#Can't use Gemini CLI auth

Hi ! I've been trying to set up Gemini CLI authentification to access models, but I can't get it to work, I have some errors like

11:25:36+00:00 error Embedded agent failed before reply: No API key found for provider "google". Auth store: /home/lj50/.openclaw/agents/main/agent/auth-profiles.json (agentDir: /home/lj50/.openclaw/agents/main/agent). Configure auth for this agent (openclaw agents add <id>) or copy only portable static auth profiles from the main agentDir. | No API key found for provider "google". Auth store: /home/lj50/.openclaw/agents/main/agent/auth-profiles.json (agentDir: /home/lj50/.openclaw/agents/main/agent). Configure auth for this agent (openclaw agents add <id>) or copy only portable static auth profiles from the main agentDir.

Config shows gemini-cli auth metod configured, so I don't really understand why it seems broken

  "profiles": {
    "google-gemini-cli:EMAIL@gmail.com": {
      "type": "oauth",
      "provider": "google-gemini-cli",
      "access": "ya29...",
      "refresh": "1//03...",
      "expires": 1778842040502,
      "email": "EMAIL@gmail.com",
      "projectId": "chrome-folio-ID"
    },

First thing: can you paste openclaw --version? Version matters a lot for this auth path.

From the current docs/source, this looks like a provider/runtime mismatch rather than a missing token. Your stored profile is for google-gemini-cli, but the failing run is asking for provider google:

No API key found for provider "google"

Those are separate auth paths:

• google = Gemini API key auth via GEMINI_API_KEY / GOOGLE_API_KEY
• google-gemini-cli = Gemini CLI OAuth profile/runtime

For Gemini CLI OAuth, rerun:

openclaw models auth login --provider google-gemini-cli --set-default
openclaw models status --probe

Then check your model/runtime config. Newer docs say configs should use canonical google/... model refs, but if you want Gemini CLI OAuth behind that, the model/provider needs runtime policy agentRuntime: { id: "google-gemini-cli" }. If that runtime policy is missing, OpenClaw treats google/... as normal Gemini API access and looks for an API key, which produces exactly your error.

Docs:
https://docs.openclaw.ai/providers/google
https://docs.openclaw.ai/gateway/config-agents#runtime-policy

If you paste the output of openclaw --version and openclaw models status --probe with tokens/emails redacted, we can tell whether it’s just the runtime policy or an auth-order/profile issue.

For the version, I got this:

lj50@raspberrypi:~ $ openclaw --version
OpenClaw 2026.5.12 (f066dd2)

For OAuth commands,

◇  Gemini CLI OAuth complete
Config overwrite: /home/lj50/.openclaw/openclaw.json
Updated ~/.openclaw/openclaw.json
Auth profile: google-gemini-cli:EMAIL@gmail.com (google-gemini-cli/oauth)
Default model set to google/gemini-3.1-pro-preview

🦞 OpenClaw 2026.5.12 (f066dd2) — I'm not AI-powered, I'm AI-possessed. Big difference.

│
13:42:15 [plugins] plugins.allow is empty; discovered non-bundled plugins may auto-load: discord (/home/lj50/.openclaw/npm/.../index.js). Set plugins.allow to explicit trusted ids.
◇  
Config        : ~/.openclaw/openclaw.json
Agent dir     : ~/.openclaw/agents/main/agent
Default       : google/gemini-3.1-pro-preview
Fallbacks (0) : -
Image model   : -
Image fallbacks (0): -
Aliases (4)   : gemini -> google/gemini-3.1-pro-preview, gemini-flash -> google/gemini-3-flash-preview, opus -> anthropic/claude-opus-4-7, sonnet -> anthropic/claude-sonnet-4-6
Configured models (6): google/gemini-3.1-pro-preview, google/gemini-3-flash-preview, anthropic/claude-opus-4-7, anthropic/claude-3-5-haiku-latest, anthropic/claude-haiku-4-5, anthropic/claude-sonnet-4-6

Auth overview
Auth store    : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env     : off
Providers w/ OAuth/tokens (1): google-gemini-cli (1)
- anthropic ...
- google-gemini-cli effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=1, token=0, api_key=0) | google-gemini-cli:EMAIL@gmail.com=OAuth (EMAIL@gmail.com)

Missing auth
- google Run `openclaw models auth login --provider google`, `openclaw configure`, or set an API key env var.

OAuth/token status
- google-gemini-cli usage: Pro 100% left · Flash 100% left
  - google-gemini-cli:EMAIL@gmail.com (EMAIL@gmail.com) expiring expires in 50m

│ google-gemini-cli/-       │ google-gemini-cli:EMAIL@gmail.com (EMAIL@gmail.com) (oauth) │ no_model · 
Probed 1 target in 284.3s

Yep, this confirms the mismatch.

