Problem
Using BYOK with COPILOT_PROVIDER_API_KEY and COPILOT_PROVIDER_BASE_URL pointing to an external provider (e.g. OpenRouter) causes every api-proxy request to fail with 400 Authorization header is badly formatted. All 4 retries are exhausted and the agent run aborts.
Context
Original report: github/gh-aw#30169
Affected version: v0.71.4. Provider: OpenRouter ((openrouter.ai/redacted), model minimax/minimax-m2.5:free`.
Root Cause
The api-proxy sidecar (containers/api-proxy/) constructs the Authorization header incorrectly for external (non-Copilot) providers when COPILOT_PROVIDER_API_KEY is set. Likely the header value is being double-prefixed (Bearer Bearer sk-...) or the key value includes extra whitespace/encoding introduced during env var injection.
Proposed Solution
Audit the Authorization header construction in containers/api-proxy/ for the BYOK external-provider code path. Add an integration test that sets COPILOT_PROVIDER_BASE_URL to a mock server and verifies the forwarded Authorization header is exactly Bearer (key) with no duplication or extra characters. Fix the formatting bug and ensure it covers both OpenAI-compatible and Azure provider types.
Generated by Firewall Issue Dispatcher · ● 1.2M · ◷
Problem
Using BYOK with
COPILOT_PROVIDER_API_KEYandCOPILOT_PROVIDER_BASE_URLpointing to an external provider (e.g. OpenRouter) causes every api-proxy request to fail with400 Authorization header is badly formatted. All 4 retries are exhausted and the agent run aborts.Context
Original report: github/gh-aw#30169
Affected version: v0.71.4. Provider: OpenRouter (
(openrouter.ai/redacted), modelminimax/minimax-m2.5:free`.Root Cause
The api-proxy sidecar (
containers/api-proxy/) constructs theAuthorizationheader incorrectly for external (non-Copilot) providers whenCOPILOT_PROVIDER_API_KEYis set. Likely the header value is being double-prefixed (Bearer Bearer sk-...) or the key value includes extra whitespace/encoding introduced during env var injection.Proposed Solution
Audit the Authorization header construction in
containers/api-proxy/for the BYOK external-provider code path. Add an integration test that setsCOPILOT_PROVIDER_BASE_URLto a mock server and verifies the forwardedAuthorizationheader is exactlyBearer (key)with no duplication or extra characters. Fix the formatting bug and ensure it covers both OpenAI-compatible and Azure provider types.