Problem
When users configure BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL pointing to an external provider like OpenRouter), the api-proxy sidecar sends a malformed Authorization header, causing all inference requests to fail with 400 bad request: Authorization header is badly formatted. All 4 retries are exhausted before giving up.
Context
Reported in gh-aw#30169 against v0.71.4. The health check correctly identifies BYOK mode, and the agent container holds only the placeholder key — the real COPILOT_PROVIDER_API_KEY is in the sidecar. Despite this, the sidecar forwards a badly-formatted Authorization header upstream.
Root Cause
The api-proxy sidecar in containers/api-proxy/ (port 10002, Copilot) likely constructs the Authorization header incorrectly when COPILOT_PROVIDER_BASE_URL overrides the upstream target — possibly missing Bearer prefix, double-prefixing, or URL-encoding the token.
Proposed Solution
- In
containers/api-proxy/, audit the header injection logic for the Copilot handler when COPILOT_PROVIDER_API_KEY and COPILOT_PROVIDER_BASE_URL are set — ensure the forwarded header is exactly Authorization: Bearer <key>.
- Add an integration test that sends a request through the sidecar in BYOK mode and asserts the upstream sees a correctly formatted header.
- Classify
400 upstream responses from the provider as non-retryable auth errors in the copilot-harness to fail fast instead of exhausting all retries.
Generated by Firewall Issue Dispatcher · ● 569.4K · ◷
Problem
When users configure BYOK mode (
COPILOT_PROVIDER_API_KEY+COPILOT_PROVIDER_BASE_URLpointing to an external provider like OpenRouter), the api-proxy sidecar sends a malformedAuthorizationheader, causing all inference requests to fail with400 bad request: Authorization header is badly formatted. All 4 retries are exhausted before giving up.Context
Reported in gh-aw#30169 against v0.71.4. The health check correctly identifies BYOK mode, and the agent container holds only the placeholder key — the real
COPILOT_PROVIDER_API_KEYis in the sidecar. Despite this, the sidecar forwards a badly-formattedAuthorizationheader upstream.Root Cause
The api-proxy sidecar in
containers/api-proxy/(port 10002, Copilot) likely constructs theAuthorizationheader incorrectly whenCOPILOT_PROVIDER_BASE_URLoverrides the upstream target — possibly missingBearerprefix, double-prefixing, or URL-encoding the token.Proposed Solution
containers/api-proxy/, audit the header injection logic for the Copilot handler whenCOPILOT_PROVIDER_API_KEYandCOPILOT_PROVIDER_BASE_URLare set — ensure the forwarded header is exactlyAuthorization: Bearer <key>.400upstream responses from the provider as non-retryable auth errors in the copilot-harness to fail fast instead of exhausting all retries.