Prepare passkey deletion

Delete passkeys from your vault and prepare a short-lived token that lets the browser signal local passkey removal.

Delete by explicit Passlock passkey IDs:

1
POST https://api.passlock.dev/v2/{tenancyId}/passkeys/delete HTTP/1.1
2
Authorization: Bearer {apiKey}
3
Accept: application/json
4
Content-Type: application/json
5

6
{
7
  "passkeyIds": ["passkey_123", "passkey_456"]
8
}

Or delete every passkey for one application user:

1
POST https://api.passlock.dev/v2/{tenancyId}/passkeys/delete HTTP/1.1
2
Authorization: Bearer {apiKey}
3
Accept: application/json
4
Content-Type: application/json
5

6
{
7
  "userId": "tenant-user-id"
8
}

1
HTTP/1.1 202 Accepted
2
Content-Type: application/json
3

4
{
5
  "_tag": "PreparedPasskeyDeletion",
6
  "deletePasskeysToken": "opaque-random-token",
7
  "expiresAt": 1770123593000,
8
  "warnings": []
9
}

The request must include exactly one selector: passkeyIds or userId. Empty passkeyIds lists are invalid. Missing passkeys are returned as warnings when they do not prevent deletion.

Browser exchange

Send only deletePasskeysToken to your frontend, then call @passlock/browser’s deletePasskeys helper. The browser helper exchanges the token with:

1
POST https://api.passlock.dev/v2/{tenancyId}/passkeys/delete/exchange HTTP/1.1
2
Accept: application/json
3
Content-Type: application/json
4

5
{
6
  "deletePasskeysToken": "opaque-random-token"
7
}

1
HTTP/1.1 200 OK
2
Content-Type: application/json
3

4
{
5
  "_tag": "PasskeyDeletionInstructions",
6
  "instructions": [
7
    {
8
      "rpId": "example.com",
9
      "userId": "MTVkMTFmdHM1Yzg0bDN0anpieG9w",
10
      "credentialId": "bW9wN3IzenE0enJ5OXVnZXoxOWF4"
11
    }
12
  ],
13
  "warnings": []
14
}

Server helper

Prefer @passlock/server where possible:

1
import { Passlock } from "@passlock/server";
2

3
const passlock = new Passlock({ tenancyId, apiKey });
4

5
const result = await passlock.deletePasskeys({
6
  passkeyIds: ["passkey_123"],
7
});