The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	May 28, 2026 9:42pm

✱ Stainless preview builds for grid

This PR will update the grid SDKs with the following commit messages.

cli

chore(internal): regenerate SDK with no functional changes

csharp

docs(api): update OAuth credential verification documentation in auth

go

docs(api): clarify OAuth token verification in authcredential

kotlin

docs(api): update OAuth credential verification documentation

openapi

docs(api): clarify OAuth token validation requirements for auth credentials

php

docs(api): update OAuth credential verification documentation

python

docs(api): clarify OAuth token requirements in credentials methods

ruby

docs(api): update oidc_token documentation in OAuth credential models

typescript

docs(api): update OAuth token requirements in auth credentials

⏳ These are partial results; builds are still running.

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-05-28 21:54:33 UTC

• docs: explain realistic OIDC sandbox tokens #487 : 2 dependent PRs (#488 , #489 ) 👈 (View in Graphite)
• docs: align auth endpoint docs with PDF #481
• docs: allow multiple passkey credentials #479
• docs: update auth signed retry examples #477
• docs: fix auth account identifiers #476
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Greptile Summary

This PR updates the Global Accounts sandbox and OpenAPI docs to replace the old fixed sandbox-valid-oidc-token magic value with the new realistic OIDC token model, where the sandbox validates JWT structure, claim freshness, credential identity, and (on verify) a nonce = sha256(clientPublicKey) binding — while skipping real IdP signature verification.

• Sandbox testing page & magic snippet — rewrites the OAuth section to list all required claims for both create and verify, adds a copyable Node.js snippet that generates a compliant sandbox JWT with the correct nonce, and deprecates the old literal token.
• OpenAPI source schemas and path files — updates oidcToken descriptions in OauthCredentialCreateRequestFields, OauthCredentialVerifyRequestFields, and both auth path files to document the production-vs-sandbox split and the new identity/nonce checks; regenerated bundles (openapi.yaml, mintlify/openapi.yaml) are included.
• Authentication snippet — adds identity-matching prose and a <Note> callout pointing to the sandbox testing page.

Confidence Score: 3/5

Docs-only change; no application logic is touched. The main risk is integrators picking up the wrong example shape from the spec.

The OpenAPI example JWT for OauthCredentialVerifyRequestFields has no nonce field, directly contradicting the description text that sandbox requires one. An integrator who uses this schema example as a starting point in sandbox will receive a 401 nonce failure with no clear pointer to the cause. The nonce hash encoding (hex vs. base64) is also undocumented in prose — only visible in the Node.js code block — which could trip up developers writing equivalent code in other languages. Everything else in the PR is accurate and internally consistent.

openapi/components/schemas/auth/OauthCredentialVerifyRequestFields.yaml — the verify example JWT needs a nonce claim to match the documented sandbox requirement

sequenceDiagram
    participant Dev as Integrator
    participant SB as Grid Sandbox

    Note over Dev,SB: OAuth Credential Registration (POST /auth/credentials)
    Dev->>Dev: "Generate JWT with iss, aud, sub, iat, exp (signature = dummy value)"
    Dev->>SB: "POST /auth/credentials { type: OAUTH, oidcToken }"
    SB->>SB: Validate JWT structure and iss support
    SB->>SB: Verify iat freshness (60s window)
    SB->>SB: Store iss + aud + sub as credential identity
    SB-->>Dev: "200 { id: AuthMethod:... }"

    Note over Dev,SB: OAuth Credential Verification (POST /auth/credentials/{id}/verify)
    Dev->>Dev: Generate ephemeral P-256 key pair
    Dev->>Dev: "Compute nonce = sha256(clientPublicKey) hex-encoded"
    Dev->>Dev: Generate fresh JWT with iss, aud, sub, iat, exp, nonce
    Dev->>SB: "POST /auth/credentials/{id}/verify { type: OAUTH, oidcToken, clientPublicKey }"
    SB->>SB: Validate JWT structure and iss support
    SB->>SB: Verify iat freshness (60s window)
    SB->>SB: Match iss + aud + sub against stored credential identity
    SB->>SB: "Verify nonce == sha256(clientPublicKey)"
    SB->>SB: Encrypt session signing key to clientPublicKey (HPKE)
    SB-->>Dev: "200 { encryptedSessionSigningKey, expiresAt }"

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
mintlify/snippets/sandbox-global-account-magic.mdx:68
**`nonce` hash encoding not specified — developers not using the Node.js example may compute it incorrectly**

The prose says `nonce` must equal `sha256(clientPublicKey)` but doesn't say the output is hex-encoded. The code example uses `.digest("hex")`, producing a lowercase hex string. A developer writing a Python or Go integration might reach for base64 or raw bytes instead, producing a nonce the backend won't match, and getting a 401 with no obvious pointer to the encoding mismatch. Specifying "(hex-encoded)" inline removes the ambiguity.

```suggestion
Grid stores the OAuth credential's registered identity from `iss`, `aud`, and `sub`. On `POST /auth/credentials/{id}/verify`, the fresh `oidcToken` must carry the same `iss`, `aud`, and `sub` as the credential being verified. It must also include `nonce` equal to `sha256(clientPublicKey)` (hex-encoded lowercase), where `clientPublicKey` is the exact hex public key sent in the verify request.
```

### Issue 2 of 2
openapi/components/schemas/auth/OauthCredentialVerifyRequestFields.yaml:24
**Verify example JWT is missing the `nonce` claim now required in sandbox**

The static `example` value shared between create and verify schemas has no `nonce` field in its payload. The description directly above it states that sandbox requires `nonce = sha256(clientPublicKey)` for verify. An integrator who models their token on this example and tests in sandbox will immediately get a 401 nonce-mismatch error with no obvious clue why, since the example shape itself passes no nonce. The same example is intentionally correct for the create operation (where nonce is not required), but a verify-specific example — or a note on the example — is needed to avoid this mismatch.

_{Reviews (1): Last reviewed commit: "docs: explain realistic OIDC sandbox tok..." | Re-trigger Greptile}