[grid] Document passkey nickname validation

[DhruvPareek]

Summary

• Documents the new passkey nickname validation rules.
• Clarifies that PASSKEY AuthMethod nicknames are validated before storage.
• Regenerates the OpenAPI and Mintlify bundles.
• Backend companion: https://github.com/lightsparkdev/webdev/pull/26941

Test Plan

• npm run lint:openapi

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	Apr 30, 2026 11:11pm

[DhruvPareek]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• [grid] Document passkey nickname validation #428 👈 (View in Graphite)
• [grid] Clarify auth challenge rate limit docs #427
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

✱ Stainless preview builds

This PR will update the grid SDKs with the following commit messages.

kotlin

docs(api): update nickname field descriptions in credential models

openapi

docs(api): update passkey nickname field descriptions

python

docs(types): update nickname field documentation in auth types

typescript

docs(api): clarify nickname validation in auth credentials

Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-openapi studio · code · diff

Your SDK build had at least one "warning" diagnostic, but this did not represent a regression.
generate ⚠️

✅ grid-kotlin studio · code · diff

Your SDK build had at least one "warning" diagnostic, but this did not represent a regression.
generate ⚠️ → build ✅ (prev: build ⏭️) → lint ✅ (prev: lint ⏭️) → test ✅

⚠️ grid-typescript studio · code · diff

Your SDK build had a failure in the lint CI job, which is a regression from the base state.
generate ⚠️ → build ✅ (prev: build ⏭️) → lint ❗ (prev: lint ⏭️) → test ✅

npm install https://pkg.stainless.com/s/grid-typescript/eae4867aa2f25d8de29eef2f9f8ceeca541beb42/dist.tar.gz

✅ grid-python studio · code · diff

Your SDK build had at least one "warning" diagnostic, but this did not represent a regression.
generate ⚠️ → build ✅ (prev: build ⏭️) → lint ✅ (prev: lint ⏭️) → test ✅

pip install https://pkg.stainless.com/s/grid-python/9db43dca7a650be33e676c3641aef5454da8f9d8/grid-0.0.1-py3-none-any.whl

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-04-30 23:16:50 UTC

[greptile-apps]

Greptile Summary

This documentation-only PR adds passkey nickname validation rules to the OpenAPI spec — specifically that nicknames are 1–100 characters, allow Unicode letters/numbers/spaces/select separators, and have leading/trailing whitespace ignored. Both the source schema and the regenerated bundles (openapi.yaml, mintlify/openapi.yaml) are updated consistently.

Confidence Score: 4/5

Safe to merge — documentation-only change with no logic or breaking schema modifications.

Only P2 findings: missing machine-readable minLength/maxLength constraints and a minor wording ambiguity around whitespace handling. No functional or correctness issues.

openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml — consider adding minLength/maxLength alongside the prose validation rules.

Important Files Changed

Filename	Overview
openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml	Added validation rules to the nickname description (1-100 chars, allowed character classes, whitespace handling); no machine-readable schema constraints added.
openapi/components/schemas/auth/AuthMethod.yaml	Minor wording update: "nickname provided" → "validated nickname provided" for PASSKEY credential type.
openapi.yaml	Regenerated bundle — reflects the same description changes from the source files correctly.
mintlify/openapi.yaml	Regenerated Mintlify bundle — identical changes to openapi.yaml, consistent with source.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Client submits passkey nickname] --> B[Strip leading & trailing whitespace]
    B --> C{1–100 characters?}
    C -- No --> D[Reject: validation error]
    C -- Yes --> E{Only allowed characters?\nUnicode letters, numbers, spaces,\nperiod, underscore, hyphen,\napostrophe, parentheses}
    E -- No --> D
    E -- Yes --> F[Store validated nickname]
    F --> G[AuthMethod response\nreturns validated nickname]

Loading

Comments Outside Diff (1)

1. openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml, line 13-22 (link)

   Add minLength/maxLength constraints to complement prose validation rules

   The description now correctly states "Must be 1-100 characters", but the schema itself has no minLength or maxLength keywords. Without these, OpenAPI validators and generated client SDKs won't enforce the constraint automatically. Consider adding them alongside the description:

     nickname:
       type: string
       minLength: 1
       maxLength: 100
       description: >-
         Human-readable identifier for the passkey, ...

