Account Deletion
1pass lets you permanently delete your own account at any time (in compliance with Apple App Store Guideline 5.1.1(v)).
Where do I do it?
In the iOS / macOS app: Settings → Delete Account.
Tap "Delete Permanently" in the confirmation dialog, and the deletion is processed immediately.
What gets deleted
The following data is all deleted:
- Linked logins (Apple, Google)
- Every registered device and device secret
- Passkeys (WebAuthn credentials)
- OTP/TOTP settings and backup codes
- Personal API Keys
- Connection records for every external app (RP) you consented to, plus their access tokens
- Sign-in activity (login logs)
- Profile information (nickname, email, custom claims)
What happens after deletion
The moment you delete your account:
- Every login session ends, including those on other devices.
- The access tokens, refresh tokens, and consent for external apps (RPs) issued through 1pass are revoked immediately.
- If an RP has registered a webhook URL, token.revoked / consent.revoked events are dispatched immediately. When the RP processes them, you are logged out of that app automatically. (If the RP has no webhook or fails to process the event, the token is treated as expired the next time it is validated.)
- Signing up again immediately with the same Apple/Google account is blocked for 30 days.
30-day grace period
- Within 30 days: Contact our operations team (support@1pass.dev — you can also use Developer Console → Support) to recover your account.
- After 30 days: Your account and the user data listed above are permanently deleted. You can then sign up fresh with the same Apple/Google account.
Automatic permanent deletion is handled by a background job (PurgeUserJob), with no further action required from you.
What is retained in anonymized form
The following audit and security logs remain in the database, but with the user identifier (user_id) anonymized to NULL — they are kept to satisfy security and legal requirements such as tracking anomalous logins, investigating abuse, and meeting audit obligations toward external app (RP) operators. These logs do not include your email, name, contact details, or device information, and cannot be traced back to who created them.
- Authentication event audit logs (authentication_audit_logs)
- Apple server notification records (apple_server_notifications)
- Developer portal audit logs (developer_audit_logs)
- CLI authorization records (cli_grants)
- QR login session records for logins you approved from another device (qr_login_sessions)
How this differs from "log out" and "reset account"
| Action | Server data | Other devices | External apps (RP) |
|---|---|---|---|
| Log out | Retained | No effect | No effect |
| Reset account (anonymous accounts only) | Retained (an anonymous user row remains on the server) | Continues as a new anonymous user | No effect |
| Delete account | Unusable immediately, permanently deleted after 30 days | Forced logout immediately | Webhook dispatched immediately |
Frequently asked questions
Q. I deleted my account by mistake. Can I recover it?
If it has been less than 30 days, recovery is automatic — just sign in again with SSO using the same Apple/Google account, and the server finds the soft-deleted user whose apple_sub (or google_sub) matches and restores it automatically (find_restorable_within_grace). Even without the same SSO, you can recover through the same path as long as the email address you used at deletion time matches (for example, an email/password account). Once 30 days have passed, PurgeUserJob has already hard-deleted the account, so recovery is no longer possible — you proceed as a new sign-up.
For cases where automatic recovery does not apply (for example, signing up fresh with the same email through a different provider, or triggering hijack detection), contact our operations team (support@1pass.dev — you can also use Developer Console → Support) with the Apple/Google ID or nickname you used to sign up, and we will verify it manually.
Q. How do I sign up again right away with the same Apple ID?
Sign in with SSO using the same Apple/Google account within the 30-day grace period → the automatic recovery above brings the same user back to life. Only after the 30-day grace period ends are you treated as a "new" sign-up. Before then, you will see either a "this account is being deleted" message or automatic recovery.
Q. What happens to the external apps I connected through 1pass?
The access tokens and consent for those apps are revoked immediately on the 1pass server. If an app has registered a webhook, token.revoked / consent.revoked events are dispatched immediately, and you are logged out of that app as well. If no webhook is registered or there is a temporary outage, that app receives a 401 the next time it validates the token and logs you out.
Q. Does deletion apply across all platforms?
Yes. Once you delete, all data is removed regardless of where it was created — iOS, macOS, Android, or CLI.
How the 30-day grace period interacts with merges
When a soft-deleted user becomes the target of a merge:
- A merge that would restore a deleted user: if MergeService receives a user with purge_state set, whether as the absorbed user or the survivor, it returns :user_in_purge and the merge fails. Operator intervention is required; since the user deliberately deleted the account, it is not brought back to life through an automatic merge.
- SSO automatic recovery during the grace period: after a soft-deleted user is restored via find_restorable_within_grace, if that user has the same email as another active user, a T2 trigger can fire at that point. This is intended behavior.
Deleting a merged user
When a request comes in to delete the row of a user that has already been absorbed (linked_user_id):
- That user's row is a forensic-tracking target in identity_links, so it is not hard-deleted immediately.
- Instead, the personally-identifying fields (email, name, provider sub) are anonymized and deleted_at is set.
- user.grants_revoked is emitted to the affected RPs, but the survivor's grants remain alive.
This is because an absorbed user is "still part of another person's merge history," and it is a trade-off between GDPR's data-minimization principle and audit obligations. For the procedure when a user asks to "undo the merge itself," see Rollback Policy.
Two-tier purge state machine
[active]
│ user request →
▼
[soft_deleted] ← 30-day grace period. Automatically recovered on SSO re-login.
│ 30 days elapse →
▼
[purge_queued] ← PurgeUserJob starts cleanup.
│ all credentials/sessions/grants revoked →
▼
[purged] ← Only anonymized rows remain. Recovery impossible.

Each state transition is recorded in the audit log, and operators can look up the current state of any user from the operator console.
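
The state machine above, together with grace-period recovery and the merge guard, as a small Ruby model. This is an added example, not 1pass source code: the User struct, the function bodies, the integer-seconds clock, and reading "purge_state set" as "any state other than active" are assumptions.

```ruby
# Added model of the lifecycle on this page; not 1pass source code.
GRACE = 30 * 24 * 60 * 60 # 30-day grace period, in seconds
# Allowed transitions, read off the state diagram above.
TRANSITIONS = {
  active: [:soft_deleted], soft_deleted: [:active, :purge_queued],
  purge_queued: [:purged], purged: []
}.freeze
User = Struct.new(:id, :apple_sub, :state, :deleted_at, :audit)

def transition!(user, to, now)
  ok = TRANSITIONS.fetch(user.state).include?(to)
  raise ArgumentError, "illegal transition #{user.state} -> #{to}" unless ok
  user.audit << [now, user.state, to] # every transition is audit-logged
  user.state = to
end

def request_deletion(user, now)
  transition!(user, :soft_deleted, now)
  user.deleted_at = now
end

# Assumed body for find_restorable_within_grace: match apple_sub, restore only
# a soft_deleted user whose deletion is less than 30 days old.
def restore_on_sso(users, apple_sub, now)
  user = users.find do |u|
    u.state == :soft_deleted && u.apple_sub == apple_sub && now - u.deleted_at < GRACE
  end
  return nil unless user
  transition!(user, :active, now)
  user.deleted_at = nil
  user
end

# Assumed body for PurgeUserJob: queue expired users, anonymize, mark purged.
def purge_expired(users, now)
  due = users.select { |u| u.state == :soft_deleted && now - u.deleted_at >= GRACE }
  due.each do |u|
    transition!(u, :purge_queued, now)
    u.apple_sub = nil # the identifier is dropped; only an anonymized row remains
    transition!(u, :purged, now)
  end
  due.map(&:id)
end

# Merge guard: a participant in any purge state fails with :user_in_purge.
def merge_check(absorbed, survivor)
  return :user_in_purge if [absorbed, survivor].any? { |u| u.state != :active }
  :ok
end
```

Because purged has no outgoing transitions, any attempt to restore a purged user raises instead of silently reviving it.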