diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index 4c3fba7a1..523febac1 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -29,7 +29,6 @@ import (
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
-	"github.com/pomerium/pomerium/pkg/grpc/device"
 	"github.com/pomerium/pomerium/pkg/grpc/directory"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
@@ -490,24 +489,40 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
 		return fmt.Errorf("invalid webauthn url: %w", err)
 	}
 
-	var deviceCredentials []*device.Credential
+	type DeviceCredentialInfo struct {
+		ID string
+	}
+	var currentDeviceCredentials, otherDeviceCredentials []DeviceCredentialInfo
 	for _, id := range pbUser.GetDeviceCredentialIds() {
-		deviceCredentials = append(deviceCredentials, &device.Credential{
-			Id: id,
-		})
+		selected := false
+		for _, c := range pbSession.GetDeviceCredentials() {
+			if c.GetId() == id {
+				selected = true
+			}
+		}
+		if selected {
+			currentDeviceCredentials = append(currentDeviceCredentials, DeviceCredentialInfo{
+				ID: id,
+			})
+		} else {
+			otherDeviceCredentials = append(otherDeviceCredentials, DeviceCredentialInfo{
+				ID: id,
+			})
+		}
 	}
 
 	input := map[string]interface{}{
-		"IsImpersonated":    isImpersonated,
-		"State":             s,         // local session state (cookie, header, etc)
-		"Session":           pbSession, // current access, refresh, id token
-		"User":              pbUser,    // user details inferred from oidc id_token
-		"DeviceCredentials": deviceCredentials,
-		"DirectoryUser":     pbDirectoryUser, // user details inferred from idp directory
-		"DirectoryGroups":   groups,          // user's groups inferred from idp directory
-		"csrfField":         csrf.TemplateField(r),
-		"SignOutURL":        signoutURL,
-		"WebAuthnURL":       webAuthnURL,
+		"IsImpersonated":           isImpersonated,
+		"State":                    s,         // local session state (cookie, header, etc)
+		"Session":                  pbSession, // current access, refresh, id token
+		"User":                     pbUser,    // user details inferred from oidc id_token
+		"CurrentDeviceCredentials": currentDeviceCredentials,
+		"OtherDeviceCredentials":   otherDeviceCredentials,
+		"DirectoryUser":            pbDirectoryUser, // user details inferred from idp directory
+		"DirectoryGroups":          groups,          // user's groups inferred from idp directory
+		"csrfField":                csrf.TemplateField(r),
+		"SignOutURL":               signoutURL,
+		"WebAuthnURL":              webAuthnURL,
 	}
 	return a.templates.ExecuteTemplate(w, "userInfo.html", input)
 }
diff --git a/authenticate/handlers/webauthn/helpers.go b/authenticate/handlers/webauthn/helpers.go
new file mode 100644
index 000000000..319e8952f
--- /dev/null
+++ b/authenticate/handlers/webauthn/helpers.go
@@ -0,0 +1,32 @@
+package webauthn
+
+import "github.com/pomerium/pomerium/pkg/grpc/session"
+
+func containsString(elements []string, value string) bool {
+	for _, element := range elements {
+		if element == value {
+			return true
+		}
+	}
+	return false
+}
+
+func removeString(elements []string, value string) []string {
+	dup := make([]string, 0, len(elements))
+	for _, element := range elements {
+		if element != value {
+			dup = append(dup, element)
+		}
+	}
+	return dup
+}
+
+func removeSessionDeviceCredential(elements []*session.Session_DeviceCredential, id string) []*session.Session_DeviceCredential {
+	dup := make([]*session.Session_DeviceCredential, 0, len(elements))
+	for _, element := range elements {
+		if element.GetId() != id {
+			dup = append(dup, element)
+		}
+	}
+	return dup
+}
diff --git a/authenticate/handlers/webauthn/webauthn.go b/authenticate/handlers/webauthn/webauthn.go
index 389f42406..bf95f9ad2 100644
--- a/authenticate/handlers/webauthn/webauthn.go
+++ b/authenticate/handlers/webauthn/webauthn.go
@@ -37,8 +37,14 @@ import (
 const maxAuthenticateResponses = 5
 
 var (
-	errMissingDeviceType  = httputil.NewError(http.StatusBadRequest, errors.New("device_type is a required parameter"))
-	errMissingRedirectURI = httputil.NewError(http.StatusBadRequest, errors.New("pomerium_redirect_uri is a required parameter"))
+	errMissingDeviceCredentialID = httputil.NewError(http.StatusBadRequest, errors.New(
+		urlutil.QueryDeviceCredentialID+" is a required parameter"))
+	errMissingDeviceType = httputil.NewError(http.StatusBadRequest, errors.New(
+		urlutil.QueryDeviceType+" is a required parameter"))
+	errMissingRedirectURI = httputil.NewError(http.StatusBadRequest, errors.New(
+		urlutil.QueryRedirectURI+" is a required parameter"))
+	errInvalidDeviceCredential = httputil.NewError(http.StatusBadRequest, errors.New(
+		"invalid device credential"))
 )
 
