Skip to content

Release 2026.6.6:0 — fix API key auth + bump OpenClaw 2026.6.6#12

Merged
MattDHill merged 2 commits into
masterfrom
fix/api-key-via-env-block
Jun 12, 2026
Merged

Release 2026.6.6:0 — fix API key auth + bump OpenClaw 2026.6.6#12
MattDHill merged 2 commits into
masterfrom
fix/api-key-via-env-block

Conversation

@helix-nine

@helix-nine helix-nine commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Releases 2026.6.6:0, combining the API-key auth fix with the upstream bump.

Fix: provider API key not used (the "wiped key" report)

OpenClaw moved auth to a per-agent SQLite store and no longer reads auth-profiles.json at runtime (verified: a valid auth-profiles.json still reports Missing auth). Configure API Credentials stores keys there, so after upgrading to such a build the key is never consumed → No API key found for provider "anthropic".

OpenClaw does read keys from the environment, so the fix consumes the already-stored key: in setupMain, read the stored token profiles and pass them to the gateway daemon as ANTHROPIC_API_KEY / OPENAI_API_KEY. Reactive (.const) so reconfiguring restarts the gateway with the new value; agent-id- and store-format-agnostic. One file, ~20 lines — no changes to the action, its prefill, or any schema. API keys only (OAuth unchanged).

Existing affected users recover automatically on next restart — the key they already saved gets used.

Upstream bump

  • OpenClaw 2026.6.52026.6.6 (maintenance/security release; no breaking changes to the env-var auth path)
  • GitHub CLI (bundled) 2.93.02.94.0

Versioning

  • Adopts the current.ts convention (renamed the version file to current.ts, export current); CONTRIBUTING.md / UPDATING.md updated to match.

Verification

Against the 2026.6.6 binary built into the image:

Default : anthropic/claude-opus-4-6
- anthropic effective=env:sk-ant-... | source=env: ANTHROPIC_API_KEY

npm run check passes; make builds both arches at 2026.6.6:0.

Still worth confirming against a real Anthropic key.

Configure API Credentials stores provider API keys in auth-profiles.json,
but current OpenClaw reads auth from a per-agent SQLite store and no longer
consumes auth-profiles.json at runtime — so configured keys are never found
("No API key found for provider anthropic") after upgrading to such a build.

OpenClaw does read provider keys from the environment (ANTHROPIC_API_KEY /
OPENAI_API_KEY). Read the stored token profiles in setupMain and pass them as
env to the gateway daemon. The read is reactive (.const), so reconfiguring a
key restarts the gateway with the new value. Independent of agent id and the
auth-store format. API-key profiles only; OAuth is unchanged.

Verified against the 2026.6.5 binary: with the env set, `openclaw models
status` resolves the configured model as effective=env.
@helix-nine helix-nine force-pushed the fix/api-key-via-env-block branch from 9670ce8 to cc56e78 Compare June 12, 2026 12:25
@helix-nine helix-nine changed the title fix: store provider API keys in openclaw.json env block (Anthropic key wiped on update) fix: feed stored API keys to the gateway via env (Anthropic key wiped on update) Jun 12, 2026
- Dockerfile: OPENCLAW_VERSION 2026.6.5 -> 2026.6.6, GH_VERSION 2.93.0 -> 2.94.0
- adopt the current.ts versioning convention (rename version file to
  current.ts, export 'current'); update CONTRIBUTING.md/UPDATING.md to match
- releaseNotes: OpenClaw 2026.6.6 + the API-key auth fix

OpenClaw 2026.6.6 is a maintenance/security release with no breaking changes
to the env-var auth path; re-verified the API-key fix resolves on the 2026.6.6
binary.
@helix-nine helix-nine changed the title fix: feed stored API keys to the gateway via env (Anthropic key wiped on update) Release 2026.6.6:0 — fix API key auth + bump OpenClaw 2026.6.6 Jun 12, 2026
@MattDHill MattDHill merged commit 9d000a3 into master Jun 12, 2026
1 check passed
@MattDHill MattDHill deleted the fix/api-key-via-env-block branch June 12, 2026 13:20
@helix-nine

Copy link
Copy Markdown
Contributor Author

Thanks for the review and merge, @MattDHill 🙏

Released as 2026.6.6:0. Existing affected users recover on next restart — the already-stored API key gets passed to the gateway as ANTHROPIC_API_KEY/OPENAI_API_KEY via the reactive .const read in setupMain, so no reconfigure needed. Still worth a confirm against a real Anthropic key as noted in the description.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants