curl --request POST \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id}/challenge \
--header 'Authorization: Basic <encoded-value>' \
--header 'Content-Type: application/json' \
--data '
{
"clientPublicKey": "04f45f2a22c908b9ce09a7150e514afd24627c401c38a4afc164e1ea783adaaa31d4245acfb88c2ebd42b47628d63ecabf345484f0a9f665b63c54c897d5578be2"
}
'{
"id": "AuthMethod:019542f5-b3e7-1d02-0000-000000000001",
"accountId": "InternalAccount:019542f5-b3e7-1d02-0000-000000000002",
"type": "EMAIL_OTP",
"nickname": "example@lightspark.com",
"createdAt": "2026-04-08T15:30:01Z",
"updatedAt": "2026-04-08T15:35:00Z"
}Re-issue an authentication credential challenge
Re-issue the challenge for an existing authentication credential.
For EMAIL_OTP credentials, this triggers a new one-time password email to the address on file. The response is a plain AuthMethod; there is no challenge body to surface because the OTP is delivered out-of-band via email. After the user receives the new OTP, call POST /auth/credentials/{id}/verify to complete verification and issue a session.
For PASSKEY credentials, this issues a fresh Grid-generated WebAuthn challenge for reauthentication. The request body must carry the client’s ephemeral clientPublicKey so Grid can bake it into the Turnkey session-creation payload the returned challenge is computed from — this seals the resulting session signing key to the client. The response is a PasskeyAuthChallenge — the base AuthMethod fields plus the new challenge, requestId, and expiresAt. The client passes the challenge into navigator.credentials.get() and submits the resulting assertion to POST /auth/credentials/{id}/verify with Request-Id: <requestId> to receive a session.
curl --request POST \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id}/challenge \
--header 'Authorization: Basic <encoded-value>' \
--header 'Content-Type: application/json' \
--data '
{
"clientPublicKey": "04f45f2a22c908b9ce09a7150e514afd24627c401c38a4afc164e1ea783adaaa31d4245acfb88c2ebd42b47628d63ecabf345484f0a9f665b63c54c897d5578be2"
}
'{
"id": "AuthMethod:019542f5-b3e7-1d02-0000-000000000001",
"accountId": "InternalAccount:019542f5-b3e7-1d02-0000-000000000002",
"type": "EMAIL_OTP",
"nickname": "example@lightspark.com",
"createdAt": "2026-04-08T15:30:01Z",
"updatedAt": "2026-04-08T15:35:00Z"
}Authorizations
API token authentication using format <api token id>:<api client secret>
Path Parameters
The id of the authentication credential to re-challenge (the id field of the AuthMethod returned from POST /auth/credentials).
Body
Request body. Required when re-challenging a PASSKEY credential (must carry clientPublicKey). Ignored for EMAIL_OTP and OAUTH, where the credential type alone is sufficient — the OTP is delivered out-of-band (EMAIL_OTP) or there is no server-side challenge (OAUTH).
Request body for POST /auth/credentials/{id}/challenge. Required when re-challenging a PASSKEY credential — must carry clientPublicKey so Grid can bake it into the Turnkey session-creation payload the returned challenge is computed from. Ignored for EMAIL_OTP and OAUTH, where the credential type alone is sufficient (the OTP is delivered out-of-band for EMAIL_OTP; there is no server-side challenge for OAUTH).
Required for PASSKEY credentials. Client-generated P-256 public key, hex-encoded in uncompressed SEC1 format (04 prefix followed by the 32-byte X and 32-byte Y coordinates; 130 hex characters total). The matching private key must remain on the client. Grid bakes this key into the Turnkey session-creation payload that the returned challenge is computed from, so the resulting session signing key is sealed to the client. Ignored for EMAIL_OTP and OAUTH credentials.
130^04[0-9a-fA-F]{128}$"04f45f2a22c908b9ce09a7150e514afd24627c401c38a4afc164e1ea783adaaa31d4245acfb88c2ebd42b47628d63ecabf345484f0a9f665b63c54c897d5578be2"
Response
Challenge re-issued for the authentication credential. For EMAIL_OTP the body is a plain AuthMethod and a new OTP email has been sent. For PASSKEY the body is a PasskeyAuthChallenge carrying the freshly issued challenge, requestId, and expiresAt required to complete reauthentication via POST /auth/credentials/{id}/verify.
- Auth Method Response
- Passkey Auth Challenge
Strict wrapper around AuthMethod. Used directly as the registration response on POST /auth/credentials (all three credential types) and inside AuthCredentialResponseOneOf for the EMAIL_OTP and OAUTH branches of POST /auth/credentials/{id}/challenge. The only difference from AuthMethod is unevaluatedProperties: false, which disambiguates the oneOf against PasskeyAuthChallenge — without the strictness, an AuthMethod with extra fields would ambiguously match both branches.
System-generated unique identifier for the authentication credential.
"AuthMethod:019542f5-b3e7-1d02-0000-000000000001"
Identifier of the internal account that this credential authenticates.
"InternalAccount:019542f5-b3e7-1d02-0000-000000000002"
The type of authentication credential.
OAUTH: OpenID Connect (OIDC) token issued by an identity provider such as Google or Apple.EMAIL_OTP: A one-time password delivered to the user's email address.PASSKEY: A WebAuthn passkey bound to the user's device.
OAUTH, EMAIL_OTP, PASSKEY Human-readable identifier for this credential. For EMAIL_OTP credentials this is the email address; for OAUTH credentials it is typically the email claim from the OIDC token; for PASSKEY credentials it is the nickname provided at registration time.
"example@lightspark.com"
Creation timestamp.
"2026-04-08T15:30:01Z"
Last update timestamp.
"2026-04-08T15:35:00Z"
Was this page helpful?