vscode-ai-toolkit icon indicating copy to clipboard operation
vscode-ai-toolkit copied to clipboard
verified publisher icon microsoft

Custom Model api-key header being sent as empty

Open parijatn opened this issue 5 months ago • 7 comments

This was working with previous releases. With the latest release the api-key for authentication is not being sent although it has been added in the configuration I can verify the same key works with cURL and postman requests

Image

parijatn avatar Jul 09 '25 18:07 parijatn

Hi, @parijatn I have tried with AI Toolkit v0.16.1 and api key for custom models works as expected.

Are you using models hosted on Azure AI Foundry / Azure OpenAI service or OpenAI? For Azure or OpenAI models, you directly input the API key when configuring custom models. But for any other providers, you need to set the full auth header

For example, set Authorization: Bearer xxx, api-key: xxx or in any other format according to your model provider.

Image

a1exwang avatar Jul 15 '25 07:07 a1exwang

We are proxying models provided by Azure Foundry via Azure APIM

Here is the URL I am providing for the custom connection

Image

After specifying the model and display name for the key screen

Image

I have tried values

api-key: KEYVAL and KEYVAL

(Our auth is key based and api-key is the header required which maps to the apim subscription key) However for both I see auth errors

Image

Also in my APIM logs I see the call was made but the api-key was missing

Image

Please let me know what I am missing. Thanks

parijatn avatar Jul 22 '25 20:07 parijatn

Hi @parijatn, thanks for the clarification. By default APIM requires subscription key header, otherwise, it will return 401. So you need 2 headers Ocp-Apim-Subscription-Key: <APIM_SUBSCRIPTION_KEY> and Authorization: Bearer <Foundry_API_KEY> to call the model. But AITK currently only support one auth header.

A workaround is to disable APIM subscription key requirement:

Image

And in AITK, set authorization header when adding custom model with Authorization: Bearer <Foundry_API_KEY>

a1exwang avatar Jul 28 '25 08:07 a1exwang

Thanks @a1exwang, I had forgotten to mention,

  1. our apim has a managed identity access to foundry hence no auth is required there
  2. The APIM header names have been changed to use api-key instead of the default key names

Below is an example of the call which works in postman and curl

Image

Please help, thanks

parijatn avatar Jul 28 '25 17:07 parijatn

@parijatn Thanks for the clarification. However, I cannot reproduce the issue.

One possible cause might be AITK incorrectly treat the URL as OpenAI URL and use Authorization instead. If so, you can check C:\users\<username>\.aitk\models\my-models.yml file, and find Custom section and for the object of your model name, manually set headers to your format.

For example: Image

a1exwang avatar Jul 29 '25 05:07 a1exwang

Thank you for the workaround it works now!

We were able to reproduce the same issue for a different developer's VSCode The entries when we enter api-key are showing up as below

Image

We can work with the current workaround which is much appreciated. However please let us know if this is the path forward or will this be resolved on your side. Thanks

parijatn avatar Jul 29 '25 14:07 parijatn

Thank you for the workaround it works now!

We were able to reproduce the same issue for a different developer's VSCode The entries when we enter api-key are showing up as below

Image We can work with the current workaround which is much appreciated. However please let us know if this is the path forward or will this be resolved on your side. Thanks

It's good it works. This is a temporary workaround for now. We will fix this bug and let you directly input API key.

a1exwang avatar Aug 01 '25 06:08 a1exwang