Alibaba Coding Plan: INTL accounts cannot fetch usage — no working auth path

[zombopanda]

Problem

The Alibaba Coding Plan provider does not work for International (INTL) accounts. Both fetch strategies (web/cookie and API key) fail with different errors.

Environment

• CodexBar 0.19.0
• Alibaba Cloud account registered as INTL (Ukraine, aliyun_site=INTL)
• Region: ap-southeast-1 (Singapore)
• API key format: sk-sp-* (Coding Plan specific)
• Browser: Zen Browser (Firefox-based) on macOS

Symptoms

[alibaba] fetch strategies:
  - alibaba-coding-plan.web (web) error=Alibaba Coding Plan console login is required.
  - alibaba-coding-plan.api (api) error=This Alibaba endpoint requires a console session for this account/region.

Root Cause Analysis

1. API key mode fails — console gateway rejects sk-sp-* keys

The API key strategy POSTs to modelstudio.console.alibabacloud.com/data/api.json with the sk-sp-* key in Authorization, x-api-key, and X-DashScope-API-Key headers. The console gateway returns:

{"code":"ConsoleNeedLogin","message":"You need to log in."}

This endpoint is a console gateway, not a DashScope API. It only accepts browser console sessions, not inference API keys. The sk-sp-* keys work exclusively on the inference endpoint (coding-intl.dashscope.aliyuncs.com).

2. Web/cookie mode fails — INTL accounts don't have login_aliyunid_ticket

The cookie strategy hits bailian-singapore-cs.alibabacloud.com/data/api.json. For this to work, resolveConsoleSECToken fetches the dashboard HTML, and the request includes CSRF tokens extracted from cookies.

The critical finding: INTL accounts do not set the login_aliyunid_ticket cookie. This cookie is CN-only (set by signin.aliyun.com for China mainland accounts). INTL accounts authenticate through passport.alibabacloud.com which uses a different cookie/token scheme.

I verified this exhaustively:

• document.cookie — no login_aliyunid_ticket
• cookieStore.getAll() — no login_aliyunid_ticket
• Firefox cookies.sqlite (persistent cookies) — no login_aliyunid_ticket
• Firefox Services.cookies (Browser Console, includes HttpOnly + session cookies) — no login_aliyunid_ticket

The INTL passport cookies that ARE present (login_current_pk, login_aliyunid_pk, login_aliyunid, aliyunid_third_login_state, cr_token, help_csrf) are insufficient for the console gateway. Requests with these cookies return 302 redirect (to login page).

3. No DashScope quota API exists

I probed every plausible DashScope endpoint with a valid sk-sp-* key:

Endpoint	Result
dashscope-intl.aliyuncs.com/api/v1/policies	404
dashscope-intl.aliyuncs.com/api/v1/usage	404
dashscope-intl.aliyuncs.com/api/v1/subscriptions	404
dashscope-intl.aliyuncs.com/api/v1/models	401 (key not accepted)
coding-intl.dashscope.aliyuncs.com/compatible-mode/v1/usage	404
coding-intl.dashscope.aliyuncs.com/api/v1/quota	404
coding-intl.dashscope.aliyuncs.com/v1/models	404

The inference endpoint (coding-intl.dashscope.aliyuncs.com/apps/anthropic/v1/messages) returns no rate-limit headers (x-ratelimit-*) — only basic response headers.

4. The sk-sp-* key is valid and works for inference

Confirmed working:

curl -H "Authorization: Bearer sk-sp-xxx" \
  -H "Content-Type: application/json" \
  "https://coding-intl.dashscope.aliyuncs.com/apps/anthropic/v1/messages" \
  -d '{"model":"qwen3-coder-plus","messages":[{"role":"user","content":"hi"}],"max_tokens":5}'
# → 200 OK, valid response

Suggested Solutions

Short-term: Better error messaging

When the INTL API key mode fails with ConsoleNeedLogin, the error message should explain that INTL quota monitoring is not yet supported and link to this issue.

Medium-term: INTL cookie auth investigation

The INTL console auth flow through passport.alibabacloud.com needs to be reverse-engineered. The relevant cookies may include:

• x5sec (hex-encoded security token on passport.alibabacloud.com)
• last_u_intl-aliyun_intl-aliyun (base64 user identity)
• Session cookies from passport.alibabacloud.com that may not persist to disk

Long-term: Alibaba quota API

The ideal fix is for Alibaba to expose a /v1/usage or /v1/quota endpoint on the Coding Plan inference domain (coding-intl.dashscope.aliyuncs.com) that accepts sk-sp-* keys. This would bypass the console gateway entirely.

Dashboard URL fix

Minor: the INTL dashboard URL uses #/efm/detail but the correct path appears to be #/efm/coding_plan.

Additional Notes

• The existing cookie importer's isAuthenticatedSession likely requires login_aliyunid_ticket to consider cookies valid — this should be relaxed for INTL accounts
• The CN flow likely works correctly (untested, but the code was clearly written for CN cookies)
• Original feature request: Feature Request: Bailian / Alibaba coding plan provider #418
• Implementation PR: Add Alibaba Coding Plan provider #574 (merged 2026-03-19)

[zombopanda]

This bug was introduced in #574 (merged 2026-03-19) which added the Alibaba Coding Plan provider. The implementation works for CN accounts but not INTL — the auth flow for modelstudio.console.alibabacloud.com differs between CN and INTL Alibaba Cloud accounts.

Key code locations in #574:

• AlibabaCodingPlanUsageFetcher.swift — fetchUsageOnce(apiKey:) POSTs to console gateway which rejects sk-sp-* keys
• AlibabaCodingPlanUsageFetcher.swift — fetchUsageOnce(cookieHeader:) requires login_aliyunid_csrf / SEC token — neither exists for INTL sessions
• AlibabaCodingPlanCookieImporter.swift — cookie detection likely requires CN-specific cookies
• AlibabaCodingPlanAPIRegion.swift — INTL dashboard URL uses #/efm/detail instead of #/efm/coding_plan