Summary

openclaw onboard --non-interactive has two silent failure modes in --auth-choice handling: (1) apiKey ignores --token-provider and always assumes Anthropic, and (2) unknown or unsupported auth choices are silently skipped with no error.

Steps to reproduce

Problem 1: --token-provider ignored for apiKey

export OPENROUTER_API_KEY=sk-or-...
openclaw onboard --non-interactive --auth-choice apiKey --token-provider openrouter
# Expected: OpenRouter auth profile configured
# Actual: looks for Anthropic API key, fails or configures wrong provider

Problem 2: Unknown auth choice silently skipped

openclaw onboard --non-interactive --auth-choice anthropic-api-key
# Expected: error "unknown auth choice: anthropic-api-key"
# Actual: no error, no auth configured, proceeds to gateway setup

Expected behavior

1. --auth-choice apiKey --token-provider openrouter should configure an OpenRouter auth profile (as it does in the interactive path)
2. Unknown or unsupported --auth-choice values should produce an error, not silently skip auth configuration

Actual behavior

Problem 1: In the non-interactive path (src/commands/onboard-non-interactive/local/auth-choice.ts:105-125), authChoice === "apiKey" always resolves as Anthropic:

if (authChoice === "apiKey") {
  const resolved = await resolveNonInteractiveApiKey({
    provider: "anthropic",              // always anthropic
    cfg: baseConfig,
    flagValue: opts.anthropicApiKey,     // looks for --anthropic-api-key
    flagName: "--anthropic-api-key",
    envVar: "ANTHROPIC_API_KEY",
    runtime,
  });
  // ...
}

The interactive path (src/commands/auth-choice.apply.api-providers.ts:87-128) correctly remaps based on --token-provider:

if (authChoice === "apiKey" && params.opts?.tokenProvider) {
  if (params.opts.tokenProvider === "openrouter") {
    authChoice = "openrouter-api-key";    // remapped
  } else if (params.opts.tokenProvider === "litellm") {
    authChoice = "litellm-api-key";
  }
  // ...
}

Problem 2: In src/commands/onboard-non-interactive/local/auth-choice.ts, the function is a chain of if blocks for each known auth choice. Unknown values (including valid AuthChoice union members not handled in the non-interactive path, such as google-antigravity, github-copilot, copilot-proxy) fall through to line 737:

return nextConfig;  // no error, no warning, auth not configured

Root cause

The non-interactive path was implemented separately from the interactive path and does not share the --token-provider remapping logic. Additionally, the auth choice dispatcher uses sequential if blocks with no final else clause to catch unhandled values.

OpenClaw version

2026.2.15

Operating system

Amazon Linux 2023 (aarch64)

Install method

npm global (from tarball)

Impact and severity

• Affected: Users running onboard --non-interactive with OpenRouter or other non-Anthropic providers, or with typos in --auth-choice
• Severity: Medium (auth silently misconfigured, gateway may start without working auth)
• Frequency: 100% for affected flag combinations
• Consequence: Onboarding appears to succeed but auth is not configured for the intended provider. Gateway starts, agent fails at inference time with no clear link back to onboarding.

✍️ Author: Claude Code with @carrotRakko (AI-written, human-approved)