fix(vllm): pass env.VLLM_API_KEY to chat requests

[toddkim95]

Summary

This PR fixes an issue where the VLLM_API_KEY wasn't being passed in chat requests, causing authentication errors with OpenAI-compatible APIs like LiteLLM.

Previously, the BYOK logic for vLLM models returned a hardcoded 'empty' string. Since this evaluates as truthy, it accidentally bypassed the env.VLLM_API_KEY fallback in the provider's executeRequest() method.

I've updated byok.ts to properly check for env.VLLM_API_KEY before falling back to 'empty'. This ensures authenticated requests get the correct Authorization: Bearer header, while keeping everything fully backward compatible for unauthenticated local vLLM setups.

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Other: ___________

Testing

• Set VLLM_API_KEY via .env.local and verified that executing a workflow with a vLLM model successfully injects the Authorization: Bearer header into the /v1/chat/completions payload.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 31, 2026 11:48am

[cursor]

PR Summary

Low Risk
Small, isolated change to API-key fallback logic for the vllm provider; behavior only changes when VLLM_API_KEY is configured.

Overview
Fixes vLLM API key selection in getApiKeyWithBYOK so vLLM requests use env.VLLM_API_KEY when no userProvidedKey is supplied, instead of always returning a truthy 'empty' placeholder.

This enables authenticated OpenAI-compatible vLLM/LiteLLM calls while preserving the unauthenticated fallback to 'empty' for local setups.

^{Written by Cursor Bugbot for commit ae2e7c6. This will update automatically on new commits. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes a one-line bug in apps/sim/lib/api-key/byok.ts where vLLM auth resolution ignored the bearer token environment variable, breaking authenticated setups such as LiteLLM proxies.

Root cause: The previous code returned userProvidedKey || 'empty'. The string 'empty' is truthy, so when it reached executeRequest in vllm/index.ts, the line that resolves the bearer token always short-circuited on 'empty', permanently bypassing the environment fallback.

Fix: Inserting the env bearer token into the fallback chain before 'empty' inside byok.ts ensures the token is properly injected before the request ever reaches executeRequest. Unauthenticated local vLLM deployments continue to work unchanged since the 'empty' sentinel is still the final fallback.

• Adds the env import to byok.ts using the correct @/ path alias.
• The change is fully backward-compatible: no schema, API, or config changes required.

Confidence Score: 5/5

Safe to merge — the fix is a targeted, minimal one-line correction with no breaking changes and confirmed backward compatibility.

No P0 or P1 findings. The change correctly resolves the auth bypass and uses the established env import pattern. The || env.VLLM_API_KEY fallback that already exists in executeRequest becomes redundant (but harmless) after this fix, which is a pre-existing pattern not introduced here.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/lib/api-key/byok.ts	Adds env.VLLM_API_KEY fallback before the hardcoded 'empty' string for vLLM models, fixing the authentication bypass where a truthy 'empty' string was preventing the env-key from being used in executeRequest.

Sequence Diagram

sequenceDiagram
    participant C as Client/Executor
    participant PI as providers/index.ts
    participant BK as byok.ts
    participant VP as vllm/index.ts

    C->>PI: executeProvider(request)
    PI->>BK: getApiKeyWithBYOK(provider, model, workspaceId, userKey)

    alt userKey exists
        BK-->>PI: apiKey = userKey
    else env bearer token is configured
        BK-->>PI: apiKey = env bearer token (NEW path - previously skipped)
    else no auth configured
        BK-->>PI: apiKey = 'empty' (unauthenticated local vLLM)
    end

    PI->>VP: executeRequest with resolved apiKey
    Note over VP: OpenAI client initialized with correct bearer token
    VP-->>C: ProviderResponse or StreamingExecution

Loading

_{Reviews (1): Last reviewed commit: "fix(vllm): pass env.VLLM_API_KEY to chat..." | Re-trigger Greptile}