Skip to content

feat(agents): Add Azure AI Foundry credential support#12059

Closed
lisanyambere wants to merge 3 commits intoopenclaw:mainfrom
lisanyambere:feat/azure-ai-foundry
Closed

feat(agents): Add Azure AI Foundry credential support#12059
lisanyambere wants to merge 3 commits intoopenclaw:mainfrom
lisanyambere:feat/azure-ai-foundry

Conversation

@lisanyambere
Copy link
Copy Markdown

@lisanyambere lisanyambere commented Feb 8, 2026
edited by greptile-apps bot
Loading

##Summary
Adds support for Azure AI Foundry as a model provider, enabling OpenClaw to use models deployed on Azure's AI foundry resources

Changes

  • Added Azure AI Foundry credential resolution in src/agents/model-auth.ts
  • Checks AZURE_AI_FOUNDRY_API_KEY with fallback to AZURE_OPENAI_API_KEY
  • Added to envMap for automatic environment variable detection
  • Fixed formatting in security documentation files

Testing

  • ✅ Tested API authentication with Azure AI Foundry endpoint
  • ✅ Verified response format compatibility with OpenClaw
  • ✅ Full end-to-end test with Claude Opus 4.6
  • ✅ Agent successfully responded using Azure AI Foundry
  • ✅ All linting and formatting checks passed

Configuration Example

Users can configure Azure AI Foundry by setting:

export AZURE_AI_FOUNDRY_API_KEY="your-key"
 And in ~/.openclaw/openclaw.json:
 {
  "models": {
    "providers": {
      "azure-ai-foundry": {
        "baseUrl": "https://your-resource.services.ai.azure.com/anthropic/",
        "apiKey": "env:AZURE_AI_FOUNDRY_API_KEY",
        "headers": {
          "x-api-key": "env:AZURE_AI_FOUNDRY_API_KEY"
        }
      }
    }
  }
}

<!-- greptile_comment -->

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

This PR adds environment-variable based credential resolution for a new `azure-ai-foundry` provider (preferring `AZURE_AI_FOUNDRY_API_KEY` and falling back to `AZURE_OPENAI_API_KEY`), and updates the provider-to-env-var mapping used for automatic detection. It also includes purely formatting/markdown cleanup in the security threat model docs.

The main logic change lives in `src/agents/model-auth.ts`, which is responsible for resolving provider auth from (in order) explicit profile selection, auth-profile store order, environment variables, and config (`models.json`).

<h3>Confidence Score: 3/5</h3>

- Not safe to merge until auth mode detection for env-based OAuth is fixed.
- While the Azure AI Foundry env var support looks straightforward, the PR also introduces a regression/bug in how env-sourced OAuth is detected (string match against the formatted `source` label). This will misreport OAuth as api-key and can break providers that rely on OAuth token handling.
- src/agents/model-auth.ts

<!-- greptile_other_comments_section -->

<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>

<!-- /greptile_comment -->

@openclaw-barnacle openclaw-barnacle bot added docs Improvements or additions to documentation agents Agent runtime and tooling labels Feb 8, 2026
greptile-apps[bot]
greptile-apps bot reviewed Feb 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, 2 comments

Edit Code Review Agent Settings | Greptile

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Feb 8, 2026

Additional Comments (2)

src/agents/model-auth.ts
OAuth detection is wrong

resolveApiKeyForProvider infers auth mode via envResolved.source.includes("OAUTH_TOKEN"), but source is prefixed with "env: " / "shell env: " and will never contain the substring "OAUTH_TOKEN" (it contains the full env var name like ANTHROPIC_OAUTH_TOKEN). This makes env-based OAuth always be reported as "api-key", which can break downstream logic that relies on mode (e.g., selecting the right header/token behavior). Consider checking envVar (or provider/normalized) instead of source.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: src/agents/model-auth.ts
Line: 194:199

Comment:
**OAuth detection is wrong**

`resolveApiKeyForProvider` infers auth mode via `envResolved.source.includes("OAUTH_TOKEN")`, but `source` is prefixed with `"env: "` / `"shell env: "` and will never contain the substring `"OAUTH_TOKEN"` (it contains the full env var name like `ANTHROPIC_OAUTH_TOKEN`). This makes env-based OAuth always be reported as `"api-key"`, which can break downstream logic that relies on `mode` (e.g., selecting the right header/token behavior). Consider checking `envVar` (or `provider`/`normalized`) instead of `source`.


How can I resolve this? If you propose a fix, please make it concise.

src/agents/model-auth.ts
Env mode mis-detected

Same issue in resolveModelAuthMode: it uses envKey.source.includes("OAUTH_TOKEN") to decide between "oauth" and "api-key", but source never contains "OAUTH_TOKEN" as a standalone substring. With ANTHROPIC_OAUTH_TOKEN set, this will incorrectly return "api-key" rather than "oauth".

Prompt To Fix With AI 
This is a comment left during a code review.
Path: src/agents/model-auth.ts
Line: 360:367

Comment:
**Env mode mis-detected**

Same issue in `resolveModelAuthMode`: it uses `envKey.source.includes("OAUTH_TOKEN")` to decide between `"oauth"` and `"api-key"`, but `source` never contains `"OAUTH_TOKEN"` as a standalone substring. With `ANTHROPIC_OAUTH_TOKEN` set, this will incorrectly return `"api-key"` rather than `"oauth"`.


How can I resolve this? If you propose a fix, please make it concise.

@openclaw-barnacle openclaw-barnacle bot removed the docs Improvements or additions to documentation label Feb 8, 2026
@surajssd
Copy link
Copy Markdown

surajssd commented Feb 10, 2026

Looks like duplicate of #6969

@sebslight sebslight mentioned this pull request Feb 13, 2026
Closed
5 tasks
@openclaw-barnacle
Copy link
Copy Markdown

openclaw-barnacle bot commented Feb 21, 2026

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle openclaw-barnacle bot added stale Marked as stale due to inactivity and removed stale Marked as stale due to inactivity labels Feb 21, 2026
@openclaw-barnacle
Copy link
Copy Markdown

openclaw-barnacle bot commented Mar 10, 2026

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle openclaw-barnacle bot added the stale Marked as stale due to inactivity label Mar 10, 2026
@surajssd
Copy link
Copy Markdown

surajssd commented Mar 11, 2026

I think this is needed.

@openclaw-barnacle openclaw-barnacle bot removed the stale Marked as stale due to inactivity label Mar 11, 2026
@openclaw-barnacle
Copy link
Copy Markdown

openclaw-barnacle bot commented Mar 16, 2026

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle openclaw-barnacle bot added the stale Marked as stale due to inactivity label Mar 16, 2026
@BradGroux BradGroux mentioned this pull request Mar 17, 2026
Draft
@openclaw-barnacle
Copy link
Copy Markdown

openclaw-barnacle bot commented Mar 20, 2026

Closing due to inactivity.
If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
That channel is the escape hatch for high-quality PRs that get auto-closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

agents Agent runtime and tooling stale Marked as stale due to inactivity

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lisanyambere @surajssd