When a passkey is registered with residentKey=required on an Apple device, iOS/macOS stores it in iCloud Keychain; it is automatically synced to other devices signed in with the same Apple ID under the same iCloud Keychain access group.
On Android, passkeys registered via the Credential Manager API are stored in Google Password Manager and synced across Android devices signed in with the same Google Account.
The credentialBackedUp flag (bit 3 of authenticatorData flags byte) indicates the passkey is synced/backed up; credentialSourceType is discoverable-credential.
From a relying party perspective, synced passkeys behave identically to device-bound passkeys — the same credential ID and public key work on all synced devices; no special server-side handling is needed.
To distinguish synced from hardware-bound credentials, check the credentialBackedUp flag during registration and store it; use this metadata to apply risk policy (e.g. high-value operations may require hardware-bound credentials).
Known gotchas
Sign counters are not reliably incremented across synced passkey instances — counter-based clone detection will produce false positives; see the clone detection route for policy guidance.
Passkey sync only occurs within the same ecosystem (Apple-to-Apple, Google-to-Google); cross-ecosystem sharing is not currently supported by the platform providers.
Deleting a passkey from the relying party server does not automatically delete it from the user's cloud keychain; surface UI to guide users to remove it from their device/cloud settings as well.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp