openclaw - ✅(Solved) Fix Vertex AI ADC OAuth Authentication Fails with 401 Error [1 pull requests, 1 participants]

nakedsleepwalker · 2026-04-07T00:52:39Z

[openclaw] PR 65023: Feat/google genai sdk as common provider across Google AI Studio and Google Cloud - Repository: openclaw/openclaw - Author: zeroasterisk -… # PR #65023: Feat/google genai sdk as common provider across Google AI Studio and Google Cloud - Repository: openclaw/openclaw - Author: zeroasterisk - State: open | merged: False - Link: https://github.com/openclaw/openclaw/pull/65023 ## Description (problem / solution / changelog) ## Summary This PR integrates the new unified `@google/genai` SDK into OpenClaw, enabling support for both Google AI Studio (Gemini API) and Vertex AI (Google Cloud) via a single provider (`google-genai`). - **Problem**: Google AI Studio `API_KEY` and Google Cloud Vertex AI are confusing to users, and hard to configure - non-API_KEY auth needs to be standardized in several spots in the codebase. - **Why it matters**: IAM or ADC auth is more secure than API_KEYs and may help users get access. - **What changed**: Similar to the AWS SDK provider, we added a Google Gen AI SDK which is unified across endpoints and maintained by Google. - **What did NOT change (scope boundary)**: We did not yet deprecate or migrate other providers, but that's a reasonable next step. ## Change Type (select all) - [ ] Bug fix - [x] Feature - [ ] Refactor required for the fix - [x] Docs - [x] Security hardening - [x] Chore/infra ## Scope (select all touched areas) - [ ] Gateway / orchestration - [ ] Skills / tool execution - [ ] Auth / tokens - [ ] Memory / storage - [x] Integrations - [x] API / contracts - [ ] UI / DX - [ ] CI/CD / infra ## Linked Issue/PR - Related #48033, #49191, #52648, #62212 (Resolves/improves Vertex AI ADC authentication issues by providing a working SDK integration). ## Regression Test Plan (if applicable) For bug fixes or regressions, name the smallest reliable test coverage that should catch this. Otherwise write `N/A`. - Coverage level that should have caught this: - [ ] Unit test - [X] Seam / integration test - [ ] End-to-end test - [ ] Existing coverage already sufficient - Target test or file: `src/agents/google-genai.live.test.ts` - Scenario the test should lock in: Successful streaming and authentication for both API Key and Vertex AI (ADC) paths. - Why this is the smallest reliable guardrail: It exercises the actual SDK network calls and authentication resolution against live Google endpoints. - Existing test that already covers this (if any): None (this is a new provider integration). - If no new test is added, why not: N/A ## User-visible / Behavior Changes List user-visible changes (including defaults/config). If none, write `None`. - Added a new provider `google-genai` that can be used in `openclaw.json`. - Added support for `google-genai-sdk` authentication mode. - Defaulted Vertex AI location to `"global"` to better support modern model aliases (like `gemini-flash-latest`). ## Diagram (if applicable) For UI changes or non-trivial logic flows, include a small ASCII diagram reviewers can scan quickly. Otherwise write `N/A`. ```text Before (Vertex AI): [User Config] -> [Legacy Auth Resolution] -> [Failures on ADC/IAM paths] After (google-genai): [User Config] -> [google-genai-sdk Auth] -> [Checks API Key -> Falls back to ADC (global default)] -> [Success] ``` ## Security Impact (required) - New permissions/capabilities? (`No`) - Secrets/tokens handling changed? (`No`) - New/changed network calls? (`Yes`) - Command/tool execution surface changed? (`No`) - Data access scope changed? (`No`) - If any `Yes`, explain risk + mitigation: - **Risk**: New network calls to Google GenAI endpoints. - **Mitigation**: The calls use standard official Google SDKs and follow secure Application Default Credentials (ADC) patterns, which are preferred over static API keys. ## Repro + Verification ### Environment - OS: Linux - Runtime/container: Node.js (ESM) - Model/provider: `gemini-flash-latest` via `google-genai` - Integration/channel (if any): N/A - Relevant config (redacted): Set `GEMINI_LIVE_TEST=1`, `GEMINI_API_KEY` or `GOOGLE_APPLICATION_CREDENTIALS`. ### Steps 1. Configure environment with either an API Key or a Service Account JSON file. 2. Run the live test: `pnpm exec vitest run src/agents/google-genai.live.test.ts` ### Expected - Both tests (API Key and Vertex AI) pass and stream content successfully. ### Actual - Both tests passed successfully after applying a workaround for a known `gaxios` bug in Node ESM. ## Evidence Attach at least one: - [X] Failing test/log before + passing after (The Vertex AI test originally failed with a `gaxios` dynamic import error before the polyfill fix). - [ ] Trace/log snippets - [ ] Screenshot/recording - [ ] Perf numbers (if relevant) ## Human Verification (required) What you personally verified (not just CI), and how: - Verified scenarios: Live streaming via API Key and live streaming via Vertex AI using a Service Account JSON key. - Edge cases checked: Verified that omitting the location defaults to `global` and successfully resolv

