Clarify authentication flows in wallet API docs

[0xFirekeeper]

Updated the documentation to distinguish between two-step authentication for email, phone, passkey, and SIWE, and single-step flows for guest, custom, and social authentication. Added details and endpoint references for each flow to improve clarity for API users.

---

PR-Codex overview

This PR updates the API Authentication documentation to clarify the authentication processes, including a new section on social authentication.

Detailed summary

• Revised the explanation of the authentication process for clarity.
• Added details about skipping the first step for guest or custom authentication.
• Introduced a new section on Social Authentication with a single-step flow.
• Updated the endpoint descriptions for clarity.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

• Documentation
  • Clarified API Authentication flows: explicit two-step flow for email, phone, passkey, or SIWE (initiate to get a challenge, then complete) and a skip-first-step path for guest/custom auth.
  • Updated headings and examples to reflect the revised two-step flow.
  • Added Social Authentication section describing a single-step OAuth flow via a dedicated endpoint with links to provider details and code samples.
  • Moved Get Wallet Information after authentication for clearer sequencing.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 175aeea

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
docs-v2	Ready	Preview	Comment	Aug 23, 2025 0:39am

4 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
nebula	Skipped			Aug 23, 2025 0:39am
thirdweb_playground	Skipped			Aug 23, 2025 0:39am
thirdweb-www	Skipped			Aug 23, 2025 0:39am
wallet-ui	Skipped			Aug 23, 2025 0:39am

[graphite-app]

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge-queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

[coderabbitai]

Walkthrough

Documentation updates to the wallets page clarifying authentication: two-step challenge/response for email, phone, passkey, or SIWE; guests/custom (jwt/auth-payload) may skip initiation and call /v1/auth/complete directly; added single-step Social Authentication via GET /v1/auth/social. Headings and notes adjusted.

Changes

Cohort / File(s)	Summary
Docs: Auth flow clarifications and social auth addition apps/portal/src/app/wallets/page.mdx	Rewrote API Authentication to distinguish two-step vs skip-enabled flows; renamed initiate heading to include SIWE; added Social Authentication section with single-step GET /v1/auth/social and reference pointers; retained Get Wallet Information section after updated flows.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant API as Auth API
  note over Client,API: Two-step flow (Email/Phone/Passkey/SIWE)
  Client->>API: POST /v1/auth/initiate (identifier/method)
  API-->>Client: 200 { challenge, challengeId, ... }
  Client->>API: POST /v1/auth/complete (challengeId, response)
  API-->>Client: 200 { session, wallet, ... }

  opt Skip init (Guest/Custom jwt/auth-payload)
    note over Client,API: Guest/Custom can directly complete
    Client->>API: POST /v1/auth/complete (required params)
    API-->>Client: 200 { session, wallet, ... }
  end

Loading

sequenceDiagram
  autonumber
  actor Client
  participant API as Auth API
  participant OAuth as OAuth Provider
  note over Client,API: Social Authentication (single step)
  Client->>API: GET /v1/auth/social?provider=...&redirect_uri=...
  API->>OAuth: Initiate OAuth (authorize)
  OAuth-->>Client: Redirect / callback
  Client->>API: Callback hit (provider code/state)
  API-->>Client: 200 { session, wallet, ... }

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch firekeeper/oauth

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[0xFirekeeper]

Merge activity

• Aug 23, 12:03 AM UTC: The merge label 'merge-queue' was detected. This PR will be added to the Graphite merge queue once it meets the requirements.
• Aug 23, 12:36 AM UTC: 0xFirekeeper added this pull request to the Graphite merge queue.
• Aug 23, 12:40 AM UTC: Merged by the Graphite merge queue.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.53%. Comparing base (98fab93) to head (4cda30a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7899   +/-   ##
=======================================
  Coverage   56.53%   56.53%           
=======================================
  Files         904      904           
  Lines       58592    58592           
  Branches     4143     4143           
=======================================
  Hits        33126    33126           
  Misses      25360    25360           
  Partials      106      106           

Flag	Coverage Δ
packages	56.53% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

apps/portal/src/app/wallets/page.mdx (3)

75-77: Clarify the “challenge” per method (OTP vs WebAuthn vs SIWE nonce).

Right now “challenge” is generic. Being explicit reduces confusion and support load.

