#OpenRouter - HTTPS:\ USER NOT FOUND error

I had my openclaw connected to hunter alpha and healer alpha via OpenRouter and it was working fine, then they killed the free versions and released the paid model. When this happened i accidentally exposed my API key and had to delete it, i created a new key but these new keys aren't actually being accepted by openclaw.

From what ive read it seems to be an issue on the OpenRouter side of things but im wondering Krill if you have any expertise dealing with this issue and fixing it on the openclaw side.

Yep — this is usually fixable on the OpenClaw side, and I’ve seen this exact pattern after key rotation.

Most common cause: OpenClaw is still picking an old/revoked OpenRouter credential (or daemon env didn’t refresh), so OpenRouter returns 401 User not found.

Try this order:

1. Version check first

openclaw --version

2. See what auth source OpenClaw is actually using

openclaw models status
openclaw doctor

3. Re-register the new OpenRouter key explicitly

openclaw models auth paste-token --provider openrouter
openclaw gateway restart
openclaw models status

4. If it still says 401 User not found, there may be a stale legacy auth file being migrated back in.

• Stop gateway
• Check ~/.openclaw for old auth.json / agent-level auth files containing the old key
• Move stale ones aside (don’t hard-delete), restart gateway, test again

If you want, paste:

• openclaw --version
• openclaw models status (redacted is fine)

• the exact error line from openclaw logs --follow

and I’ll pinpoint the exact path that’s winning in auth resolution.

Docs:

• OpenRouter provider: https://docs.openclaw.ai/providers/openrouter
• Auth setup: https://docs.openclaw.ai/gateway/authentication
• Troubleshooting: https://docs.openclaw.ai/gateway/troubleshooting

1. PS C:\Windows\system32> openclaw --version
   OpenClaw 2026.3.13 (61d171a)

Perfect — version looks good (2026.3.13), so you’re not on an old broken build.

Next step: let’s force OpenClaw to use the new OpenRouter key (this avoids Windows env/session weirdness).

openclaw models auth paste-token --provider openrouter
openclaw gateway restart
openclaw models status

Then run:

openclaw logs --follow

…and trigger one test message in chat so we can catch the exact auth line.

If it still fails with 401 User not found, paste:

1. openclaw models status output
2. the relevant openclaw logs --follow lines (redacted is fine)

That’ll tell us immediately whether it’s using the new key or a stale cached auth profile.

error: unknown option '--provider'
(Did you mean --profile?)
PS C:\Windows\system32>

PS C:\Windows\system32> openclaw models status

🦞 OpenClaw 2026.3.13 (61d171a) — Shell yeah—I'm here to pinch the toil and leave you the glory.

Config : ~.openclaw\openclaw.json
Agent dir : ~.openclaw\agents\main\agent
Default : ollama/kimi-k2.5:cloud
Fallbacks (10): minimax/minimax-m2.5, openrouter/auto, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud
Image model : -
Image fallbacks (0): -
Aliases (1) : OpenRouter -> openrouter/auto
Configured models (11): minimax/minimax-m2.5, openrouter/auto, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/kimi-k2.5:cloud, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud

Auth overview
Auth store : ~.openclaw\agents\main\agent\auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (0): -

• ollama effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | ollama:default=marker(ollama-local) | models.json=OL...EY | source=models.json: ~.openclaw\agents\main\agent\models.json
• openrouter effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | openrouter:default=sk-or-v1...38439d03 | env=sk-or-v1...efc9e5d7 | source=env: OPENROUTER_API_KEY

Missing auth

• minimax Run openclaw configure or set an API key env var.

The issue is that the old API key is automatically filled in when i go to openclaw configure models

Nice, this output is super useful — and it shows the likely bug source:

• openrouter:default=...38439d03 (profile key)
• env=...efc9e5d7 (env key)

Those are different keys, so OpenClaw can end up using the wrong one in some paths.

Fix (no flags, so we avoid the --provider parser issue)

Run:

openclaw models auth add

Then in the wizard:

1. choose custom (type provider id)
2. type provider: openrouter

3. choose paste token flow
4. profile id: openrouter:default
5. paste your new OpenRouter key

Then:

openclaw gateway restart
openclaw models status

You want openrouter:default and env to either match, or remove one source.

If it still fails after that, send:

openclaw models auth order get --provider openrouter --json

and I’ll give you the exact cleanup step for stale auth precedence.

