Deleting passkeys

TL;DR

Passkeys are comprised of two components - a private element, which remains on the user’s device, and the public element, which is stored in your vault. You need to ensure both components remain in sync. Passlock offers tooling to help you do this.

Deleting a passkey from your vault

Use the @passlock/node library to remove a passkey from your vault:

backend/passkeys.ts

import {
  deletePasskey,
  isDeletedPasskey,
  isNotFound
} from "@passlock/node";

// get these from your development tenancy settings
const tenancyId = "myTenancyId";
const apiKey = "myApiKey";

const result = await deletePasskey(passkeyId, { tenancyId, apiKey });

if (isDeletedPasskey(result)) {
  // success
} else if (isNotFound(result)) {
  // passkey not found in the vault
} else {
  ...
}

Deleting a passkey from a device

Use the @passlock/client library to remove a passkey from a user’s device:

frontend/passkeys.ts

import { isPasskeyDeletionSupport, deletePasskey } from "@passlock/client";

// get this from your development tenancy settings
const tenancyId = "myTenancyId";
const passkeyId = "myPasskeyId";

if (isPasskeyDeletionSupport()) {
  deletePasskey(passkeyId, { tenancyId });
} else {
  // tell the user to delete the passkey from their password manager
}

Tip

You can also delete a device passkey in response to a PasskeyNotFound error, even if you don’t know the passkey id. This scenario can occur when using autofill. See deletion following a not found error

Backend and frontend deletion

You can first delete a passkey from your vault, then pass the result to your frontend code…

backend/passkeys.ts

import {
  deletePasskey,
  isDeletedPasskey,
} from "@passlock/node";

const result = await deletePasskey(passkeyId, { tenancyId, apiKey });

if (isDeletedPasskey(result)) {
  // send the result to your frontend
  res.send(JSON.stringify(result))
}

frontend/passkeys.ts

import { isPasskeyDeletionSupport, deletePasskey } from "@passlock/client";

// result of calling deletePasskey in your backend
const backendDeletionResult = { credentialId: "...", rpId: "..." };

if (isPasskeyDeletionSupport()) {
  deletePasskey(backendDeletionResult, { tenancyId });
}

Tip

This is more efficient because when you simply call deletePasskey(passkeyId) in your frontend code, the @passlock/client library needs to first lookup some data to pass to the device. The result of calling deletePasskey in the backend @passlock/node library already includes this data.

Deletion following a NotFound error

If you receive a PasskeyNotFound error, pass that error into the deletePasskey function:

frontend/login.ts

import {
  authenticatePasskey,
  deletePasskey,
  isPasskeyNotFound,
  isPasskeyDeletionSupport,
} from "@passlock/client";

const result = await authenticatePasskey({ ... });

if (isPasskeyNotFound(result) && isPasskeyDeletionSupport()) {
  if (confirm("Passkey invalid, remove it?")) {
    await deletePasskey(result, { tenancyId });
  }
}

Note

Programmatic passkey removal is an experimental feature that some browsers don’t yet support (as of February 2026). However it is gaining traction so it’s worth testing for it and using if supported.