Your OAuth login worked: OpenClaw sees google-gemini-cli:EMAIL@gmail.com and even reads the Gemini CLI quota. But your default is:

google/gemini-3.1-pro-preview

and there is no runtime policy telling OpenClaw to run that google/* model through Gemini CLI OAuth. So it tries normal Google Gemini API auth, then reports:

Missing auth - google

If you want all google/* agent models to use Gemini CLI OAuth, set a provider-wide runtime binding:

openclaw config set models.providers.google.agentRuntime '{"id":"google-gemini-cli"}' --strict-json
openclaw config get models.providers.google.agentRuntime --json

Then restart the gateway/session process and try again. If you only want this one model bound, use model-scoped config instead:

openclaw config set agents.defaults.models '{"google/gemini-3.1-pro-preview":{"agentRuntime":{"id":"google-gemini-cli"}}}' --strict-json --merge

The google-gemini-cli/- ... no_model probe line is also consistent with this: the CLI OAuth profile exists, but the configured model list is canonical google/..., not legacy google-gemini-cli/.... Current docs say that’s expected; the missing piece is the agentRuntime.id: "google-gemini-cli" binding.

Docs for this exact split:
https://docs.openclaw.ai/providers/google
https://docs.openclaw.ai/gateway/config-agents#runtime-policy

lj50@raspberrypi:~ $ openclaw gateway restart

🦞 OpenClaw 2026.5.12 (f066dd2) — I'll butter your workflow like a lobster roll: messy, delicious, effective.

Restarted systemd service: openclaw-gateway.service
lj50@raspberrypi:~ $ openclaw tui

🦞 OpenClaw 2026.5.12 (f066dd2) — Say "stop" and I'll stop—say "ship" and we'll both learn a lesson.

 openclaw tui - ws://127.0.0.1:18789 - agent main - session main                                                                                                                              
 connecting | idle                                                                                                                                                                            

 session agent:main:main                                                                                                                                                                      

⚠️ Agent failed before reply: No API key found for provider "google". Auth store: /home/lj50/.openclaw/agents/main/agent/auth-profiles.json (agentDir:                                        
/home/lj50/.openclaw/agents/main/agent). Configure auth for this agent (openclaw agents add <id>) or copy only portable static auth profiles from the main agentDir. | No API key found for   
provider "google". Auth store: /home/lj50/.openclaw/agents/main/agent/auth-profiles.json (agentDir: /home/lj50/.openclaw/agents/main/agent). Configure auth for this agent (openclaw agents   
add <id>) or copy only portable static auth profiles from the main agentDir.                                                                                                                                                                     

⚠️ Agent failed before reply: No 

Shoud I try to rename models from google/gemini-3.1-pro-preview to google-gemini-cli/gemini-3.1-pro-preview in config ?

I wouldn’t rename the model refs yet. google-gemini-cli/* is the legacy compatibility form; on 2026.5.12 the intended shape is still google/* + runtime policy.

The error after restart means either the runtime binding did not get written where we expect, or this session is still resolving without it. Can you run these and paste the output?

openclaw config get models.providers.google.agentRuntime --json
openclaw config get agents.defaults.models --json
openclaw models status

If the first command is empty/null, apply the provider-wide binding again:

openclaw config set models.providers.google.agentRuntime '{"id":"google-gemini-cli"}' --strict-json
openclaw gateway restart

If the first command does show {"id":"google-gemini-cli"} but TUI still says provider google needs an API key, then yes, I’d try the legacy model ref as a temporary workaround:

openclaw models set google-gemini-cli/gemini-3.1-pro-preview
openclaw gateway restart

But I’d treat that as a workaround, not the preferred config, because the 2026.5.12 docs explicitly say new configs should keep google/* and bind agentRuntime.id: "google-gemini-cli".

@agile imp have you tried the terminal command openclaw models auth login --provider google-gemini-cli --set-default

Yeah, just tried again now with a restart, but it doesn't seems to work, I complete the authentication process, but still can't access the models

when you run the terminal command openclaw models list --provider google-gemini-cli --plain do you see it? assuming you restarted the gateway

I get the same. no models.

That “no models” result from --provider google-gemini-cli may be a bit misleading here. The current docs tell users to verify Gemini CLI OAuth with:

openclaw models list --provider google --plain

not --provider google-gemini-cli, because the model refs are canonical google/... and google-gemini-cli is the runtime/auth path.

