Description
When deploying with a custom OpenAI-compatible endpoint that does not require an API key (e.g., a vLLM InferenceService with no auth), OpenClaw fails at startup because no auth profile or API key ref is populated for the provider.
The installer UI already allows the API key field to be left blank ("Leave blank for local endpoints that do not require auth"), but the backend doesn't compensate — if no key is provided, the provider config in openclaw.json omits the apiKey field entirely, and no auth profile is written to the auth store. OpenClaw requires auth for every registered provider and won't start without it.
Root cause
In both deployers, modelEndpointApiKeyRef is only created when an API key value exists:
local.ts ~L763-769:
const modelEndpointApiKeyRef = hasSecretRef(config.modelEndpointApiKeyRef)
? config.modelEndpointApiKeyRef
: (config.modelEndpointApiKey || hasPodmanSecretTarget(...))
? envSecretRef("MODEL_ENDPOINT_API_KEY")
: undefined;k8s-helpers.ts ~L700-704:
const modelEndpointApiKeyRef = hasSecretRef(config.modelEndpointApiKeyRef)
? config.modelEndpointApiKeyRef
: config.modelEndpointApiKey
? envSecretRef("MODEL_ENDPOINT_API_KEY")
: undefined;When undefined, the provider config gets apiKey: undefined (omitted from JSON), and the env var MODEL_ENDPOINT_API_KEY is never set.
Workaround
The MLflow tracing overlay in agentic-starter-kits works around this by setting "apiKey": "${VLLM_API_KEY}" in openclaw.json and sourcing a dummy value from a K8s Secret.
Proposed fix
When a custom endpoint is configured without an API key, inject a placeholder value automatically:
- In both deployers: when
config.modelEndpoint is set and no API key is provided, create a modelEndpointApiKeyRef pointing to MODEL_ENDPOINT_API_KEY
- Set
MODEL_ENDPOINT_API_KEY to a placeholder value (e.g., no-key-required) in the container environment
- This satisfies OpenClaw's auth requirement without requiring the user to provide a dummy key
Related issues
Description
When deploying with a custom OpenAI-compatible endpoint that does not require an API key (e.g., a vLLM InferenceService with no auth), OpenClaw fails at startup because no auth profile or API key ref is populated for the provider.
The installer UI already allows the API key field to be left blank ("Leave blank for local endpoints that do not require auth"), but the backend doesn't compensate — if no key is provided, the provider config in
openclaw.jsonomits theapiKeyfield entirely, and no auth profile is written to the auth store. OpenClaw requires auth for every registered provider and won't start without it.Root cause
In both deployers,
modelEndpointApiKeyRefis only created when an API key value exists:local.ts ~L763-769:
k8s-helpers.ts ~L700-704:
When
undefined, the provider config getsapiKey: undefined(omitted from JSON), and the env varMODEL_ENDPOINT_API_KEYis never set.Workaround
The MLflow tracing overlay in agentic-starter-kits works around this by setting
"apiKey": "${VLLM_API_KEY}"inopenclaw.jsonand sourcing a dummy value from a K8s Secret.Proposed fix
When a custom endpoint is configured without an API key, inject a placeholder value automatically:
config.modelEndpointis set and no API key is provided, create amodelEndpointApiKeyRefpointing toMODEL_ENDPOINT_API_KEYMODEL_ENDPOINT_API_KEYto a placeholder value (e.g.,no-key-required) in the container environmentRelated issues
/get misrouted (separate issue)