
fix: query apiKey auth lost when request has no query parameters #3853

Draft
Copilot wants to merge 2 commits into main from copilot/fix-apikey-auth-issue


Copilot AI commented May 6, 2026

When using a query apiKey security scheme, the token was silently dropped from the URL if the request had no other query parameters. Requests with existing query params worked fine because they shared an object reference; requests without query params did not because setAuthParams was mutating a detached local copy.

Root cause

setAuthParams destructured its argument, creating a new local options object:

// Before — destructuring creates a new object; options.query = {} never reaches opts
export const setAuthParams = async ({ security, ...options }) => {
  for (const auth of security) {
    // ... name and token are resolved for this scheme (elided in this excerpt) ...
    switch (auth.in) {
      case 'query':
        if (!options.query) options.query = {};  // only mutates the local copy
        options.query[name] = token;
        break;
    }
  }
};

// Call site in beforeRequest
if (opts.security) {
  await setAuthParams({ ...opts, security: opts.security });  // another spread
}
const url = buildUrl(opts);  // opts.query is still undefined

Changes

  • setAuthParams (all clients) — removed destructuring; function now takes options directly and iterates options.security ?? []. Signature changed from Pick<Required<RequestOptions>, 'security'> & Pick<RequestOptions, 'auth' | 'query'> to Pick<RequestOptions, 'auth' | 'query' | 'security'>.

  • beforeRequest callers (all clients) — replaced await setAuthParams({ ...opts, security: opts.security }) with await setAuthParams(opts) so mutations to options.query are visible to the subsequent buildUrl(opts) call.

  • Nuxt onRequest interceptor — kept a thin authOpts wrapper (the $fetch interceptor options have no auth/security), but propagated the initialized query back: if (authOpts.query !== options.query) options.query = authOpts.query.

  • Regression tests — added 'sets access token in query when query is initially undefined' to each client's utils.test.ts.

  • Snapshots — updated ~300 generated snapshots to reflect the simplified await setAuthParams(opts) call site.

Affected: client-fetch, client-next, client-axios, client-ky, client-ofetch, client-nuxt, client-angular, @hey-api/custom-client.




changeset-bot Bot commented May 6, 2026

⚠️ No Changeset found

Latest commit: ecce682

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.



pullfrog Bot commented May 6, 2026

TL;DR — WIP PR opened by Copilot to address a bug where query apiKey auth is lost when a request has no other query parameters. No code changes have been pushed yet; only an initial planning commit exists.

Key changes

  • No changes yet — The PR currently contains a single "Initial plan" commit with no file modifications.

Summary | 0 files | 1 commits | base: main ← copilot/fix-apikey-auth-issue


Context

Before: PR is empty pending implementation.
After: This summary will be updated once code is pushed.

The linked issue traces the bug to setAuthParams destructuring its input with a rest spread ({ security, ...options }), which creates a detached local object. When opts.query is initially undefined, assigning options.query = {} inside setAuthParams only mutates the local copy, so buildUrl(opts) later sees query: undefined and drops the token. When opts.query already exists, the spread preserves the same reference and mutation propagates — which is why the bug only surfaces on requests with no other query parameters.

The reporter suggests either making setAuthParams mutate the original options object or having it return updated query/options for the caller to assign back. The issue's agent instructions ask to identify whether the bug affects multiple clients or is isolated to one — this scope analysis is pending implementation.


@pullfrog pullfrog Bot left a comment


Note

No file changes yet — the only commit is a placeholder "Initial plan" by Copilot and the diff is empty. Re-request review once the implementation is pushed.

A few notes for when the fix lands, based on the issue's root-cause analysis:

  • The bug is in the shared bundle helper setAuthParams (under packages/openapi-ts/src/plugins/@hey-api/client-core/bundle/), which is consumed by all three plugin clients — client-fetch, client-ky, and client-next. Verify the fix lands in the shared file and that all three client bundles pick it up; otherwise the regression coverage is incomplete.
  • packages/custom-client has its own setAuthParams and should be checked separately — it is not part of the client-core bundle.
  • Prefer mutating options directly (drop the { security, ...options } rest destructure) over returning a new object — it keeps the call site in beforeRequest unchanged and matches the existing header-mutation pattern. Returning a new value forces every caller (including makeSseFn) to reassign, which is a wider blast radius.
  • Add a regression test for the no-query-params case at packages/openapi-ts/src/plugins/@hey-api/client-{fetch,ky}/__tests__/client.test.ts (the existing query-auth tests likely all set query already, which is why this slipped through). client-next has no equivalent interceptor test file today — worth adding one.
  • Generated snapshots under packages/openapi-ts-tests/**/__snapshots__/**/client.gen.ts and examples/**/client.gen.ts will need regenerating if the bundle template changes.


Remove destructuring in setAuthParams so mutations to options.query
propagate back to the original opts object used by buildUrl.

Before this fix, setAuthParams destructured its argument as
{ security, ...options }, which created a new local object. Setting
options.query = {} inside the function only updated that local copy,
so when the caller had no query params (opts.query === undefined), the
token was never visible to buildUrl(opts).

After this fix, setAuthParams receives the options object directly.
When options.query is undefined and a query apiKey is used, the
function initialises options.query = {} on the same reference that
buildUrl later reads, so the token appears in the URL.

Affected clients: client-fetch, client-next, client-axios, client-ky,
client-ofetch, client-nuxt, client-angular, custom-client.

Agent-Logs-Url: https://github.com/hey-api/openapi-ts/sessions/a6408979-09df-4657-a3de-44e893a7c8ce
Copilot AI changed the title from "[WIP] Fix apiKey auth loss with no query parameters" to "fix: query apiKey auth lost when request has no query parameters" May 6, 2026
Copilot finished work on behalf of mrlubos May 6, 2026 17:54
Copilot AI requested a review from mrlubos May 6, 2026 17:54
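
A minimal model of the reference-loss bug and the two fixes described in this PR (direct mutation, and the Nuxt-style copy-back), added here as an illustration and not taken from the project's code. The function bodies, the synchronous token lookup, the URL and the `api_key` / `EXAMPLE-KEY` values are assumptions; only the names `setAuthParams`, `buildUrl`, `opts`, `security` and `query` come from the page.

```javascript
// Simplified, synchronous model of the helpers named in this PR.
// Bodies are assumptions for illustration, not the project's code.

// Stand-in for buildUrl: serialises opts.query onto opts.url.
function buildUrl(opts) {
  const qs = new URLSearchParams(opts.query ?? {}).toString();
  return qs ? `${opts.url}?${qs}` : opts.url;
}

// Before: the rest pattern copies top-level properties into a new object.
function setAuthParamsBefore({ security, ...options }) {
  for (const scheme of security) {
    if (scheme.in !== 'query') continue;
    if (!options.query) options.query = {}; // lands on the copy only
    options.query[scheme.name] = scheme.token;
  }
}

// After: mutate the same object the caller later hands to buildUrl.
function setAuthParamsAfter(options) {
  for (const scheme of options.security ?? []) {
    if (scheme.in !== 'query') continue;
    if (!options.query) options.query = {};
    options.query[scheme.name] = scheme.token;
  }
}

// Nuxt-style wrapper: run on a separate object, then copy query back.
function setAuthViaWrapper(options, security) {
  const authOpts = { query: options.query, security };
  setAuthParamsAfter(authOpts);
  if (authOpts.query !== options.query) options.query = authOpts.query;
}

// Constructed sample scheme; the key value is a placeholder.
const SECURITY = [{ in: 'query', name: 'api_key', token: 'EXAMPLE-KEY' }];

// Builds the final URL for one variant ('before', 'after' or 'wrapper').
function requestUrl(variant, query) {
  const opts = { url: 'https://api.example.test/pets', query, security: SECURITY };
  if (variant === 'before') setAuthParamsBefore({ ...opts, security: opts.security });
  else if (variant === 'after') setAuthParamsAfter(opts);
  else setAuthViaWrapper(opts, SECURITY);
  return buildUrl(opts);
}

console.log(requestUrl('before', undefined)); // key missing from the URL
console.log(requestUrl('after', undefined));  // key present
```

The `before` variant with no query raises no error and sends the request without the key, so a regression test for this class of bug should cover the no-query case and assert on the final URL.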

Development

Successfully merging this pull request may close these issues.

Query apiKey auth is lost when request has no query parameters
