Deleting passkeys from your backend and the user's local device

TL;DR

Passkeys are comprised of two components - a private element, which remains on the user’s device, and the public element, which is stored in your vault. You need to ensure both components remain in sync. Passlock offers tooling to help you do this.

Deleting a passkey from your vault

Use the @passlock/server library to remove a passkey from your vault:

Default

import { deletePasskey, isNotFoundError } from "@passlock/server";

// get these from your development tenancy settings
const tenancyId = "myTenancyId";
const apiKey = "myApiKey";

try {
  const result = await deletePasskey({ passkeyId, tenancyId, apiKey });
} catch (e) {
  if (isNotFoundError(e)) {
    // passkey not found in the vault
  }
}

Safe

import {
  deletePasskey,
  isNotFoundError
} from "@passlock/server/safe";

// get these from your development tenancy settings
const tenancyId = "myTenancyId";
const apiKey = "myApiKey";

const result = await deletePasskey({ passkeyId, tenancyId, apiKey });

if (result.success) {
  // success
} else if (isNotFoundError(result.error)) {
  // passkey not found in the vault
} else {
  console.error(result.error.message);
}

Deleting a passkey from a device

Use the @passlock/client library to remove a passkey from a user’s device:

Default

import { deletePasskey, isDeleteError } from "@passlock/client";

// get this from your development tenancy settings
const tenancyId = "myTenancyId";
const passkeyId = "myPasskeyId";

try {
  const result = await deletePasskey({ tenancyId, passkeyId });
} catch (e) {
  if (isDeleteError(e)) {
    console.log(e.message);
  }
}

Safe

import { deletePasskey } from "@passlock/client/safe";

// get this from your development tenancy settings
const tenancyId = "myTenancyId";
const passkeyId = "myPasskeyId";

const result = await deletePasskey({ tenancyId, passkeyId });

if (result.success) {
  // happy days
} else {
  console.log(result.error.message);
}

Tip

You can also delete a device passkey in response to an OrphanedPasskeyError, even if you don’t know the passkey id. This scenario can occur when using autofill. See deletion following an orphaned passkey error

Backend and frontend deletion

You can first delete a passkey from your vault, then pass the result to your frontend code…

Default

import { deletePasskey } from "@passlock/server";

const result = await deletePasskey({ passkeyId, tenancyId, apiKey });

// send the DeletedPasskey payload to your frontend
res.send(JSON.stringify(result));

Safe

  import { deletePasskey } from "@passlock/server/safe";

  const result = await deletePasskey({ passkeyId, tenancyId, apiKey });

  if (result.success) {
    // send the DeletedPasskey payload to your frontend
    res.send(JSON.stringify(result.value));
  }

Default

import { deletePasskey } from "@passlock/client";

// result of calling deletePasskey in your backend
const backendDeletionResult = {
  _tag: "DeletedPasskey",
  deleted: { credentialId: "...", userId: "...", rpId: "..." },
};

try {
  const result = await deletePasskey(backendDeletionResult.deleted);
} catch (e) { ... }

Safe

import { deletePasskey } from "@passlock/client/safe";

// result of calling deletePasskey in your backend
const backendDeletionResult = {
  _tag: "DeletedPasskey",
  deleted: { credentialId: "...", userId: "...", rpId: "..." },
};

const result = await deletePasskey(backendDeletionResult.deleted);

if (!result.success) {
  console.error(result.error.message);
}

Tip

This is more efficient because when you call deletePasskey({ tenancyId, passkeyId }) in frontend code, the @passlock/client library first needs to lookup metadata to pass to the device. The result of calling deletePasskey in the backend @passlock/server library already includes this metadata in result.deleted.

Tip

For bulk removal, pair @passlock/server’s deleteUserPasskeys helper with @passlock/client’s deleteUserPasskeys helper. If your backend is the source of truth for which passkeys should remain on the device, use prunePasskeys to keep only the allowed passkey IDs.

Deletion following an OrphanedPasskeyError

During client side authentication, if you receive an OrphanedPasskeyError, pass that error into the deletePasskey function:

Default

import {
  authenticatePasskey,
  deletePasskey,
  isOrphanedPasskeyError,
} from "@passlock/client";

try {
  const result = await authenticatePasskey({ ... });
} catch (e) {
  if (isOrphanedPasskeyError(e)) {
    if (confirm("Passkey invalid, remove it?")) {
      await deletePasskey(e);
    }
  }
}

Safe

import {
  authenticatePasskey,
  deletePasskey,
  isOrphanedPasskeyError,
} from "@passlock/client/safe";

const result = await authenticatePasskey({ ... });

if (!result.success && isOrphanedPasskeyError(result.error)) {
  if (confirm("Passkey invalid, remove it?")) {
    const deletion = await deletePasskey(result.error);

    if (!deletion.success) {
      console.error(deletion.error.message);
    }
  }
} else if (!result.success) {
  console.error(result.error.message);
}

Note

Programmatic passkey removal is an experimental feature that some browsers don’t yet support (as of February 2026). However it is gaining traction so it’s worth testing for it and using if supported.