opencode-provider-litellm 0.4.0 → 0.5.1

package/README.md

@@ -26,6 +26,8 @@ All models and MCP tools from your LiteLLM proxy appear in OpenCode automaticall
 | `LITELLM_URL` | Your LiteLLM proxy base URL |
 | `LITELLM_KEY` | API key for the proxy |
 | `LITELLM_PROVIDER_ID` | Provider ID in OpenCode (defaults to `LiteLLM`) |
+| `LITELLM_GCLOUD_TOKEN_AUTH` | Set to `1` to use Google ADC for auth (makes `LITELLM_KEY` optional) |
+| `GOOGLE_APPLICATION_CREDENTIALS` | Path to a Google ADC JSON file (used when `LITELLM_GCLOUD_TOKEN_AUTH=1`) |
 
 ### Inline config
 
@@ -42,9 +44,29 @@ Alternatively, provide `url` and `apiKey` directly in your `opencode.json`:
 }
 ```
 
-:::tip
-Environment variables take precedence over inline config. Use env vars to keep secrets out of checked-in files.
-:::
+> **Tip:** Environment variables take precedence over inline config. Use env vars to keep secrets out of checked-in files.
+
+### Google Vertex AI (gcloud token auth)
+
+When your LiteLLM proxy is backed by Google Vertex AI, you can skip `LITELLM_KEY` and let the plugin automatically fetch a gcloud OAuth token:
+
+```bash
+# 1. Authenticate with gcloud (creates an ADC JSON file)
+gcloud auth application-default login
+
+# 2. Set env vars (LITELLM_KEY is optional)
+export LITELLM_URL="https://your-litellm-proxy.example.com"
+export LITELLM_GCLOUD_TOKEN_AUTH=1
+
+# 3. Install and restart OpenCode
+opencode plugin opencode-provider-litellm
+```
+
+The plugin reads your [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials) JSON file and exchanges the refresh token for an access token before every LLM request. Tokens are cached for 50 minutes.
+
+To use a custom credentials file, set `GOOGLE_APPLICATION_CREDENTIALS` to its path.
+
+> **Note:** Only `authorized_user` credentials (from `gcloud auth application-default login`) are supported. Service account keys are not yet supported.
 
 ### /connect flow
 
@@ -94,6 +116,7 @@ The plugin uses three OpenCode hooks:
 | `config` | Discovers models from LiteLLM and injects them into OpenCode |
 | `auth` | Provides a `/connect` entry point for pasting an API key |
 | `tool` | Exposes discovered MCP tools as native OpenCode tools |
+| `chat.headers` | Injects `Authorization: Bearer <token>` when `LITELLM_GCLOUD_TOKEN_AUTH=1` |
 
 ## Troubleshooting
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-provider-litellm",
-  "version": "0.4.0",
+  "version": "0.5.1",
   "description": "OpenCode plugin for any LiteLLM proxy — auto-discovers models, auth, and capabilities",
   "type": "module",
   "exports": {

package/src/gcloud-token.test.ts

@@ -0,0 +1,255 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
+import { getGcloudToken, resetTokenCache, CACHE_TTL } from './gcloud-token.js'
+
+const mockReadFileSync = vi.hoisted(() => vi.fn())
+const mockExistsSync = vi.hoisted(() => vi.fn())
+const mockFetch = vi.hoisted(() => vi.fn())
+
+vi.mock('fs', () => ({
+  get readFileSync() { return mockReadFileSync },
+  get existsSync() { return mockExistsSync },
+}))
+
+// Mock global fetch
+beforeEach(() => {
+  vi.stubGlobal('fetch', mockFetch)
+})
+
+afterEach(() => {
+  vi.unstubAllGlobals()
+  vi.unstubAllEnvs()
+})
+
+const authorizedUserCredentials = {
+  type: 'authorized_user',
+  client_id: 'test-client-id.apps.googleusercontent.com',
+  client_secret: 'test-client-secret',
+  refresh_token: 'test-refresh-token',
+  account: 'test@example.com',
+}
+
+const serviceAccountCredentials = {
+  type: 'service_account',
+  private_key_id: 'key123',
+  private_key: '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n',
+  client_email: 'test@project.iam.gserviceaccount.com',
+  client_id: '123456789',
+  auth_uri: 'https://accounts.google.com/o/oauth2/auth',
+  token_uri: 'https://oauth2.googleapis.com/token',
+}
+
+describe('getGcloudToken', () => {
+  afterEach(() => {
+    vi.clearAllMocks()
+    vi.unstubAllEnvs()
+    resetTokenCache()
+  })
+
+  it('returns token from authorized_user credentials', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'exchanged-access-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('exchanged-access-token')
