Description
When using Kimi K2.5 through OpenCode Zen, all requests fail with the following error:
Extra inputs are not permitted, field: 'safety_identifier'
The Kimi API is rejecting requests because OpenCode Zen is injecting a safety_identifier field containing what appears to be the user's IPv6 address. The Kimi API does not accept this field.
This may have originated from using the same OpenCode Zen API key in OpenClaw, where an IP address was entered during a setup process. The value appears to have been persisted server-side on the account.
What I've tried:
- Updated OpenCode from 1.3.0 to 1.3.8
- Cleared ~/.local/share/opencode/auth.json and re-authenticated
- Generated a new API key on OpenCode Zen
- Verified no local files contain the value (logs, database, config all clean)
None of these resolved the issue, confirming it is persisted server-side.
Expected behavior:
Requests to Kimi K2.5 should not include a safety_identifier field, as the Kimi API rejects it as an invalid input.
Security concern:
The user's IPv6 address is being exposed in plaintext error messages returned by the API. This is a privacy issue -- IP addresses should not be stored or transmitted as part of model request payloads.
Environment:
- OpenCode: 1.3.8
- Install method: Homebrew (anomalyco/tap/opencode)
- Platform: macOS (Apple Silicon)
- Provider: OpenCode Zen
Plugins
No response
OpenCode version
1.3.8
Steps to reproduce
No response
Screenshot and/or share link
No response
Operating System
macOS 26.4
Terminal
Mac Terminal, Warp
Description
When using Kimi K2.5 through OpenCode Zen, all requests fail with the following error:
Extra inputs are not permitted, field: 'safety_identifier'
The Kimi API is rejecting requests because OpenCode Zen is injecting a
safety_identifierfield containing what appears to be the user's IPv6 address. The Kimi API does not accept this field.This may have originated from using the same OpenCode Zen API key in OpenClaw, where an IP address was entered during a setup process. The value appears to have been persisted server-side on the account.
What I've tried:
None of these resolved the issue, confirming it is persisted server-side.
Expected behavior:
Requests to Kimi K2.5 should not include a safety_identifier field, as the Kimi API rejects it as an invalid input.
Security concern:
The user's IPv6 address is being exposed in plaintext error messages returned by the API. This is a privacy issue -- IP addresses should not be stored or transmitted as part of model request payloads.
Environment:
Plugins
No response
OpenCode version
1.3.8
Steps to reproduce
No response
Screenshot and/or share link
No response
Operating System
macOS 26.4
Terminal
Mac Terminal, Warp