lightsparkdev · DhruvPareek · May 7, 2026
diff --git a/mintlify/openapi.yaml b/mintlify/openapi.yaml
diff --git a/openapi.yaml b/openapi.yaml
diff --git a/openapi/components/schemas/auth/AuthCredentialResponseOneOf.yaml b/openapi/components/schemas/auth/AuthCredentialResponseOneOf.yaml
@@ -4,9 +4,10 @@ description: >-
   `POST /auth/credentials/{id}/challenge`. For `EMAIL_OTP` credentials the
   body is a plain `AuthMethod` (wrapped as `AuthMethodResponse` to
   disambiguate the oneOf). For `PASSKEY` credentials the body is a
-  `PasskeyAuthChallenge` — the base `AuthMethod` fields plus the
-  Grid-issued `challenge`, `requestId`, and `expiresAt` that drive the
-  subsequent assertion. OAuth credentials do not use the challenge endpoint.
+  `PasskeyAuthChallenge` — the passkey auth method fields plus the
+  WebAuthn `credentialId`, Grid-issued `challenge`, `requestId`, and
+  `expiresAt` that drive the subsequent assertion. OAuth credentials do not
+  use the challenge endpoint.
   Registration responses from `POST /auth/credentials` use the simpler
   `AuthMethodResponse` shape directly for all three credential types.
 oneOf:

diff --git a/openapi/components/schemas/auth/PasskeyAuthChallenge.yaml b/openapi/components/schemas/auth/PasskeyAuthChallenge.yaml
@@ -1,14 +1,13 @@
 title: Passkey Auth Challenge
 description: >-
-  Extended `AuthMethod` shape returned for `PASSKEY` credentials from
-  `POST /auth/credentials` (first-authentication case) and
-  `POST /auth/credentials/{id}/challenge` (reauthentication case). Adds a
-  Grid-issued `challenge`, the corresponding `requestId`, and the
-  challenge's `expiresAt` to the base `AuthMethod` fields. The client signs
-  the challenge with the passkey to produce the assertion submitted to
-  `POST /auth/credentials/{id}/verify`.
+  Extended passkey auth method shape returned for `PASSKEY` credentials from
+  `POST /auth/credentials/{id}/challenge`. Includes the WebAuthn
+  `credentialId` needed to target the passkey, plus the Grid-issued
+  `challenge`, corresponding `requestId`, and challenge `expiresAt`. The
+  client signs the challenge with the passkey to produce the assertion
+  submitted to `POST /auth/credentials/{id}/verify`.
 allOf:
-  - $ref: ./AuthMethod.yaml
+  - $ref: ./PasskeyAuthMethod.yaml
   - type: object
     required:
       - challenge

diff --git a/openapi/paths/auth/auth_credentials_{id}_challenge.yaml b/openapi/paths/auth/auth_credentials_{id}_challenge.yaml
@@ -23,11 +23,13 @@ post:
     client's ephemeral `clientPublicKey` so Grid can bake it into the
     Turnkey session-creation payload the returned challenge is computed
     from — this seals the resulting session signing key to the client.
-    The response is a `PasskeyAuthChallenge` — the base `AuthMethod`
-    fields plus the new `challenge`, `requestId`, and `expiresAt`. The
-    client passes the `challenge` into `navigator.credentials.get()` and
-    submits the resulting assertion to `POST /auth/credentials/{id}/verify`
-    with `Request-Id: <requestId>` to receive a session.
+    The response is a `PasskeyAuthChallenge` — the passkey auth method
+    fields plus the WebAuthn `credentialId`, new `challenge`, `requestId`,
+    and `expiresAt`. The client passes `credentialId` as
+    `allowCredentials[].id` and `challenge` as the WebAuthn challenge in
+    `navigator.credentials.get()`, then submits the resulting assertion to
+    `POST /auth/credentials/{id}/verify` with `Request-Id: <requestId>` to
+    receive a session.
   operationId: challengeAuthCredential
   tags:
     - Embedded Wallet Auth
@@ -67,9 +69,9 @@ post:
         Challenge re-issued for the authentication credential. For
         `EMAIL_OTP` the body is a plain `AuthMethod` and a new OTP email
         has been sent. For `PASSKEY` the body is a `PasskeyAuthChallenge`
-        carrying the freshly issued `challenge`, `requestId`, and
-        `expiresAt` required to complete reauthentication via
-        `POST /auth/credentials/{id}/verify`.
+        carrying the passkey `credentialId`, freshly issued `challenge`,
+        `requestId`, and `expiresAt` required to complete reauthentication
+        via `POST /auth/credentials/{id}/verify`.
       content:
         application/json:
           schema:
@@ -90,6 +92,7 @@ post:
                 id: AuthMethod:019542f5-b3e7-1d02-0000-000000000001
                 accountId: InternalAccount:019542f5-b3e7-1d02-0000-000000000002
                 type: PASSKEY
+                credentialId: KEbWNCc7NgaYnUyrNeFGX9_3Y-8oJ3KwzjnaiD1d1LVTxR7v3CaKfCz2Vy_g_MHSh7yJ8yL0Pxg6jo_o0hYiew
                 nickname: iPhone Face-ID
                 createdAt: '2026-04-08T15:30:01Z'
                 updatedAt: '2026-04-08T15:35:00Z'