+
+    expect(mockFetch).toHaveBeenCalledWith(
+      'https://oauth2.googleapis.com/token',
+      expect.objectContaining({
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      }),
+    )
+  })
+
+  it('caches token within TTL', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'cached-token' }),
+    })
+
+    await getGcloudToken()
+    const cached = await getGcloudToken()
+    expect(cached).toBe('cached-token')
+    expect(mockFetch).toHaveBeenCalledTimes(1)
+  })
+
+  it('returns null when ADC file not found (no env, no default)', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', undefined)
+    vi.stubEnv('HOME', undefined)
+    vi.stubEnv('USERPROFILE', undefined)
+    vi.stubEnv('APPDATA', undefined)
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null when ADC file is invalid JSON', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue('not valid json{{{')
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null and warns for service_account type', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(serviceAccountCredentials))
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalledWith(
+      '[opencode-provider-litellm] Service account credentials are not yet supported. Use an authorized_user credential or set GOOGLE_APPLICATION_CREDENTIALS to an authorized_user JSON file.',
+    )
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null on token exchange failure', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: false,
+      status: 400,
+      text: async () => '{"error":"invalid_grant"}',
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null on token exchange network error', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockRejectedValue(new Error('network error'))
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('reads default ADC location when GOOGLE_APPLICATION_CREDENTIALS is not set', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', undefined)
+    vi.stubEnv('HOME', '/home/test')
+    vi.stubEnv('APPDATA', undefined)
+
+    mockExistsSync.mockReturnValue(true)
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'default-loc-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('default-loc-token')
+    expect(mockReadFileSync).toHaveBeenCalledWith(
+      expect.stringContaining('application_default_credentials.json'),
+      'utf-8',
+    )
+  })
+
+  it('reads Windows APPDATA ADC location', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', undefined)
+    vi.stubEnv('HOME', undefined)
+    vi.stubEnv('APPDATA', 'C:\\Users\\test\\AppData\\Roaming')
+
+    mockExistsSync.mockImplementation((path: string) => {
+      return typeof path === 'string' && path.includes('AppData') && path.includes('gcloud')
+    })
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'windows-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('windows-token')
+    // On Linux, path.join mixes slashes; just check it contains the key parts
+    expect(mockReadFileSync).toHaveBeenCalledWith(
+      expect.stringContaining('gcloud'),
+      'utf-8',
+    )
+  })
+
+  it('respects GOOGLE_APPLICATION_CREDENTIALS path over default', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/custom/path/creds.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'custom-path-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('custom-path-token')
+    expect(mockReadFileSync).toHaveBeenCalledWith('/custom/path/creds.json', 'utf-8')
+  })
+
+  it('stale cache triggers new token fetch', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ access_token: 'token-v1' }),
+      })
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ access_token: 'token-v2' }),
+      })
+
+    const first = await getGcloudToken()
+    expect(first).toBe('token-v1')
+
+    // Stub the cache to be stale
+    vi.spyOn(Date, 'now').mockReturnValue(Date.now() + CACHE_TTL + 1000)
+
+    const second = await getGcloudToken()
+    expect(second).toBe('token-v2')
+    expect(mockFetch).toHaveBeenCalledTimes(2)
+
+    vi.restoreAllMocks()
+  })
+})

package/src/gcloud-token.ts

@@ -0,0 +1,145 @@
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+
