Skip to content

fix: support X-OpenViking-Account and X-OpenViking-User headers for root API key#1057

Open
leckylao wants to merge 3 commits intovolcengine:mainfrom
leckylao:fix/root-key-agent-scope-access
Open

fix: support X-OpenViking-Account and X-OpenViking-User headers for root API key#1057
leckylao wants to merge 3 commits intovolcengine:mainfrom
leckylao:fix/root-key-agent-scope-access

Conversation

@leckylao
Copy link
Copy Markdown

@leckylao leckylao commented Mar 28, 2026
edited
Loading

Problem

When using root API key with the OpenClaw plugin, users get this error:

Access denied for viking://agent/xxx/memories

Background

We understand the recommendation is to use user API keys instead of root API keys. However, there is a fundamental mismatch in the current plugin design:

  1. The plugin searches both scopes by default:

    • viking://user/memories (user scope)
    • viking://agent/memories (agent scope)

  2. User API keys can only access user scope (viking://user/*)

  3. Agent scope requires either:

    • Root API key + X-OpenViking-Account + X-OpenViking-User headers
    • Or disabling agent scope search entirely

This means users who follow the recommendation to use user API keys will still get Access denied errors for agent scope searches.

Current Options (Before This Fix)

Option Pros Cons
Use user API key More secure, recommended Agent scope search fails with Access denied
Use root API key without headers Works for user scope Agent scope search fails with Access denied
Disable agent scope search No errors Lose agent-specific memory context

Solution

This PR adds accountId and userId config options so that root API key users can properly access agent scope:

// client.ts - Send headers when configured
if (this.accountId) {
  headers.set("X-OpenViking-Account", this.accountId);
}
if (this.userId) {
  headers.set("X-OpenViking-User", this.userId);
}

Usage

# For root API key users who want agent scope access
openclaw config set plugins.entries.openviking.config.apiKey <root-api-key>
openclaw config set plugins.entries.openviking.config.accountId default
openclaw config set plugins.entries.openviking.config.userId main

# For user API key users (no additional config needed, but agent scope will be denied)
openclaw config set plugins.entries.openviking.config.apiKey <user-api-key>
# Note: agent scope search will return Access denied with user key

Alternative Solutions Considered

  1. Disable agent scope search by default - Would require code change to skip agent scope, losing functionality
  2. Detect root vs user key and auto-adjust - Not feasible, API key types are not distinguishable
  3. Document the limitation - Works for user key users, but root key users still broken

Testing

Tested on OpenClaw + OpenViking 0.2.12:

  • Root API key + accountId/userId → both scopes work ✅
  • User API key → user scope works, agent scope denied (expected) ✅

@leckylao
fix: support X-OpenViking-Account and X-OpenViking-User headers for r…
4f620bb 
…oot API key

When using root API key, the plugin needs to send X-OpenViking-Account
and X-OpenViking-User headers to access agent scope (viking://agent/*).

This fix:
- Adds accountId and userId config options
- Sends X-OpenViking-Account and X-OpenViking-User headers when configured
- Enables proper agent scope memory search with root API key

Without this fix, users get 'Access denied for viking://agent/xxx/memories'
when using root API key, because OpenViking requires these headers for
tenant-scoped APIs.

Usage:
  openclaw config set plugins.entries.openviking.config.accountId default
  openclaw config set plugins.entries.openviking.config.userId main
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 28, 2026

Failed to generate code suggestions for PR

leckylao added 2 commits March 29, 2026 00:07
@leckylao
fix: add accountId and userId to plugin schema
d4b8e75 
OpenClaw validates config against the plugin schema. Add accountId and userId
to uiHints so they are recognized as valid config options.
@leckylao
fix: add accountId/userId to allowed keys in config validation
18220e7 
The config.ts has its own validation that checks for unknown keys.
Add accountId and userId to the allowed keys list so they pass validation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MaojiaSheng MaojiaSheng MaojiaSheng approved these changes

Assignees

No one assigned

Labels

None yet

Projects

OpenViking project
Status: Backlog

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@leckylao @MaojiaSheng