Open
Labels
- priority: p1 (Important issue which blocks shipping the next release. Will be fixed prior to next release.)
- type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
Description
We recently launched mTLS bound tokens for Agentic workloads. However, it was discovered that the python-genai library is incompatible with mTLS and therefore incompatible with bound tokens. The problem is multifold:
- Unlike python-pubsub or python-aiplatform which are gapic based, the python-genai library is "handwritten" and is missing logic for "automatically enabling mTLS" when workload identity is detected. (https://github.com/googleapis/python-pubsub/pull/1566/files)
- python-genai uses hard-coded non-mTLS endpoints in several locations (example in _api_client.py), a potential source of 401 rejections.
- python-genai cannot use "AuthorizedSession" from the core google python api lib (https://github.com/googleapis/google-auth-library-python/blob/main/google/auth/transport/requests.py) due to Async requirements. It is currently designed to support httpx and aiohttp, which are also overridable by the end user.
We need a comprehensive plan to address these gaps to make python-genai compatible with mTLS.
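
The endpoint-selection step that the first two bullets say is missing, as an added sketch that is not code from python-genai or from the gapic clients. The two environment variable names are the ones gapic-generated Python clients read; `to_mtls_host`, `select_endpoint`, the `require_mtls` flag, the defaults and the sample hosts are assumptions of this example.

```python
import re

# Environment variables read by Google's generated (gapic) Python clients.
ENV_USE_MTLS_ENDPOINT = "GOOGLE_API_USE_MTLS_ENDPOINT"      # auto | always | never
ENV_USE_CLIENT_CERT = "GOOGLE_API_USE_CLIENT_CERTIFICATE"   # true | false

_GOOGLEAPIS = re.compile(
    r"^(?P<name>[a-z0-9.-]+?)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?\.googleapis\.com$"
)


def to_mtls_host(host):
    """Map foo.googleapis.com to foo.mtls.googleapis.com; leave other hosts alone."""
    m = _GOOGLEAPIS.match(host.lower())
    if not m or m.group("mtls"):
        return host  # custom endpoint, or already an mTLS host
    return f"{m.group('name')}.mtls{m.group('sandbox') or ''}.googleapis.com"


def select_endpoint(default_host, env, cert_available, require_mtls=False):
    """Return (host, use_client_cert) instead of using a hard-coded host.

    cert_available: True when a workload client certificate was discovered.
    require_mtls:   hypothetical flag, set when the credential is a bound token.
    """
    mode = env.get(ENV_USE_MTLS_ENDPOINT, "auto").lower()
    if mode not in ("auto", "always", "never"):
        raise ValueError(f"{ENV_USE_MTLS_ENDPOINT} must be auto, always or never")
    # Assumed default: the client certificate is opt-in.
    opted_in = env.get(ENV_USE_CLIENT_CERT, "false").lower() == "true"
    use_cert = opted_in and cert_available
    host = default_host
    if mode == "always" or (mode == "auto" and use_cert):
        host = to_mtls_host(default_host)
    # Fail closed: a bound token sent without the client certificate, or to a
    # non-mTLS host, would be rejected by the server anyway.
    if require_mtls and not (use_cert and ".mtls." in host):
        raise RuntimeError("bound token requires a client certificate and an mTLS endpoint")
    return host, use_cert


if __name__ == "__main__":
    # Constructed sample inputs.
    env = {ENV_USE_CLIENT_CERT: "true"}
    print(select_endpoint("aiplatform.googleapis.com", env, cert_available=True))
    print(select_endpoint("aiplatform.googleapis.com", {}, cert_available=True))
```

Whatever transport is in use (httpx, aiohttp or a user-supplied client), the returned `use_client_cert` flag still has to be honoured by configuring that client's TLS context with the workload certificate.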