Bug type

Regression (worked before, now fails)

Summary

In 2026.3.13 on Windows, the google-vertex provider passes GOOGLE_APPLICATION_CREDENTIALS file path as an API key to @google/genai instead of loading the credential file, causing a 401. Regression from 2026.3.12.

Steps to reproduce

1. Windows 10/11, Node.js v24.x
2. Set up gcloud ADC: gcloud auth application-default login
3. Create a service account JSON key with roles/aiplatform.user
4. Set in ~/.openclaw/openclaw.json env block:
   GOOGLE_APPLICATION_CREDENTIALS: "C:\path\to\key.json"
   GOOGLE_CLOUD_PROJECT: "your-project-id"
   GOOGLE_CLOUD_LOCATION: "us-central1"
5. Set model to google-vertex/gemini-2.5-pro
6. Install [email protected] and start gateway
7. Send any message

Expected behavior

OpenClaw loads the service account JSON from the path in GOOGLE_APPLICATION_CREDENTIALS and uses it to obtain an OAuth2 token for Vertex AI requests.

Actual behavior

The file path string is passed as an apiKey to @google/genai, triggering:
"The user provided Vertex AI API key will take precedence over the project/location from the environment variables."
Then a 401: "API keys are not supported by this API. Expected OAuth2 access token."

Removing GOOGLE_APPLICATION_CREDENTIALS causes a different error:
"No API key found for provider google-vertex."
ADC at %APPDATA%\gcloud\application_default_credentials.json is not auto-discovered.

OpenClaw version

Broken: 2026.3.13 (61d171a) Last working: 2026.3.12 (6472949) Confirmed working: 2026.3.8 (3caab92)

Operating system

Windows 11

Install method

npm install -g openclaw@ via PowerShell Gateway run as Windows Scheduled Task

Model

google-vertex/gemini-2.5-pro

Provider / routing chain

google-vertex provider, direct to Vertex AI API (us-central1), no proxy

Config file / key location

~/.openclaw/openclaw.json env block: { "GOOGLE_CLOUD_PROJECT": "", "GOOGLE_CLOUD_LOCATION": "us-central1", "GOOGLE_APPLICATION_CREDENTIALS": "<path-to-service-account-key.json>" } auth.profiles: { "vertex_ai:default": { "provider": "google-vertex", "mode": "oauth" } }

Additional provider/model setup details

No custom routing. Direct gateway → google-vertex provider → Vertex AI API (us-central1).
No per-agent overrides, no proxies, no model routers.

Logs, screenshots, and evidence

With GOOGLE_APPLICATION_CREDENTIALS set (2026.3.13):
The user provided Vertex AI API key will take precedence over the project/location from the environment variables.
error: 401 UNAUTHENTICATED — API keys are not supported by this API.
profile=-

openclaw models status --json (2026.3.13):
"effective": { "kind": "env", "detail": "<a...d>" },
"env": { "value": "<a...d>", "source": "gcloud adc" }
→ credential value is detected but passed as apiKey instead of loading the file

Without GOOGLE_APPLICATION_CREDENTIALS (2026.3.13):
No API key found for provider "google-vertex".
Auth store: ...\agents\main\agent\auth-profiles.json
→ ADC not auto-discovered from %APPDATA%\gcloud\application_default_credentials.json

GEMINI_API_KEY: not set (confirmed via PowerShell [System.Environment]::GetEnvironmentVariable)
GOOGLE_API_KEY: not set (confirmed)
No ~/.openclaw/.env file present.

Impact and severity

Vertex AI is completely unusable on Windows in 2026.3.13. Affects all Windows users using google-vertex with service account or ADC auth. Blocks core functionality. Workaround: pin to 2026.3.12 or 2026.3.8.

Additional information

Related: #11413
Bisected: works on 2026.3.12 (6472949), broken on 2026.3.13 (61d171a)
Config (cli) and Config (service) paths identical — not a service env mismatch.
No ~/.openclaw/.env file present.
Vertex AI API enabled, service account has roles/aiplatform.user confirmed.
gcloud auth application-default print-access-token returns valid token.