For this thread, the useful checks are still:

openclaw config get models.providers.google.agentRuntime --json
openclaw config get agents.defaults.models --json
openclaw models status

If models.providers.google.agentRuntime is empty/null, bind Google models to the Gemini CLI runtime:

openclaw config set models.providers.google.agentRuntime '{"id":"google-gemini-cli"}' --strict-json
openclaw gateway restart

If that binding is present and it still tries provider google API-key auth, then this is likely a 2026.5.12 bug/regression and the temporary workaround to test is:

openclaw models set google-gemini-cli/gemini-3.1-pro-preview
openclaw gateway restart

If the workaround is required, that’s worth filing with the exact models status output: https://github.com/openclaw/openclaw/issues

lj50@raspberrypi:~ $ openclaw config get models.providers.google.agentRuntime --json
openclaw config get agents.defaults.models --json
openclaw models status
Config path not found: models.providers.google.agentRuntime. Run openclaw config validate to inspect config shape.
{
  "google-gemini-cli/gemini-3.1-pro-preview": {},
  "google-gemini-cli/gemini-3-flash-preview": {},
  "anthropic/claude-opus-4-7": {
    "alias": "opus"
  },
  "google/gemini-3.1-pro-preview": {
    "alias": "gemini"
  }
}

:lobster: OpenClaw 2026.5.12 (f066dd2) — I autocomplete your thoughts—just slower and with more API calls.

Config        : ~/.openclaw/openclaw.json
Agent dir     : ~/.openclaw/agents/main/agent
Default       : google/gemini-3.1-pro-preview
Fallbacks (0) : -
Image model   : -
Image fallbacks (0): -
Aliases (3)   : opus -> anthropic/claude-opus-4-7, sonnet -> anthropic/claude-sonnet-4-6, gemini -> google/gemini-3.1-pro-preview
Configured models (7): google-gemini-cli/gemini-3.1-pro-preview, google-gemini-cli/gemini-3-flash-preview, anthropic/claude-opus-4-7, anthropic/claude-3-5-haiku-latest, anthropic/claude-haiku-4-5, anthropic/claude-sonnet-4-6, google/gemini-3.1-pro-preview

Auth overview
Auth store    : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env     : off
Providers w/ OAuth/tokens (1): google-gemini-cli (1)
- anthropic ...
- google-gemini-cli effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=1, token=0, api_key=0) | google-gemini-cli:EMAIL@gmail.com=OAuth (EMAIL@gmail.com)

Missing auth
- google Run `openclaw models auth login --provider google`, `openclaw configure`, or set an API key env var.

OAuth/token status
- google-gemini-cli usage: Pro 100% left · Flash 100% left
  - google-gemini-cli:EMAIL@gmail.com (EMAIL@gmail.com) expiring expires in 48m

I then ran

openclaw config set models.providers.google.agentRuntime '{"id":"google-gemini-cli"}' --strict-json
openclaw gateway restart

Still the same

Thanks, that output is useful. Since the provider-wide binding still leaves TUI trying plain google, use the more direct model-scoped binding on the actual selected model:

openclaw config set agents.defaults.models '{"google/gemini-3.1-pro-preview":{"alias":"gemini","agentRuntime":{"id":"google-gemini-cli"}}}' --strict-json --merge
openclaw config get agents.defaults.models --json
openclaw gateway restart

You should see the google/gemini-3.1-pro-preview entry include:

"agentRuntime": { "id": "google-gemini-cli" }

If that still fails with No API key found for provider "google", then I’d switch to the legacy ref as a workaround:

openclaw models set google-gemini-cli/gemini-3.1-pro-preview
openclaw gateway restart

At that point it’s looking like a 2026.5.12 bug/regression: OAuth exists, quota is detected, but runtime routing isn’t being applied to the canonical google/* default. If the model-scoped binding fails too, please file it with this thread’s outputs: https://github.com/openclaw/openclaw/issues

I have this:

lj50@raspberrypi:~ openclaw models list --provider google-gemini-cli --plain

🦞 OpenClaw 2026.5.12 (f066dd2) — I've survived more breaking changes than your last three relationships.

google-gemini-cli/gemini-3.1-pro-preview
google-gemini-cli/gemini-3-flash-preview

I tried to use google-gemini-cli/ and google/ but both are failing

I can atleast see it after running openclaw models status

Good, that means discovery/catalog is not the blocker. The blocker is runtime/auth routing during the actual agent run.

The most useful next split is:

1. If openclaw models set google-gemini-cli/gemini-3.1-pro-preview still fails with No API key found for provider "google", then the legacy ref is being normalized back to google/* but the Gemini CLI runtime is not being carried through. That’s a bug/regression candidate.

2. If model-scoped runtime binding works, the fix is just config:

openclaw config set agents.defaults.models '{"google/gemini-3.1-pro-preview":{"alias":"gemini","agentRuntime":{"id":"google-gemini-cli"}}}' --strict-json --merge
openclaw gateway restart

After restart, openclaw models status should still show the default as google/gemini-3.1-pro-preview, but the actual agent run should stop asking for google API-key auth.

If both google-gemini-cli/* and the model-scoped agentRuntime binding fail, I’d file this with:

• openclaw --version

• openclaw models status
• openclaw config get agents.defaults.models --json
• the exact TUI error

Issue link: https://github.com/openclaw/openclaw/issues

openclaw config get agents.defaults.models --json
openclaw gateway restart

🦞 OpenClaw 2026.5.12 (f066dd2) — Built by lobsters, for humans. Don't question the hierarchy.

Config overwrite: /home/lj50/.openclaw/openclaw.json (sha256 356bf312497964a170586af581cbb7f17e870ebc95591751274ec152fa9493e0 -> ed548b44e1d686d24347880019bd6d756f9b52649fee66e7a39078feff5399dd, backup=/home/lj50/.openclaw/openclaw.json.bak)
Updated agents.defaults.models. Restart the gateway to apply.
{
  "google-gemini-cli/gemini-3.1-pro-preview": {},
  "google-gemini-cli/gemini-3-flash-preview": {},
  "anthropic/claude-opus-4-7": {
    "alias": "opus"
  },
  "anthropic/claude-3-5-haiku-latest": {},
  "anthropic/claude-haiku-4-5": {},
  "anthropic/claude-sonnet-4-6": {
    "alias": "sonnet"
  },
  "google/gemini-3.1-pro-preview": {
    "alias": "gemini",
    "agentRuntime": {
      "id": "google-gemini-cli"
    }
  }
}

🦞 OpenClaw 2026.5.12 (f066dd2) — If you can describe it, I can probably automate it—or at least make it funnier.

Restarted systemd service: openclaw-gateway.service
lj50@raspberrypi:~ $ openclaw tui

🦞 OpenClaw 2026.5.12 (f066dd2) — Self-hosted, self-updating, self-aware (just kidding... unless?).

 openclaw tui - ws://127.0.0.1:18789 - agent main - session main                                                                                                                        
 connecting | idle                                                                                                                                                                      

 session agent:main:main                                                                         
                                                        
Logs: openclaw logs --follow

Still not working

The config write landed correctly. At this point I’d stop changing model config for a moment and check whether TUI is using stale session state.

Try a fresh session key:

openclaw tui --session gemini-test

If that works, the old main session likely has stale model/runtime route state. You can keep using the new session, or run doctor to inspect/repair stale session metadata:

openclaw doctor
openclaw doctor --fix
openclaw gateway restart

If openclaw tui --session gemini-test still fails, please paste the fresh error from:

openclaw logs --follow

Right now the latest screenshot only shows TUI connected/idle, not the actual failure. The config now has the expected agentRuntime.id: "google-gemini-cli", so the next useful evidence is whether the run is still routing to plain google, or whether it’s now failing inside the Gemini CLI runtime.

sorry, @agile imp. Not trying to make your thread noisy here. I just know I had it working before for sure

Don't worry about it, thanks for your help !
Maybe something is wrong with my installation, so I will try to reset everything
If still not working, I'll just wait for an update or something

You seem close though, You get models showing after that plain models status command you ran. I am wondering if

• you have an env for GEMINI_API_KEY since I believe it takes presedence
• your agents auth profile json file has a different auth default, BUT, openclaw.json would override it.
• stuck/stale session?

i'd try reset and new comands a couple times in youe channel before taking a break on it. @molten berry can correct me if my assumptions were wrong or need correcting.

@agile imp mine worked in TUI after I selected gemini-3.1-pro-preview:

openclaw tui - ws://127.0.0.1:18789 - agent main - session gemini-test

 session agent:main:gemini-test

 model set to google/gemini-3.1-pro-preview


What auth are you using for ge
mini?


You are currently using OAuth for Gemini authentication. It is configured under the google-gemini-cli provider with the account [redacted]
@gmail.com.
 connected | idle
 agent main | session gemini-test | google/gemini-3.1-pro-preview | tokens ?/250k

Just tried, but that's still not working 🥲
:warning: Agent failed before reply: No API key found for provider "google"
I'll just reset the whole thing, I don't have anything too important configured anyway
Again, thanks for your help with this !

One last update, it's still not working after a full reset, I guess something is broken with Gemini Cli, so i'll wait an update or something before trying again 🥲