Docs:

• https://docs.openclaw.ai/gateway/authentication
• https://docs.openclaw.ai/providers/openrouter

Yep — that confirms it. You’ve got a stale credential source that keeps re-seeding the old key.

The fix is to purge old auth files, then set the new key once.

1) Stop gateway

openclaw gateway stop

2) Find where the old key suffix exists

(use the suffix from models status, e.g. 38439d03)

$old = "38439d03"
Get-ChildItem "$HOME\.openclaw" -Recurse -File -Include auth.json,auth-profiles.json |
Select-String -Pattern $old | Select-Object Path, LineNumber

3) Move legacy auth.json files out of the way (safe backup, no delete)

Get-ChildItem "$HOME\.openclaw" -Recurse -File -Filter auth.json |
ForEach-Object { Rename-Item $_.FullName ($_.FullName + ".bak") }

4) Start gateway and add the new OpenRouter key fresh

openclaw gateway start
openclaw models auth add

In wizard:

• choose custom
• provider id: openrouter
• profile id: openrouter:default
• paste new key

5) Verify

openclaw models status

You should no longer see the old suffix anywhere.

This is a known pain point: old auth.json can get migrated back into auth-profiles.json and keep resurrecting revoked keys.

PS C:\Users\camer> openclaw models auth order get --provider openrouter --json
{
"agentId": "main",
"agentDir": "C:\Users\camer\.openclaw\agents\main\agent",
"provider": "openrouter",
"authStorePath": "~\.openclaw\agents\main\agent/auth-profiles.json",
"order": null
}

Great — order: null means OpenClaw is not locked to a specific auth order.
So the issue is now just stale credential values, not precedence rules.

Do this next:

openclaw models auth paste-token --provider openrouter --profile-id openrouter:default

Paste your new key when prompted, then:

openclaw gateway restart
openclaw models status

In models status, check OpenRouter line:

• openrouter:default=...
• env=...
  Both should be your new key (or remove one source).

If old key still reappears after that, then legacy auth.json is still being auto-migrated — and we’ll do the file-level cleanup step.

PS C:\Users\camer> $old = "38439d03"

Get-ChildItem "$HOME.openclaw" -Recurse -File -Include auth.json,auth-profiles.json |
Select-String -Pattern $old | Select-Object Path, LineNumber

Path LineNumber

C:\Users\camer.openclaw\agents\main\agent\auth-profiles.json 12
C:\Users\camer.openclaw\agents\tg\agent\auth-profiles.json 12

Boom, that’s the smoking gun.
The old key is still stored in both agent auth stores (main and tg).

Overwrite both profiles with the new key:

openclaw models auth --agent main paste-token --provider openrouter --profile-id openrouter:default
openclaw models auth --agent tg paste-token --provider openrouter --profile-id openrouter:default
openclaw gateway restart

Then verify both agents:

openclaw models status --agent main
openclaw models status --agent tg

You should no longer see suffix 38439d03 anywhere.

If that old suffix still appears after this, send the updated models status --agent main output and we’ll do one final cleanup pass.

OpenClaw 2026.3.13 (61d171a) — The only crab in your contacts you actually want to hear from. 🦞

Config : ~.openclaw\openclaw.json
Agent dir : ~.openclaw\agents\main\agent
Default : openrouter/openrouter/auto (from openrouter/auto)
Fallbacks (10): minimax/minimax-m2.5, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/kimi-k2.5:cloud, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud
Image model : -
Image fallbacks (0): -
Aliases (1) : OpenRouter -> openrouter/auto
Configured models (11): minimax/minimax-m2.5, openrouter/auto, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/kimi-k2.5:cloud, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud

Auth overview
Auth store : ~.openclaw\agents\main\agent\auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (2): openrouter (1), openrouter:default (1)

• ollama effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | ollama:default=marker(ollama-local) | models.json=OL...EY | source=models.json: ~.openclaw\agents\main\agent\models.json
• openrouter effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=1, api_key=0) | openrouter:default=token:sk-or-v1...efc9e5d7 | env=sk-or-v1...efc9e5d7 | source=env: OPENROUTER_API_KEY
• openrouter:default effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=1, api_key=0) | openrouter:default:manual=token:sk-or-v1...efc9e5d7

Missing auth

• minimax Run openclaw configure or set an API key env var.

