Delete passkey

Delete a passkey from your vault.

Note

Passkeys are composed of a server-side and client-side component. This REST endpoint will only delete the server-side element. You should also try to programmatically delete the credential from the user’s browser, or instruct them to do so themselves.

HTTP

Request

DELETE https://api.passlock.dev/{tenancyId}/passkeys/{passkeyId} HTTP/1.1
Authorization: Bearer {apiKey}
Accept: application/json

HTTP Response:

Response

HTTP/1.1 202 Accepted
Content-Type: application/json

{
  "_tag": "Passkey",
  "id": "sewqeeqx69cr7axut7kat",
  "userId": "puubifsmidah0f8c0y9bm",
  "enabled": true,
  "credential": {
    "id": "bW9wN3IzenE0enJ5OXVnZXoxOWF4",
    "userId": "MTVkMTFmdHM1Yzg0bDN0anpieG9w",
    "username": "jdoe@example.com",
    "aaguid": "0000-0000-0000-0000",
    "backedUp": true,
    "counter": 0,
    "deviceType": "multiDevice",
    "transports": ["internal"],
    "publicKey": "dGhpcy1pcy1hLWNib3ItcHVibGljLWtleQ",
    "rpId": "example.com"
  },
  "platform": {
    "icon": "https://api.passlock.dev/aaguid/0000-0000-0000/icon.svg",
    "name": "Apple Passwords"
  },
  "createdAt": 1770123293,
  "updatedAt": 1770123293
}

Node JS

import { deletePasskey } from "@passlock/server";

const tenancyId = "myTenancyId";
const apiKey = "myApiKey";

const result = await deletePasskey({ passkeyId, tenancyId, apiKey });

// result.deleted = { credentialId, userId, rpId }

HTTP response properties

The raw HTTP response has the same payload as Get passkey.

Tip

If you use the @passlock/server helper instead of raw HTTP, the library normalizes the response to DeletedPasskey with result.deleted = { credentialId, userId, rpId }. You can pass result.deleted directly to the client delete helper.
See backend and frontend deletion