Initialization with Service Key fails with Bad Credentials

[florian-richter]

Describe the Bug

I am getting a ErrorWithCause: Failed to fetch the list of deployments. caused by Error: Could not fetch client credentials token for service of type aicore: HTTP response from https://llm-access-iek0ljt7.authentication.sap.hana.ondemand.com/oauth/token was 401: {"error":"invalid_client","error_description":"Bad credentials"}. during the creation of a new OrchestrationClient.

Steps to Reproduce

See code below. Error occurs when calling the endpoint.

I checked with "@sap-ai-sdk/orchestration": "^2.0.0", as well as "@sap-ai-sdk/orchestration": "^1.18.0",. I verified the credentials by manually calling the oauth/token endpoint and got a valid access_token. The python SDK also works as intended with the same credentials.

Expected Behavior

The SDK should correctly authenticate with the credentials provided in the environment.

Screenshots

No response

Used Versions

• Node version via node -v: v22.17.0
• NPM version via npm -v: 11.4.2
• SAP Cloud SDK for AI version: both 2.0.0 and 1.18.0

Code Examples

This is the route.ts file in my NextJS project.

import { OrchestrationClient } from "@sap-ai-sdk/orchestration";

export async function POST(req: Request) {
  const model = new OrchestrationClient({
    promptTemplating: {
      model: {
        name: "gpt-4o",
      },
    },
  });

  const response = await model.chatCompletion({
    messages: [
      {
        role: "user",
        content:
          "Write a 100 word explanation about SAP Cloud SDK and its capabilities",
      },
    ],
  });
  return response;
}

.env file (with sensitive data redacted):

AICORE_SERVICE_KEY = '{
    "clientid": "sb-b199...d3fb!b111123|xsuaa_std!b12345",
    "clientsecret": "c674...9dd7$XgEC...4X4=",
    "url": "https://llm-access-iek0ljt7.authentication.sap.hana.ondemand.com",
    "identityzone": "llm-access-iek0ljt7",
    "identityzoneid": "8c9c...f49b",
    "appname": "b199...152|xsuaa_std!b12345",
    "credential-type": "binding-secret",
    "serviceurls": {
        "AI_API_URL": "https://api.ai.internalprod.eu-central-1.aws.ml.hana.ondemand.com"
    }
}'

Log File

When sending a request I get the following logs:

