
Fix passkey verify example #438

Open
DhruvPareek wants to merge 1 commit into 05-04-require_clientpubkey_in_otp_verify_flow from remove-passkey-verify-client-public-key-example

@DhruvPareek DhruvPareek commented May 5, 2026

Remove clientPublicKey from the passkey verify example so it matches the handler/schema. Tested with npm run lint:openapi.

vercel Bot commented May 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
grid-flow-builder Ready Ready Preview, Comment May 5, 2026 0:45am


Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.

This stack of pull requests is managed by Graphite. Learn more about stacking.


github-actions Bot commented May 5, 2026

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

chore(internal): regenerate SDK with no functional changes

openapi

docs(api): remove clientPublicKey from authentication examples

python

chore(internal): regenerate SDK with no functional changes

typescript

chore(internal): regenerate SDK with no functional changes

Edit this comment to update them. They will appear in their respective SDK's changelogs.

grid-openapi studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗

grid-kotlin studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

grid-python studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ✅) → test ✅

grid-typescript studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗build ⏭️ (prev: build ✅) → lint ⏭️ (prev: lint ❗) → test ✅


This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-05-05 00:49:23 UTC


greptile-apps Bot commented May 5, 2026

Greptile Summary

This PR removes clientPublicKey from the passkey verify request example across all three spec files (openapi.yaml, mintlify/openapi.yaml, and the source auth_credentials_{id}_verify.yaml), aligning the example with the PasskeyCredentialVerifyRequestFields schema which only requires type and assertion. The fix is correct — clientPublicKey belongs only to the EMAIL_OTP and OAUTH verify flows.

Confidence Score: 4/5

The example fix is accurate and consistent across all three spec files; the only remaining concern is that the endpoint description prose still mentions clientPublicKey in the PASSKEY flow.

All three spec files are updated consistently, and the change correctly aligns the passkey example with its schema. The description text in the source YAML still references clientPublicKey for PASSKEY, which could mislead developers reading the docs.

openapi/paths/auth/auth_credentials_{id}_verify.yaml — the description prose (lines 14–29) still references clientPublicKey in the PASSKEY flow context.

Important Files Changed

Filename Overview
openapi/paths/auth/auth_credentials_{id}_verify.yaml Removes clientPublicKey from the passkey example, aligning it with the schema; description prose still incorrectly mentions clientPublicKey in the PASSKEY flow.
openapi.yaml Removes clientPublicKey from the passkey example in the bundled openapi spec, matching the change in the source YAML.
mintlify/openapi.yaml Removes clientPublicKey from the passkey example in the Mintlify copy of the spec, matching the other two files.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Grid API

    Note over Client,Grid API: PASSKEY verify flow (this PR)
    Client->>Grid API: POST /auth/credentials/{id}/verify
    Note right of Client: { type: PASSKEY,<br/> assertion: { credentialId,<br/> clientDataJson,<br/> authenticatorData,<br/> signature } }
    Grid API-->>Client: 200 { encryptedSessionSigningKey, expiresAt }

    Note over Client,Grid API: EMAIL_OTP / OAUTH verify flow (unchanged)
    Client->>Grid API: POST /auth/credentials/{id}/verify
    Note right of Client: { type: EMAIL_OTP, otp, clientPublicKey }<br/>or { type: OAUTH, oidcToken, clientPublicKey }
    Grid API-->>Client: 200 { encryptedSessionSigningKey (encrypted to clientPublicKey), expiresAt }

Comments Outside Diff (1)

  1. openapi/paths/auth/auth_credentials_{id}_verify.yaml, line 14-29

    P2 Stale description still references clientPublicKey for PASSKEY

    The endpoint description says PASSKEY callers submit "the resulting assertion along with the client-generated public key" (lines 16–19), and the closing sentence (lines 24–29) states the encryptedSessionSigningKey is "encrypted to the supplied clientPublicKey" without scoping that to EMAIL_OTP/OAUTH. Since PasskeyCredentialVerifyRequestFields does not include clientPublicKey, both sentences are misleading and should be updated to reflect that clientPublicKey is only required for EMAIL_OTP and OAUTH flows.

Reviews (1): Last reviewed commit: "Fix passkey verify example"
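
The per-type field sets listed in the review comment above can be turned into a check that flags an example body carrying a field its variant does not define. This is an added example, not code from the PR or the Grid project; `checkVerifyExample`, the field table and the sample bodies are assumptions built from the comment's diagram, with the listed fields treated as the complete set for each type.

```javascript
// Field sets per verify variant, taken from the review comment above and
// treated as complete (assumption; this is not the project's schema).
const VERIFY_FIELDS = {
  PASSKEY: ["type", "assertion"],
  EMAIL_OTP: ["type", "otp", "clientPublicKey"],
  OAUTH: ["type", "oidcToken", "clientPublicKey"],
};
const ASSERTION_FIELDS = ["credentialId", "clientDataJson", "authenticatorData", "signature"];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Returns a list of problems; an empty list means the body matches its variant.
function checkVerifyExample(body) {
  if (!isObject(body)) return ["body is not an object"];
  if (typeof body.type !== "string" || !has(VERIFY_FIELDS, body.type)) {
    return [`unknown type: ${String(body.type)}`];
  }
  const expected = VERIFY_FIELDS[body.type];
  const problems = [];
  for (const name of expected) {
    if (!has(body, name)) problems.push(`missing ${name}`);
  }
  for (const name of Object.keys(body)) {
    if (!expected.includes(name)) problems.push(`unexpected ${name} for ${body.type}`);
  }
  if (body.type === "PASSKEY" && has(body, "assertion")) {
    if (!isObject(body.assertion)) {
      problems.push("assertion is not an object");
    } else {
      for (const name of ASSERTION_FIELDS) {
        if (!has(body.assertion, name)) problems.push(`missing assertion.${name}`);
      }
    }
  }
  return problems;
}

// Constructed sample bodies with placeholder values (not taken from the spec files).
const assertion = {
  credentialId: "<credential-id>", clientDataJson: "<client-data>",
  authenticatorData: "<authenticator-data>", signature: "<signature>",
};
const passkeyWithKey = { type: "PASSKEY", assertion, clientPublicKey: "<public-key>" };
const passkeyFixed = { type: "PASSKEY", assertion };
const otpWithoutKey = { type: "EMAIL_OTP", otp: "<otp>" };

console.log(checkVerifyExample(passkeyWithKey));
console.log(checkVerifyExample(passkeyFixed));
console.log(checkVerifyExample(otpWithoutKey));
```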

@DhruvPareek DhruvPareek requested a review from pengying May 5, 2026 00:49