refactor: migrate AuthCredentialAdditionalChallenge onto SignedRequestChallenge base

[DhruvPareek]

Retrofits the add-additional-credential 202 challenge (on POST /auth/credentials) to compose the shared SignedRequestChallenge base introduced earlier in this stack. Brings the add-credential flow to match the other flows that use the http 202 signed ppayload challenge: delete-credential, delete-session, and export-wallet challenges.

What changed

• AuthCredentialAdditionalChallenge.yaml — rewritten from a flat { type, payloadToSign, requestId, expiresAt } object to allOf(../common/SignedRequestChallenge.yaml, { type: AuthMethodType }).

What stays the same

• Wire shape of 202 responses is unchanged — still { type, payloadToSign, requestId, expiresAt } plus any per-variant fields.
• The discriminated oneOf wrapper AuthCredentialAdditionalChallengeOneOf and the three variant schemas (EmailOtp…, Oauth…, Passkey…) are untouched
• payloadToSign, requestId, expiresAt descriptions shift to the slightly more generic phrasing already in SignedRequestChallenge, but the semantics are identical

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	Apr 23, 2026 3:26am

[github-actions]

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

chore(internal): regenerate SDK with no functional changes

openapi

chore(types): refactor AuthCredentialAdditionalChallenge to use allOf composition

python

chore(internal): regenerate SDK with no functional changes

typescript

chore(internal): regenerate SDK with no functional changes

Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-python studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → build ✅ → lint ✅ → test ✅

pip install https://pkg.stainless.com/s/grid-python/647e7ed7c20edc12085942b172f0e655dd583a4c/grid-0.0.1-py3-none-any.whl

⏳ grid-typescript studio · code · diff

generate ❗ → build ✅ → lint ⏳ → test ⏳

npm install https://pkg.stainless.com/s/grid-typescript/e3a3208960eacd55d98007411801ecdf25b05112/dist.tar.gz

✅ grid-openapi studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗

⏳ grid-kotlin studio · code · diff

generate ❗ → build ⏳ → lint ✅ → test ✅

⏳ These are partial results; builds are still running.

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-04-23 03:33:39 UTC

[DhruvPareek]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• refactor: migrate AuthCredentialAdditionalChallenge onto SignedRequestChallenge base #373 👈 (View in Graphite)
• add POST /internal-accounts/{id}/export to export wallet credentials #372
• add DELETE /auth/sessions/{id} to revoke authentication sessions #371
• add GET /auth/sessions to list authentication sessions #370
• add DELETE /auth/credentials/{id} to revoke authentication credentials #369
• add GET /auth/credentials to list authentication credentials #368
• add Embedded Wallet PASSKEY reauth #377
• add Embedded Wallet PASSKEY credential to additional credential flow #365
• add Embedded Wallet PASSKEY auth credential verify #364
• add Embedded Wallet PASSKEY auth credential create #363
• add Embedded Wallet OAUTH credential to additional credential flow #362
• add Embedded Wallet OAUTH credential verify #361
• add Embedded Wallet OAUTH credential create #360
• modify /quotes and /quote/{quoteId}/execute for Embedded Wallet transfers #356
• add Embedded Wallet Auth endpoint for Email OTP challenge #350
• add Embedded Wallet Auth endpoints for Email OTP create + verify #349
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Greptile Summary

This PR refactors AuthCredentialAdditionalChallenge to compose SignedRequestChallenge via allOf, matching the pattern already used by AuthCredentialDeleteChallenge, SessionDeleteChallenge, and InternalAccountExportChallenge. The wire shape (type, payloadToSign, requestId, expiresAt) is unchanged, the discriminated oneOf wrapper and variant schemas are untouched, and the stainless.yml JSONPath is correctly updated to allOf[1].properties.

Confidence Score: 5/5

Safe to merge — pure schema refactor with identical wire shape and correct tooling update.

All findings are P2 (documentation/example quality). No logic, wire shape, or discriminator regressions were found. The stainless.yml path update is correct.

No files require special attention.

Important Files Changed

Filename	Overview
openapi/components/schemas/auth/AuthCredentialAdditionalChallenge.yaml	Refactored from a flat object schema to allOf(SignedRequestChallenge, {type}), matching sibling schemas; wire shape is preserved but the payloadToSign example becomes a generic placeholder.
.stainless/stainless.yml	JSONPath target correctly updated from .properties to .allOf[1].properties to reach the type field now nested inside the allOf composition.
openapi.yaml	Generated file mirrors the YAML source change; discriminator, variant schemas, and AuthCredentialAdditionalChallengeOneOf are all unchanged and remain consistent.
mintlify/openapi.yaml	Mintlify copy of the spec updated identically to openapi.yaml; no issues found.