   This makes the constraint machine-readable, not just human-readable.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml
   Line: 13-22
   
   Comment:
   **Add `minLength`/`maxLength` constraints to complement prose validation rules**
   
   The description now correctly states "Must be 1-100 characters", but the schema itself has no `minLength` or `maxLength` keywords. Without these, OpenAPI validators and generated client SDKs won't enforce the constraint automatically. Consider adding them alongside the description:
   
   ```yaml
     nickname:
       type: string
       minLength: 1
       maxLength: 100
       description: >-
         Human-readable identifier for the passkey, ...
   ```
   
   This makes the constraint machine-readable, not just human-readable.
   
   How can I resolve this? If you propose a fix, please make it concise.

   

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml:13-22
**Add `minLength`/`maxLength` constraints to complement prose validation rules**

The description now correctly states "Must be 1-100 characters", but the schema itself has no `minLength` or `maxLength` keywords. Without these, OpenAPI validators and generated client SDKs won't enforce the constraint automatically. Consider adding them alongside the description:

```yaml
  nickname:
    type: string
    minLength: 1
    maxLength: 100
    description: >-
      Human-readable identifier for the passkey, ...
```

This makes the constraint machine-readable, not just human-readable.

### Issue 2 of 2
openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml:16-19
**"Whitespace is ignored" is ambiguous about the stored value**

"Leading and trailing whitespace is ignored" could mean (a) whitespace is stripped before storage, so the stored `nickname` has no leading/trailing whitespace, or (b) the API accepts whitespace but callers should trim it themselves. The `AuthMethod` response description says "validated nickname", which implies (a), but a reader of this field alone can't tell. A small wording tweak removes the ambiguity:

```suggestion
      registration time (e.g. "iPhone Face-ID", "YubiKey 5C"). Leading
      and trailing whitespace is stripped before storage. Must be 1-100 characters and may
```

_{Reviews (1): Last reviewed commit: "[grid] Document passkey nickname validat..." | Re-trigger Greptile}

[greptile-apps]

"Whitespace is ignored" is ambiguous about the stored value

"Leading and trailing whitespace is ignored" could mean (a) whitespace is stripped before storage, so the stored nickname has no leading/trailing whitespace, or (b) the API accepts whitespace but callers should trim it themselves. The AuthMethod response description says "validated nickname", which implies (a), but a reader of this field alone can't tell. A small wording tweak removes the ambiguity:

Suggested change

	Human-readable identifier for the passkey, chosen by the user at
	registration time (e.g. "iPhone Face-ID", "YubiKey 5C"). Shown
	back on `AuthMethod` responses and in credential listings.
	registration time (e.g. "iPhone Face-ID", "YubiKey 5C"). Leading
	and trailing whitespace is ignored. Must be 1-100 characters and may
	contain Unicode letters, numbers, spaces, and the following separators:
	registration time (e.g. "iPhone Face-ID", "YubiKey 5C"). Leading
	and trailing whitespace is stripped before storage. Must be 1-100 characters and may

Prompt To Fix With AI

This is a comment left during a code review.
Path: openapi/components/schemas/auth/PasskeyCredentialCreateRequestFields.yaml
Line: 16-19

Comment:
**"Whitespace is ignored" is ambiguous about the stored value**

"Leading and trailing whitespace is ignored" could mean (a) whitespace is stripped before storage, so the stored `nickname` has no leading/trailing whitespace, or (b) the API accepts whitespace but callers should trim it themselves. The `AuthMethod` response description says "validated nickname", which implies (a), but a reader of this field alone can't tell. A small wording tweak removes the ambiguity:

```suggestion
      registration time (e.g. "iPhone Face-ID", "YubiKey 5C"). Leading
      and trailing whitespace is stripped before storage. Must be 1-100 characters and may
```

How can I resolve this? If you propose a fix, please make it concise.