feat: add PASSKEY branch to auth credential create

.stainless/stainless.yml

@@ -350,6 +350,9 @@ resources:
           oauth_credential_verify_request_fields: '#/components/schemas/OauthCredentialVerifyRequestFields'
           oauth_credential_additional_challenge: '#/components/schemas/OauthCredentialAdditionalChallenge'
           oauth_credential_additional_challenge_fields: '#/components/schemas/OauthCredentialAdditionalChallengeFields'
+          passkey_attestation: '#/components/schemas/PasskeyAttestation'
+          passkey_credential_create_request: '#/components/schemas/PasskeyCredentialCreateRequest'
+          passkey_credential_create_request_fields: '#/components/schemas/PasskeyCredentialCreateRequestFields'
   exchange_rates:
     methods:
       list:

openapi/components/schemas/auth/AuthCredentialCreateRequestOneOf.yaml

@@ -1,8 +1,10 @@
 oneOf:
   - $ref: ./EmailOtpCredentialCreateRequest.yaml
   - $ref: ./OauthCredentialCreateRequest.yaml
+  - $ref: ./PasskeyCredentialCreateRequest.yaml
 discriminator:
   propertyName: type
   mapping:
     EMAIL_OTP: ./EmailOtpCredentialCreateRequest.yaml
     OAUTH: ./OauthCredentialCreateRequest.yaml
+    PASSKEY: ./PasskeyCredentialCreateRequest.yaml

openapi/components/schemas/auth/PasskeyAttestation.yaml

@@ -0,0 +1,48 @@
+title: Passkey Attestation
+type: object
+required:
+  - credentialId
+  - clientDataJson
+  - attestationObject
+  - transports
+properties:
+  credentialId:
+    type: string
+    description: >-
+      Base64url-encoded credential identifier produced by the authenticator
+      at registration time. Typically the base64url of
+      `PublicKeyCredential.rawId`.
+    example: AQIDBAUGBwgJCgsMDQ4PEA
+  clientDataJson:
+    type: string
+    description: >-
+      Base64url-encoded CBOR/JSON client data collected by the browser
+      during the WebAuthn `navigator.credentials.create()` call.
+      Corresponds to `AuthenticatorAttestationResponse.clientDataJSON`.
+    example: eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiLi4uIiwib3JpZ2luIjoiaHR0cHM6Ly9leGFtcGxlLmNvbSJ9
+  attestationObject:
+    type: string
+    description: >-
+      Base64url-encoded attestation object produced by the authenticator
+      during registration. Corresponds to
+      `AuthenticatorAttestationResponse.attestationObject`.
+    example: o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NdAAAAAA
+  transports:
+    type: array
+    items:
+      type: string
+      enum:
+        - usb
+        - nfc
+        - ble
+        - internal
+        - hybrid
+        - smart-card
+    description: >-
+      WebAuthn transports as returned by
+      `AuthenticatorAttestationResponse.getTransports()`. Values follow
+      the W3C `AuthenticatorTransport` enum. Pass the raw values through
+      to Grid; provider-specific translation is handled server-side.
+    example:
+      - internal
+      - hybrid

openapi/components/schemas/auth/PasskeyCredentialCreateRequest.yaml

@@ -0,0 +1,4 @@
+title: Passkey Credential Create Request
+allOf:
+  - $ref: ./AuthCredentialCreateRequest.yaml
+  - $ref: ./PasskeyCredentialCreateRequestFields.yaml

openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml

@@ -0,0 +1,30 @@
+type: object
+required:
+  - type
+  - nickname
+  - challenge
+  - attestation
+properties:
+  type:
+    type: string
+    enum:
+      - PASSKEY
+    description: Discriminator value identifying this as a passkey credential.
+  nickname:
+    type: string
+    description: >-
+      Human-readable identifier for the passkey, chosen by the user at
+      registration time (e.g. "Peng's Pixel", "YubiKey 5C"). Shown back
+      on `AuthMethod` responses and in credential listings.
+    example: Peng's Pixel
+  challenge:
+    type: string
+    description: >-
+      Base64url-encoded WebAuthn challenge that the authenticator signed
+      during registration. The challenge is generated and issued by the
+      platform backend (not by Grid), bound to the user and the pending
+      registration, and discarded after this call. Grid uses this value
+      to verify the assertion that the client just completed.
+    example: Y2hhbGxlbmdlLWZyb20tcGxhdGZvcm0tYmFja2VuZA
+  attestation:
+    $ref: ./PasskeyAttestation.yaml

openapi/paths/auth/auth_credentials.yaml

@@ -17,7 +17,12 @@ post:
     `oidcToken` is validated inline against the issuer's `.well-known`
     OpenID configuration (the token's `iat` must be less than 60 seconds
     before the request); activation still happens via
-    `POST /auth/credentials/{id}/verify`.
+    `POST /auth/credentials/{id}/verify`. For `PASSKEY` credentials, the
+    client completes a WebAuthn registration (`navigator.credentials.create()`)
+    using a `challenge` issued by the platform backend and submits the
+    resulting `attestation` here; the credential must still be activated
+    via `POST /auth/credentials/{id}/verify` by completing a WebAuthn
+    assertion against a fresh challenge.
 
 
     **Adding an additional credential**
@@ -84,6 +89,20 @@ post:
               type: OAUTH
               accountId: InternalAccount:019542f5-b3e7-1d02-0000-000000000002
               oidcToken: eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiYzEyMyIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTIyMzM0NDU1IiwiYXVkIjoiMTIzNDU2Ny5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSIsImlhdCI6MTc0NjczNjUwOSwiZXhwIjoxNzQ2NzQwMTA5fQ.signature
+          passkey:
+            summary: Register a passkey credential
+            value:
+              type: PASSKEY
+              accountId: InternalAccount:019542f5-b3e7-1d02-0000-000000000002
+              nickname: Peng's Pixel
+              challenge: Y2hhbGxlbmdlLWZyb20tcGxhdGZvcm0tYmFja2VuZA
+              attestation:
+                credentialId: AQIDBAUGBwgJCgsMDQ4PEA
+                clientDataJson: eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiLi4uIiwib3JpZ2luIjoiaHR0cHM6Ly9leGFtcGxlLmNvbSJ9
+                attestationObject: o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NdAAAAAA
+                transports:
+                  - internal
+                  - hybrid
   responses:
     '201':
       description: Authentication credential created successfully