Remove a Passkey Credential - Auth Energy

DELETE

/

identity-records

/

{ir}

/

credentials

/

{credentialId}

Remove a Passkey Credential

curl --request DELETE \
  --url https://api.central.consent/v1/identity-records/{ir}/credentials/{credentialId} \
  --header 'Authorization: Bearer <token>'

{
  "response": {
    "resource": "/v1/access-records/ak_691df0c788ca043403b7fa90",
    "timestamp": "2026-03-11T12:00:00Z",
    "transaction-id": "tid_691df0c788ca043403b7fa90"
  },
  "errors": [
    {
      "error-code": "VAL001",
      "message": "Field 'mpxn' does not match the required pattern."
    }
  ]
}

Authorizations

Authorization

string

header

required

JWT from GET /auth/token. Pass as Authorization: Bearer <token>. Expires after 7200s.

Path Parameters

ir

string

required

Unique opaque identifier for an Identity Record, issued by the register on creation. Referenced from record-metadata.identity-record-ref on an AccessRecord to link the two resources.

Pattern: ^ir_[0-9a-f]{24}$

Example:

"ir_a3c5e7f9b1d3a3c5e7f9b1d3"

credentialId

string

required

Unique identifier for a registered passkey credential.

Pattern: ^cred_[0-9a-f]{24}$

Example:

"cred_1a2b3c4d5e6f1a2b3c4d5e6f"

Response

Credential removed. No response body.

Last modified on March 25, 2026

Initiate Re-identificationInitiates or completes a re-identification flow for a returning customer, reconnecting them to their existing Identity Record without re-collecting all their details. **Three methods are supported:** **`magic-link`** — requires `email` to be stored on the Identity Record. The register dispatches a short-lived signed URL to the stored email address. The link expires after 15 minutes and is single-use. Supply an optional `redirect-url` (pre-registered for the Data User's DUID) to send the customer back to the Data User's application after clicking — the register appends `?dar-reid-token={token-ref}` so the application can confirm re-identification with a single call rather than polling. Without `redirect-url`, the customer lands on a confirmation page at `central.consent` and the Data User polls `GET /identity-records/{ir}/re-identify/{token-ref}` for confirmation. **`passkey-assert`** — requires at least one credential registered on the Identity Record. The register returns a WebAuthn assertion challenge. The Data User passes this to `navigator.credentials.get()`, then submits the signed assertion response back to this endpoint with `method: passkey-assert-complete` to verify and confirm re-identification. **`passkey-register`** — used when the customer has no existing passkey on the record (e.g. new device). Returns a WebAuthn registration challenge. The Data User completes the ceremony via `POST /identity-records/{ir}/credentials` to store the new public key, then the re-identification is confirmed. Re-identification does not modify the core Identity Record fields. It is a verification step confirming the returning individual is the same principal as originally recorded.

Remove a Passkey Credential

curl --request DELETE \
  --url https://api.central.consent/v1/identity-records/{ir}/credentials/{credentialId} \
  --header 'Authorization: Bearer <token>'

{
  "response": {
    "resource": "/v1/access-records/ak_691df0c788ca043403b7fa90",
    "timestamp": "2026-03-11T12:00:00Z",
    "transaction-id": "tid_691df0c788ca043403b7fa90"
  },
  "errors": [
    {
      "error-code": "VAL001",
      "message": "Field 'mpxn' does not match the required pattern."
    }
  ]
}