[2025-09-25T12:25:28.480Z] INFO     (context): Found a service key in environment variable "AICORE_SERVICE_KEY". Using a service key is recommended for local testing only. Bind the AI Core service to the application for productive usage.
ErrorWithCause: Failed to fetch the list of deployments.
    at getAllDeployments (../../src/utils/deployment-resolver.ts:171:11)
    at async resolveDeploymentId (../../src/utils/deployment-resolver.ts:120:21)
    at async OrchestrationClient.executeRequest (../src/orchestration-client.ts:115:26)
    at async OrchestrationClient.chatCompletion (../src/orchestration-client.ts:62:22)
    at async POST (src/app/api/chat/route.ts:30:20)
    at serviceToken (../../src/scp-cf/token-accessor.ts:67:11)
    at async Object.aicoreToDestination [as aicore] (../../../src/scp-cf/destination/service-binding-to-destination.ts:83:17)
    at async getAiCoreDestination (../src/context.ts:59:29)
    at async executeRequest (../src/http-client.ts:64:29)
    at async OpenApiRequestBuilder.execute (../src/openapi-request-builder.ts:59:22)
    at async getAllDeployments (../../src/utils/deployment-resolver.ts:158:27)
    at async resolveDeploymentId (../../src/utils/deployment-resolver.ts:120:21)
    at async OrchestrationClient.executeRequest (../src/orchestration-client.ts:115:26)
    at async OrchestrationClient.chatCompletion (../src/orchestration-client.ts:62:22)
    at async POST (src/app/api/chat/route.ts:30:20)
    at <unknown> (../../src/scp-cf/xsuaa-service.ts:61:11)
    at async serviceToken (../../src/scp-cf/token-accessor.ts:55:19)
    at async Object.aicoreToDestination [as aicore] (../../../src/scp-cf/destination/service-binding-to-destination.ts:83:17)
    at async getAiCoreDestination (../src/context.ts:59:29)
    at async executeRequest (../src/http-client.ts:64:29)
    at async OpenApiRequestBuilder.execute (../src/openapi-request-builder.ts:59:22)
    at async getAllDeployments (../../src/utils/deployment-resolver.ts:158:27)
    at async resolveDeploymentId (../../src/utils/deployment-resolver.ts:120:21)
    at async OrchestrationClient.executeRequest (../src/orchestration-client.ts:115:26)
    at async OrchestrationClient.chatCompletion (../src/orchestration-client.ts:62:22)
    at async POST (src/app/api/chat/route.ts:30:20)
  28 |   //   controller.signal
  29 |   // );
> 30 |   const response = await model.chatCompletion({
     |                    ^
  31 |     messages: [
  32 |       {
  33 |         role: "user", {
  [cause]: ErrorWithCause: Could not fetch client credentials token for service of type "aicore".
      at serviceToken (../../src/scp-cf/token-accessor.ts:67:11)
      at async Object.aicoreToDestination [as aicore] (../../../src/scp-cf/destination/service-binding-to-destination.ts:83:17)
      at async getAiCoreDestination (../src/context.ts:59:29)
      at async executeRequest (../src/http-client.ts:64:29)
      at async OpenApiRequestBuilder.execute (../src/openapi-request-builder.ts:59:22)
      at async getAllDeployments (../../src/utils/deployment-resolver.ts:158:27)
      at async resolveDeploymentId (../../src/utils/deployment-resolver.ts:120:21)
      at async OrchestrationClient.executeRequest (../src/orchestration-client.ts:115:26)
      at async OrchestrationClient.chatCompletion (../src/orchestration-client.ts:62:22)
      at async POST (src/app/api/chat/route.ts:30:20)
      at <unknown> (../../src/scp-cf/xsuaa-service.ts:61:11)
      at async serviceToken (../../src/scp-cf/token-accessor.ts:55:19)
      at async Object.aicoreToDestination [as aicore] (../../../src/scp-cf/destination/service-binding-to-destination.ts:83:17)
      at async getAiCoreDestination (../src/context.ts:59:29)
      at async executeRequest (../src/http-client.ts:64:29)
      at async OpenApiRequestBuilder.execute (../src/openapi-request-builder.ts:59:22)
      at async getAllDeployments (../../src/utils/deployment-resolver.ts:158:27)
      at async resolveDeploymentId (../../src/utils/deployment-resolver.ts:120:21)
      at async OrchestrationClient.executeRequest (../src/orchestration-client.ts:115:26)
      at async OrchestrationClient.chatCompletion (../src/orchestration-client.ts:62:22)
      at async POST (src/app/api/chat/route.ts:30:20)
    28 |   //   controller.signal
    29 |   // );
  > 30 |   const response = await model.chatCompletion({
       |                    ^
    31 |     messages: [
    32 |       {
    33 |         role: "user", {
    [cause]: Error: Could not fetch client credentials token for service of type aicore: HTTP response from https://llm-access-ie...t7.authentication.sap.hana.ondemand.com/oauth/token was 401: {"error":"invalid_client","error_description":"Bad credentials"}.
        at <unknown> (../../src/scp-cf/xsuaa-service.ts:61:11)
        at async serviceToken (../../src/scp-cf/token-accessor.ts:55:19)
        at async Object.aicoreToDestination [as aicore] (../../../src/scp-cf/destination/service-binding-to-destination.ts:83:17)
        at async getAiCoreDestination (../src/context.ts:59:29)
        at async executeRequest (../src/http-client.ts:64:29)
        at async OpenApiRequestBuilder.execute (../src/openapi-request-builder.ts:59:22)
        at async getAllDeployments (../../src/utils/deployment-resolver.ts:158:27)
        at async resolveDeploymentId (../../src/utils/deployment-resolver.ts:120:21)
        at async OrchestrationClient.executeRequest (../src/orchestration-client.ts:115:26)
        at async OrchestrationClient.chatCompletion (../src/orchestration-client.ts:62:22)
        at async POST (src/app/api/chat/route.ts:30:20)
      28 |   //   controller.signal
      29 |   // );
    > 30 |   const response = await model.chatCompletion({
         |                    ^
      31 |     messages: [
      32 |       {
      33 |         role: "user",
  }
}
 POST /api/chat 500 in 1513ms

