Skip to content

[awf] api-proxy: malformed Authorization header with COPILOT_PROVIDER_API_KEY (BYOK, v0.71.4) #2703

Description

@lpcox

Problem

When using BYOK with COPILOT_PROVIDER_API_KEY and an external provider base URL (e.g., OpenRouter), every request via the api-proxy fails with 400: Authorization header is badly formatted. All retries fail, causing the entire agent run to abort.

Context

Upstream: github/gh-aw#30169

  • gh-aw v0.71.4, ubuntu-24.04
  • `COPILOT_PROVIDER_BASE_URL: (openrouter.ai/redacted)
  • Model: minimax/minimax-m2.5:free

Root Cause

The api-proxy in containers/api-proxy/ likely double-encodes or mis-formats the Authorization header when injecting COPILOT_PROVIDER_API_KEY — possibly prepending Bearer to a value that already contains it, or incorrectly concatenating with another header.

Proposed Solution

  1. Audit the Authorization header construction in containers/api-proxy/ — ensure the injected key is formatted as Bearer (raw_key) with no duplication.
  2. Add a unit test for header injection with a raw API key value.
  3. Add an integration test against a mock external provider endpoint to verify header format.

Generated by Firewall Issue Dispatcher · ● 1.2M ·

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions