feat: add PASSKEY branch to additional-credential challenge flow#365
Conversation
Adds the PASSKEY branch to `AuthCredentialAdditionalChallengeOneOf`, letting platforms register a second (or third, etc.) passkey credential on an internal account that already has one. Completes the "add another credential" challenge/retry pattern for passkeys, matching the EMAIL_OTP and OAUTH flows already in the stack.
**Flow**
1. `POST /auth/credentials` with `{ type: "PASSKEY", accountId, nickname, challenge, attestation }` on an account that already has a credential.
2. Response is 202 with `{ type: "PASSKEY", payloadToSign, requestId, expiresAt }`.
3. Client signs `payloadToSign` with the session private key of an existing verified credential on the same internal account and retries the request with `Grid-Wallet-Signature` + `Request-Id` headers.
4. Signed retry returns 201 with the created `AuthMethod`.
**Schemas added**
- `PasskeyCredentialAdditionalChallengeFields` — `{ type: "PASSKEY" }` (variant single-value enum on `type`; no per-type extra fields, same shape as the OAUTH variant).
- `PasskeyCredentialAdditionalChallenge` — `allOf(AuthCredentialAdditionalChallenge, PasskeyCredentialAdditionalChallengeFields)`; wire shape is `{ type, payloadToSign, requestId, expiresAt }` (signing fields inherited from the base).
**Wire-up**
- `AuthCredentialAdditionalChallengeOneOf.yaml` discriminator map extended with `PASSKEY → PasskeyCredentialAdditionalChallenge`.
- PASSKEY example added to the 202 response on `POST /auth/credentials`.
- `.stainless/stainless.yml` registers the two new schemas under `auth.credentials`.
**Notes**
- Multiple passkey credentials per internal account are allowed (no `PASSKEY_CREDENTIAL_ALREADY_EXISTS`); this PR documents the concrete wire shape Grid returns when the client hits that branch.
- Final PR in the PASSKEY sub-stack on top of the OAUTH stack; together with the two prior PASSKEY PRs it covers create, verify, and additional-credential registration.
- Bundled `openapi.yaml` and `mintlify/openapi.yaml` regenerated via `make build`.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking. |
✱ Stainless preview buildsThis PR will update the kotlin openapi python typescript Edit this comment to update them. They will appear in their respective SDK's changelogs. ✅ grid-openapi studio · code · diff
✅ grid-typescript studio · code · diff
✅ grid-python studio · code · diff
✅ grid-kotlin studio · code · diff
This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push. |
1 participant
Adds the PASSKEY branch to
AuthCredentialAdditionalChallengeOneOf, letting platforms register a second (or third, etc.) passkey credential on an internal account that already has one. Completes the "add another credential" challenge/retry pattern for passkeys, matching the EMAIL_OTP and OAUTH flows already in the stack.Flow
POST /auth/credentialswith{ type: "PASSKEY", accountId, nickname, challenge, attestation }on an account that already has a credential.{ type: "PASSKEY", payloadToSign, requestId, expiresAt }.payloadToSignwith the session private key of an existing verified credential on the same internal account and retries the request withGrid-Wallet-Signature+Request-Idheaders.AuthMethod.Schemas added
PasskeyCredentialAdditionalChallengeFields—{ type: "PASSKEY" }(variant single-value enum ontype; no per-type extra fields, same shape as the OAUTH variant).PasskeyCredentialAdditionalChallenge—allOf(AuthCredentialAdditionalChallenge, PasskeyCredentialAdditionalChallengeFields); wire shape is{ type, payloadToSign, requestId, expiresAt }(signing fields inherited from the base).Wire-up
AuthCredentialAdditionalChallengeOneOf.yamldiscriminator map extended withPASSKEY → PasskeyCredentialAdditionalChallenge.POST /auth/credentials..stainless/stainless.ymlregisters the two new schemas underauth.credentials.Notes
PASSKEY_CREDENTIAL_ALREADY_EXISTS); this PR documents the concrete wire shape Grid returns when the client hits that branch.openapi.yamlandmintlify/openapi.yamlregenerated viamake build.