#12059: feat(agents): Add Azure AI Foundry credential support
agents
stale
Cluster:
Model Authentication Enhancements
##Summary
Adds support for Azure AI Foundry as a model provider, enabling OpenClaw to use models deployed on Azure's AI foundry resources
## Changes
- Added Azure AI Foundry credential resolution in `src/agents/model-auth.ts`
- Checks `AZURE_AI_FOUNDRY_API_KEY` with fallback to `AZURE_OPENAI_API_KEY`
- Added to envMap for automatic environment variable detection
- Fixed formatting in security documentation files
## Testing
- ✅ Tested API authentication with Azure AI Foundry endpoint
- ✅ Verified response format compatibility with OpenClaw
- ✅ Full end-to-end test with Claude Opus 4.6
- ✅ Agent successfully responded using Azure AI Foundry
- ✅ All linting and formatting checks passed
## Configuration Example
Users can configure Azure AI Foundry by setting:
```bash
export AZURE_AI_FOUNDRY_API_KEY="your-key"
And in ~/.openclaw/openclaw.json:
{
"models": {
"providers": {
"azure-ai-foundry": {
"baseUrl": "https://your-resource.services.ai.azure.com/anthropic/",
"apiKey": "env:AZURE_AI_FOUNDRY_API_KEY",
"headers": {
"x-api-key": "env:AZURE_AI_FOUNDRY_API_KEY"
}
}
}
}
}
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR adds environment-variable based credential resolution for a new `azure-ai-foundry` provider (preferring `AZURE_AI_FOUNDRY_API_KEY` and falling back to `AZURE_OPENAI_API_KEY`), and updates the provider-to-env-var mapping used for automatic detection. It also includes purely formatting/markdown cleanup in the security threat model docs.
The main logic change lives in `src/agents/model-auth.ts`, which is responsible for resolving provider auth from (in order) explicit profile selection, auth-profile store order, environment variables, and config (`models.json`).
<h3>Confidence Score: 3/5</h3>
- Not safe to merge until auth mode detection for env-based OAuth is fixed.
- While the Azure AI Foundry env var support looks straightforward, the PR also introduces a regression/bug in how env-sourced OAuth is detected (string match against the formatted `source` label). This will misreport OAuth as api-key and can break providers that rely on OAuth token handling.
- src/agents/model-auth.ts
<!-- greptile_other_comments_section -->
<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>
<!-- /greptile_comment -->
Most Similar PRs
#14475: feat: Add native Azure OpenAI support
by dzianisv · 2026-02-12
83.0%
#18002: fix: add Azure AI Foundry URL support for custom providers
by MisterGuy420 · 2026-02-16
81.6%
#13650: feat(agents): support env var overrides for default provider and model
by xrehpicx · 2026-02-10
81.3%
#14836: fix: strip apiKey from models.json to prevent credential exposure
by pahud · 2026-02-12
81.2%
#10424: feat: Add OVHcloud AI Endpoints as a provider
by eliasto · 2026-02-06
81.1%
#13079: feat: Add OpenAI-compatible API option to CLI for self-hosted models
by MikeWang0316tw · 2026-02-10
81.0%
#21884: feat(models): auth improvements — status command, heuristics, multi...
by kckylechen1 · 2026-02-20
80.9%
#9739: #9291 fix(models): preserve existing models in models.json when mer...
by ximzzzzz · 2026-02-05
80.0%
#15756: [Security]: strip provider apiKey from models.json before prompt se...
by SecBear · 2026-02-13
79.8%
#13295: feat: add Eternal AI provider integration
by peterparkernho · 2026-02-10
79.2%