release: 6.36.0

[stainless-app]

Automated Release PR

6.36.0 (2026-04-30)

Full Changelog: v6.35.0...v6.36.0

Features

• api: add support for Admin API Keys per endpoint (770d187)
• api: manual updates (6af2b6d)
• api: manual updates (f2dceda)

Bug Fixes

• api: support admin api key auth (e3862a3)
• api: tighten auth header selection (f1203bd)

Chores

• format: run eslint and prettier separately (104543a)
• internal: codegen related update (05d86da)
• internal: codegen related update (f184586)

---

This pull request is managed by Stainless's GitHub App.

The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.

For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.

🔗 Stainless website
📚 Read the docs
🙋 Reach out for help or questions

[stainless-app]

🧪 Testing

To try out this version of the SDK:

npm install 'https://pkg.stainless.com/s/openai-typescript/f184586fbcb8c7c07bf439455d6317aba62719ec/dist.tar.gz'

Expires at: Thu, 28 May 2026 15:55:25 GMT
Updated at: Tue, 28 Apr 2026 15:55:25 GMT

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c41a6ef577

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve HeadersLike when merging OPENAI_CUSTOM_HEADERS

Merging with options.defaultHeaders via object spread breaks valid HeadersLike inputs whenever OPENAI_CUSTOM_HEADERS is set: spreading a Headers instance produces {} and spreading tuple-form headers produces numeric keys, so caller-provided default headers are dropped or malformed for all requests in those environments. Since ClientOptions.defaultHeaders explicitly supports these non-object forms, this is a regression in runtime behavior; the merge should preserve header semantics (e.g., by using buildHeaders/header iteration) instead of plain object spread.

Useful? React with 👍 / 👎.

[apcha-oai]

@codex review pls

[chatgpt-codex-connector]

💡 Codex Review

openai-node/src/realtime/ws.ts

Line 35 in c087df5

...(isAzure(client) && !props.__resolvedApiKey ? {} : { Authorization: `Bearer ${client.apiKey}` }),

Reject realtime connections when apiKey is missing

After allowing apiKey: null, non-Azure realtime paths still unconditionally format Authorization: Bearer ${client.apiKey} (and browser variants append protocol tokens with ...${client.apiKey}). Admin-only clients now send Bearer null/...null instead of failing fast, causing opaque handshake/auth failures.

---

openai-node/src/client.ts

Line 639 in c087df5

await this._callApiKey();

Skip apiKey provider calls for admin-only requests

prepareOptions always invokes _callApiKey() even when route security is admin-only. If apiKey is a function and it throws/returns invalid data, admin-key requests fail before adminAPIKey auth is used. Gate token resolution on options.__security?.bearerAuth to avoid breaking valid admin-only traffic.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Mark checkpoint permission routes with admin auth scheme

These APIs are documented as admin-key-only, but the generated calls force __security: { bearerAuth: true }. With new OpenAI({ apiKey: null, adminAPIKey: '...' }), buildRequest cannot emit auth for these methods and throws "Could not resolve authentication method", making admin-only clients unable to call checkpoint permission endpoints.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve non-object defaultHeaders when loading env headers

defaultHeaders accepts HeadersLike (e.g., Headers or tuple arrays), but this merge uses object spread. Spreading a Headers instance drops entries, so enabling OPENAI_CUSTOM_HEADERS can silently erase caller-provided default headers and change request behavior.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Scope fallback auth to avoid admin key on bearer-only routes

The new fallback options.__security ?? { bearerAuth: true, adminAPIKeyAuth: true } applies both schemes when a resource omits __security. src/resources/beta/realtime/sessions.ts and .../transcription-sessions.ts omit it, so clients with both keys send admin auth (last Authorization wins) to bearer-only endpoints, causing auth failures.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Allow explicit api-key omission in header validation

validateHeaders lets callers intentionally omit auth only via nulls.has('authorization'). Azure clients clear auth with 'api-key': null; that path still throws "Could not resolve authentication method" even though omission was explicit. This blocks legitimate header overrides for Azure requests.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Check file-list contents before invoking prettier

The condition tests FILE_LIST (the path string), which is always non-empty after arg parsing. When the list file has no lines, xargs still invokes prettier once with no targets, causing unnecessary failures or full-run behavior. Guard on file contents (or use xargs -r) instead.

Useful? React with 👍 / 👎.