+let cachedToken: string | null = null
+let cachedAt: number = 0
+export const CACHE_TTL = 50 * 60 * 1000 // 50 minutes in ms
+
+interface AuthorizedUserCredentials {
+  type: 'authorized_user'
+  client_id: string
+  client_secret: string
+  refresh_token: string
+  account?: string
+  universe_domain?: string
+}
+
+interface ServiceAccountCredentials {
+  type: 'service_account'
+}
+
+type GoogleCredentials = AuthorizedUserCredentials | ServiceAccountCredentials
+
+const ADC_FILENAME = 'application_default_credentials.json'
+
+function getAdcPath(): string | null {
+  // 1. GOOGLE_APPLICATION_CREDENTIALS env var (all platforms)
+  const envPath = typeof process !== 'undefined' ? process.env.GOOGLE_APPLICATION_CREDENTIALS : undefined
+  if (envPath) {
+    return envPath
+  }
+
+  // 2. Default ADC locations (Google's official search order)
+  const candidates: string[] = []
+
+  // Linux / macOS: ~/.config/gcloud/
+  const home = typeof process !== 'undefined' ? process.env.HOME : undefined
+  if (home) {
+    candidates.push(join(home, '.config', 'gcloud', ADC_FILENAME))
+  }
+
+  // Windows: %APPDATA%/gcloud/
+  const appData = typeof process !== 'undefined' ? process.env.APPDATA : undefined
+  if (appData) {
+    candidates.push(join(appData, 'gcloud', ADC_FILENAME))
+  }
+
+  for (const path of candidates) {
+    if (existsSync(path)) {
+      return path
+    }
+  }
+
+  return null
+}
+
+function readCredentials(path: string): GoogleCredentials | null {
+  try {
+    const content = readFileSync(path, 'utf-8')
+    return JSON.parse(content) as GoogleCredentials
+  } catch {
+    return null
+  }
+}
+
+async function exchangeRefreshToken(credentials: AuthorizedUserCredentials): Promise<string | null> {
+  const body = new URLSearchParams({
+    grant_type: 'refresh_token',
+    client_id: credentials.client_id,
+    client_secret: credentials.client_secret,
+    refresh_token: credentials.refresh_token,
+  }).toString()
+
+  try {
+    const response = await fetch('https://oauth2.googleapis.com/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body,
+      signal: AbortSignal.timeout(10_000),
+    })
+
+    if (!response.ok) {
+      const text = await response.text()
+      console.warn(`[opencode-provider-litellm] Token exchange failed (${response.status}): ${text}`)
+      return null
+    }
+
+    const data = await response.json()
+    return data.access_token || null
+  } catch (error) {
+    console.warn(`[opencode-provider-litellm] Token exchange failed: ${error}`)
+    return null
+  }
+}
+
+/**
+ * Gets a Google OAuth access token from the ADC JSON file, cached with a 50-minute TTL.
+ * Returns null if credentials are not available or the token cannot be fetched.
+ * Logs a warning on failure.
+ */
+export async function getGcloudToken(): Promise<string | null> {
+  // Return cached token if still valid
+  if (cachedToken && (Date.now() - cachedAt) < CACHE_TTL) {
+    return cachedToken
+  }
+
+  const adcPath = getAdcPath()
+  if (!adcPath) {
+    console.warn(
+      '[opencode-provider-litellm] No Google ADC file found. Set GOOGLE_APPLICATION_CREDENTIALS or run `gcloud auth application-default login`.',
+    )
+    return null
+  }
+
+  const credentials = readCredentials(adcPath)
+  if (!credentials) {
+    console.warn(`[opencode-provider-litellm] Failed to read ADC file: ${adcPath}`)
+    return null
+  }
+
+  if (credentials.type === 'authorized_user') {
+    const token = await exchangeRefreshToken(credentials)
+    if (token) {
+      cachedToken = token
+      cachedAt = Date.now()
+    }
+    return token
+  }
+
+  if (credentials.type === 'service_account') {
+    console.warn('[opencode-provider-litellm] Service account credentials are not yet supported. Use an authorized_user credential or set GOOGLE_APPLICATION_CREDENTIALS to an authorized_user JSON file.')
+    return null
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+  console.warn(`[opencode-provider-litellm] Unknown credential type: ${(credentials as { type: string }).type}`)
+  return null
+}
+
+/**
+ * Resets the token cache. Exported for testing purposes.