OAuth/token status

• openrouter
  • openrouter:default static
• openrouter:default
  • openrouter:default:manual static
    PS C:\Users\camer>

This looks clean now ✅

Key signals:

• old suffix ...38439d03 is gone
• everything points to ...efc9e5d7
• auth source is consistent (auth-profiles + env both same key)

So the stale-key issue on OpenClaw side is fixed.

Final verification (live provider call):

openclaw models status --probe --probe-provider openrouter

If that passes, you’re done.
If it still errors, it’s likely OpenRouter account/key state (credits/permissions), not OpenClaw auth caching anymore.

Glad you stuck with the debugging 😄
If this fixed it, please right-click the solution message → Apps → ✅ Mark Solution so Answer Overflow can index it for others.

Auth probes
+----------------------------+----------------------------+---------------------------------------+
| Model | Profile | Status |
+----------------------------+----------------------------+---------------------------------------+
| openrouter/openrouter/auto | openrouter:default (token) | auth · 3s |
| | | ↳ HTTP 401: User not found. |
+----------------------------+----------------------------+---------------------------------------+

Auth overview
Auth store : ~.openclaw\agents\main\agent\auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (2): openrouter (1), openrouter:default (1)

• ollama effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | ollama:default=marker(ollama-local) | models.json=OL...EY | source=models.json: ~.openclaw\agents\main\agent\models.json
• openrouter effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=1, api_key=0) | openrouter:default=token:sk-or-v1...efc9e5d7 | env=sk-or-v1...efc9e5d7 | source=env: OPENROUTER_API_KEY
• openrouter:default effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=1, api_key=0) | openrouter:default:manual=token:sk-or-v1...efc9e5d7

Missing auth

• minimax Run openclaw configure or set an API key env var.

OAuth/token status

• openrouter
  • openrouter:default static
• openrouter:default
  • openrouter:default:manual static

PS C:\Users\camer> openclaw models status --probe --probe-provider openrouter

🦞 OpenClaw 2026.3.13 (61d171a) — Your task has been queued; your dignity has been deprecated.

|
19:33:03 [tools] tools.profile (coding) allowlist contains unknown entries (apply_patch, cron, image). These entries are shipped core tools but unavailable in the current runtime/provider/model/config.
o
Config : ~.openclaw\openclaw.json
Agent dir : ~.openclaw\agents\main\agent
Default : openrouter/openrouter/auto (from openrouter/auto)
Fallbacks (10): minimax/minimax-m2.5, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/kimi-k2.5:cloud, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud
Image model : -
Image fallbacks (0): -
Aliases (1) : OpenRouter -> openrouter/auto
Configured models (11): minimax/minimax-m2.5, openrouter/auto, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/kimi-k2.5:cloud, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud

Thanks — this is super clear.

That probe means OpenClaw is sending a key, but OpenRouter is still rejecting it (401 User not found).

Let’s do one decisive split test:

A) Test the same key directly against OpenRouter (outside OpenClaw)

$k = $env:OPENROUTER_API_KEY
Invoke-WebRequest "https://openrouter.ai/api/v1/models" -Headers @{ Authorization = "Bearer $k" }

• If this also returns 401 User not found → key/account issue on OpenRouter side (regenerate key, ensure it’s active, make sure you pasted raw sk-or-v1-... only, no Bearer prefix).
• If this returns 200 → OpenClaw auth profile state is still polluted.

B) If direct call is 200, reset auth profiles cleanly (backup first)

openclaw gateway stop
Rename-Item "$HOME\.openclaw\agents\main\agent\auth-profiles.json" "auth-profiles.json.bak"
Rename-Item "$HOME\.openclaw\agents\tg\agent\auth-profiles.json" "auth-profiles.json.bak"
openclaw gateway start
openclaw configure --section model

Then set OpenRouter again via configure and re-run:

openclaw models status --probe --probe-provider openrouter

Given your status output (openrouter + openrouter:default providers), I strongly suspect profile-state contamination rather than pure model config now.

Yep — this output confirms the bad state.

Providers w/ OAuth/tokens (2): openrouter, openrouter:default should not happen.
openrouter:default got registered like a fake provider id, and that can break auth resolution.

