Skip to content

fix(zen): strip auth header for zen google requests#35324

Open
abeisleem wants to merge 2 commits into
anomalyco:devfrom
abeisleem:zen-gemini-auth-clean
Open

fix(zen): strip auth header for zen google requests#35324
abeisleem wants to merge 2 commits into
anomalyco:devfrom
abeisleem:zen-gemini-auth-clean

Conversation

@abeisleem

@abeisleem abeisleem commented Jul 4, 2026

Copy link
Copy Markdown

Issue for this PR

Closes #35338

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Zen's public OpenAI-compatible chat/completions route authenticates callers with Authorization: Bearer <OPENCODE_API_KEY>, but Google-backed upstream requests should use x-goog-api-key only.

For Gemini-backed Zen models, the proxy was forwarding the incoming Authorization header upstream in addition to setting x-goog-api-key. GCP then treats that bearer token as the upstream auth credential and rejects the request with ACCESS_TOKEN_TYPE_UNSUPPORTED / UNAUTHENTICATED.

This PR strips the forwarded Authorization header in the Google helper before setting x-goog-api-key, and adds a focused regression test for that header behavior.

Relevant Gemini REST docs:

Both docs show API-key-authenticated REST requests using the x-goog-api-key header.

How did you verify your code works?

  • reproduced the public API failure manually against https://opencode.ai/zen/v1/chat/completions with model: gemini-3-flash
  • confirmed the Google-native Zen endpoint works when the request uses only x-goog-api-key
  • added a focused unit regression test for the Google helper header rewrite
  • ran:
    • bun test test/providerUsage.test.ts test/googleProvider.test.ts
    • bun typecheck

Screenshots / recordings

If this is a UI change, please include a screenshot or recording.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

@github-actions github-actions Bot added needs:compliance This means the issue will auto-close after 2 hours. needs:issue labels Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

@github-actions github-actions Bot removed the needs:compliance This means the issue will auto-close after 2 hours. label Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Thanks for updating your PR! It now meets our contributing guidelines. 👍

@abeisleem abeisleem changed the title fix(console): strip auth header for zen google requests fix(zen): strip auth header for zen google requests Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Zen Gemini chat completions forward an invalid Authorization header upstream

1 participant