Verified steps

After a user action that revokes a credential server-side (e.g. user removes a device, admin revokes, inactivity timeout), call PublicKeyCredential.signalUnknownCredential({rpId, credentialId}) during the next authenticated session to signal the browser/passkey provider to remove the stale credential
Periodically call PublicKeyCredential.signalAllAcceptedCredentials({rpId, userId, allAcceptedCredentialIds}) after successful authentication to provide the complete current list of valid credentials for that user, triggering removal of any not in the list
Call PublicKeyCredential.signalCurrentUserDetails({rpId, userId, name, displayName}) after a user updates their display name or username to keep the passkey provider's UI label current
Wrap all Signal API calls in feature detection (if ('signalUnknownCredential' in PublicKeyCredential)) as the API is not yet universally supported
Call the Signal API only after a successful authentication to ensure the user is present; calling it during unauthenticated flows could expose credential existence information
Understand that Signal API calls are hints to the platform credential store — they may not be acted upon immediately or at all on some platforms; server-side revocation is the authoritative source of truth

Known gotchas

As of early 2026, the Signal API is supported on Chrome desktop only, and for Google Password Manager credentials only; iCloud Keychain and Windows Hello support depends on OS updates — do not rely on Signal API alone for security-critical revocation
signalAllAcceptedCredentials removes passkeys from the provider's UI that are not in the list but the credentials still exist on the server in their original form — this is a UI hint, not a server-side delete
The Signal API methods may throw if the rpId does not match the current page origin's eTLD+1; always call these methods from a page on the correct RP domain

w3.org/webauthn · 6 steps · unrated

Implement a cross-device consent synchronization flow using a consent server-side API and signed JWT tokens

docs.transcend.io · 6 steps · unrated

Implement WebAuthn passkey authentication ceremony on the web

w3c.github.io/webauthn · 6 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Manage the WebAuthn Signal API to synchronize server-side credential revocations to client passkey providers

Verified steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes