fix(knowledge): pass Gemini API key via x-goog-api-key header

waleedlatif1 · claude · waleedlatif1 · commit b73c2184a36b · 2026-04-29T23:22:25.000-07:00
URLs end up in server access logs, proxy logs, and APM tools, so embedding
the key as a query param risks accidental exposure. Google explicitly
recommends the header form for the Gemini REST API.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/lib/knowledge/embeddings.ts b/apps/sim/lib/knowledge/embeddings.ts
@@ -154,9 +154,10 @@ function l2Normalize(vector: number[]): number[] {
 
 function buildGeminiProvider(modelName: string, apiKey: string): ResolvedProvider['buildRequest'] {
   return (inputs, inputType) => ({
-    apiUrl: `https://generativelanguage.googleapis.com/v1beta/models/${modelName}:batchEmbedContents?key=${encodeURIComponent(apiKey)}`,
+    apiUrl: `https://generativelanguage.googleapis.com/v1beta/models/${modelName}:batchEmbedContents`,
     headers: {
       'Content-Type': 'application/json',
+      'x-goog-api-key': apiKey,
     },
     body: {
       requests: inputs.map((text) => ({
