Bug Report
Description
When using BYOK (Bring Your Own Key) with COPILOT_PROVIDER_API_KEY and COPILOT_PROVIDER_BASE_URL pointing to an external provider (e.g. OpenRouter), every request to the api-proxy fails with:
400 400 bad request: Authorization header is badly formatted
This happens on every attempt (all 4 retries exhaust), causing the entire agent run to fail.
Environment
- gh-aw version: v0.71.4
- Runner image: ubuntu-24.04 (20260413.86.1)
- Model: minimax/minimax-m2.5:free (via OpenRouter)
- COPILOT_PROVIDER_BASE_URL: https://openrouter.ai/api/v1
Steps to Reproduce
- Set COPILOT_PROVIDER_BASE_URL and COPILOT_PROVIDER_API_KEY in the workflow .md config file for BYOK mode.
- Trigger the agentic workflow.
- Observe the agent container logs.
Observed Behavior
The health check passes and correctly identifies offline+BYOK mode:
[health-check] ✓ COPILOT_PROVIDER_API_KEY is placeholder value (correct)
[health-check] COPILOT_PROVIDER_BASE_URL=http://172.30.0.30:10002 (offline+BYOK mode)
[health-check] ✓ Copilot CLI offline+BYOK mode configured
[health-check] ✓ All API proxy health checks passed
But all inference requests immediately fail:
● Request failed (transient_bad_request). Retrying...
● Request failed (transient_bad_request). Retrying...
400 400 bad request: Authorization header is badly formatted
Additionally, the models endpoint also returns 400:
[copilot-harness] awf-reflect: models fetch returned 400 for http://api-proxy:10002/models
The harness does not classify this as an auth error (isAuthError=false), so all 3 retries are consumed before giving up:
[copilot-harness] attempt 4 failed: exitCode=1 isCAPIError400=false isMCPPolicyError=false isModelNotSupportedError=false isNullTypeToolCallError=false isAuthError=false hasOutput=true retriesRemaining=0
[copilot-harness] all 3 retries exhausted — giving up (exitCode=1)
Expected Behavior
The api-proxy sidecar should correctly inject the COPILOT_PROVIDER_API_KEY as a properly formatted Authorization: Bearer <key> header when proxying requests to the external provider URL.
Additionally, a badly-formatted Authorization header (400 from the upstream provider) should ideally be classified as a non-retryable auth error to fail fast rather than exhausting all retries.
Additional Context
- The COPILOT_API_KEY env var inside the container is correctly set to the dummy-byok-key-for-offline-mode placeholder.
- The actual provider key (COPILOT_PROVIDER_API_KEY) is held securely in the sidecar proxy container.
- The issue appears to be in how the sidecar proxy formats the Authorization header when forwarding requests upstream to the external provider.
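The two behaviors requested under Expected Behavior, sketched as an added example (not code from gh-aw, the api-proxy, or the reporter): building a well-formed `Authorization: Bearer <key>` header from the configured key, and stopping retries on the first auth-type failure. The function names, the normalization rules, and the sample key are assumptions made for illustration; only the placeholder value and the error text come from the report.

```javascript
// Added example: hypothetical helpers, not the project's implementation.
const PLACEHOLDER_KEY = "dummy-byok-key-for-offline-mode"; // value quoted in the report

// Build the upstream Authorization header from the configured provider key.
// Throws rather than forwarding a value the provider would reject.
function buildAuthorizationHeader(rawKey) {
  if (typeof rawKey !== "string") throw new Error("provider key is not set");
  // Secrets often arrive with a trailing newline or surrounding quotes.
  let key = rawKey.trim().replace(/^["']|["']$/g, "");
  // Avoid "Bearer Bearer <key>" when the secret already carries the scheme.
  key = key.replace(/^Bearer\s+/i, "");
  if (key === "") throw new Error("provider key is empty");
  if (key === PLACEHOLDER_KEY) throw new Error("placeholder key must not be sent upstream");
  // Visible ASCII only: rejects inner whitespace, CR/LF (header injection), non-ASCII.
  if (!/^[\x21-\x7e]+$/.test(key)) throw new Error("provider key contains invalid characters");
  return `Bearer ${key}`;
}

// True when an upstream response indicates a credential problem.
// The 400 case matches the error text shown in the report.
function isAuthFailure(status, body) {
  const text = String(body || "").toLowerCase();
  if (status === 401 || status === 403) return true;
  return status === 400 && text.includes("authorization header");
}

// Retry loop that stops on the first auth failure instead of using up retries.
// `attempt` is a hypothetical callback returning { status, body }.
function runWithRetries(attempt, maxRetries) {
  let attempts = 0;
  for (;;) {
    attempts += 1;
    const res = attempt();
    if (res.status < 400) return { ok: true, attempts, authFailure: false };
    const authFailure = isAuthFailure(res.status, res.body);
    if (authFailure || attempts > maxRetries) return { ok: false, attempts, authFailure };
  }
}
```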