KB-3F9C

AgentData GPT Action 401 Auth Fix - 2026-05-13

Revision 1

Date: 2026-05-13 12:56-12:59 +07
Agent: Codex

Conclusion

Root cause: the live OpenAPI document declared ApiKeyAuth globally, but the protected operations did not carry explicit operation-level security. GPT Builder can import such schemas inconsistently. The health check stayed OK because it is public, while requests to the protected data endpoints reached Nginx without X-API-Key and returned 401.

Secondary finding: Authorization: Bearer <key> is not accepted for AgentData data endpoints. Nginx AgentData auth checks X-API-Key via $http_x_api_key.

Files changed

  • infra/nginx/static/openapi.json
  • automation/agent-data-openapi.json

Live VPS static OpenAPI was updated at:

/opt/incomex/docker/nginx/static/openapi.json
/usr/share/nginx/static/openapi.json
sha256: 0a8b9f5d68f659e67b5331088c4dcb7662921aa76a65546786996c21531ea7cb

Schema after fix

{
  "components": {
    "securitySchemes": {
      "ApiKeyAuth": {
        "type": "apiKey",
        "in": "header",
        "name": "X-API-Key"
      }
    }
  },
  "security": [{ "ApiKeyAuth": [] }]
}

Operation-level:

healthCheck: []
listDocuments: [{"ApiKeyAuth":[]}]
getDocument: [{"ApiKeyAuth":[]}]
createDocument: [{"ApiKeyAuth":[]}]
batchReadDocuments: [{"ApiKeyAuth":[]}]
getDocumentTruncated: [{"ApiKeyAuth":[]}]
patchDocument: [{"ApiKeyAuth":[]}]
updateDocument: [{"ApiKeyAuth":[]}]
deleteDocument: [{"ApiKeyAuth":[]}]
searchKnowledge: [{"ApiKeyAuth":[]}]
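
A pre-publish check for the condition behind the root cause, added here as an example (not part of the original fix or the project's code): it flags every operation that relies on the global security block or does not require ApiKeyAuth. The function names, the sample document and its operationId-to-path pairing are assumptions for illustration.

```python
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def audit_operation_security(spec, scheme="ApiKeyAuth", public_ops=("healthCheck",)):
    """Return (operationId, problem) pairs for operations whose auth is implicit or wrong."""
    findings = []
    if scheme not in spec.get("components", {}).get("securitySchemes", {}):
        findings.append(("<document>", f"components.securitySchemes lacks {scheme}"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip path-level keys such as "parameters"
            op_id = op.get("operationId", f"{method.upper()} {path}")
            sec = op.get("security")
            if sec is None:
                # Pre-fix state: auth depends on the importer applying the global block.
                findings.append((op_id, "no operation-level security"))
            elif op_id in public_ops:
                if sec != []:
                    findings.append((op_id, "public operation should declare security: []"))
            elif not sec or not all(scheme in req for req in sec):
                # An empty list or an alternative without the scheme lets a client omit the key.
                findings.append((op_id, f"does not require {scheme} in every alternative"))
    return findings

def with_explicit_security(spec, scheme="ApiKeyAuth", public_ops=("healthCheck",)):
    """Return a deep copy in which every operation carries an explicit security list."""
    fixed = copy.deepcopy(spec)
    for item in fixed["paths"].values():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                op["security"] = [] if op.get("operationId") in public_ops else [{scheme: []}]
    return fixed

# Constructed sample; the operationId-to-path pairing is assumed, not taken from the live schema.
API_KEY = {"ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}
SPEC_BEFORE = {
    "components": {"securitySchemes": API_KEY},
    "security": [{"ApiKeyAuth": []}],
    "paths": {
        "/api/health": {"get": {"operationId": "healthCheck", "security": []}},
        "/api/kb/list": {"get": {"operationId": "listDocuments"}},
        "/api/chat": {"post": {"operationId": "searchKnowledge", "security": [{}]}},
    },
}

if __name__ == "__main__":
    for op_id, problem in audit_operation_security(SPEC_BEFORE):
        print(f"{op_id}: {problem}")
```

An empty result from audit_operation_security on the file to be published means every operation states its own auth requirement, so the import does not depend on how the client treats the global block.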

Endpoint tests

GET /api/health no auth -> HTTP 200
GET /api/kb/list no auth -> HTTP 401
GET /api/kb/list with X-API-Key:<redacted> -> HTTP 200
GET /api/kb/list with Authorization: Bearer <redacted> only -> HTTP 401
POST /api/chat no auth -> HTTP 401
POST /api/chat with X-API-Key:<redacted> -> HTTP 200
POST /api/search with X-API-Key:<redacted> -> HTTP 404
POST /api/documents/batch with X-API-Key:<redacted> -> HTTP 200

Sample successful list response:

{
  "returned_count": 1,
  "count": 1895,
  "first": "knowledge/dev"
}

Sample successful search response:

{
  "session_id": "1b5d9dcc-b59d-4f28-a48c-65e2f4732f2d",
  "qdrant_hits": 1
}

Nginx config test:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

User action required

Yes: reimport https://vps.incomexsaigoncorp.vn/api/openapi.json in ChatGPT Builder.

Authentication must be an API key header:

Header name: X-API-Key
Value: <the real key>

Do not use Bearer auth, query param api_key, or lowercase custom param names in the Builder UI.