add Embedded Wallet OAUTH credential verify

[DhruvPareek]

Adds the OAUTH branch to AuthCredentialVerifyRequestOneOf, completing the create + verify flow for OIDC-backed authentication credentials on Embedded Wallet internal accounts.

Request shape

• POST /auth/credentials/{id}/verify body: { type: "OAUTH", oidcToken, clientPublicKey } → 200 AuthSession.
• {id} is the AuthMethod.id returned from POST /auth/credentials.

Schemas added

• OauthCredentialVerifyRequestFields — { type: "OAUTH", oidcToken, clientPublicKey } (variant single-value enum on type).
• OauthCredentialVerifyRequest — allOf(AuthCredentialVerifyRequest, OauthCredentialVerifyRequestFields).
• AuthCredentialVerifyRequestOneOf.yaml discriminator map extended with OAUTH → OauthCredentialVerifyRequest.

Notes

• Pairs with 04-21-feat_add_oauth_branch_to_auth_credential_create (the prior PR in the stack); together they make OAuth credentials usable end-to-end. The additional-credential challenge flow gets its own OAUTH branch in the next PR in the stack.
• Bundled openapi.yaml and mintlify/openapi.yaml regenerated via make build.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	Apr 22, 2026 4:15am

[DhruvPareek]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat: add PASSKEY branch to additional-credential challenge flow #365
• feat: add PASSKEY branch to auth credential verify #364
• feat: add PASSKEY branch to auth credential create #363
• add Embedded Wallet OAUTH credential to additional credential flow #362
• add Embedded Wallet OAUTH credential verify #361 👈 (View in Graphite)
• add Embedded Wallet OAUTH credential create #360
• modify /quotes and /quote/{quoteId}/execute for Embedded Wallet transfers #356
• add Embedded Wallet Auth endpoint for Email OTP challenge #350
• add Embedded Wallet Auth endpoints for Email OTP create + verify #349
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

feat(api): add credentials create/verify/resend methods to auth resource

openapi

feat(api): add OAuth verification support to auth credentials

python

feat(api): add create/resend_challenge/verify methods to auth credentials

typescript

feat(api): add create/resendChallenge/verify methods to auth credentials

Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-openapi studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.
generate ✅

New diagnostics (1 note)

💡 Method/BodyRootParamUnnamed: Confirm `body` is an appropriate name for this method's request parameters.

✅ grid-typescript studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.
generate ✅ → build ✅ → lint ✅ → test ✅

npm install https://pkg.stainless.com/s/grid-typescript/c9b7ce176e7865c86c50edce7d4be30e0552bcec/dist.tar.gz

New diagnostics (1 note)

💡 Method/BodyRootParamUnnamed: Confirm `body` is an appropriate name for this method's request parameters.

✅ grid-python studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.
generate ✅ → build ✅ (prev: build ⏭️) → lint ✅ (prev: lint ⏭️) → test ✅

pip install https://pkg.stainless.com/s/grid-python/0b288af170190def86e2a0ac3432cf9326254367/grid-0.0.1-py3-none-any.whl

New diagnostics (1 note)

💡 Method/BodyRootParamUnnamed: Confirm `body` is an appropriate name for this method's request parameters.

✅ grid-kotlin studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.
generate ✅ → build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

New diagnostics (1 note)

💡 Method/BodyRootParamUnnamed: Confirm `body` is an appropriate name for this method's request parameters.

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-04-22 04:20:19 UTC

[greptile-apps]

Greptile Summary

This PR adds the OAUTH discriminator branch to AuthCredentialVerifyRequestOneOf, completing the OIDC-backed credential create + verify flow for Embedded Wallet internal accounts. The new OauthCredentialVerifyRequestFields and OauthCredentialVerifyRequest schemas precisely mirror the existing EmailOtp variants, and both generated bundles (openapi.yaml, mintlify/openapi.yaml) are consistent with the source changes.

Confidence Score: 5/5

Safe to merge — schema additions are additive, well-structured, and consistent with existing patterns.

All changes are OpenAPI schema additions with no breaking modifications. The new schemas follow the exact same allOf + discriminator pattern as the EmailOtp variant, the stainless SDK config is updated correctly, and generated bundles match the source. No logic, security, or correctness issues found.

No files require special attention.

Important Files Changed

Filename	Overview
openapi/components/schemas/auth/OauthCredentialVerifyRequestFields.yaml	New schema defining the OAUTH verify request body fields (type, oidcToken, clientPublicKey) — mirrors EmailOtpCredentialVerifyRequestFields pattern exactly.
openapi/components/schemas/auth/OauthCredentialVerifyRequest.yaml	New allOf composition of AuthCredentialVerifyRequest and OauthCredentialVerifyRequestFields — consistent with EmailOtpCredentialVerifyRequest pattern.
openapi/components/schemas/auth/AuthCredentialVerifyRequestOneOf.yaml	Discriminator map extended with OAUTH → OauthCredentialVerifyRequest; both oneOf and mapping updated correctly.
openapi/paths/auth/auth_credentials_{id}_verify.yaml	Path description updated to cover OAUTH flow, OAuth example request added, and 401 description expanded to include OIDC failure conditions.
.stainless/stainless.yml	Added OauthCredentialVerifyRequest and OauthCredentialVerifyRequestFields to SDK resource mapping and transform targets — mirrors EmailOtp entries correctly.
openapi.yaml	Generated bundle updated via make build — consistent with source changes in openapi/.
mintlify/openapi.yaml	Generated Mintlify bundle updated via make build — identical changes to openapi.yaml, consistent with source.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Grid API
    participant IdP as Identity Provider

    Note over Client,IdP: Create phase (prior PR)
    Client->>IdP: Authenticate → obtain OIDC token
    Client->>Grid API: POST /auth/credentials {type: OAUTH, oidcToken}
    Grid API-->>Client: 201 AuthMethod {id}

    Note over Client,Grid API: Verify phase (this PR)
    Client->>Client: Generate ephemeral P-256 key pair
    Client->>IdP: Obtain fresh OIDC token (iat < 60s ago)
    Client->>Grid API: POST /auth/credentials/{id}/verify {type: OAUTH, oidcToken, clientPublicKey}
    Grid API->>IdP: Fetch signing key via iss/.well-known/openid-configuration
    IdP-->>Grid API: JWKS
    Grid API->>Grid API: Verify token signature, issuer, iat freshness
    alt Valid token
        Grid API-->>Client: 200 AuthSession {encryptedSessionSigningKey, expiresAt}
        Note over Client: Decrypt session key with ephemeral private key
    else Invalid/expired token
        Grid API-->>Client: 401 Unauthorized
    end

Loading

_{Reviews (1): Last reviewed commit: "feat: add OAUTH branch to auth credentia..." | Re-trigger Greptile}