Problem
When COPILOT_PROVIDER_API_KEY is set for BYOK mode with an external provider (e.g. OpenRouter), every request through the api-proxy fails with 400 bad request: Authorization header is badly formatted. All retries exhaust and the agent run fails entirely.
Context
Reported in github/gh-aw#30169. Affects v0.71.4 with COPILOT_PROVIDER_BASE_URL pointing to a non-GitHub provider. The api-proxy receives the request but constructs a malformed Authorization header before forwarding.
Root Cause
In containers/api-proxy/, the proxy likely prepends token (GitHub-style) or Bearer in a duplicated or incorrectly cased form to the outgoing Authorization header when the upstream is an external provider that expects a plain Bearer <key> format. The header may also be double-encoded if the Copilot client already adds its own Authorization value.
Proposed Solution
- In the api-proxy handler for the Copilot port (10002), detect whether
COPILOT_PROVIDER_BASE_URL is non-GitHub and apply the appropriate header format (Bearer <key> only, stripping any client-supplied auth).
- Add provider-type-specific header normalization in
containers/api-proxy/.
- Add integration tests for the OpenRouter/Azure OpenAI external-provider path verifying the exact
Authorization header format sent upstream.
Generated by Firewall Issue Dispatcher · ● 1.3M · ◷
Problem
When
COPILOT_PROVIDER_API_KEYis set for BYOK mode with an external provider (e.g. OpenRouter), every request through the api-proxy fails with400 bad request: Authorization header is badly formatted. All retries exhaust and the agent run fails entirely.Context
Reported in github/gh-aw#30169. Affects v0.71.4 with
COPILOT_PROVIDER_BASE_URLpointing to a non-GitHub provider. The api-proxy receives the request but constructs a malformedAuthorizationheader before forwarding.Root Cause
In
containers/api-proxy/, the proxy likely prependstoken(GitHub-style) orBearerin a duplicated or incorrectly cased form to the outgoingAuthorizationheader when the upstream is an external provider that expects a plainBearer <key>format. The header may also be double-encoded if the Copilot client already adds its ownAuthorizationvalue.Proposed Solution
COPILOT_PROVIDER_BASE_URLis non-GitHub and apply the appropriate header format (Bearer <key>only, stripping any client-supplied auth).containers/api-proxy/.Authorizationheader format sent upstream.