Add passkey credentialId to auth credential list

[DhruvPareek]

Summary:

• Add a passkey-specific auth method response schema with WebAuthn credentialId.
• Switch GET /auth/credentials list items to a discriminated union so credentialId is required only for PASSKEY rows.
• Update the list response example to show EMAIL_OTP, OAUTH, and PASSKEY credentials.

https://docs.google.com/document/d/18f3pLcXbLein9McsXxiPzVJMmXhBFGWQ-6Gys5WILLk/edit?tab=t.zg1lhkeq1hek

Test:

• npm run lint:openapi

[DhruvPareek]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Add wallet privacy endpoint to OpenAPI #452
• Add auth session refresh endpoints #451
• Add OTP email update endpoint to OpenAPI #450
• Add passkey credentialId to auth challenge response #449
• Add passkey credentialId to auth credential list #448 👈 (View in Graphite)
• Align auth session request-id contract #445 : 1 other dependent PR (#446 )
• Align auth credential create contract #444
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	May 7, 2026 11:44pm

[github-actions]

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

feat(api): add PasskeyAuthMethod variant with credentialId to auth credentials response

openapi

feat(api): add credentialId field to passkey auth credentials

python

feat(api): add passkey auth method to auth credential list response

typescript

feat(api): add credentialId field to passkey response in auth.credentials.list

Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-python studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.
generate ✅ → build ✅ → lint ✅ → test ✅

pip install https://pkg.stainless.com/s/grid-python/daef6e8831fcb703b3fed9d5bf35347034e95b0d/grid-0.0.1-py3-none-any.whl

New diagnostics (6 note)

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/ObjectHasNoProperties: Type information is missing for schema

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

✅ grid-kotlin studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.
generate ✅ → build ✅ → lint ✅ → test ✅

New diagnostics (16 note)

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/ObjectHasNoProperties: Type information is missing for schema

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/EnumHasOneMember: Confirm intentional use of `enum` with single member.

💡 Schema/EnumHasOneMember: Confirm intentional use of `enum` with single member.

💡 Schema/EnumHasOneMember: Confirm intentional use of `enum` with single member.

💡 Schema/EnumHasOneMember: Confirm intentional use of `enum` with single member.

⚠️ grid-typescript studio · code · diff

Your SDK build had a failure in the build CI job, which is a regression from the base state.
generate ✅ → build ❗ (prev: build ✅) → lint ❗ → test ❗ (prev: test ✅)

New diagnostics (6 note)

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/ObjectHasNoProperties: Type information is missing for schema

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

✅ grid-openapi studio · code · diff

Your SDK build had at least one new note diagnostic, which is a regression from the base state.
generate ✅

New diagnostics (8 note)

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/ObjectHasNoProperties: Type information is missing for schema

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/RequiredPropertyNotDefined: This schema marks `type` as `required`, but it isn't defined in `properties`, so it will be ignored.

💡 Schema/EnumHasOneMember: Confirm intentional use of `enum` with single member.

💡 Schema/EnumHasOneMember: Confirm intentional use of `enum` with single member.

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-05-07 23:48:01 UTC

[greptile-apps]

Greptile Summary

This PR extends the GET /auth/credentials list response to expose the WebAuthn credentialId for passkey credentials, enabling clients to target a specific registered passkey in navigator.credentials.get(). It introduces PasskeyAuthMethod (a new schema extending AuthMethod with required credentialId) and AuthCredentialListItem (a discriminated oneOf routing EMAIL_OTP/OAUTH to the existing AuthMethodResponse and PASSKEY to the new schema).

• New schemas: PasskeyAuthMethod.yaml adds credentialId as a required field on top of AuthMethod; AuthCredentialListItem.yaml wires the three credential types through a discriminator keyed on type.
• Discriminator correctness: AuthMethodResponse's unevaluatedProperties: false prevents a PASSKEY object (with the extra credentialId field) from inadvertently matching the EMAIL_OTP/OAUTH branch, and PasskeyAuthMethod's required: credentialId prevents EMAIL_OTP/OAUTH objects from matching the PASSKEY branch — so the oneOf is unambiguous.
• Scope: credentialId is intentionally scoped to the list endpoint only; the POST /auth/credentials create response continues to use AuthMethodResponse without credentialId, consistent with the PR description.

Confidence Score: 5/5

Safe to merge — the changes are additive and well-scoped to the GET /auth/credentials list response without touching any other endpoint schemas.

The discriminated union is correctly constructed: unevaluatedProperties: false on AuthMethodResponse prevents PASSKEY objects from matching that branch, and the required credentialId on PasskeyAuthMethod prevents EMAIL_OTP/OAUTH objects from matching the PASSKEY branch. The bundled files are in sync with the source. No existing endpoint contracts are broken.

No files require special attention.

Important Files Changed

Filename	Overview
openapi/components/schemas/auth/AuthCredentialListItem.yaml	New discriminated union routing EMAIL_OTP/OAUTH to AuthMethodResponse and PASSKEY to PasskeyAuthMethod; discriminator mapping is complete and correct
openapi/components/schemas/auth/PasskeyAuthMethod.yaml	New schema extending AuthMethod with required credentialId; correctly uses allOf and restricts type to PASSKEY for discriminator routing
openapi/components/schemas/auth/AuthCredentialListResponse.yaml	Single-line change swapping the list item ref from AuthMethod to AuthCredentialListItem, correctly delegating to the new discriminated union
openapi/paths/auth/auth_credentials.yaml	GET /auth/credentials example updated to show all three credential types (EMAIL_OTP, OAUTH, PASSKEY) with credentialId present only on the PASSKEY entry
openapi.yaml	Bundled file regenerated consistently with source changes; AuthMethodResponse relocated earlier, PasskeyAuthMethod and AuthCredentialListItem added in correct position
mintlify/openapi.yaml	Mintlify bundled file mirrors openapi.yaml changes; doc-site schema and example are updated in sync

Sequence Diagram

sequenceDiagram
    participant Client
    participant API as Grid API

    Client->>API: POST /auth/credentials (type: PASSKEY, attestation)
    API-->>Client: 201 AuthMethodResponse (id, type, nickname — no credentialId)

    Client->>API: "GET /auth/credentials?accountId=..."
    API-->>Client: 200 AuthCredentialListResponse
    note over Client,API: data[] = AuthCredentialListItem (oneOf)
    note over Client,API: EMAIL_OTP/OAUTH → AuthMethodResponse
    note over Client,API: PASSKEY → PasskeyAuthMethod (+ credentialId)

    Client->>Client: "navigator.credentials.get({allowCredentials: [{id: credentialId}]})"

Loading

_{Reviews (2): Last reviewed commit: "Add passkey credentialId to auth credent..." | Re-trigger Greptile}