[samples] fix passkey challenge encoding in frontend sample

[claude]

Summary

• Fixed incorrect passkey challenge encoding in AuthenticateAndSign.tsx
• The Grid-issued authentication challenge is a lowercase hex string that should be UTF-8 encoded, not base64url decoded
• This aligns the sample code with the schema clarification from [grid] fix passkey reauth challenge docs #561

Changes

Frontend Sample:

• Changed base64urlToBytes(challenge.challenge) to new TextEncoder().encode(challenge.challenge) for the WebAuthn assertion
• Updated comment to clarify that the challenge is a hex string requiring UTF-8 encoding

Context

PR #561 clarified that the passkey challenge field from POST /auth/credentials/{id}/challenge is:

"Lowercase hex-encoded SHA-256 digest... Do not base64url-decode this field; pass UTF-8 bytes of the string (for example, new TextEncoder().encode(challenge)) as the WebAuthn challenge"

The Mintlify documentation already correctly describes this encoding (showing new TextEncoder().encode(gridChallenge)), but the frontend sample was using the wrong encoding method.

Test plan

• Verify the frontend sample compiles without errors
• Test passkey authentication flow in sandbox mode
• Verify the change matches the documentation in mintlify/snippets/global-accounts/authentication.mdx

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ignored		Jun 10, 2026 9:21am

[greptile-apps]

Greptile Summary

Corrects the WebAuthn challenge encoding in the embedded-wallet frontend sample so it uses TextEncoder().encode() (UTF-8 bytes of the hex string) instead of base64urlToBytes(), matching both the Mintlify documentation and the API schema clarification in #561.

• Single-line change in AuthenticateAndSign.tsx: swaps base64urlToBytes(challenge.challenge) for new TextEncoder().encode(challenge.challenge) so the challenge bytes fed to navigator.credentials.get() are the UTF-8 encoding of the lowercase hex string Grid returns, not an incorrect base64url decode.
• Comment updated to explain that the challenge is a hex string requiring UTF-8 encoding, closing the documentation gap for future readers.

Confidence Score: 4/5

Safe to merge — the encoding change is a straightforward one-liner that matches the documented API contract, and the only remaining concern is a dead base64urlToBytes helper that should be cleaned up.

The core fix is correct and validated against both the Mintlify docs and the API schema clarification. The base64urlToBytes function is now unreachable dead code — no functional impact, but it should be removed to avoid confusion.

samples/frontend/src/steps/embeddedWallet/AuthenticateAndSign.tsx — the now-unused base64urlToBytes function at the bottom of the file.

Important Files Changed

Filename	Overview
samples/frontend/src/steps/embeddedWallet/AuthenticateAndSign.tsx	Fixes challenge encoding from base64url-decode to UTF-8 TextEncoder, matching docs and the schema clarification from #561. The now-unused base64urlToBytes helper remains as dead code.

Sequence Diagram

sequenceDiagram
  participant C as Client (Browser)
  participant G as Grid API
  participant A as Authenticator (OS)

  C->>G: "POST /auth/credentials/{id}/challenge { clientPublicKey }"
  G-->>C: "{ challenge (hex string), requestId }"
  Note over C: new TextEncoder().encode(challenge)<br/>(UTF-8 bytes of hex string — this PR's fix)
  C->>A: "navigator.credentials.get({ challenge: utf8Bytes })"
  A-->>C: WebAuthn assertion
  C->>G: "POST /auth/credentials/{id}/verify { assertion }<br/>Request-Id: requestId"
  G-->>C: "{ encryptedSessionSigningKey }"

Loading

Comments Outside Diff (1)

1. samples/frontend/src/steps/embeddedWallet/AuthenticateAndSign.tsx, line 204-212 (link)

   The base64urlToBytes helper is now unreferenced — its only call site was the challenge field that this PR migrated to TextEncoder. Removing it eliminates dead code and avoids confusing future readers who might wonder whether base64url decoding is still part of any path.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: samples/frontend/src/steps/embeddedWallet/AuthenticateAndSign.tsx
   Line: 204-212
   
   Comment:
   The `base64urlToBytes` helper is now unreferenced — its only call site was the `challenge` field that this PR migrated to `TextEncoder`. Removing it eliminates dead code and avoids confusing future readers who might wonder whether base64url decoding is still part of any path.
   
   
   
   How can I resolve this? If you propose a fix, please make it concise.

   Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
samples/frontend/src/steps/embeddedWallet/AuthenticateAndSign.tsx:204-212
The `base64urlToBytes` helper is now unreferenced — its only call site was the `challenge` field that this PR migrated to `TextEncoder`. Removing it eliminates dead code and avoids confusing future readers who might wonder whether base64url decoding is still part of any path.

```suggestion

```

_{Reviews (1): Last reviewed commit: "[samples] fix passkey challenge encoding..." | Re-trigger Greptile}