docs(openapi): keep pending auth on funding source

[DhruvPareek]

Summary

• remove card-level PENDING_AUTH from CardState
• describe embedded-wallet delegated authorization as a funding-source prerequisite
• include fundingSourceId in DelegatedKey responses/examples

Validation

• npm run lint:openapi

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ignored	Preview	Jun 23, 2026 12:19am
grid-wallet-demo	Ignored	Preview	Jun 23, 2026 12:19am

[github-actions]

⚠️ Breaking OpenAPI changes detected

This PR introduces breaking changes to openapi.yaml:

API Changelog 2025-10-13 vs. 2025-10-13

API Changes

GET /cards

• ⚠️ removed the enum value PENDING_AUTH from the query request parameter state

POST webhook:card-funding-source-change

• ⚠️ removed the enum value PENDING_AUTH of the request property allOf[subschema #2]/data/state

POST webhook:card-state-change

• ⚠️ removed the enum value PENDING_AUTH of the request property allOf[subschema #2]/data/state

---

Detected by oasdiff. This PR will need approval from an API reviewer before merge.

[github-actions]

✱ Stainless preview builds for grid

This PR will update the grid SDKs with the following commit messages.

cli

chore(internal): regenerate SDK with no functional changes

csharp

fix(types): remove PendingAuth state from card state enums

go

fix(types): remove PENDING_AUTH from card state enums

kotlin

fix(types): remove PENDING_AUTH from Card state enum

openapi

feat(api): add fundingSourceId to DelegatedKey, remove PENDING_AUTH from CardState

php

fix(types): remove PENDING_AUTH state from cards

python

fix(types): remove PENDING_AUTH state from cards

ruby

fix(api): remove PENDING_AUTH state from card and card list params

typescript

fix(types): remove PENDING_AUTH state from cards model and list params

✅ grid-openapi studio · code

Your SDK build had at least one "note" diagnostic.
generate ✅

✅ grid-ruby studio · code

Your SDK build had at least one "note" diagnostic.
generate ✅ → build ✅ → lint ✅ → test ✅

⚠️ grid-go studio · code

Your SDK build had a failure in the lint CI job, which is a regression from the base state.
generate ✅ → build ✅ → lint ❗ → test ❗

go get github.com/stainless-sdks/grid-go@a27cace47cfaa93ff7d6052bc7aceb489f20175f

✅ grid-kotlin studio · code

Your SDK build had at least one "note" diagnostic.
generate ✅ → build ✅ → lint ✅ → test ✅

⚠️ grid-python studio · code

Your SDK build had a failure in the lint CI job, which is a regression from the base state.
generate ✅ → build ✅ → lint ❗ → test ❗

pip install https://pkg.stainless.com/s/grid-python/32ddfb226fd7c617501f80ff64676726ce32e885/grid-0.0.1-py3-none-any.whl

⚠️ grid-csharp studio · code

Your SDK build had a failure in the build CI job, which is a regression from the base state.
generate ⚠️ → build ❗ → lint ✅ → test ❗

✅ grid-php studio · code

Your SDK build had at least one "note" diagnostic.
generate ✅ → lint ✅ → test ✅

✅ grid-typescript studio · code

Your SDK build had at least one "note" diagnostic.
generate ✅ → build ✅ → lint ✅ → test ✅

npm install https://pkg.stainless.com/s/grid-typescript/df34d0ffec870c6bf53d7928c020723e74a85960/dist.tar.gz

⚠️ grid-cli studio · code

Your SDK build had a failure in the test CI job, which is a regression from the base state.
generate ⚠️ → build ⏭️ → lint ⏭️ → test ❗

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-06-23 00:31:46 UTC

[greptile-apps]

Greptile Summary

This PR moves delegated-authorization tracking from the card level to the funding-source level: PENDING_AUTH is removed from CardState, fundingSourceId is added as a required field on DelegatedKey, and all endpoint descriptions are updated to reflect that authorization is a per-funding-source prerequisite rather than a card-wide state.