Class Diagram

%%{init: {'theme': 'neutral'}}%%
classDiagram
    class SignedRequestChallenge {
        +string payloadToSign
        +string requestId
        +string expiresAt
    }
    class AuthCredentialAdditionalChallenge {
        +AuthMethodType type
    }
    class EmailOtpCredentialAdditionalChallenge {
        +string type = "EMAIL_OTP"
        +string email
    }
    class OauthCredentialAdditionalChallenge {
        +string type = "OAUTH"
    }
    class PasskeyCredentialAdditionalChallenge {
        +string type = "PASSKEY"
    }
    class AuthCredentialAdditionalChallengeOneOf {
        <<oneOf discriminator: type>>
    }
    SignedRequestChallenge <|-- AuthCredentialAdditionalChallenge : allOf
    AuthCredentialAdditionalChallenge <|-- EmailOtpCredentialAdditionalChallenge : allOf
    AuthCredentialAdditionalChallenge <|-- OauthCredentialAdditionalChallenge : allOf
    AuthCredentialAdditionalChallenge <|-- PasskeyCredentialAdditionalChallenge : allOf
    AuthCredentialAdditionalChallengeOneOf --> EmailOtpCredentialAdditionalChallenge
    AuthCredentialAdditionalChallengeOneOf --> OauthCredentialAdditionalChallenge
    AuthCredentialAdditionalChallengeOneOf --> PasskeyCredentialAdditionalChallenge

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: openapi/components/schemas/auth/AuthCredentialAdditionalChallenge.yaml
Line: 1-9

Comment:
**`payloadToSign` example loses endpoint-specific fidelity**

The inherited `SignedRequestChallenge.payloadToSign` example (`Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg`) is an opaque base64-like placeholder, whereas the old example was the literal JSON that callers must sign byte-for-byte:

```json
{"requestId":"7c4a8d09-…","type":"EMAIL_OTP","accountId":"InternalAccount:01HF3Z4QWERTY","expiresAt":"2026-04-08T15:35:00Z"}
```

Developers who need to implement signing for `POST /auth/credentials` now lose the concrete hint about the payload structure. The variant schemas (`EmailOtpCredentialAdditionalChallengeFields`, etc.) don't override the example either. Consider overriding `payloadToSign` in the `allOf[1]` object with a challenge-specific example, the same way the old schema did.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "refactor: migrate AuthCredentialAddition..." | Re-trigger Greptile}

[greptile-apps]

payloadToSign example loses endpoint-specific fidelity

The inherited SignedRequestChallenge.payloadToSign example (Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg) is an opaque base64-like placeholder, whereas the old example was the literal JSON that callers must sign byte-for-byte:

{"requestId":"7c4a8d09-…","type":"EMAIL_OTP","accountId":"InternalAccount:01HF3Z4QWERTY","expiresAt":"2026-04-08T15:35:00Z"}

Developers who need to implement signing for POST /auth/credentials now lose the concrete hint about the payload structure. The variant schemas (EmailOtpCredentialAdditionalChallengeFields, etc.) don't override the example either. Consider overriding payloadToSign in the allOf[1] object with a challenge-specific example, the same way the old schema did.

Prompt To Fix With AI

This is a comment left during a code review.
Path: openapi/components/schemas/auth/AuthCredentialAdditionalChallenge.yaml
Line: 1-9

Comment:
**`payloadToSign` example loses endpoint-specific fidelity**

The inherited `SignedRequestChallenge.payloadToSign` example (`Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg`) is an opaque base64-like placeholder, whereas the old example was the literal JSON that callers must sign byte-for-byte:

```json
{"requestId":"7c4a8d09-…","type":"EMAIL_OTP","accountId":"InternalAccount:01HF3Z4QWERTY","expiresAt":"2026-04-08T15:35:00Z"}
```

Developers who need to implement signing for `POST /auth/credentials` now lose the concrete hint about the payload structure. The variant schemas (`EmailOtpCredentialAdditionalChallengeFields`, etc.) don't override the example either. Consider overriding `payloadToSign` in the `allOf[1]` object with a challenge-specific example, the same way the old schema did.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!