Let’s hard-reset just the auth stores (backup, no delete), then re-add OpenRouter cleanly:

openclaw gateway stop

Rename-Item "$HOME\.openclaw\agents\main\agent\auth-profiles.json" "auth-profiles.json.bak"
Rename-Item "$HOME\.openclaw\agents\tg\agent\auth-profiles.json" "auth-profiles.json.bak"

openclaw gateway start
openclaw configure --section model

In configure, pick normal OpenRouter API key setup (provider = openrouter, not openrouter:default).

Then verify:

openclaw models status --agent main
openclaw models status --probe --probe-provider openrouter

After reset, you should see only one OpenRouter provider entry (openrouter), not two.

Docs: https://docs.openclaw.ai/gateway/authentication

Got it — this paste stops before the actual probe result table, so I can’t see if it ended 200 or 401.

Two quick checks to finish this:

1. OpenClaw probe (JSON, easier to read)

openclaw models status --probe --probe-provider openrouter --json

Paste just the probes / auth part.

2. Direct OpenRouter check (same key, outside OpenClaw)

Invoke-WebRequest "https://openrouter.ai/api/v1/models" -Headers @{ Authorization = "Bearer $env:OPENROUTER_API_KEY" }

• If this is 401 User not found too → key/account issue at OpenRouter.
• If this is 200 but OpenClaw still fails → local auth profile state is still wrong and we’ll do one final targeted cleanup.

Also: the tools.profile allowlist contains unknown entries... warning is separate and not the cause of OpenRouter auth failing.

⚠️ First: you just exposed the full key in-thread again — rotate it immediately in OpenRouter and delete/edit that message if you can.

Also, important: GET /api/v1/models is public on OpenRouter, so 200 OK there does not prove auth is valid.

Use this auth-required check instead (with quotes):

$k = "sk-or-v1-REDACTED"
Invoke-WebRequest "https://openrouter.ai/api/v1/key" -Headers @{ Authorization = "Bearer $k" }

• 200 => key is valid
• 401 User not found => key/account problem on OpenRouter side

Your earlier PowerShell line failed because the key wasn’t quoted:

$k = sk-or-v1-...

That tries to execute it as a command.

If /api/v1/key returns 200 and OpenClaw still 401, then we’ll do one final clean reset of auth-profiles.json + re-add key (provider openrouter only).

PS C:\Users\camer> $k = "sk-or-v1-e503127729**********************************************************8efc9e5d7"

Invoke-WebRequest "https://openrouter.ai/api/v1/key" -Headers @{ Authorization = "Bearer $k" }

StatusCode : 200
StatusDescription : OK
Content : {"data":{"label":"sk-or-v1-e50...5d7","is_management_key":false,"is_provisioning_key":false,"limit"
:null,"limit_reset":null,"limit_remaining":null,"include_byok_in_limit":false,"usage":0.000896,"usa
ge...
RawContent : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Server-Timing: cfEdge;dur=3,cfOrigin;dur=0,cfWorker;dur=263
Access-Control-Allow-Origin: *
Permissions-Policy: payment=(self "htt...
Forms : {}
Headers : {[Transfer-Encoding, chunked], [Connection, keep-alive], [Server-Timing,
cfEdge;dur=3,cfOrigin;dur=0,cfWorker;dur=263], [Access-Control-Allow-Origin, *]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : System.__ComObject
RawContentLength : 487

Perfect — that proves your OpenRouter key is valid (/api/v1/key = 200).
So this is now definitely a local OpenClaw auth-store corruption/state issue.

Let’s do a clean auth-store reset (backup-only, no delete), then re-add key once:

openclaw gateway stop

Get-ChildItem "$HOME\.openclaw" -Recurse -File -Include auth-profiles.json,auth.json |
ForEach-Object { Rename-Item $_.FullName ($_.FullName + ".bak") }

openclaw gateway start
openclaw configure --section model

In configure: set OpenRouter normally (provider: openrouter, API key starts with sk-or-v1-..., no Bearer ).

Then verify:

openclaw models status --probe --probe-provider openrouter

At this point, if 401 still appears, we should file a GitHub bug with these exact artifacts because key validity is confirmed externally:
https://github.com/openclaw/openclaw/issues

(And yeah — avoid pasting keys in thread; rotate if any full key leaked.)

yeah no worries deleted and new one put in the right place

Awesome 🙌 that should do it.

Quick final check:

openclaw models status --probe --probe-provider openrouter

If that comes back clean, you’re fully unblocked.

If this fixed it, please right-click the solution message → Apps → ✅ Mark Solution so Answer Overflow indexes it for the next person who hits this exact OpenRouter key-rotation mess.

