Problem
The frontend's automation service (src/api/automation-service/automation-service.api.ts) reads VITE_AUTOMATION_API_KEY for authenticating with the automation backend via Authorization: Bearer …. However, the agent-server and automation backend are intended to share the same API key value — only the header format differs (X-Session-API-Key vs Authorization: Bearer …).
Currently:
- The dev launcher generates two separate keys (sessionApiKey + localApiKey) and persists them to different files
- The Docker entrypoint generates SESSION_API_KEY but never sets OPENHANDS_AUTOMATION_API_KEY, leaving the automation backend effectively unprotected or inaccessible
- The frontend requires both VITE_SESSION_API_KEY and VITE_AUTOMATION_API_KEY to be set — if only the session key is configured, automation calls fail with 401
Expected behavior
Both backends use the same key value. The frontend should only need VITE_SESSION_API_KEY.
Fix
- Frontend: read VITE_SESSION_API_KEY for automation Bearer auth instead of VITE_AUTOMATION_API_KEY
- Dev launcher: set localApiKey = sessionApiKey (no separate generation/persistence)
- Docker entrypoint: default OPENHANDS_AUTOMATION_API_KEY / AUTOMATION_LOCAL_API_KEY / AUTOMATION_AGENT_SERVER_API_KEY to the session key
- Remove VITE_AUTOMATION_API_KEY from build env
This issue was created by an AI agent (OpenHands) on behalf of the user.
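
The Docker entrypoint item of the fix, sketched as an added example that is not the project's actual entrypoint script. The variable names come from the issue; the function names `generate_key`, `resolve_api_keys` and `keys_consistent`, and generating the key from `/dev/urandom`, are assumptions.

```shell
#!/bin/sh
# Added example: illustrative entrypoint fragment, not the project's own script.

# Generate a 256-bit hex key from the kernel CSPRNG (assumed generation method).
generate_key() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Resolve one shared key and export it under every name the backends read.
resolve_api_keys() {
    # Keep an operator-supplied session key; otherwise generate one.
    if [ -z "${SESSION_API_KEY:-}" ]; then
        SESSION_API_KEY="$(generate_key)"
    fi
    # Fail closed: never start a backend with an empty key.
    if [ -z "$SESSION_API_KEY" ]; then
        echo "entrypoint: could not obtain SESSION_API_KEY" >&2
        return 1
    fi
    # ':=' assigns only when the variable is unset or empty,
    # so an explicit override from the environment is preserved.
    : "${OPENHANDS_AUTOMATION_API_KEY:=$SESSION_API_KEY}"
    : "${AUTOMATION_LOCAL_API_KEY:=$SESSION_API_KEY}"
    : "${AUTOMATION_AGENT_SERVER_API_KEY:=$SESSION_API_KEY}"
    export SESSION_API_KEY OPENHANDS_AUTOMATION_API_KEY \
           AUTOMATION_LOCAL_API_KEY AUTOMATION_AGENT_SERVER_API_KEY
}

# Succeed only when all four variables carry the same non-empty value.
# Useful as a startup check: an override that diverges from the session
# key would reproduce the 401 described in the issue.
keys_consistent() {
    [ -n "${SESSION_API_KEY:-}" ] &&
    [ "${OPENHANDS_AUTOMATION_API_KEY:-}" = "$SESSION_API_KEY" ] &&
    [ "${AUTOMATION_LOCAL_API_KEY:-}" = "$SESSION_API_KEY" ] &&
    [ "${AUTOMATION_AGENT_SERVER_API_KEY:-}" = "$SESSION_API_KEY" ]
}
```

An entrypoint would call `resolve_api_keys` before starting either backend and could log a warning when `keys_consistent` fails.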