openclaw2026-04-07 00:52:39

ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

GitHub issue URL

Helpful · Quick feedback

GitHub stats

openclaw/openclaw#62212•Fetched 2026-04-08 03:07:36

View on GitHub

Comments

Participants

Timeline

Reactions

Author

nakedsleepwalker

Participants

nakedsleepwalker

Error Message

When using Vertex AI with Application Default Credentials (ADC), OpenClaw returns 401 status code (no body) error. Direct API calls with curl using the same ADC credentials work correctly. 4. Receive 401 error: 401 status code (no body)

Root Cause

Root Cause Analysis

PR fix notes

PR #65023: Feat/google genai sdk as common provider across Google AI Studio and Google Cloud

Repository: openclaw/openclaw
Author: zeroasterisk
State: open | merged: False
Link: https://github.com/openclaw/openclaw/pull/65023

Description (problem / solution / changelog)

Summary

This PR integrates the new unified @google/genai SDK into OpenClaw, enabling support for both Google AI Studio (Gemini API) and Vertex AI (Google Cloud) via a single provider (google-genai).

Problem: Google AI Studio API_KEY and Google Cloud Vertex AI are confusing to users, and hard to configure - non-API_KEY auth needs to be standardized in several spots in the codebase.
Why it matters: IAM or ADC auth is more secure than API_KEYs and may help users get access.
What changed: Similar to the AWS SDK provider, we added a Google Gen AI SDK which is unified across endpoints and maintained by Google.
What did NOT change (scope boundary): We did not yet deprecate or migrate other providers, but that's a reasonable next step.

Change Type (select all)

Scope (select all touched areas)

Linked Issue/PR

Related #48033, #49191, #52648, #62212 (Resolves/improves Vertex AI ADC authentication issues by providing a working SDK integration).

Regression Test Plan (if applicable)

For bug fixes or regressions, name the smallest reliable test coverage that should catch this. Otherwise write N/A.

Coverage level that should have caught this:
- Unit test
- Seam / integration test
- End-to-end test
- Existing coverage already sufficient
Target test or file: src/agents/google-genai.live.test.ts
Scenario the test should lock in: Successful streaming and authentication for both API Key and Vertex AI (ADC) paths.
Why this is the smallest reliable guardrail: It exercises the actual SDK network calls and authentication resolution against live Google endpoints.
Existing test that already covers this (if any): None (this is a new provider integration).
If no new test is added, why not: N/A

User-visible / Behavior Changes

List user-visible changes (including defaults/config).
If none, write None.

Added a new provider google-genai that can be used in openclaw.json.
Added support for google-genai-sdk authentication mode.
Defaulted Vertex AI location to "global" to better support modern model aliases (like gemini-flash-latest).

Diagram (if applicable)

For UI changes or non-trivial logic flows, include a small ASCII diagram reviewers can scan quickly. Otherwise write N/A.

Before (Vertex AI):
[User Config] -> [Legacy Auth Resolution] -> [Failures on ADC/IAM paths]

After (google-genai):
[User Config] -> [google-genai-sdk Auth] -> [Checks API Key -> Falls back to ADC (global default)] -> [Success]

Security Impact (required)

New permissions/capabilities? (No)
Secrets/tokens handling changed? (No)
New/changed network calls? (Yes)
Command/tool execution surface changed? (No)
Data access scope changed? (No)
If any Yes, explain risk + mitigation:
- Risk: New network calls to Google GenAI endpoints.
- Mitigation: The calls use standard official Google SDKs and follow secure Application Default Credentials (ADC) patterns, which are preferred over static API keys.