Region

EU10 Canary

Affected Development Phase

Development

Impact

Blocked

Timeline

No response

Additional Context

No response

[florian-richter]

I was able to further diagnose the issue. Running the logic of the endpoint in a standalone js file with node --env-file=.env index.js was working. Therefore the SDK just seems to incorrectly handle the environment variable which is loaded by NextJS.

In the non-working example from above, I logged the environment variable before calling new OrchestrationClient and the AICORE_SERVICE_KEY is correctly set and still I get a bad credentials error. Therefore I assume the SDK copies some of the environment variables by value before they are loaded and before I initialize the OrchestrationClient.

Loading the environment (e.g. via direnv) before starting the NextJS server, solves the issue and I can connect to AI Core. Nonetheless I would expect that the SDK would not need this workaround, as I would really prefer to just use the integrated convenience of NextJS.

---

Working test:

import { OrchestrationClient } from "@sap-ai-sdk/orchestration";

console.log(process.env.AICORE_SERVICE_KEY);

const orchestrationClient = new OrchestrationClient({
  promptTemplating: {
    model: {
      name: "gpt-4o",
    },
    prompt: {
      template: [
        { role: "user", content: "Answer the question: {{?question}}" },
      ],
    },
  },
});

const response = await orchestrationClient.chatCompletion({
  placeholderValues: {
    question: 'Why is the phrase "Hello world!" so famous?',
  },
});
console.log(response.getContent());

[ZhongpinWang]

Update:

Forgot to ask. Before we do the actual change, can you verify if process.env['AICORE_SERVICE_KEY'] is really undefined in your non-working example? And it would be nice if you can prove this fix by changing the SDK package @sap-ai-sdk/core in node_modules and use dot instead of [] in the context.ts.

---

Hi @florian-richter ,

Great to hear from you! 😁

I did some research and it turns out those env variables loaded by Next.js should only be accessed via dot, i.e. process.env.AICORE_SERVICE_KEY works but not process.env['AICORE_SERVICE_KEY'] which we are using here...

Here is the detailed explanation found in Next.js repo: vercel/next.js#19420 (comment)

Strictly it is not really a bug but I guess we can switch to dot access instead of dynamic access since Next.js is such a popular framework. I will bring this to the team.

Thanks a lot for the detailed debugging! It was very helpful.

Best regards

[florian-richter]

Thanks @ZhongpinWang for the quick reply and investigation. I agree it may not be a bug with your SDK. But since you mention NextJS in your docs, I would assume it is supported and should work.

Before we do the actual change, can you verify if process.env['AICORE_SERVICE_KEY'] is really undefined

I always seem to get the correct service key when logging the env variable. I tried a bunch of different ways (including deleting .next/ and node_modules to really have no incorrectly cached changes), but it always returns the service key, no matter if I use dot or brackets.

prove this fix by changing the SDK package @sap-ai-sdk/core in node_modules and use dot instead of [] in the context.ts

It's called context.js in node_modules, but I found the correct line and adjusted it. It did not seem to change the behavior. The linked issue seems promising, but I suspect it only applies to env vars used in the frontend (which need to be prefixed with NEXT_PUBLIC_).

[JordanMad]

Hi @florian-richter,
Not sure if you resolved that, but I had similar issue with NextJS application and it turned out to be the $ sign in the client secret, where I just had to escape it like so:

"clientsecret": "...bf\$HU4no..."

Source: https://nextjs.org/docs/pages/guides/environment-variables#referencing-other-variables

BR