fix(provider): scope AI Gateway token to first-party Workers AI models #33597

Open
keefetang wants to merge 1 commit into anomalyco:dev from keefetang:fix/ai-gateway-scope-token

@keefetang

Contributor

Issue for this PR

Closes #32051

Reapplies and extends #33407 (auto-closed on a PR-template technicality).
Fixes the third-party regression introduced by #32052.

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

#32052 fixed #32051 (Workers AI models 401'd through the gateway) by passing
apiKey to createUnified. That apiKey was applied to every model, so the
Cloudflare API token was sent as the upstream Authorization header for
third-party providers (OpenAI, Anthropic) too — causing them to 401 with
"Invalid API Key".

This scopes token forwarding to be model-aware. The Cloudflare token is only
attached for first-party Workers AI models, whose upstream is Cloudflare
itself; everything else relies on the gateway's stored/BYOK credentials (or
Unified Billing):

const isWorkersAi = modelID.startsWith("workers-ai/") || modelID.startsWith("@cf/")
createUnified(isWorkersAi ? { apiKey } : {})

Both Workers AI id forms the Unified API accepts are matched: the explicit
workers-ai/... prefix and the bare @cf/... form. @cf/ is Cloudflare's
reserved namespace, so this never matches a third-party model.

Applied in both the v1 provider path (provider.ts) and the v2 plugin path
(core/.../cloudflare-ai-gateway.ts). The gateway-level auth
(createAiGateway({ apiKey }), the cf-aig-authorization header) is unchanged.

How did you verify your code works?

Added regression tests in packages/opencode/test/provider/cf-ai-gateway-e2e.test.ts
that capture the real forwarded headers and assert both directions:

cd packages/opencode
bun test test/provider/cf-ai-gateway-e2e.test.ts   # 6 pass
bun typecheck                                       # clean

Screenshots / recordings

N/A — no UI changes.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

anomalyco#32052 fixed anomalyco#32051 (Workers AI 401s) by passing apiKey to createUnified,
but applied it to every model — so the Cloudflare API token was sent as the
upstream Authorization header for third-party providers (OpenAI, Anthropic),
causing them to 401 with "Invalid API Key".

Scope token forwarding to be model-aware: attach the Cloudflare token only
for first-party Workers AI models, whose upstream is Cloudflare itself. The
Unified API addresses Workers AI both as "workers-ai/..." and as bare
"@cf/..." ids, so match both; "@cf/" is Cloudflare's reserved namespace, so
this never matches a third-party model. Other providers receive no upstream
Authorization and fall back to the gateway's stored/BYOK keys. Applied in
both the v1 provider (provider.ts) and v2 plugin
(core/.../cloudflare-ai-gateway.ts) paths.

Tests assert both directions, including that third-party sub-requests carry
no upstream authorization header.

Reapplies and extends the approach from anomalyco#33407.
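
An added TypeScript example, not part of this PR or the opencode code base: it audits simulated gateway sub-requests for the credential exposure described above, reporting any non-Workers-AI request that carries the Cloudflare token outside cf-aig-authorization. The helper names, placeholder token, model ids and the "Bearer" value format are assumptions, and the check generalizes from the Authorization header to every header value.

```typescript
// Added example, not opencode's code; helper names and sample data are hypothetical.
type HeaderMap = Record<string, string>
interface SubRequest { model: string; headers: HeaderMap }

// Model-id predicate as given in the PR description.
function isWorkersAi(modelID: string): boolean {
  return modelID.startsWith("workers-ai/") || modelID.startsWith("@cf/")
}

// Simulated sub-request headers. scoped=false models the behaviour the PR
// describes after #32052 (token on every model); scoped=true models this PR.
function buildSubRequest(model: string, cfToken: string, scoped: boolean): SubRequest {
  // Gateway-level auth is always present (header name from the PR text;
  // the "Bearer" value format is an assumption of this example).
  const headers: HeaderMap = { "cf-aig-authorization": `Bearer ${cfToken}` }
  if (!scoped || isWorkersAi(model)) headers["Authorization"] = `Bearer ${cfToken}`
  return { model, headers }
}

// Audit captured sub-requests: report every non-Workers-AI request where the
// Cloudflare token appears in any header other than the gateway auth header.
function findTokenLeaks(requests: SubRequest[], cfToken: string): string[] {
  const leaks: string[] = []
  for (const req of requests) {
    if (isWorkersAi(req.model)) continue // upstream is Cloudflare itself
    for (const name of Object.keys(req.headers)) {
      // Header names are case-insensitive, so normalise before comparing.
      if (name.toLowerCase() === "cf-aig-authorization") continue
      const value = req.headers[name] ?? ""
      if (value.includes(cfToken)) leaks.push(`${req.model}: ${name.toLowerCase()}`)
    }
  }
  return leaks
}

// Constructed sample data: a placeholder token and illustrative model ids.
const SAMPLE_TOKEN = "cf-token-PLACEHOLDER"
const SAMPLE_MODELS = [
  "workers-ai/@cf/example/model", "@cf/example/model",
  "openai/example-model", "anthropic/example-model",
]

// Runs the audit over the sample models in either mode.
function auditSample(scoped: boolean): string[] {
  const requests = SAMPLE_MODELS.map((m) => buildSubRequest(m, SAMPLE_TOKEN, scoped))
  return findTokenLeaks(requests, SAMPLE_TOKEN)
}
```

With `scoped` set to false the audit reports the two third-party models; with it set to true the result is empty.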
Development

Successfully merging this pull request may close these issues.

cloudflare-ai-gateway provider returns 401 for Workers AI models