8246d8 adds a fallback rule that swaps in the active model's auth label when the selected model's auth resolves to "unknown":

src/status/status-text.ts:

if (
  runtimeAliasModelEquivalent &&
  normalizeOptionalLowercaseString(selectedModelAuth) === "unknown" &&
  activeModelAuth &&
  normalizeOptionalLowercaseString(activeModelAuth) !== "unknown"
) {
  selectedModelAuth = activeModelAuth;
}

src/status/status-message.ts:

const selectedAuthLabelValue =
  rawSelectedAuthLabelValue ?? (runtimeAliasModelEquivalent ? activeAuthLabelValue : undefined);

In our case, selectedModelAuth does not resolve to "unknown". resolveModelAuthMode in src/agents/model-auth.ts:746 finds ANTHROPIC_API_KEY via resolveConfigAwareEnvApiKey (because ANTHROPIC_API_KEY is the conventional candidate for the anthropic provider per CORE_PROVIDER_AUTH_ENV_VAR_CANDIDATES in src/secrets/provider-env-vars.ts:13). It then returns "api-key" confidently. Since "api-key" !== "unknown", the new fallback rule never triggers, and the env-derived label wins even though claude-cli backend is the active execution path.

Suggestion

Extend the fallback rule in status-text.ts and status-message.ts to prefer the active model's auth label when:

  1. The active model is a CLI runtime alias of the selected provider (runtimeAliasModelEquivalent === true), AND
  2. The active model's auth is non-unknown,

regardless of whether the selected model's auth resolved to "unknown" or to a concrete env-key. The env-key may exist in the environment for unrelated reasons (e.g., a separate anthropic-api provider configured for testing), but the actual execution path is what users care about.

Alternatively, resolveModelAuthMode could accept an activeRuntime hint so it can skip the env-key lookup when a CLI-runtime backend will own auth for the call.

Environment

  • OpenClaw 2026.5.7 (Docker, Linux x86_64, Node 24.14.0)
  • agents.defaults.agentRuntime: { id: "claude-cli" } set globally
  • ANTHROPIC_API_KEY in gateway env (used by a separate anthropic-api provider entry for cross-API testing)
  • Anthropic Max OAuth profile anthropic:claude-cli is the actual active auth

Notes

  • Not blocking. The functional path works correctly (no surprise charges, no broken inference).
  • Misleading enough that I personally spent diagnostic time today double-checking I was not being charged before realizing the label was wrong. Filing because the fix surface is the same code paths #79082 just touched.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#vector store#embedding generation#cache error#pipeline error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - ✅(Solved) Fix [/status] api-key label shadows claude-cli OAuth when env key present [2 pull requests, 1 comments, 2 participants]