-For email, phone, passkey, or SIWE authentication, a two-step process is used:
-- Initiate authentication to get a challenge
-- Complete authentication with the challenge response
+For email, phone, passkey, or SIWE authentication, a two-step process is used:
+- Initiate authentication to get a challenge:
+  - email/phone → one-time code (OTP)
+  - passkeys → WebAuthn challenge
+  - SIWE → nonce in the SIWE message
+- Complete authentication by returning the appropriate response:
+  - OTP code
+  - WebAuthn assertion
+  - SIWE signature (over the provided nonce)

---

82-82: Minor copy/grammar: pluralize “passkeys” and add terminal punctuation.

Also aligns with static analysis hint.

-Start authentication with email, phone, passkey, or SIWE
+Start authentication with email, phone, passkeys, or SIWE.

---

75-82: Consistency with intro and related guides.

Top-of-page line 37 mentions “social OAuth” while the two-step list here excludes “social” and the Initiate section title removed it. Confirm that social providers are only via the single-step endpoint and not via /v1/auth/initiate; if so, consider a brief note here linking to the Social section to prevent skimming confusion.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 98fab93 and 175aeea.

📒 Files selected for processing (1)

• apps/portal/src/app/wallets/page.mdx (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to packages/thirdweb/src/wallets/** : Support for in-app wallets (social/email login)

🪛 LanguageTool

apps/portal/src/app/wallets/page.mdx

[grammar] ~81-~81: There might be a mistake here.
Context: ...parameters. ### Initiate Authentication Start authentication with email, phone, ...

(QB_NEW_EN)

---

[grammar] ~93-~93: There might be a mistake here.
Context: ...ial Authentication ### Single Step Flow OAuth is done in a single step using a d...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: E2E Tests (pnpm, esbuild)
• GitHub Check: E2E Tests (pnpm, vite)
• GitHub Check: E2E Tests (pnpm, webpack)
• GitHub Check: Size
• GitHub Check: Unit Tests
• GitHub Check: Build Packages
• GitHub Check: Lint Packages
• GitHub Check: Analyze (javascript)

🔇 Additional comments (2)

apps/portal/src/app/wallets/page.mdx (2)

91-99: Verify HTTP method and document query parameters for /v1/auth/social

I didn’t find any route or OpenAPI definitions for this endpoint in the repo, so please confirm the actual HTTP method (GET vs. POST) and surface all required query parameters in the docs to ensure accuracy.

• File: apps/portal/src/app/wallets/page.mdx (lines 91–99)

Suggested diff to mark this TODO and update once you’ve verified:

 ## Social Authentication

 ### Single-step flow
 OAuth is performed in a single step using a dedicated endpoint.

-<OpenApiEndpoint path="/v1/auth/social" method="GET" />
+<!-- TODO: confirm HTTP method and list required query parameters for social OAuth -->
+<OpenApiEndpoint path="/v1/auth/social" method="<METHOD>" />

Once verified, replace <METHOD> with the real HTTP verb and add a params list, for example:

• provider (e.g. google, apple, discord, …)
• redirect_uri (must match the allow-listed URI)
• state (CSRF protection value)
• code (OAuth code returned by provider)
• code_verifier (for PKCE, if applicable)

---

79-79: Clarify request bodies for guest and custom flows

The generic MDX snippet currently says “guest or custom (jwt/auth-payload)” but doesn’t show the exact request schemas. Please expand it to list each valid payload for /v1/auth/complete:

- For guest or custom (jwt/auth-payload) authentication, you can skip the first step and directly use the `/v1/auth/complete` endpoint with the required parameters.
+ For guest or custom flows, skip Step 1 and POST to `/v1/auth/complete` with one of:
+
+ ```json
+ // Guest (no credentials required)
+ { "type": "guest" }
+
+ // Custom—JWT issued by your server
+ { "type": "jwt", "payload": "<your-jwt>" }
+
+ // Custom—server-signed payload + signature
+ { "type": "auth-payload", "payload": "<your-auth-payload>" }
+ ```
+
+ See the API reference for full request schemas and error codes.

Please verify these field names and object shapes against the live OpenAPI spec for /v1/auth/complete.

