curl --request POST \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id}/challenge \
--header 'Authorization: Basic <encoded-value>'{
"id": "AuthMethod:019542f5-b3e7-1d02-0000-000000000001",
"accountId": "InternalAccount:019542f5-b3e7-1d02-0000-000000000002",
"type": "EMAIL_OTP",
"nickname": "example@lightspark.com",
"createdAt": "2026-04-08T15:30:01Z",
"updatedAt": "2026-04-08T15:35:00Z"
}Re-issue an authentication credential challenge
Re-issue the challenge for an existing authentication credential.
For EMAIL_OTP credentials, this triggers a new one-time password email to the address on file. The response is a plain AuthMethod; there is no challenge body to surface because the OTP is delivered out-of-band via email. After the user receives the new OTP, call POST /auth/credentials/{id}/verify to complete verification and issue a session.
For PASSKEY credentials, this issues a fresh Grid-generated WebAuthn challenge for reauthentication. The response is a PasskeyAuthChallenge — the base AuthMethod fields plus the new challenge, requestId, and expiresAt. The client passes the challenge into navigator.credentials.get() and submits the resulting assertion to POST /auth/credentials/{id}/verify with Request-Id: <requestId> to receive a session.
curl --request POST \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id}/challenge \
--header 'Authorization: Basic <encoded-value>'{
"id": "AuthMethod:019542f5-b3e7-1d02-0000-000000000001",
"accountId": "InternalAccount:019542f5-b3e7-1d02-0000-000000000002",
"type": "EMAIL_OTP",
"nickname": "example@lightspark.com",
"createdAt": "2026-04-08T15:30:01Z",
"updatedAt": "2026-04-08T15:35:00Z"
}Authorizations
API token authentication using format <api token id>:<api client secret>
Path Parameters
The id of the authentication credential to re-challenge (the id field of the AuthMethod returned from POST /auth/credentials).
Response
Challenge re-issued for the authentication credential. For EMAIL_OTP the body is a plain AuthMethod and a new OTP email has been sent. For PASSKEY the body is a PasskeyAuthChallenge carrying the freshly issued challenge, requestId, and expiresAt required to complete reauthentication via POST /auth/credentials/{id}/verify.
- Auth Method Response
- Passkey Auth Challenge
Strict wrapper around AuthMethod used inside AuthCredentialResponseOneOf for the EMAIL_OTP and OAUTH branches. The only difference from AuthMethod is unevaluatedProperties: false, which disambiguates the oneOf against PasskeyAuthChallenge — without the strictness, an AuthMethod with extra fields would ambiguously match both branches.
System-generated unique identifier for the authentication credential.
"AuthMethod:019542f5-b3e7-1d02-0000-000000000001"
Identifier of the internal account that this credential authenticates.
"InternalAccount:019542f5-b3e7-1d02-0000-000000000002"
The type of authentication credential.
OAUTH: OpenID Connect (OIDC) token issued by an identity provider such as Google or Apple.EMAIL_OTP: A one-time password delivered to the user's email address.PASSKEY: A WebAuthn passkey bound to the user's device.
OAUTH, EMAIL_OTP, PASSKEY Human-readable identifier for this credential. For EMAIL_OTP credentials this is the email address; for OAUTH credentials it is typically the email claim from the OIDC token; for PASSKEY credentials it is the nickname provided at registration time.
"example@lightspark.com"
Creation timestamp.
"2026-04-08T15:30:01Z"
Last update timestamp.
"2026-04-08T15:35:00Z"
Was this page helpful?