• CardState enum: PENDING_AUTH removed from both the enum values and the state-table description; cards now always start directly in PROCESSING.
• DelegatedKey schema: fundingSourceId added to required and properties; top-level description and accountId field description updated from "card" to "card funding source" terminology; POST create example extended with the new field.
• cards.yaml / auth_delegated-keys.yaml: Prose updated to describe the delegated-key requirement as a funding-source prerequisite, with no PENDING_AUTH state-transition language remaining anywhere in the spec or Mintlify bundle.

Confidence Score: 5/5

Safe to merge — purely documentation changes with no application code, and all references have been consistently updated.

The change is documentation-only: it removes a card-level state, adds a field to a schema, and rewrites related prose. All six files are consistent, no stray PENDING_AUTH references remain anywhere in the spec or Mintlify bundle, the previous review comment about stale card language in DelegatedKey.yaml is fully addressed, and both bundled outputs match the source changes.

No files require special attention.

Important Files Changed

Filename	Overview
openapi/components/schemas/cards/CardState.yaml	Removes PENDING_AUTH from the CardState enum and its description table; no remaining references elsewhere in the spec.
openapi/components/schemas/auth/DelegatedKey.yaml	Adds fundingSourceId as a required property; updates description and accountId field description to 'card funding source' terminology throughout; no stale 'card' language remains.
openapi/paths/auth/auth_delegated-keys.yaml	POST create example updated with fundingSourceId; endpoint description already uses funding-source terminology correctly.
openapi/paths/cards/cards.yaml	createCard description updated: PENDING_AUTH state-transition prose removed; delegated-key requirement reframed as a funding-source prerequisite that does not block card state progression.
openapi.yaml	Bundled output — mirrors all changes from the source openapi/ files as expected.
mintlify/openapi.yaml	Mintlify bundle — identical diff to openapi.yaml, correctly regenerated from source.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Client
    participant Grid

    Note over Client,Grid: Card Creation (new flow)
    Client->>Grid: POST /cards (fundingSources: [InternalAccount:...])
    Grid-->>Client: "201 Card {state: PROCESSING}"

    Note over Client,Grid: Delegated-Key Flow (per funding source)
    Client->>Grid: "POST /auth/delegated-keys {fundingSourceId}"
    Grid-->>Client: "202 {payloadToSign, requestId}"
    Client->>Grid: POST /auth/delegated-keys + Grid-Wallet-Signature (leg 2)
    Grid-->>Client: "202 {payloadToSign, requestId}"
    Client->>Grid: POST /auth/delegated-keys + Grid-Wallet-Signature (leg 3)
    Grid-->>Client: "201 DelegatedKey {fundingSourceId, status: ACTIVE}"

    Note over Client,Grid: Card transitions independently
    Grid-->>Client: webhook card.state_change to ACTIVE
    Note over Client,Grid: Authorization Decisioning can now use funding source

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Client
    participant Grid

    Note over Client,Grid: Card Creation (new flow)
    Client->>Grid: POST /cards (fundingSources: [InternalAccount:...])
    Grid-->>Client: "201 Card {state: PROCESSING}"

    Note over Client,Grid: Delegated-Key Flow (per funding source)
    Client->>Grid: "POST /auth/delegated-keys {fundingSourceId}"
    Grid-->>Client: "202 {payloadToSign, requestId}"
    Client->>Grid: POST /auth/delegated-keys + Grid-Wallet-Signature (leg 2)
    Grid-->>Client: "202 {payloadToSign, requestId}"
    Client->>Grid: POST /auth/delegated-keys + Grid-Wallet-Signature (leg 3)
    Grid-->>Client: "201 DelegatedKey {fundingSourceId, status: ACTIVE}"

    Note over Client,Grid: Card transitions independently
    Grid-->>Client: webhook card.state_change to ACTIVE
    Note over Client,Grid: Authorization Decisioning can now use funding source

Loading

_{Reviews (3): Last reviewed commit: "docs(openapi): keep pending auth off car..." | Re-trigger Greptile}

[DhruvPareek]

fixed the P2 "Stale "card" language in schema description"

[DhruvPareek]

@greptileai review