[github-actions]

size-limit report 📦

Path	Size	Loading time (3g)	Running time (snapdragon)	Total time
thirdweb (esm)	64.06 KB (0%)	1.3 s (0%)	511 ms (+123.2% 🔺)	1.8 s
thirdweb (cjs)	357.05 KB (0%)	7.2 s (0%)	1.9 s (+3.48% 🔺)	9 s
thirdweb (minimal + tree-shaking)	5.73 KB (0%)	115 ms (0%)	81 ms (+350.4% 🔺)	195 ms
thirdweb/chains (tree-shaking)	526 B (0%)	11 ms (0%)	60 ms (+1139.84% 🔺)	71 ms
thirdweb/react (minimal + tree-shaking)	19.15 KB (0%)	383 ms (0%)	65 ms (+72.57% 🔺)	448 ms

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

apps/portal/src/app/wallets/page.mdx (4)

75-77: Clear separation of two-step flow; consider ordered steps and SIWE context

The clarification reads well. Minor UX copy tweak: use an ordered list and hint what the “challenge” is across methods to reduce ambiguity.

-For email, phone, passkey, or SIWE authentication, a two-step process is used:
-- Initiate authentication to get a challenge
-- Complete authentication with the challenge response
+For email, phone, passkey, or SIWE authentication, use a two-step flow:
+1. Initiate authentication to get a challenge (e.g., OTP, passkey request, or SIWE nonce).
+2. Complete authentication with the challenge response.

---

79-79: Tighten wording; capitalize JWT; reference the step explicitly

Consistent casing and explicit “step 1” reference improves scannability.

I can add a concise example of the exact parameters accepted by /v1/auth/complete for guest/custom if you confirm the fields.

-For guest or custom (jwt/auth-payload) authentication, you can skip the first step and directly use the `/v1/auth/complete` endpoint with the required parameters.
+For guest or custom (JWT/auth-payload) authentication, you can skip step 1 and call the `/v1/auth/complete` endpoint directly with the required parameters.

---

82-82: Micro copyedit for readability (addresses grammar hint)

Minor preposition tweak.

-Start authentication with email, phone, passkey, or SIWE
+Start authentication for email, phone, passkey, or SIWE.

---

91-99: Social auth section: hyphenation, clarify behavior, and verify HTTP method

• Style: “Single‑step flow” is the conventional hyphenation (also satisfies grammar hint).
• Behavior: Is this endpoint initiating a redirect (authorization request) or returning tokens directly? If it redirects, consider adding a one‑liner about configuring redirect/callback URLs.
• Method: Using GET for an auth-completing endpoint can be correct if it’s initiating OAuth (authorization endpoint), but unusual if it exchanges codes/tokens. Please confirm the intended semantics in the API reference.

Happy to add a short Callout explaining redirect/callback configuration and a minimal sequence diagram if you confirm the flow.

-## Social Authentication
+## Social Authentication

-### Single Step Flow
-OAuth is done in a single step using a dedicated endpoint.
+### Single-step flow
+Social OAuth completes in a single step via a dedicated endpoint.
+
+<Callout variant="info" title="Redirect & callback">
+Depending on the provider, this endpoint may initiate a redirect-based flow. Ensure your callback/redirect URL is configured in the dashboard.
+</Callout>

-Visit the API reference for more details on the available social providers and code snippets.
+Visit the API reference for the list of supported providers and code snippets.
 
-<OpenApiEndpoint path="/v1/auth/social" method="GET" />
+<OpenApiEndpoint path="/v1/auth/social" method="GET" />

To double-check the method and expected behavior, I can incorporate a direct link if you share the canonical API reference path for this endpoint.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 175aeea and 4cda30a.

📒 Files selected for processing (1)

• apps/portal/src/app/wallets/page.mdx (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to packages/thirdweb/src/wallets/** : Support for in-app wallets (social/email login)

🪛 LanguageTool

apps/portal/src/app/wallets/page.mdx

[grammar] ~81-~81: There might be a mistake here.
Context: ...parameters. ### Initiate Authentication Start authentication with email, phone, ...

(QB_NEW_EN)

---

[grammar] ~93-~93: There might be a mistake here.
Context: ...ial Authentication ### Single Step Flow OAuth is done in a single step using a d...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: E2E Tests (pnpm, esbuild)
• GitHub Check: Size
• GitHub Check: Build Packages
• GitHub Check: E2E Tests (pnpm, vite)
• GitHub Check: Unit Tests
• GitHub Check: E2E Tests (pnpm, webpack)
• GitHub Check: Lint Packages
• GitHub Check: Analyze (javascript)