 // State is the state needed by the Handler to handle requests.
@@ -91,6 +97,8 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) error {
 		return h.handleAuthenticate(w, r, s)
 	case r.FormValue("action") == "register":
 		return h.handleRegister(w, r, s)
+	case r.FormValue("action") == "unregister":
+		return h.handleUnregister(w, r, s)
 	}
 
 	return httputil.NewError(http.StatusNotFound, errors.New(http.StatusText(http.StatusNotFound)))
@@ -297,6 +305,49 @@ func (h *Handler) handleRegister(w http.ResponseWriter, r *http.Request, state *
 	return h.saveSessionAndRedirect(w, r, state, redirectURIParam)
 }
 
+func (h *Handler) handleUnregister(w http.ResponseWriter, r *http.Request, state *State) error {
+	ctx := r.Context()
+
+	// get the user information
+	u, err := user.Get(ctx, state.Client, state.Session.GetUserId())
+	if err != nil {
+		return err
+	}
+
+	deviceCredentialID := r.FormValue(urlutil.QueryDeviceCredentialID)
+	if deviceCredentialID == "" {
+		return errMissingDeviceCredentialID
+	}
+
+	// ensure we only allow removing a device credential the user owns
+	if !containsString(u.GetDeviceCredentialIds(), deviceCredentialID) {
+		return errInvalidDeviceCredential
+	}
+
+	// delete the credential
+	deviceCredential, err := device.DeleteCredential(ctx, state.Client, deviceCredentialID)
+	if err != nil {
+		return err
+	}
+
+	// delete the corresponding enrollment
+	_, err = device.DeleteEnrollment(ctx, state.Client, deviceCredential.GetEnrollmentId())
+	if err != nil {
+		return err
+	}
+
+	// remove the credential from the user
+	u.DeviceCredentialIds = removeString(u.DeviceCredentialIds, deviceCredentialID)
+	_, err = user.Put(ctx, state.Client, u)
+	if err != nil {
+		return err
+	}
+
+	// remove the credential from the session
+	state.Session.DeviceCredentials = removeSessionDeviceCredential(state.Session.DeviceCredentials, deviceCredentialID)
+	return h.saveSessionAndRedirect(w, r, state, "/.pomerium")
+}
+
 func (h *Handler) handleView(w http.ResponseWriter, r *http.Request, state *State) error {
 	ctx := r.Context()
 
diff --git a/internal/frontend/assets/html/userInfo.html b/internal/frontend/assets/html/userInfo.html
index d010a4066..4615cc84e 100644
--- a/internal/frontend/assets/html/userInfo.html
+++ b/internal/frontend/assets/html/userInfo.html
@@ -182,10 +182,10 @@
         <div class="messages">
           <div class="box-inner">
             <div class="category-header clearfix">
-              <span class="category-title">Device Credentials</span>
+              <span class="category-title">Current Session Device Credentials</span>
             </div>
             </ul>
-            {{if .DeviceCredentials}}
+            {{if .CurrentDeviceCredentials}}
             <table>
               <thead>
               <tr>
@@ -193,9 +193,17 @@
               </tr>
               </thead>
               <tbody>
-              {{range .DeviceCredentials}}
+              {{range .CurrentDeviceCredentials}}
               <tr>
-                <td>{{.Id}}</td>
+                <td>{{.ID}}</td>
+                <td>
+                  <form action="{{$.WebAuthnURL}}" method="POST">
+                    {{$.csrfField}}
+                    <input type="hidden" name="action" value="unregister">
+                    <input type="hidden" name="pomerium_device_credential_id" value="{{.ID}}">
+                    <button type="submit">Delete</button>
+                  </form>
+                </td>
               </tr>
               {{end}}
               </tbody>
@@ -204,6 +212,35 @@
             No device credentials found!
             {{end}}
           </div>
+          {{if .OtherDeviceCredentials}}
+          <div class="box-inner">
+            <div class="category-header clearfix">
+              <span class="category-title">Other Device Credentials</span>
+            </div>
+            <table>
+              <thead>
+              <tr>
+                <th>ID</th>
+              </tr>
+              </thead>
+              <tbody>
+              {{range .OtherDeviceCredentials}}
+              <tr>
+                <td>{{.ID}}</td>
+                <td>
+                  <form action="{{$.WebAuthnURL}}" method="POST">
+                    {{$.csrfField}}
+                    <input type="hidden" name="action" value="unregister">
+                    <input type="hidden" name="pomerium_device_credential_id" value="{{.ID}}">
+                    <button type="submit">Delete</button>
+                  </form>
+                </td>
+              </tr>
+              {{end}}
+              </tbody>
+            </table>
+          </div>
+          {{end}}
           <div class="category-link">
             Register device with <a href="{{.WebAuthnURL}}">WebAuthn</a>.
           </div>
diff --git a/internal/frontend/assets/style/main.css b/internal/frontend/assets/style/main.css
index 86cadb832..67d2cf22b 100644
--- a/internal/frontend/assets/style/main.css
+++ b/internal/frontend/assets/style/main.css
@@ -147,6 +147,9 @@ body {
 .box-inner {
   padding: 35px;
 }
+.box-inner ~ .box-inner {
+  padding-top: 0;
+}
 
