
Require clientPubkey in OTP verify flow #437

Open
DhruvPareek wants to merge 1 commit into main from 05-04-require_clientpubkey_in_otp_verify_flow

@DhruvPareek DhruvPareek commented May 4, 2026

Sparkcore handler explicitly requires clientPublicKey for EMAIL_OTP's verify flow and rejects the request without it. The grid api had clientPublicKey as optional in the verify flow request body; this makes it required.

vercel Bot commented May 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| grid-flow-builder | Ready | Preview, Comment | May 4, 2026 11:02pm |

DhruvPareek commented May 4, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.


github-actions Bot commented May 4, 2026

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

fix(types): make clientPublicKey required in EmailOtpCredentialVerifyRequest

openapi

feat(api): add clientPublicKey parameter to auth credentials verify method

python

fix(types): make client_public_key required in email OTP credential verify

typescript

fix(types): make clientPublicKey required in EmailOtpCredentialVerifyRequest

Edit this comment to update them. They will appear in their respective SDK's changelogs.

grid-openapi studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗

grid-kotlin studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ⏭️ (prev: test ✅)

grid-python studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ⏭️ (prev: test ✅)

grid-typescript studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ❗) → test ⏭️ (prev: test ✅)


This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-05-04 23:08:02 UTC

@DhruvPareek DhruvPareek marked this pull request as ready for review May 4, 2026 23:11
@DhruvPareek DhruvPareek requested a review from pengying May 4, 2026 23:11

greptile-apps Bot commented May 4, 2026

Greptile Summary

This PR makes clientPublicKey a required field in the EmailOtpCredentialVerifyRequestFields schema, matching the requirement already enforced by the Sparkcore handler. The change is applied consistently across the source schema file (openapi/components/schemas/auth/EmailOtpCredentialVerifyRequestFields.yaml) and both generated bundles (openapi.yaml, mintlify/openapi.yaml). The update also brings EMAIL_OTP into parity with the OAUTH verify flow, which already listed clientPublicKey as required.

Confidence Score: 5/5

Safe to merge — the schema change accurately reflects what the backend already requires, closing a gap between the documented contract and the actual handler.

All three changed files are consistent, the source YAML was edited in the correct location (openapi/ directory), the bundles were regenerated via make build, and the update brings EMAIL_OTP into parity with the already-required clientPublicKey in the OAUTH verify flow.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| openapi/components/schemas/auth/EmailOtpCredentialVerifyRequestFields.yaml | Source schema updated to add clientPublicKey to the required array — correct edit location per repo conventions |
| openapi.yaml | Generated bundle updated with the same clientPublicKey required entry; consistent with the source schema change |
| mintlify/openapi.yaml | Mintlify-specific generated bundle updated identically to openapi.yaml; no issues |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Client
    participant GridAPI as Grid API
    participant Sparkcore

    Note over Client,Sparkcore: EMAIL_OTP Verify Flow (after this PR)

    Client->>GridAPI: POST /auth/credentials/{id}/verify
    Note right of Client: { type: EMAIL_OTP, otp: ...,
    Note right of Client: clientPublicKey: ... } now required
    GridAPI->>Sparkcore: Forward verify request
    Sparkcore-->>GridAPI: Session signing key encrypted with clientPublicKey
    GridAPI-->>Client: 200 OK encryptedSessionSigningKey

    Note over Client,GridAPI: Before this PR: missing clientPublicKey
    Note over Client,GridAPI: passed schema validation but Sparkcore rejected it
```

Reviews (1): Last reviewed commit: "Require clientPubkey in OTP verify flow"
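The contract gap described in the summary above, as an added example that is not code from the repository, the PR or Greptile: a required-field drift check between a published request schema and what the backend handler enforces. The schema fragments, the handler requirement set, the 400 status and the sample requests are constructed assumptions; only the field names `type`, `otp` and `clientPublicKey` come from the page.

```python
# Added example: constructed schema fragments, not the repository's YAML.
# Field names follow the PR's sequence diagram; everything else is assumed.

OLD_SCHEMA = {  # before the PR: clientPublicKey documented but optional
    "required": ["type", "otp"],
    "properties": {"type": {}, "otp": {}, "clientPublicKey": {}},
}
NEW_SCHEMA = {**OLD_SCHEMA, "required": ["type", "otp", "clientPublicKey"]}

# Assumption: the fields the backend handler insists on for EMAIL_OTP verify.
HANDLER_REQUIRED = {"type", "otp", "clientPublicKey"}


def missing_required(schema, body):
    """Return required fields that are absent or empty in the request body."""
    return sorted(f for f in schema["required"] if body.get(f) in (None, ""))


def contract_drift(schema, handler_required):
    """Fields the handler rejects on but the published schema lets through."""
    return sorted(set(handler_required) - set(schema["required"]))


def gateway_decision(schema, body):
    """Model of the API edge: reject with 400 (assumed) or forward downstream."""
    missing = missing_required(schema, body)
    if missing:
        return 400, "missing required field(s): " + ", ".join(missing)
    return None, "forwarded to backend"


# Constructed requests; the key value is a placeholder, not real key material.
REQUEST_WITHOUT_KEY = {"type": "EMAIL_OTP", "otp": "000000"}
REQUEST_WITH_KEY = {**REQUEST_WITHOUT_KEY,
                    "clientPublicKey": "<client-public-key-placeholder>"}

if __name__ == "__main__":
    for name, schema in (("old", OLD_SCHEMA), ("new", NEW_SCHEMA)):
        print(name, "drift:", contract_drift(schema, HANDLER_REQUIRED))
        print(name, "no key:", gateway_decision(schema, REQUEST_WITHOUT_KEY))
        print(name, "with key:", gateway_decision(schema, REQUEST_WITH_KEY))
```

Run as a CI step, a non-empty `contract_drift` result flags a field that clients can omit according to the spec but that the backend will reject.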


@pengying pengying left a comment

I think I removed this to move towards providing the clientPublicKey in the challenge step

Contributor Author

The passkey challenge flow works like you're thinking but not the OTP flow right now

Contributor Author

clientPublicKey is required on the verify otp call because EMAIL_OTP challenge does not store clientPublicKey. We can change OTP to store it in a pending otp request but right now with the way it works, clientPublicKey should be required

@DhruvPareek DhruvPareek requested a review from pengying May 5, 2026 17:30