+ */
+export function resetTokenCache(): void {
+  cachedToken = null
+  cachedAt = 0
+}

package/src/plugin.test.ts

@@ -1,4 +1,4 @@
-import { vi, describe, it, expect, beforeEach } from 'vitest'
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest'
 import type { PluginInput } from '@opencode-ai/plugin'
 import type { OpencodeModelConfig } from './types.js'
 
@@ -20,6 +20,12 @@ vi.mock('./mcp-tools.js', () => ({
   createMcpToolDefinitions: vi.fn(),
 }))
 
+// Mock the gcloud token module
+vi.mock('./gcloud-token.js', () => ({
+  getGcloudToken: vi.fn(),
+  resetTokenCache: vi.fn(),
+}))
+
 import { LiteLLMPlugin } from './plugin.js'
 import { discoverModels, injectModelsIntoConfig } from './discovery.js'
 import { resolvePluginConfig } from './utils.js'
@@ -48,6 +54,7 @@ describe('LiteLLMPlugin', () => {
 
   beforeEach(() => {
     vi.resetAllMocks()
+    delete process.env.LITELLM_GCLOUD_TOKEN_AUTH
 
     mockInput = createMockInput()
     logFn = mockInput.client.app.log as ReturnType<typeof vi.fn>
@@ -74,6 +81,10 @@ describe('LiteLLMPlugin', () => {
     })
   })
 
+  afterEach(() => {
+    delete process.env.LITELLM_GCLOUD_TOKEN_AUTH
+  })
+
   it('throws on missing config', async () => {
     vi.mocked(resolvePluginConfig).mockReturnValue(null)
 
@@ -84,6 +95,28 @@ describe('LiteLLMPlugin', () => {
     )
   })
 
+  it('throws gcloud-specific error when LITELLM_GCLOUD_TOKEN_AUTH is set but config is missing', async () => {
+    vi.mocked(resolvePluginConfig).mockReturnValue(null)
+    process.env.LITELLM_GCLOUD_TOKEN_AUTH = '1'
+
+    await expect(
+      LiteLLMPlugin(mockInput, {})
+    ).rejects.toThrow(
+      'LITELLM_KEY is optional when LITELLM_GCLOUD_TOKEN_AUTH=1',
+    )
+  })
+
+  it('throws generic error when LITELLM_GCLOUD_TOKEN_AUTH is not set and config is missing', async () => {
+    vi.mocked(resolvePluginConfig).mockReturnValue(null)
+    delete process.env.LITELLM_GCLOUD_TOKEN_AUTH
+
+    await expect(
+      LiteLLMPlugin(mockInput, {})
+    ).rejects.toThrow(
+      "Plugin config error: set 'url' and 'apiKey'",
+    )
+  })
+
   it('config hook calls discoverModels and injects models into config', async () => {
     const hooks = await LiteLLMPlugin(mockInput, {
       url: 'https://litellm.example.com',
@@ -252,4 +285,35 @@ describe('LiteLLMPlugin', () => {
     delete process.env.LITELLM_URL
     delete process.env.LITELLM_KEY
   })
+
+  it('registers chat.headers hook when LITELLM_GCLOUD_TOKEN_AUTH is set', async () => {
+    process.env.LITELLM_GCLOUD_TOKEN_AUTH = '1'
+
+    const { getGcloudToken } = await import('./gcloud-token.js')
+    vi.mocked(getGcloudToken).mockResolvedValue('mock-gcloud-token')
+
+    const hooks = await LiteLLMPlugin(mockInput, {
+      url: 'https://litellm.example.com',
+      apiKey: 'test-api-key',
+    })
+
+    expect(hooks['chat.headers']).toBeDefined()
+    expect(typeof hooks['chat.headers']).toBe('function')
+
+    // Verify the hook injects the token
+    const output = { headers: {} as Record<string, string> }
+    await (hooks['chat.headers'] as Function)({}, output)
+    expect(output.headers['Authorization']).toBe('Bearer mock-gcloud-token')
+  })
+
+  it('does not register chat.headers hook when LITELLM_GCLOUD_TOKEN_AUTH is unset', async () => {
+    delete process.env.LITELLM_GCLOUD_TOKEN_AUTH
+
+    const hooks = await LiteLLMPlugin(mockInput, {
+      url: 'https://litellm.example.com',
+      apiKey: 'test-api-key',
+    })
+
+    expect(hooks['chat.headers']).toBeUndefined()
+  })
 })

package/src/plugin.ts

@@ -2,6 +2,7 @@ import type { Plugin, PluginInput, PluginOptions } from '@opencode-ai/plugin'
 import { resolvePluginConfig, getProviderId } from './utils.js'
 import { discoverModels, injectModelsIntoConfig } from './discovery.js'
 import { createMcpToolDefinitions } from './mcp-tools.js'
+import { getGcloudToken } from './gcloud-token.js'
 
 export const LiteLLMPlugin: Plugin = async (
   input: PluginInput,
@@ -9,27 +10,45 @@ export const LiteLLMPlugin: Plugin = async (
 ) => {
   const pluginConfig = resolvePluginConfig(options)
   if (pluginConfig === null) {
+    const isGcloudAuth = process.env.LITELLM_GCLOUD_TOKEN_AUTH &&
+      process.env.LITELLM_GCLOUD_TOKEN_AUTH !== '' &&
+      process.env.LITELLM_GCLOUD_TOKEN_AUTH !== '0'
+
     throw new Error(
-      "Plugin config error: set 'url' and 'apiKey' in plugin options, " +
-      "or set LITELLM_URL and LITELLM_KEY environment variables.",
+      isGcloudAuth
+        ? "Plugin config error: set LITELLM_URL (LITELLM_KEY is optional when LITELLM_GCLOUD_TOKEN_AUTH=1)."
+        : "Plugin config error: set 'url' and 'apiKey' in plugin options, " +
+          "or set LITELLM_URL and LITELLM_KEY environment variables.",
     )
   }
 
   const providerId = getProviderId()
 
+  const isGcloudAuth = !!(process.env.LITELLM_GCLOUD_TOKEN_AUTH &&
+    process.env.LITELLM_GCLOUD_TOKEN_AUTH !== '' &&
+    process.env.LITELLM_GCLOUD_TOKEN_AUTH !== '0')
+
+  // When gcloud token auth is enabled, fetch a live token instead of using the static apiKey
+  const getToken = async (): Promise<string> => {
+    if (isGcloudAuth) {
+      return (await getGcloudToken()) ?? ''
+    }
+    return pluginConfig.apiKey
+  }
+
   let mcpTools: Record<string, any> = {}
   try {
-    mcpTools = await createMcpToolDefinitions(pluginConfig, pluginConfig.apiKey)
+    mcpTools = await createMcpToolDefinitions(pluginConfig, await getToken())
   } catch (e) {
     console.warn(`[opencode-provider-litellm] MCP tool discovery failed: ${e}`)
   }
 
-  return {
+  const result: Record<string, unknown> = {
     config: async (config: Record<string, any>) => {
       try {
         const models = await discoverModels(
           pluginConfig,
-          () => Promise.resolve(pluginConfig.apiKey),
+          getToken,
         )
 
         if (Object.keys(models).length === 0) {
@@ -41,11 +60,12 @@ export const LiteLLMPlugin: Plugin = async (
             },
           })
         } else {
+          const token = await getToken()
           injectModelsIntoConfig(
             config as Parameters<typeof injectModelsIntoConfig>[0],
             providerId,
             pluginConfig.url,
-            pluginConfig.apiKey,
+            token,
             models,
           )
           await input.client.app.log({
@@ -81,11 +101,12 @@ export const LiteLLMPlugin: Plugin = async (
               placeholder: 'sk-...',
             },
           ],
-          async authorize(inputs) {
-            if (!inputs?.apiKey || inputs.apiKey.length === 0) {
+          async authorize(inputs: Record<string, unknown> | undefined) {
+            const apiKey = inputs?.apiKey
+            if (!apiKey || typeof apiKey !== 'string' || apiKey.length === 0) {
               return { type: 'failed' as const }
             }
-            return { type: 'success' as const, key: inputs.apiKey }
+            return { type: 'success' as const, key: apiKey }
           },
         },
       ],
@@ -95,4 +116,15 @@ export const LiteLLMPlugin: Plugin = async (
       ...mcpTools,
     },
   }
+
+  if (isGcloudAuth) {
+    result['chat.headers'] = async (_input: Record<string, unknown>, output: { headers: Record<string, string> }) => {
+      const token = await getGcloudToken()
+      if (token) {
+        output.headers['Authorization'] = `Bearer ${token}`
+      }
+    }
+  }
+
+  return result
 }

package/src/utils.test.ts

@@ -55,6 +55,10 @@ describe('resolvePluginConfig', () => {
   })
 
   describe('environment variable priority', () => {
+    beforeEach(() => {
+      delete process.env.LITELLM_GCLOUD_TOKEN_AUTH
+    })
+
     it('returns config from env vars when both are set', () => {
       process.env.LITELLM_URL = 'https://env.example.com'
       process.env.LITELLM_KEY = 'env-key-123'
