Release 2026.6.6:0 — fix API key auth + bump OpenClaw 2026.6.6#12
Merged
Conversation
Configure API Credentials stores provider API keys in auth-profiles.json,
but current OpenClaw reads auth from a per-agent SQLite store and no longer
consumes auth-profiles.json at runtime — so configured keys are never found
("No API key found for provider anthropic") after upgrading to such a build.
OpenClaw does read provider keys from the environment (ANTHROPIC_API_KEY /
OPENAI_API_KEY). Read the stored token profiles in setupMain and pass them as
env to the gateway daemon. The read is reactive (.const), so reconfiguring a
key restarts the gateway with the new value. Independent of agent id and the
auth-store format. API-key profiles only; OAuth is unchanged.
Verified against the 2026.6.5 binary: with the env set, `openclaw models
status` resolves the configured model as effective=env.
9670ce8 to
cc56e78
Compare
- Dockerfile: OPENCLAW_VERSION 2026.6.5 -> 2026.6.6, GH_VERSION 2.93.0 -> 2.94.0 - adopt the current.ts versioning convention (rename version file to current.ts, export 'current'); update CONTRIBUTING.md/UPDATING.md to match - releaseNotes: OpenClaw 2026.6.6 + the API-key auth fix OpenClaw 2026.6.6 is a maintenance/security release with no breaking changes to the env-var auth path; re-verified the API-key fix resolves on the 2026.6.6 binary.
MattDHill
approved these changes
Jun 12, 2026
Contributor
Author
|
Thanks for the review and merge, @MattDHill 🙏 Released as 2026.6.6:0. Existing affected users recover on next restart — the already-stored API key gets passed to the gateway as |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Releases 2026.6.6:0, combining the API-key auth fix with the upstream bump.
Fix: provider API key not used (the "wiped key" report)
OpenClaw moved auth to a per-agent SQLite store and no longer reads
auth-profiles.jsonat runtime (verified: a validauth-profiles.jsonstill reportsMissing auth). Configure API Credentials stores keys there, so after upgrading to such a build the key is never consumed →No API key found for provider "anthropic".OpenClaw does read keys from the environment, so the fix consumes the already-stored key: in
setupMain, read the stored token profiles and pass them to the gateway daemon asANTHROPIC_API_KEY/OPENAI_API_KEY. Reactive (.const) so reconfiguring restarts the gateway with the new value; agent-id- and store-format-agnostic. One file, ~20 lines — no changes to the action, its prefill, or any schema. API keys only (OAuth unchanged).Existing affected users recover automatically on next restart — the key they already saved gets used.
Upstream bump
2026.6.5→2026.6.6(maintenance/security release; no breaking changes to the env-var auth path)2.93.0→2.94.0Versioning
current.tsconvention (renamed the version file tocurrent.ts, exportcurrent);CONTRIBUTING.md/UPDATING.mdupdated to match.Verification
Against the 2026.6.6 binary built into the image:
npm run checkpasses;makebuilds both arches at2026.6.6:0.Still worth confirming against a real Anthropic key.