add Embedded Wallet OAUTH credential to additional credential flow

[DhruvPareek]

Adds the OAUTH branch to AuthCredentialAdditionalChallengeOneOf, letting platforms register a second (or third, etc.) OAuth credential on an internal account that already has one. Completes the "add another credential" challenge/retry pattern for OAuth, matching the EMAIL_OTP flow already in the stack.

Flow

1. POST /auth/credentials with { type: "OAUTH", accountId, oidcToken } on an account that already has a credential.
2. Response is 202 with { type: "OAUTH", payloadToSign, requestId, expiresAt }.
3. Client signs payloadToSign with the session private key of an existing verified credential on the same internal account and retries the request with Grid-Wallet-Signature + Request-Id headers.
4. Signed retry returns 201 with the created AuthMethod.

Schemas added

• OauthCredentialAdditionalChallengeFields — { type: "OAUTH" } (variant single-value enum on type; no analogue to the email field on the EMAIL_OTP variant — providers are not distinguished at the challenge level).
• OauthCredentialAdditionalChallenge — allOf(AuthCredentialAdditionalChallenge, OauthCredentialAdditionalChallengeFields); wire shape is { type, payloadToSign, requestId, expiresAt } (signing fields inherited from the base).
• AuthCredentialAdditionalChallengeOneOf.yaml discriminator map extended with OAUTH → OauthCredentialAdditionalChallenge.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	Apr 22, 2026 3:26am

[DhruvPareek]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• add Embedded Wallet OAUTH credential to additional credential flow #362 👈 (View in Graphite)
• add Embedded Wallet OAUTH credential verify #361
• add Embedded Wallet OAUTH credential create #360
• modify /quotes and /quote/{quoteId}/execute for Embedded Wallet transfers #356
• add Embedded Wallet Auth endpoint for Email OTP challenge #350
• add Embedded Wallet Auth endpoints for Email OTP create + verify #349
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

feat(api): add create/verify/resendChallenge methods to auth credentials

openapi

feat(api): add oauth credential challenge type to auth credentials

python

feat(api): add auth credentials endpoints

typescript

feat(api): add create/verify/resendChallenge methods to auth.credentials

Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-openapi studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅

✅ grid-python studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

✅ grid-typescript studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

✅ grid-kotlin studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-04-22 03:32:02 UTC

[greptile-apps]

Greptile Summary

This PR extends AuthCredentialAdditionalChallengeOneOf with an OAUTH branch, mirroring the existing EMAIL_OTP pattern. Two new schemas (OauthCredentialAdditionalChallenge and OauthCredentialAdditionalChallengeFields) are introduced, the discriminator map is updated, a 202 example is added, and the Stainless SDK config registers the new schemas — all correctly following the established structure.

Confidence Score: 5/5

This PR is safe to merge — it is a clean, additive OpenAPI schema extension with no breaking changes.

All changes are strictly additive and follow the existing EMAIL_OTP pattern exactly. Schema structure, discriminator mapping, Stainless SDK registration, and generated bundle diffs are all consistent. No logic or correctness issues found.

No files require special attention.

Important Files Changed

Filename	Overview
openapi/components/schemas/auth/OauthCredentialAdditionalChallenge.yaml	New schema combining base challenge fields and the OAUTH discriminator; correctly mirrors EmailOtpCredentialAdditionalChallenge.yaml structure.
openapi/components/schemas/auth/OauthCredentialAdditionalChallengeFields.yaml	New discriminator-narrowing schema; type: OAUTH enum correctly constrains the base schema's type field — consistent with EmailOtpCredentialAdditionalChallengeFields pattern.
openapi/components/schemas/auth/AuthCredentialAdditionalChallengeOneOf.yaml	Added OAUTH variant to oneOf list and discriminator mapping; correctly extends the existing EMAIL_OTP entry.
openapi/paths/auth/auth_credentials.yaml	Added 202 OAuth example; shape matches schema (type, payloadToSign, requestId, expiresAt) with no extraneous fields.
.stainless/stainless.yml	Registers OauthCredentialAdditionalChallenge and OauthCredentialAdditionalChallengeFields in the SDK resource map, consistent with how EMAIL_OTP variants are registered.
openapi.yaml	Generated bundle reflecting all source YAML changes; correctly in sync with openapi/ source files.
mintlify/openapi.yaml	Generated Mintlify bundle; identical changes to root openapi.yaml, correctly in sync.

Sequence Diagram

sequenceDiagram
    participant Client
    participant API as POST /auth/credentials

    Client->>API: {type: OAUTH, accountId, oidcToken}
    API-->>Client: 202 {type: OAUTH, payloadToSign, requestId, expiresAt}

    Note over Client: Sign payloadToSign with<br/>session private key of<br/>existing verified credential

    Client->>API: Retry + Grid-Wallet-Signature + Request-Id headers
    API-->>Client: 201 {AuthMethod}

Loading

_{Reviews (1): Last reviewed commit: "feat: add OAUTH branch to additional-cre..." | Re-trigger Greptile}