Add passkey credentialId to auth challenge response

[DhruvPareek]

Summary:

• Make PasskeyAuthChallenge extend the passkey auth method shape so challenge responses include credentialId.
• Document using credentialId as allowCredentials[].id when calling navigator.credentials.get().
• Update the passkey challenge response example.

https://docs.google.com/document/d/18f3pLcXbLein9McsXxiPzVJMmXhBFGWQ-6Gys5WILLk/edit?tab=t.zg1lhkeq1hek

Test:

• npm run lint:openapi

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	May 7, 2026 11:44pm

[DhruvPareek]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Add wallet privacy endpoint to OpenAPI #452
• Add auth session refresh endpoints #451
• Add OTP email update endpoint to OpenAPI #450
• Add passkey credentialId to auth challenge response #449 👈 (View in Graphite)
• Add passkey credentialId to auth credential list #448
• Align auth session request-id contract #445 : 1 other dependent PR (#446 )
• Align auth credential create contract #444
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

feat(api): add credentialId field and Type enum to PasskeyAuthChallenge

openapi

feat(api): add credentialId field to passkey auth challenge response

python

feat(api): add credential_id and type fields to PasskeyAuthChallenge

typescript

feat(api): add credentialId and type fields to passkey auth challenge response

Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-python studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

✅ grid-kotlin studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

✅ grid-typescript studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ❗ → lint ❗ → test ❗

✅ grid-openapi studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-05-07 23:50:34 UTC

[greptile-apps]

Greptile Summary

This PR extends PasskeyAuthChallenge to inherit from PasskeyAuthMethod (instead of the base AuthMethod) so that the challenge response carries credentialId alongside the existing challenge, requestId, and expiresAt fields. Documentation across the challenge endpoint description, response description, and the PasskeyAuthChallenge schema are updated consistently to guide clients on using credentialId as allowCredentials[].id in navigator.credentials.get().

• PasskeyAuthChallenge.yaml swaps its allOf base from AuthMethod to PasskeyAuthMethod, inheriting credentialId without duplicating its definition.
• The passkey challenge example in auth_credentials_{id}_challenge.yaml (and the bundled openapi.yaml / mintlify/openapi.yaml) is updated to include a sample credentialId value, completing the response shape.

Confidence Score: 5/5

Safe to merge — the change is a clean schema inheritance swap and documentation update with no structural risks.

The schema change is minimal and well-scoped: PasskeyAuthChallenge now inherits credentialId from PasskeyAuthMethod rather than from a separate definition. The oneOf discriminator in AuthCredentialResponseOneOf continues to work correctly because AuthMethodResponse's unevaluatedProperties: false will reject any PasskeyAuthChallenge response (which now carries credentialId in addition to the challenge fields). Documentation and examples are consistent across all three changed surfaces (modular YAML, root bundle, Mintlify bundle).

No files require special attention.

Important Files Changed

Filename	Overview
openapi/components/schemas/auth/PasskeyAuthChallenge.yaml	Swaps allOf base from AuthMethod to PasskeyAuthMethod, correctly inheriting credentialId; description updated to match narrowed usage (challenge endpoint only).
openapi/components/schemas/auth/AuthCredentialResponseOneOf.yaml	Description-only update reflecting the new credentialId field in PasskeyAuthChallenge; oneOf logic unchanged and still correctly disambiguated by unevaluatedProperties: false on AuthMethodResponse.
openapi/paths/auth/auth_credentials_{id}_challenge.yaml	Endpoint description, 200-response description, and passkey example updated to surface credentialId; no structural or schema reference changes.
openapi.yaml	Bundled spec kept in sync with the modular sources; changes mirror PasskeyAuthChallenge and path-level updates exactly.
mintlify/openapi.yaml	Mintlify-targeted bundle kept in sync with openapi.yaml; diff is identical to the root bundle.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Grid API

    Client->>Grid API: POST /auth/credentials/{id}/challenge\n(clientPublicKey)
    Grid API-->>Client: PasskeyAuthChallenge\n{ credentialId, challenge, requestId, expiresAt, ...PasskeyAuthMethod fields }

    Note over Client: Pass credentialId as allowCredentials[].id\nPass challenge as WebAuthn challenge\nto navigator.credentials.get()

    Client->>Client: navigator.credentials.get()\n→ assertion

    Client->>Grid API: POST /auth/credentials/{id}/verify\n(assertion, Request-Id: requestId)
    Grid API-->>Client: Session

Loading

_{Reviews (1): Last reviewed commit: "Add passkey credentialId to auth challen..." | Re-trigger Greptile}