Skip to content

[awf] api-proxy: malformed Authorization header when using COPILOT_PROVIDER_API_KEY with external providers (v0.71.4) #2665

Description

@lpcox

Problem

Using BYOK with COPILOT_PROVIDER_API_KEY and COPILOT_PROVIDER_BASE_URL pointing to an external provider (e.g. OpenRouter) causes every api-proxy request to fail with 400 Authorization header is badly formatted. All 4 retries are exhausted and the agent run aborts.

Context

Original report: github/gh-aw#30169

Affected version: v0.71.4. Provider: OpenRouter ((openrouter.ai/redacted), model minimax/minimax-m2.5:free`.

Root Cause

The api-proxy sidecar (containers/api-proxy/) constructs the Authorization header incorrectly for external (non-Copilot) providers when COPILOT_PROVIDER_API_KEY is set. Likely the header value is being double-prefixed (Bearer Bearer sk-...) or the key value includes extra whitespace/encoding introduced during env var injection.

Proposed Solution

Audit the Authorization header construction in containers/api-proxy/ for the BYOK external-provider code path. Add an integration test that sets COPILOT_PROVIDER_BASE_URL to a mock server and verifies the forwarded Authorization header is exactly Bearer (key) with no duplication or extra characters. Fix the formatting bug and ensure it covers both OpenAI-compatible and Azure provider types.

Generated by Firewall Issue Dispatcher · ● 1.2M ·

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions