[Bug]: LiteLLM provider should not require a mandatory API Key

[source-yongyi]

Problem (one or two sentences)

The extension UI enforces a mandatory API Key for the LiteLLM provider, but LiteLLM supports and is often used without authentication in self-hosted or local environments.

Context (who is affected and when)

This affects users who host their own LiteLLM proxy (e.g., on a local network or private server) without an API Key configured. Currently, they cannot save the configuration or use the provider without entering a "dummy" key.

Reproduction steps

1. Open the Roo Code Settings page.
2. Select LiteLLM from the API Provider dropdown.
3. Enter a valid Base URL but leave the API Key field empty.
4. Observe that the UI marks the field as required and prevents the configuration from being active.

Expected result

The API Key field for LiteLLM should be optional. If left blank, the extension should send requests to the Base URL without an Authorization header.

Actual result

The UI validation forces a non-empty string for the API Key, making it impossible to use no-auth LiteLLM instances directly.

Variations tried (optional)

Entering a placeholder string (e.g., "none" or "dummy-key" or " ") does not works as a workaround.

App Version

3.51.1 (7c9722b)

API Provider (optional)

LiteLLM

Model Used (optional)

No response

Roo Code Task Links (optional)

No response

Relevant logs or errors (optional)

[roomote-v0]

I've analyzed this issue and here's my proposed implementation plan:

The API key for LiteLLM is enforced as mandatory in several places across the codebase. To make it optional, the following changes are needed:

1. webview-ui/src/utils/validate.ts (lines 56-60): Remove the case "litellm" block that returns a validation error when litellmApiKey is missing. Instead, only require litellmBaseUrl for LiteLLM.

2. webview-ui/src/components/settings/providers/LiteLLM.tsx:

   • Line 89: Change handleRefreshModels to only require url (not key) before proceeding.
   • Line 125: Change the disabled condition on the Refresh Models button to only check !apiConfiguration.litellmBaseUrl (remove !apiConfiguration.litellmApiKey).

3. src/shared/api.ts (line 174): Change the LiteLLM type from { apiKey: string; baseUrl: string } to { apiKey?: string; baseUrl: string } so the API key is optional at the type level.

4. src/core/webview/webviewMessageHandler.ts (line 1008): Change the condition from if (litellmApiKey && litellmBaseUrl) to if (litellmBaseUrl) so model fetching works without an API key.

5. src/api/providers/fetchers/litellm.ts (line 14): Change the apiKey parameter type from string to string | undefined and conditionally include the Authorization header only when an API key is provided.

The provider handler in src/api/providers/lite-llm.ts already falls back to "dummy-key" when no API key is set (line 29), but we should also update it to pass an empty string or omit the key entirely when none is configured, so no unnecessary Authorization header is sent.

This approach ensures:

• Users can save LiteLLM configurations without entering an API key
• The Refresh Models button works with just a Base URL
• Requests to no-auth LiteLLM proxies are sent without an Authorization header
• Existing behavior for authenticated LiteLLM instances is unchanged

Please mention @roomote in a comment saying that you approve this plan, and I'll proceed with the implementation.

[source-yongyi]

@roomote I approve this plan. Please proceed with the implementation. Thank you!

[roomote-v0]

Thanks for the approval! I've seen your comment and will proceed with the implementation now. I'll open a draft PR to share progress shortly.

[roomote-v0]

Opened a draft PR with my attempt at addressing this: #11920

The API Key field for LiteLLM is now optional -- only the Base URL is required. Requests to no-auth LiteLLM proxies will be sent without an Authorization header. Feedback welcome!

[roomote-v0]

Opened a draft PR with my attempt at addressing this: #11921

The API key is now optional for LiteLLM - only the base URL is required. Requests to no-auth LiteLLM proxies will be sent without an Authorization header. Feedback welcome!