Skip to content

[awf] api-proxy: BYOK Authorization header badly formatted when forwarding to external provider #2513

Description

@lpcox

Problem

When users configure BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL pointing to an external provider like OpenRouter), the api-proxy sidecar sends a malformed Authorization header, causing all inference requests to fail with 400 bad request: Authorization header is badly formatted. All 4 retries are exhausted before giving up.

Context

Reported in gh-aw#30169 against v0.71.4. The health check correctly identifies BYOK mode, and the agent container holds only the placeholder key — the real COPILOT_PROVIDER_API_KEY is in the sidecar. Despite this, the sidecar forwards a badly-formatted Authorization header upstream.

Root Cause

The api-proxy sidecar in containers/api-proxy/ (port 10002, Copilot) likely constructs the Authorization header incorrectly when COPILOT_PROVIDER_BASE_URL overrides the upstream target — possibly missing Bearer prefix, double-prefixing, or URL-encoding the token.

Proposed Solution

  1. In containers/api-proxy/, audit the header injection logic for the Copilot handler when COPILOT_PROVIDER_API_KEY and COPILOT_PROVIDER_BASE_URL are set — ensure the forwarded header is exactly Authorization: Bearer <key>.
  2. Add an integration test that sends a request through the sidecar in BYOK mode and asserts the upstream sees a correctly formatted header.
  3. Classify 400 upstream responses from the provider as non-retryable auth errors in the copilot-harness to fail fast instead of exhausting all retries.

Generated by Firewall Issue Dispatcher · ● 569.4K ·

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions