From cb9bfd0d63b387ff9705894cec4ba7007f46bb91 Mon Sep 17 00:00:00 2001
From: SanskaarUndale21 <sanskaarundale@gmail.com>
Date: Tue, 19 May 2026 20:38:31 +0530
Subject: [PATCH 1/2] fix: allow api_key="" to bypass credential validation for
 local servers

Fixes #3224 - v2.34.0 changed the credential check from an identity
check to a truthiness check, breaking api_key="" used by local
OpenAI-compatible servers (llama.cpp, LM Studio, vLLM, etc.).

Track _api_key_explicitly_provided before env var fallback so an
explicit empty string is treated as intentional and skips the error,
while omitting api_key entirely with no env var still raises.
---
 src/openai/_client.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/openai/_client.py b/src/openai/_client.py
index 499a62dfe5..b369928f34 100644
--- a/src/openai/_client.py
+++ b/src/openai/_client.py
@@ -163,6 +163,7 @@ def __init__(
 
         self.workload_identity = workload_identity
 
+        _api_key_explicitly_provided = False
         if workload_identity is not None:
             self.api_key = WORKLOAD_IDENTITY_API_KEY_PLACEHOLDER
             self._api_key_provider = None
@@ -170,6 +171,7 @@ def __init__(
                 workload_identity=workload_identity,
             )
         else:
+            _api_key_explicitly_provided = api_key is not None
             if api_key is None:
                 api_key = os.environ.get("OPENAI_API_KEY")
             if callable(api_key):
@@ -187,6 +189,7 @@ def __init__(
         if (
             _enforce_credentials
             and not self.api_key
+            and not _api_key_explicitly_provided
             and self._api_key_provider is None
             and workload_identity is None
             and self.admin_api_key is None
@@ -669,6 +672,7 @@ def __init__(
 
         self.workload_identity = workload_identity
 
+        _api_key_explicitly_provided = False
         if workload_identity is not None:
             self.api_key = WORKLOAD_IDENTITY_API_KEY_PLACEHOLDER
             self._api_key_provider = None
@@ -676,6 +680,7 @@ def __init__(
                 workload_identity=workload_identity,
             )
         else:
+            _api_key_explicitly_provided = api_key is not None
             if api_key is None:
                 api_key = os.environ.get("OPENAI_API_KEY")
             if callable(api_key):
@@ -693,6 +698,7 @@ def __init__(
         if (
             _enforce_credentials
             and not self.api_key
+            and not _api_key_explicitly_provided
             and self._api_key_provider is None
             and workload_identity is None
             and self.admin_api_key is None

From c11d4069e04eb58663385acc9fe704124998d881 Mon Sep 17 00:00:00 2001
From: SanskaarUndale21 <sanskaarundale@gmail.com>
Date: Tue, 19 May 2026 20:55:16 +0530
Subject: [PATCH 2/2] fix: persist _api_key_explicitly_provided to skip
 request-time auth validation for api_key=""

Copilot flagged that bypassing the init-time credential check was incomplete --
_validate_headers still raised TypeError on every request when api_key="" because
_bearer_auth returns {} for falsy keys. Store the flag as an instance variable and
check it in _validate_headers for both OpenAI and AsyncOpenAI.
---
 src/openai/_client.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/openai/_client.py b/src/openai/_client.py
index b369928f34..6cf42e099c 100644
--- a/src/openai/_client.py
+++ b/src/openai/_client.py
@@ -182,6 +182,8 @@ def __init__(
                 self._api_key_provider = None
             self._workload_identity_auth = None
 
+        self._api_key_explicitly_provided = _api_key_explicitly_provided
+
         if admin_api_key is None:
             admin_api_key = os.environ.get("OPENAI_ADMIN_KEY")
         self.admin_api_key = admin_api_key
@@ -492,6 +494,9 @@ def _validate_headers(self, headers: Headers, custom_headers: Headers) -> None:
         if _has_header(headers, "Authorization") or _has_omitted_header(custom_headers, "Authorization"):
             return
 
+        if self._api_key_explicitly_provided:
+            return
+
         raise TypeError(
             '"Could not resolve authentication method. Expected either api_key or admin_api_key to be set. Or for one of the `Authorization` or `Authorization` headers to be explicitly omitted"'
         )
@@ -691,6 +696,8 @@ def __init__(
                 self._api_key_provider = None
             self._workload_identity_auth = None
 
+        self._api_key_explicitly_provided = _api_key_explicitly_provided
+
         if admin_api_key is None:
             admin_api_key = os.environ.get("OPENAI_ADMIN_KEY")
         self.admin_api_key = admin_api_key
@@ -1001,6 +1008,9 @@ def _validate_headers(self, headers: Headers, custom_headers: Headers) -> None:
         if _has_header(headers, "Authorization") or _has_omitted_header(custom_headers, "Authorization"):
             return
 
+        if self._api_key_explicitly_provided:
+            return
+
         raise TypeError(
             '"Could not resolve authentication method. Expected either api_key or admin_api_key to be set. Or for one of the `Authorization` or `Authorization` headers to be explicitly omitted"'
         )