Repro + Verification

Environment

OS: Linux
Runtime/container: Node.js (ESM)
Model/provider: gemini-flash-latest via google-genai
Integration/channel (if any): N/A
Relevant config (redacted): Set GEMINI_LIVE_TEST=1, GEMINI_API_KEY or GOOGLE_APPLICATION_CREDENTIALS.

Steps

Configure environment with either an API Key or a Service Account JSON file.
Run the live test: pnpm exec vitest run src/agents/google-genai.live.test.ts

Expected

Both tests (API Key and Vertex AI) pass and stream content successfully.

Actual

Both tests passed successfully after applying a workaround for a known gaxios bug in Node ESM.

Evidence

Attach at least one:

Failing test/log before + passing after (The Vertex AI test originally failed with a gaxios dynamic import error before the polyfill fix).
Trace/log snippets
Screenshot/recording
Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

Verified scenarios: Live streaming via API Key and live streaming via Vertex AI using a Service Account JSON key.
Edge cases checked: Verified that omitting the location defaults to global and successfully resolves the gemini-flash-latest alias on Vertex AI.
What you did not verify: Did not verify gcloud auth application-default login directly due to environment constraints on the test machine, but verified the identical ADC resolution path via a service account file.

Review Conversations

I replied to or resolved every bot review conversation I addressed in this PR.
I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

Backward compatible? (Yes)
Config/env changes? (Yes - adds new config options for the new provider).
Migration needed? (No)
If yes, exact upgrade steps: N/A

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

Risk: The underlying gaxios library has a bug in Node ESM environments where it fails to dynamically import node-fetch when checking for window.fetch.
- Mitigation: We added documentation in docs/google-genai-auth.md explaining the workaround (global.window = globalThis) and applied it in the test file.

Changed files

docs/google-genai-auth.md (added, +99/-0)
src/agents/google-genai-stream.ts (added, +173/-0)
src/agents/google-genai.live.test.ts (added, +104/-0)
src/agents/model-auth-runtime-shared.ts (modified, +1/-1)
src/agents/model-auth.ts (modified, +39/-2)
src/agents/pi-embedded-runner/compact.ts (modified, +1/-1)
src/agents/pi-embedded-runner/run/auth-controller.ts (modified, +1/-1)
src/agents/pi-embedded-runner/stream-resolution.ts (modified, +5/-0)
src/config/types.models.ts (modified, +6/-2)
src/config/zod-schema.core.ts (modified, +14/-2)

Code Example

TOKEN=$(gcloud auth application-default print-access-token)
curl -X POST -H Authorization: Bearer $TOKEN -H Content-Type: application/json -d {contents:[{parts:[{text:Hello}]}]} https://us-central1-aiplatform.googleapis.com/v1beta1/projects/[PROJECT]/locations/us-central1/publishers/google/models/gemini-2.5-flash:generateContent

RAW_BUFFERClick to expand / collapse

Problem Description

When using Vertex AI with Application Default Credentials (ADC), OpenClaw returns 401 status code (no body) error. Direct API calls with curl using the same ADC credentials work correctly.

Environment

OpenClaw version: 2026.4.2
pi-ai version: 0.64.0
@google/genai version: 1.47.0
GCP Project: [REDACTED]
Location: us-central1

Environment Variables

GOOGLE_CLOUD_PROJECT=[REDACTED]
GOOGLE_CLOUD_LOCATION=us-central1
GOOGLE_APPLICATION_CREDENTIALS=/root/.config/gcloud/application_default_credentials.json
GOOGLE_GENAI_USE_VERTEXAI=true

Reproduction Steps

Configure OpenClaw to use google-vertex provider with OAuth authentication
Ensure ADC credentials are properly set up (gcloud auth application-default login)
Attempt to make a request using any google-vertex model (e.g., google/gemini-2.5-flash)
Receive 401 error: 401 status code (no body)

Expected Behavior

OpenClaw should properly authenticate with Vertex AI using ADC OAuth and return valid responses, same as direct curl requests.

Direct Curl Test (Works)

TOKEN=$(gcloud auth application-default print-access-token)
curl -X POST -H Authorization: Bearer $TOKEN -H Content-Type: application/json -d {contents:[{parts:[{text:Hello}]}]} https://us-central1-aiplatform.googleapis.com/v1beta1/projects/[PROJECT]/locations/us-central1/publishers/google/models/gemini-2.5-flash:generateContent

Root Cause Analysis

Finding 1: pi-ai google-vertex.js imports wrong SDK module

The google-vertex.js provider in pi-ai imports from @google/genai which resolves to the web version, not the Node.js version. The SDK requires Node.js-specific imports for proper ADC authentication.

