fix(workspace): X-Session-API-Key header missing on POST requests to agent-server

[Dr1985]

HUMAN:

This PR will close issue #3574.

• A human has tested these changes.

AGENT:

---

Why

RemoteWorkspaceMixin._headers only returns {"X-Session-API-Key": api_key}
when api_key is explicitly passed as a constructor argument. There is no
fallback to the environment variables already used by the agent-server ecosystem
(OH_SESSION_API_KEYS_0 and SESSION_API_KEY).

When a caller (e.g., the Web UI) creates RemoteWorkspace(host=..., working_dir=...)
without providing api_key, every HTTP request from the SDK lacks the auth header.

Summary

-When the OpenHands Web UI creates a RemoteWorkspace without explicitly passing
api_key, the X-Session-API-Key header is never sent in HTTP requests to the
agent-server. This causes 401 Unauthorized errors on all POST endpoints.

-GET requests may incidentally succeed because the agent-server's session API key
validation is only active when OH_SESSION_API_KEYS_* environment variables are
set (i.e., config.session_api_keys is non-empty). When the validator is
active, ALL /api/* routes require the header regardless of HTTP method.

Issue Number

Closes #3574

How to Test

All 122 workspace tests pass:

uv run pytest tests/sdk/workspace/ -v

Video/Screenshots

Type

• Bug fix
• Feature
• Refactor
• Breaking change
• Docs / chore

Notes

[VascoSch92]

Hey @Dr1985

thanks for the PR.

However, i'm not sure this is the right place for the fix