feat: add SMS authentication to signup/login

[broody]

Summary

• Add "sms" as a new authentication method in the signup/login flow
• Create useSmsAuthentication hook implementing the SMS OTP flow:
  1. POST /oauth2/sms (backend) → sends OTP, returns otpId
  2. Frontend collects OTP code from user via SmsOtpForm overlay
  3. POST /oauth2/sms/verify (backend) → verifies code + logs in, returns credentialBundle
  4. Frontend injects credentialBundle into Turnkey iframe → gets wallet
• Follows the same architecture as OAuth: backend handles Turnkey API calls, frontend injects credentials and manages wallet
• Add MobileIcon to signup/auth buttons
• SMS signer registered as EIP-191 with provider "sms"

Dependencies

• Backend: internal#4225 (SMS verify+login endpoint)

Test plan

• SMS option appears in signup method selection
• Phone number input → sends OTP → code input → verifies → creates account
• Login flow works for existing SMS-authenticated accounts
• Existing auth methods (passkey, social, password) unaffected
• Sandbox testing: phone +19999999999, code 000000

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
controller-example-next	Ready	Preview	Mar 24, 2026 7:39pm
keychain	Ready	Preview	Mar 24, 2026 7:39pm
keychain-storybook	Ready	Preview	Mar 24, 2026 7:39pm

[claude]

Claude finished @broody's task —— View job

---

Documentation Analysis Complete

• Analyze PR changes to determine if documentation updates are needed
• Locate canonical authentication documentation
• Update documentation with SMS authentication details
• Document changes for commit

Summary

This PR adds SMS authentication as a new user-facing authentication method. I've updated the documentation in the docs repository.

Changes Made

Updated /src/pages/controller/headless-authentication.md in the cartridge-gg/docs repository:

1. Added SMS Authentication section with code example showing signer: "sms" usage
2. Updated Supported Signer Options list to include sms
3. Updated validation function example to include sms in the validSigners array
4. Added technical note explaining SMS uses OTP verification and is registered as EIP-191 with provider "sms"

File Modified

docs-repo/src/pages/controller/headless-authentication.md - The canonical location for authentication method documentation (already staged for commit)

Technical Details

The documentation follows the established pattern:

• Single canonical location (headless-authentication.md owns authentication methods)
• Minimal, focused edits (only SMS-related sections updated)
• One code example in the appropriate section
• Consistent formatting with existing authentication methods

Next Steps

The documentation changes are staged in the docs repository at /home/runner/work/controller/controller/docs-repo and ready to be committed by the team. The changes align with the PR's implementation of SMS authentication via Turnkey with OTP flow.

--- | Branch: claude/pr-2500-20260324-1946