DELETE /v1/users/me/passkeys/:id
Revoke an enrolled passkey. Idempotent.
::: tip Auth
Required: cookie or Bearer.
:::
Request
DELETE /v1/users/me/passkeys/:id
| Path param | Type | Notes |
|---|---|---|
| id | UUID | The passkey row id from GET /v1/users/me/passkeys. |
Response
204 No Content
If this was the user's last enrolled passkey, passkey_enabled is flipped
back to false on the user record.
Error responses
| Status | Code | When |
|---|---|---|
| 401 | authentication_required | No valid auth credential. |
| 404 | not_found | No such passkey, OR the passkey belongs to a different user. The SDK returns 404 in both cases so attackers can't enumerate ids. |
Example: curl
curl -X DELETE https://auth.example.com/v1/users/me/passkeys/a8f3c2d1-... -b cookies.txt
Notes
- An audit entry (auth.passkey.removed) is recorded.
- This does NOT revoke active browser sessions established via this passkey. Use DELETE /v1/auth/sessions for that.
- If the user has no other auth method (password is empty AND no other passkeys AND MFA off), removing their last passkey leaves them with no way to sign in. The SDK does not prevent this — your UI should warn.
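
A client-side version of the lockout warning from the last note, as an added example (not code from the SDK or from this page). The field names `has_password` and `mfa_enabled`, the `confirmLockout` callback, and the shape of the passkey list (objects with an `id`) are assumptions.

```javascript
// Added example. has_password and mfa_enabled are assumed field names for
// the user record; passkeys is the list from GET /v1/users/me/passkeys.
function assessPasskeyRemoval(user, passkeys, targetId) {
  const listed = passkeys.some((p) => p.id === targetId);
  const others = passkeys.filter((p) => p.id !== targetId).length;
  const lastPasskey = listed && others === 0;
  // Lockout condition from the notes: password empty AND no other
  // passkeys AND MFA off.
  const lockout = lastPasskey && !user.has_password && !user.mfa_enabled;
  return { listed, lastPasskey, lockout };
}

// confirmLockout is a hypothetical UI callback resolving to true/false.
// fetchImpl is injectable so the flow can be exercised without a server.
async function removePasskey(baseUrl, id, user, passkeys, confirmLockout, fetchImpl = fetch) {
  const check = assessPasskeyRemoval(user, passkeys, id);
  if (check.lockout && !(await confirmLockout(check))) {
    return { removed: false, reason: "cancelled" };
  }
  const res = await fetchImpl(
    `${baseUrl}/v1/users/me/passkeys/${encodeURIComponent(id)}`,
    { method: "DELETE", credentials: "include" } // cookie auth
  );
  if (res.status === 204) {
    // If lastPasskey is true the server has flipped passkey_enabled to false.
    // Sessions created with this passkey are still active; revoke them
    // separately with DELETE /v1/auth/sessions if that is the intent.
    return { removed: true, lastPasskey: check.lastPasskey };
  }
  // 404 covers both "no such passkey" and "belongs to another user";
  // show one generic message and do not try to tell them apart.
  if (res.status === 404) return { removed: false, reason: "not_found" };
  if (res.status === 401) return { removed: false, reason: "authentication_required" };
  throw new Error(`unexpected status ${res.status}`);
}

// Constructed sample data (not from a real account).
const sampleUser = { has_password: false, mfa_enabled: false };
const samplePasskeys = [{ id: "11111111-1111-4111-8111-111111111111" }];
console.log(assessPasskeyRemoval(sampleUser, samplePasskeys, samplePasskeys[0].id));
```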