Published: December 5, 2025
Starting with Chrome 144, the Signal API is available on Chrome for Android. This API allows relying parties (RPs) keep the passkeys stored in a user's passkey provider consistent with the credentials on the server.
Why use the Signal API?
When a user creates a passkey, the passkey provider (such as Google Password Manager) saves the private key and metadata (like username and display name), while your server saves the public key.
Over time, these can get out of sync. For example:
- Deleted passkey: A user deletes their credential on your website, but the passkey remains in their passkey provider. The next time they try to sign in, the passkey provider offers a passkey that no longer works.
- Name changes: A user updates their username on your site, but the passkey provider still shows the old name.
The Signal API solves this by allowing your website to "signal" the current state of credentials to the passkey provider. You can tell the provider to delete invalid passkeys or update metadata, ensuring a seamless sign-in experience.
What's new
The Signal API on Chrome for Android works identically to the desktop implementation, with specific enhancements for the mobile ecosystem.
Support for third-party password managers
The Signal API is available for Google Password Manager on all supported Android versions. On Android 14 and later, the Signal API also integrates with the system's passkey provider. When Chrome broadcasts a signal on these devices, it is not limited to Google Password Manager. Chrome sends the signal to all enabled passkey providers on the device.
If a user manages passkeys with a third-party provider that supports the Signal API, that provider receives the update and keeps the user's credentials in sync.
Safer syncing with passkey restoration
Google Password Manager supports a safety mechanism for Signal API updates on both Android and desktop.
Previously, when an RP signaled that a credential was unknown or removed, the passkey was permanently deleted. Now, Google Password Manager hides the passkey instead of deleting it.
- Hidden passkeys: The passkey no longer appears in autofill or sign-in dialogs, preventing sign-in failures.
- Restoration: If the signal was sent in error, the passkey can be restored.
Use Signal the API
Signal API exposes three methods to keep credentials in sync:
- Use
signalUnknownCredentialwhen a passkey sign-in fails because the credential ID is not found on your server. This signals the provider to remove (or hide) the invalid passkey. - Use
signalAllAcceptedCredentialsafter a user signs in or manages their account settings. You provide a list of all valid credential IDs for that user. The passkey provider compares the list against its local storage for that relying party. Any passkey found in the passkey provider that is not included in theallAcceptedCredentialIdslist is marked as "hidden." These hidden passkeys are no longer offered for sign-in or autofill, but they are not permanently deleted immediately, allowing for restoration if necessary. Conversely, passkeys present inallAcceptedCredentialIdsthat are marked as "hidden" in the passkey provider are restored. This allows your website to restore passkeys that had been hidden in error. - Use
signalCurrentUserDetailswhen a user updates their profile (such as their display name) on your website, and after every sign-in. This ensures the passkey provider displays the correct information during future sign-ins.
Summary
The Signal API helps you build a reliable and user-friendly authentication experience. By implementing these signals, you prevent confusion caused by outdated passkeys and ensure that users always see accurate account information.
With support now available on Chrome for Android, you can deliver this synchronized experience across devices and passkey providers and password managers.
Learn more
- Follow updates at Chrome Developers blog
- Start learning passkeys from Using passkeys on the web