Align auth session request-id contract

openapi/paths/auth/auth_credentials_{id}_verify.yaml

@@ -12,14 +12,11 @@ post:
     public key; this is also the reauthentication path after a prior
     session expired. For `PASSKEY` credentials, the client completes a
     WebAuthn assertion (`navigator.credentials.get()`) against the
-    Grid-issued `challenge` returned from either `POST /auth/credentials`
-    (first authentication) or `POST /auth/credentials/{id}/challenge`
-    (reauthentication), and submits the resulting `assertion` along with
-    the client-generated public key. The `requestId` that accompanied
-    the challenge must be echoed in the `Request-Id` header so Grid can
-    correlate the assertion with the pending challenge; Grid verifies
-    the WebAuthn signature against the stored credential before issuing
-    the session.
+    Grid-issued `challenge` returned from
+    `POST /auth/credentials/{id}/challenge`, and submits the resulting
+    `assertion` with the `Request-Id` header. The `clientPublicKey`
+    for `PASSKEY` credentials is supplied on the challenge call, where
+    it is bound into the pending session-creation request.
 
 
     On success, the response contains an `encryptedSessionSigningKey`
@@ -46,10 +43,8 @@ post:
       required: false
       description: >-
         The `requestId` returned alongside the Grid-issued `challenge` from
-        `POST /auth/credentials` or `POST /auth/credentials/{id}/challenge`,
-        echoed back here so Grid can correlate the assertion with the
-        pending challenge. Required when `type` is `PASSKEY`; ignored for
-        `EMAIL_OTP` and `OAUTH`.
+        `POST /auth/credentials/{id}/challenge`, echoed back here so Grid
+        can correlate the assertion with the pending challenge.
       schema:
         type: string
       example: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21