Environment
Python 3.10, google-genai 2.10.0
Description
The docs say that for GCS registration the API key "is unused for the registration endpoint." But the client still sends x-goog-api-key on that request, on top of the SA bearer token from auth=. Two credentials on one request → 401 OVERLOADED_CREDENTIALS.
Repro
from google import genai
from google.oauth2.service_account import Credentials
credentials = Credentials.from_service_account_file(
"sa-key.json", scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
client = genai.Client() # GEMINI_API_KEY from env, as the docs show
client.files.register_files(auth=credentials, uris=["gs://my-bucket/object.mp3"])
Result
401 UNAUTHENTICATED - reason: OVERLOADED_CREDENTIALS
method: google.ai.generativelanguage.v1beta.FileService.RegisterFiles
Logging the outgoing request shows both headers on POST /v1beta/files:register:
x-goog-api-key : AQ.Ab8RN… (from the client)
authorization : Bearer ya29… (from register_files auth=)
Cause
BaseApiClient sets x-goog-api-key as a persistent header for every request (_api_client.py), and register_files adds the bearer token (files.py) without removing it. So both go out.
Expected
Registration should send only the auth= bearer token and succeed. Workaround for now is popping x-goog-api-key off client._api_client._http_options.headers around the call.
Environment
Python 3.10, google-genai 2.10.0
Description
The docs say that for GCS registration the API key "is unused for the registration endpoint." But the client still sends x-goog-api-key on that request, on top of the SA bearer token from auth=. Two credentials on one request → 401 OVERLOADED_CREDENTIALS.
Repro
from google import genai
from google.oauth2.service_account import Credentials
credentials = Credentials.from_service_account_file(
"sa-key.json", scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
client = genai.Client() # GEMINI_API_KEY from env, as the docs show
client.files.register_files(auth=credentials, uris=["gs://my-bucket/object.mp3"])
Result
401 UNAUTHENTICATED - reason: OVERLOADED_CREDENTIALS
method: google.ai.generativelanguage.v1beta.FileService.RegisterFiles
Logging the outgoing request shows both headers on POST /v1beta/files:register:
x-goog-api-key : AQ.Ab8RN… (from the client)
authorization : Bearer ya29… (from register_files auth=)
Cause
BaseApiClient sets x-goog-api-key as a persistent header for every request (_api_client.py), and register_files adds the bearer token (files.py) without removing it. So both go out.
Expected
Registration should send only the auth= bearer token and succeed. Workaround for now is popping x-goog-api-key off client._api_client._http_options.headers around the call.