PS C:\Users\camer> openclaw models status --probe --probe-provider openrouter

🦞 OpenClaw 2026.3.13 (61d171a) — No $999 stand required.

|
20:22:45 [tools] tools.profile (coding) allowlist contains unknown entries (apply_patch, cron, image). These entries are shipped core tools but unavailable in the current runtime/provider/model/config.
o
Config : ~.openclaw\openclaw.json
Agent dir : ~.openclaw\agents\main\agent
Default : openrouter/openrouter/auto (from openrouter/auto)
Fallbacks (30): minimax/minimax-m2.5, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/kimi-k2.5:cloud, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud, openrouter/arcee-ai/trinity-mini, openrouter/free, openrouter/google/gemma-3-27b-it:free, openrouter/meta-llama/llama-3.3-70b-instruct:free, openrouter/mistralai/mistral-small-3.1-24b-instruct:free, openrouter/nvidia/nemotron-3-nano-30b-a3b:free, openrouter/nvidia/nemotron-3-super-120b-a12b:free, openrouter/nvidia/nemotron-nano-12b-v2-vl:free, openrouter/nvidia/nemotron-nano-9b-v2:free, openrouter/openai/gpt-oss-120b:free, openrouter/openai/gpt-oss-20b:free, openrouter/qwen/qwen3-4b:free, openrouter/qwen/qwen3-coder:free, openrouter/qwen/qwen3-next-80b-a3b-instruct:free, openrouter/stepfun/step-3.5-flash:free, openrouter/z-ai/glm-4.5-air:free, openrouter/arcee-ai/trinity-large-preview:free, openrouter/deepseek/deepseek-v3.2, openrouter/openai/gpt-5-mini, openrouter/google/gemini-3.1-flash-lite-preview

Image model : -
Image fallbacks (0): -
Aliases (1) : OpenRouter -> openrouter/auto
Configured models (31): minimax/minimax-m2.5, openrouter/auto, openrouter/z-ai/glm-5, openrouter/minimax/minimax-m2.5, ollama/kimi-k2.5:cloud, ollama/phi3:mini, ollama/minimax-m2.5:cloud, ollama/llama3.2:latest, ollama/llama3.2:1b, ollama/llama3:8b-instruct-q4_K_M, ollama/glm-5:cloud, openrouter/arcee-ai/trinity-mini, openrouter/free, openrouter/google/gemma-3-27b-it:free, openrouter/meta-llama/llama-3.3-70b-instruct:free, openrouter/mistralai/mistral-small-3.1-24b-instruct:free, openrouter/nvidia/nemotron-3-nano-30b-a3b:free, openrouter/nvidia/nemotron-3-super-120b-a12b:free, openrouter/nvidia/nemotron-nano-12b-v2-vl:free, openrouter/nvidia/nemotron-nano-9b-v2:free, openrouter/openai/gpt-oss-120b:free, openrouter/openai/gpt-oss-20b:free, openrouter/qwen/qwen3-4b:free, openrouter/qwen/qwen3-coder:free, openrouter/qwen/qwen3-next-80b-a3b-instruct:free, openrouter/stepfun/step-3.5-flash:free, openrouter/z-ai/glm-4.5-air:free, openrouter/arcee-ai/trinity-large-preview:free, openrouter/deepseek/deepseek-v3.2, openrouter/openai/gpt-5-mini, openrouter/google/gemini-3.1-flash-lite-preview

Auth overview
Auth store : ~.openclaw\agents\main\agent\auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (0): -

• ollama effective=missing:missing | models.json=OL...EY | source=models.json: ~.openclaw\agents\main\agent\models.json
• openrouter effective=profiles:~.openclaw\agents\main\agent\auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | openrouter:default=sk-or-v1...efc9e5d7 | env=sk-or-v1...efc9e5d7 | source=env: OPENROUTER_API_KEY

Missing auth

• minimax Run openclaw configure or set an API key env var.

OAuth/token status

• none

Auth probes
+----------------------------+------------------------------+------------------------------------------+
| Model | Profile | Status |
+----------------------------+------------------------------+------------------------------------------+
| openrouter/openrouter/auto | openrouter:default (api_key) | unknown · 10.3s |
| | | ↳ LLM request timed out. |
+----------------------------+------------------------------+------------------------------------------+
Probed 1 target in 20.8s