[grid] fix passkey registration samples

[DhruvPareek]

Summary

• Update the frontend passkey registration sample to handle Grid’s 202 signed-retry response before expecting an auth method id.
• Forward Grid-Wallet-Signature and Request-Id through the Kotlin sample’s CredentialCreateParams on the signed retry.
• Keep the local WebAuthn registration challenge valid through the signed retry and consume it only when registration completes.

Validation

• npm run build in samples/frontend
• Inspected the published Grid Kotlin SDK classes to confirm CredentialCreateParams supports gridWalletSignature and requestId
• Kotlin compile was not run locally because this machine has Java 17 while the sample Gradle config requires Java 21

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ignored	Preview	Jun 10, 2026 6:28pm

[DhruvPareek]

• [grid] fix Global Account sandbox docs #567
• [grid] fix Global Account auth snippets #566
• [grid] fix passkey registration samples #565 👈 (View in Graphite)
• [grid] fix Global Account HPKE docs #564
• [grid] fix Global Account frontend auth sample #563
• [grid] clarify email OTP registration bundle docs #562
• [grid] fix passkey reauth challenge docs #561
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Greptile Summary

This PR updates the passkey registration samples to handle Grid's two-phase 202 signed-retry flow, forwarding Grid-Wallet-Signature and Request-Id on the retry, and preserving the WebAuthn challenge in the Kotlin backend until registration actually completes.

• Frontend (RegisterPasskey.tsx): Splits the single-POST flow into a conditional two-phase call: if the first response contains payloadToSign and requestId, a signed retry is made with the same attestation body plus the two new headers; the registrationSignature helper resolves the signature from env var, sandbox default, or throws in production.
• Kotlin (AuthCredentials.kt): Switches from atomic consume to non-consuming isValid on first validation, defers consume until Grid returns any non-202 status (success or error), and forwards Grid-Wallet-Signature / Request-Id through the new CredentialCreateParams builder; the raw-response adapter is used so the backend can proxy the actual Grid HTTP status back to the client.

Confidence Score: 5/5

Safe to merge — both the frontend retry logic and the Kotlin challenge-lifecycle change are correct for the two-phase registration flow.

The two-phase flow is handled correctly end-to-end: apiPost returns normally for all 2xx responses (including 202), the isValid/deferred-consume pattern keeps the challenge alive exactly through the signed-retry round-trip, and the raw-response adapter accurately proxies Grid's status code back to the browser. No logic gaps or data-loss paths were found.

No files require special attention.

Important Files Changed

Filename	Overview
samples/frontend/src/steps/embeddedWallet/RegisterPasskey.tsx	Adds two-phase 202-signed-retry handling; registrationSignature helper resolves wallet signature from env var or sandbox default. Logic is correct — apiPost returns normally for all 2xx including 202, so the payloadToSign/requestId check reliably detects the retry case.
samples/kotlin/src/main/kotlin/com/grid/sample/routes/AuthCredentials.kt	Introduces isValid (non-consuming peek) alongside the existing consume, defers challenge removal until Grid returns non-202, and threads gridWalletSignature/requestId through CredentialCreateParams. Raw-response adapter correctly proxies Grid's HTTP status back to the client.

Sequence Diagram

sequenceDiagram
    participant Browser
    participant KotlinBackend
    participant Grid

    Browser->>KotlinBackend: POST /api/auth/credentials/registration-challenge
    KotlinBackend->>KotlinBackend: RegistrationChallengeStore.mint()
    KotlinBackend-->>Browser: "{challenge, rp, user}"

    Browser->>Browser: navigator.credentials.create()
    Browser->>KotlinBackend: "POST /api/auth/credentials {attestation, challenge}"
    KotlinBackend->>KotlinBackend: isValid(challenge) → true (no consume)
    KotlinBackend->>Grid: credentials.create(params)
    alt Grid requires signed retry
        Grid-->>KotlinBackend: "202 {payloadToSign, requestId}"
        KotlinBackend-->>Browser: "202 {payloadToSign, requestId}"
        Note over Browser: registrationSignature(payloadToSign)
        Browser->>KotlinBackend: "POST /api/auth/credentials {attestation, challenge} + Grid-Wallet-Signature + Request-Id"
        KotlinBackend->>KotlinBackend: isValid(challenge) → true (still alive)
        KotlinBackend->>Grid: credentials.create(params + signature + requestId)
        Grid-->>KotlinBackend: "201 {id, ...}"
        KotlinBackend->>KotlinBackend: consume(challenge)
        KotlinBackend-->>Browser: "201 {id, ...}"
    else Direct success
        Grid-->>KotlinBackend: "201 {id, ...}"
        KotlinBackend->>KotlinBackend: consume(challenge)
        KotlinBackend-->>Browser: "201 {id, ...}"
    end
    Browser->>Browser: "onComplete({authMethodId})"

Loading

_{Reviews (3): Last reviewed commit: "[grid] fix passkey registration samples" | Re-trigger Greptile}

[restamp-bot]

c14ff52 is a pure rebase onto 93849f9. Approving based on @carsonp6's previous approval of 167fdf7.

[restamp-bot]

c14ff52 is a pure rebase onto 93849f9. Approving based on @carsonp6's previous approval of 167fdf7.

[restamp-bot]

bf8ca05 is a pure rebase onto 34cacac. Approving based on @carsonp6's previous approval of 167fdf7.

[restamp-bot]

bf8ca05 is a pure rebase onto 34cacac. Approving based on @carsonp6's previous approval of 167fdf7.

The base branch was changed.

[restamp-bot]

bf8ca05 is a pure rebase onto 34cacac. Approving based on @carsonp6's previous approval of 167fdf7.

[restamp-bot]

2bf47ea is a pure rebase onto 34cacac. Approving based on @carsonp6's previous approval of 167fdf7.

[DhruvPareek]

Merge activity

• Jun 10, 6:33 PM UTC: @DhruvPareek merged this pull request with Graphite.