Finding 2: Google extension hooks into google-vertex requests

The bundled Google extension in OpenClaw core registers hookAliases: [google-antigravity, google-vertex]. This causes it to intercept ALL google-vertex requests. However, the Google extension auth handling is designed for API key authentication (createProviderApiKeyAuthMethod), NOT ADC OAuth.

Finding 3: Custom provider config conflicts

The custom google-vertex provider config has auth: oauth which triggers OpenClaw OAuth handling but returns <authenticated> marker string without properly exchanging it for a real bearer token.

What We Tried

Fixed pi-ai SDK imports - Changed from @google/genai to @google/genai/node
Removed custom provider config - Still returns 401
Changed auth setting - Still returns 401
Changed location - Still returns 401

Issue Summary

The core problem is that OpenClaw bundled Google extension has hookAliases: [google-vertex] which intercepts all google-vertex requests, but its auth handling is for API keys only - NOT ADC OAuth.

Request

Please fix the Google extension to properly support ADC OAuth for Vertex AI, OR provide a way to disable the hook alias for google-vertex so pi-ai implementation can work correctly.

extent analysis

TL;DR

Update the Google extension in OpenClaw to support ADC OAuth for Vertex AI or disable the hook alias for google-vertex to allow the pi-ai implementation to handle authentication.

Guidance

Verify that the @google/genai version is compatible with Node.js and supports ADC OAuth.
Check the OpenClaw configuration to ensure that the google-vertex provider is correctly set up to use ADC OAuth.
Consider disabling the Google extension's hook alias for google-vertex to prevent it from intercepting requests and allow the pi-ai implementation to handle authentication.
Review the custom provider config to ensure that it is not conflicting with the ADC OAuth setup.

Example

// Disable the Google extension's hook alias for google-vertex
const googleExtension = require('google-extension');
googleExtension.hookAliases = googleExtension.hookAliases.filter(alias => alias !== 'google-vertex');

Notes

The issue seems to be related to the Google extension's authentication handling, which is designed for API keys only.
Disabling the hook alias for google-vertex may be a temporary workaround, but a proper fix would involve updating the Google extension to support ADC OAuth.

Recommendation

Apply workaround: Disable the Google extension's hook alias for google-vertex to allow the pi-ai implementation to handle authentication, as updating the Google extension may require significant changes.

Vote matrix · Quick signals

Works

Did the solution work? Tap to confirm.

Easy Fix

Was it a quick fix?

Time Saver

Did it save you time?

Blocking

Was it severely blocking?

Common Issue

Are others likely hitting this too?

Flaky / Intermittent

Is it intermittent?

Verified / Reproducible

Can you reproduce it reliably?

#api #environment variable #SSR setup #ISR setup #authentication setup

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

openclaw - ✅(Solved) Fix Vertex AI ADC OAuth Authentication Fails with 401 Error [1 pull requests, 1 participants]

Recommended Tools

GitHub issue graph ai analysis

Error Message

Root Cause

Root Cause Analysis

PR fix notes

PR #65023: Feat/google genai sdk as common provider across Google AI Studio and Google Cloud

Description (problem / solution / changelog)

Summary

Change Type (select all)

Scope (select all touched areas)

Linked Issue/PR

Regression Test Plan (if applicable)

User-visible / Behavior Changes

Diagram (if applicable)

Security Impact (required)

Repro + Verification

Environment

Steps

Expected

Actual

Evidence

Human Verification (required)

Review Conversations

Compatibility / Migration

Risks and Mitigations

Changed files

Code Example

Problem Description

Environment

Environment Variables

Reproduction Steps

Expected Behavior

Direct Curl Test (Works)

Root Cause Analysis

Finding 1: pi-ai google-vertex.js imports wrong SDK module

Finding 2: Google extension hooks into google-vertex requests

Finding 3: Custom provider config conflicts

What We Tried

Issue Summary

Request

extent analysis

TL;DR

Guidance

Example

Notes

Recommendation

Still need to ship something?

RELATED_DISCOVERY

TRENDING