diff --git a/index.ts b/index.ts
index 918d49c..8a0fb4a 100644
--- a/index.ts
+++ b/index.ts
@@ -147,13 +147,20 @@ type PromptFiles = PromptFile[]
 // ─── Auth config ─────────────────────────────────────────────────────────────
 
 async function createAuthConfig(): Promise<string> {
-  const nomyoApiKey = process.env["NOMYO_API_KEY"]
-  const nomyoApiUrl = process.env["NOMYO_API_URL"] || "https://chat.nomyo.ai/api"
+  // Trim surrounding whitespace/newlines: a stray "\n" in the stored secret
+  // makes the "Authorization: Bearer <key>" header an invalid HTTP header value.
+  const nomyoApiKey = process.env["NOMYO_API_KEY"]?.trim()
+  const nomyoApiUrl = (process.env["NOMYO_API_URL"] || "https://chat.nomyo.ai/api").trim()
   const modelEnv = process.env["MODEL"]
 
   if (!nomyoApiKey) {
     throw new Error('Environment variable "NOMYO_API_KEY" is not set')
   }
+  // Reject any remaining character that is illegal in an HTTP header value
+  // (control chars / non-ASCII) before it reaches opencode's Authorization header.
+  if (/[^\x20-\x7E]/.test(nomyoApiKey)) {
+    throw new Error('NOMYO_API_KEY contains characters that are invalid in an HTTP header (control or non-ASCII). Check the secret for stray whitespace or hidden characters.')
+  }
   if (!modelEnv) {
     throw new Error('Environment variable "MODEL" is not set')
   }