@@ -137,4 +141,55 @@ describe('resolvePluginConfig', () => {
       expect(resolvePluginConfig({})).toBeNull()
     })
   })
+
+  describe('gcloud token auth', () => {
+    beforeEach(() => {
+      delete process.env.LITELLM_GCLOUD_TOKEN_AUTH
+    })
+
+    it('allows missing LITELLM_KEY when LITELLM_GCLOUD_TOKEN_AUTH is set', () => {
+      process.env.LITELLM_URL = 'https://gcloud.example.com'
+      process.env.LITELLM_GCLOUD_TOKEN_AUTH = '1'
+      delete process.env.LITELLM_KEY
+
+      const config = resolvePluginConfig({})
+      expect(config).toEqual({ url: 'https://gcloud.example.com', apiKey: '' })
+    })
+
+    it('does not allow missing key when gcloud auth is disabled', () => {
+      process.env.LITELLM_URL = 'https://gcloud.example.com'
+      delete process.env.LITELLM_KEY
+      delete process.env.LITELLM_GCLOUD_TOKEN_AUTH
+
+      const config = resolvePluginConfig({})
+      expect(config).toBeNull()
+    })
+
+    it('does not allow missing key when gcloud auth is set to 0', () => {
+      process.env.LITELLM_URL = 'https://gcloud.example.com'
+      process.env.LITELLM_GCLOUD_TOKEN_AUTH = '0'
+      delete process.env.LITELLM_KEY
+
+      const config = resolvePluginConfig({})
+      expect(config).toBeNull()
+    })
+
+    it('does not allow missing key when gcloud auth is empty string', () => {
+      process.env.LITELLM_URL = 'https://gcloud.example.com'
+      process.env.LITELLM_GCLOUD_TOKEN_AUTH = ''
+      delete process.env.LITELLM_KEY
+
+      const config = resolvePluginConfig({})
+      expect(config).toBeNull()
+    })
+
+    it('prefers full env vars over gcloud fallback', () => {
+      process.env.LITELLM_URL = 'https://gcloud.example.com'
+      process.env.LITELLM_KEY = 'normal-key'
+      process.env.LITELLM_GCLOUD_TOKEN_AUTH = '1'
+
+      const config = resolvePluginConfig({})
+      expect(config).toEqual({ url: 'https://gcloud.example.com', apiKey: 'normal-key' })
+    })
+  })
 })

package/src/utils.ts

@@ -34,14 +34,23 @@ export function mapLiteLLMModel(model: LiteLLMModel): OpencodeModelConfig {
 export function resolvePluginConfig(rawConfig: unknown): PluginConfig | null {
   const envUrl = typeof process !== 'undefined' ? process.env.LITELLM_URL : undefined
   const envKey = typeof process !== 'undefined' ? process.env.LITELLM_KEY : undefined
+  const envGcloudAuth = typeof process !== 'undefined'
+    ? process.env.LITELLM_GCLOUD_TOKEN_AUTH
+    : undefined
 
   const hasEnvVars = envUrl !== undefined && envUrl.length > 0 &&
-                     envKey !== undefined && envKey.length > 0
+                      envKey !== undefined && envKey.length > 0
 
   if (hasEnvVars) {
     return { url: envUrl, apiKey: envKey }
   }
 
+  // Allow missing LITELLM_KEY when gcloud token auth is enabled
+  if (envUrl !== undefined && envUrl.length > 0 &&
+      envGcloudAuth !== undefined && envGcloudAuth !== '' && envGcloudAuth !== '0') {
+    return { url: envUrl, apiKey: envKey || '' }
+  }
+
   // Fall back to config options from opencode.json
   if (rawConfig && typeof rawConfig === 'object' && !Array.isArray(rawConfig)) {
     const obj = rawConfig as Record<string, unknown>