docs: document Global Account sandbox magic values #405
Adds a new shared snippet listing the four sandbox magic values that
unblock the embedded-wallet auth flows without real Turnkey/WebAuthn/
OIDC plumbing, and wires it into the four product-area sandbox-testing
pages (payouts-and-b2b, ramps, rewards, global-p2p):
| Value | Where it goes | Used by |
|------------------------------------|----------------------------------------------|----------------------------------------------------------------|
| 000000 | request body otp | POST /auth/credentials/{id}/verify (EMAIL_OTP) |
| sandbox-valid-oidc-token | request body oidcToken | POST /auth/credentials (OAUTH create) and verify (OAUTH) |
| sandbox-valid-passkey-signature | request body assertion.signature | POST /auth/credentials/{id}/verify (PASSKEY) |
| sandbox-valid-signature | HTTP header Grid-Wallet-Signature | All signed-retry flows + /quotes/{id}/execute on EMBEDDED_WALLET |
Includes integrator notes on JWT-shape requirement for OAUTH create,
the 401 error responses on a wrong magic value, that these are
sandbox-only, and that clientPublicKey is still required on every
verify (magic values bypass credential checks, not HPKE plumbing).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Splits the single magic-values table into four flow-keyed sections — email OTP, passkey assertion, OAuth (OIDC) token, and Grid-Wallet-Signature header — to match the look and feel of the api-reference sandbox-testing page (each section is a curl example, the field placement, and the specific 401 reason on a wrong value).
Inlines the relevant integrator notes per section instead of stacking them in a closing block:
- OAUTH create JWT-structure caveat lives in the OAuth section
- clientPublicKey reminder lives in the Passkey section (it applies to any verify call but is most surprising for passkey users)
- The "sandbox-only / production enforces real verification" framing is now the lead-in instead of a trailing bullet
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Greptile Summary
This PR adds a new shared Mintlify snippet (
Confidence Score: 3/5
The P1 contradiction in the OAUTH section will cause integrators to get a 401 error if they follow the opening sentence for OAUTH create; should be fixed before publishing.
One P1 finding (contradictory statement about which endpoint sandbox-valid-oidc-token is valid for) that will actively mislead developers, plus one P2 style note. The five consumer pages are all clean.
mintlify/snippets/sandbox-global-account-magic.mdx — specifically the OAuth (OIDC) token section around line 48.
| Filename | Overview |
|---|---|
| mintlify/snippets/sandbox-global-account-magic.mdx | New shared snippet documenting four sandbox magic values; the OAUTH section has a direct contradiction — the opening sentence claims the magic value works for both create and verify, while the inline Note correctly states it only works for verify. |
| mintlify/api-reference/sandbox-testing.mdx | Adds import and section for the new Global Account magic values snippet; change is minimal and correct. |
| mintlify/payouts-and-b2b/platform-tools/sandbox-testing.mdx | Adds import and section for the magic values snippet; placement before "Sandbox Limitations" is appropriate. |
| mintlify/ramps/platform-tools/sandbox-testing.mdx | Adds import and section for the magic values snippet; placement before "Moving to Production" is appropriate. |
| mintlify/rewards/platform-tools/sandbox-testing.mdx | Adds import and section for the magic values snippet; placement before "Sandbox Limitations" is appropriate. |
| mintlify/global-p2p/platform-tools/sandbox-testing.mdx | Adds import and section for the magic values snippet; placement before "Production vs Sandbox" is appropriate. |
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Sandbox Auth Request] --> B{Credential Type}
    B -- EMAIL_OTP --> C[body otp - magic OTP code]
    B -- PASSKEY --> D[assertion.signature - magic passkey value]
    B -- OAUTH create --> E[body oidcToken - must be JWT-shaped]
    B -- OAUTH verify --> F[body oidcToken - magic OIDC value]
    B -- Signed retry --> G[Grid-Wallet-Signature header - magic sig value]
    C --> H[Skips OTP delivery check]
    D --> I[Skips WebAuthn signature check]
    E --> J[Skips OIDC signature verification]
    F --> J
    G --> K[Skips wallet signature check]
```
| ### OAuth (OIDC) token | ||
| Pass `sandbox-valid-oidc-token` as the body `oidcToken` on both `POST /auth/credentials` (OAUTH create) and `POST /auth/credentials/{id}/verify` (OAUTH). |
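Review bot: The sentence under `### OAuth (OIDC) token` does not say what OAUTH create accepts in sandbox. The PR description mentions a JWT-shape requirement for create, so state here what that check covers (segment count only, or also a decodable header and claims) and limit the magic value to the verify endpoint, so a reader knows exactly which verification the sandbox skips on each call.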
**Contradictory claim about OAUTH create magic value**
The opening sentence says `sandbox-valid-oidc-token` works on **both** `POST /auth/credentials` (OAUTH create) and verify, but the Note immediately below corrects this and states it does **not** work for create — a properly structured JWT is required there. A developer reading the first sentence and using the magic value for the create call will get a `401 UNAUTHORIZED` without any obvious reason until they read the Note carefully.
Consider updating the opening sentence to be accurate upfront, for example:
| Pass `sandbox-valid-oidc-token` as the body `oidcToken` on both `POST /auth/credentials` (OAUTH create) and `POST /auth/credentials/{id}/verify` (OAUTH). | |
| Pass `sandbox-valid-oidc-token` as the body `oidcToken` on `POST /auth/credentials/{id}/verify` (OAUTH). For `POST /auth/credentials` (OAUTH create), you must supply a JWT-shaped token — see the note below. |
| ```bash | ||
| curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \ | ||
| -u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \ | ||
| -H "Content-Type: application/json" \ | ||
| -H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \ | ||
| -d '{ | ||
| "type": "OAUTH", | ||
| "oidcToken": "sandbox-valid-oidc-token", | ||
| "clientPublicKey": "04f45f2a..." | ||
| }' | ||
| ``` |
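Review bot: In the request body, `"clientPublicKey": "04f45f2a..."` is an elided value, so a reader who pastes the command sends an invalid key and hits an error unrelated to the magic value. Mark it as a placeholder and say where a usable key comes from, since the PR description states clientPublicKey is still required on every verify. The fixed `Request-Id` UUID and the literal `AuthMethod:abc123` in the URL would also read better as shell variables, matching `$GRID_CLIENT_ID` and `$GRID_CLIENT_SECRET`.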
**Missing curl example for OAUTH create flow**
The section states the magic value applies to both `POST /auth/credentials` (OAUTH create) and verify, but only provides a curl example for the verify endpoint. Given that the Note flags a meaningful gotcha for the create path (requiring a JWT-shaped token), a companion example showing how to construct the dummy JWT for create would substantially help developers avoid confusion.
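The JWT-shaped placeholder that the comment above asks for on OAUTH create, as an added example (not part of the PR or of the Grid documentation). It assumes the sandbox checks only that `oidcToken` has three base64url segments whose header and payload decode to JSON; the function names, claim names and claim values are constructed.

```shell
#!/bin/sh
# Added example (not from the PR). Assumption: sandbox create only needs a
# JWT-shaped oidcToken; claim names and values below are constructed.

# base64url-encode stdin without padding.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Decode one unpadded base64url segment; non-zero on an impossible length.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    1) return 1 ;;
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Emit header.payload.signature; the third segment is filler, not a signature.
make_dummy_jwt() {
  local sub="$1" now header payload sig
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"https://issuer.example","sub":"%s","aud":"sandbox-client","iat":%d,"exp":%d}' \
    "$sub" "$now" "$(( now + 300 ))" | b64url)
  sig=$(printf 'placeholder-not-a-signature' | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# Succeed only for three non-empty segments whose first two decode to JSON objects.
is_jwt_shaped() {
  local header payload sig rest seg
  IFS=. read -r header payload sig rest <<EOF
$1
EOF
  [ -n "$header" ] && [ -n "$payload" ] && [ -n "$sig" ] && [ -z "$rest" ] || return 1
  for seg in "$header" "$payload"; do
    case $(b64url_decode "$seg") in
      '{'*'}') ;;
      *) return 1 ;;
    esac
  done
}

token=$(make_dummy_jwt "sandbox-user-1")
is_jwt_shaped "$token" && echo "oidcToken for OAUTH create: $token"
is_jwt_shaped "sandbox-valid-oidc-token" || echo "magic value is not JWT-shaped: verify only"
```

The same `is_jwt_shaped` check can run in a test suite before any create call, so a bare magic string is caught locally instead of surfacing as a `401`.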