 .white {
   background: white;
diff --git a/internal/frontend/templates_test.go b/internal/frontend/templates_test.go
index f0dce44b6..f88a2e2b0 100644
--- a/internal/frontend/templates_test.go
+++ b/internal/frontend/templates_test.go
@@ -16,9 +16,5 @@ func TestNewTemplates(t *testing.T) {
 	err = tpl.ExecuteTemplate(&buf, "header.html", nil)
 	require.NoError(t, err)
 
-	assert.Equal(t, `
-<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
-<link rel="stylesheet" type="text/css" href="data:text/css;%20charset=utf-8;base64,LyoqKioqKiogR2xvYmFsICoqKioqKiovCgpib2R5LApkaXYsCmRsLApkdCwKZGQsCnVsLApvbCwKbGksCmgxLApoMiwKaDMsCmg0LApoNSwKaDYsCnByZSwKY29kZSwKZm9ybSwKZmllbGRzZXQsCmxlZ2VuZCwKaW5wdXQsCmJ1dHRvbiwKdGV4dGFyZWEsCnAsCmJsb2NrcXVvdGUsCnRoLAp0ZCB7CiAgbWFyZ2luOiAwOwogIHBhZGRpbmc6IDA7Cn0KCmZpZWxkc2V0LAppbWcgewogIGJvcmRlcjogMDsKfQphZGRyZXNzLApjYXB0aW9uLApjaXRlLApjb2RlLApkZm4sCmVtLApzdHJvbmcsCnRoLAp2YXIsCm9wdGdyb3VwIHsKICBmb250LXN0eWxlOiBpbmhlcml0OwogIGZvbnQtd2VpZ2h0OiBpbmhlcml0Owp9CmRlbCwKaW5zIHsKICB0ZXh0LWRlY29yYXRpb246IG5vbmU7Cn0KbGkgewogIGxpc3Qtc3R5bGU6IG5vbmU7Cn0KY2FwdGlvbiwKdGggewogIHRleHQtYWxpZ246IGxlZnQ7Cn0KaDEsCmgyLApoMywKaDQsCmg1LApoNiB7CiAgZm9udC1zaXplOiAxMDAlOwogIGZvbnQtd2VpZ2h0OiBub3JtYWw7Cn0KcTpiZWZvcmUsCnE6YWZ0ZXIgewogIGNvbnRlbnQ6ICIiOwp9CmFiYnIsCmFjcm9ueW0gewogIGJvcmRlcjogMDsKICBmb250LXZhcmlhbnQ6IG5vcm1hbDsKfQpzdXAgewogIHZlcnRpY2FsLWFsaWduOiBiYXNlbGluZTsKfQpzdWIgewogIHZlcnRpY2FsLWFsaWduOiBiYXNlbGluZTsKfQpsZWdlbmQgewogIGNvbG9yOiAjMDAwOwp9CmlucHV0LApidXR0b24sCnRleHRhcmVhLApzZWxlY3QsCm9wdGdyb3VwLApvcHRpb24gewogIGZvbnQtZmFtaWx5OiBpbmhlcml0OwogIGZvbnQtc2l6ZTogaW5oZXJpdDsKICBmb250LXN0eWxlOiBpbmhlcml0OwogIGZvbnQtd2VpZ2h0OiBpbmhlcml0Owp9CmlucHV0LApidXR0b24sCnRleHRhcmVhLApzZWxlY3QgewogICpmb250LXNpemU6IDEwMCU7Cn0KCmFzaWRlLApkaWFsb2csCmZpZ3VyZSwKZm9vdGVyLApoZWFkZXIsCmhncm91cCwKbWVudSwKbmF2LApzZWN0aW9uIHsKICBkaXNwbGF5OiBibG9jazsKfQoKaHRtbCwKYm9keSB7CiAgbWFyZ2luOiAwOwogIHBhZGRpbmc6IDA7Cn0KCmh0bWwgewogIGJhY2tncm91bmQ6ICNmNmY5ZmM7Cn0KCmJvZHkgewogIGZvbnQtZmFtaWx5OiAtYXBwbGUtc3lzdGVtLCBCbGlua01hY1N5c3RlbUZvbnQsICJTZWdvZSBVSSIsIFJvYm90bywKICAgICJIZWx2ZXRpY2EgTmV1ZSIsIHNhbnMtc2VyaWY7CiAgLXdlYmtpdC1mb250LXNtb290aGluZzogYW50aWFsaWFzZWQ7CiAgLW1vei1vc3gtZm9udC1zbW9vdGhpbmc6IGdyYXlzY2FsZTsKfQoKLmlubmVyIHsKICB3aWR0aDogNjE0cHg7CiAgbWFyZ2luOiBhdXRvOwogIG1hcmdpbi1ib3R0b206IDJlbTsKfQoKLmJveCB7CiAgb3ZlcmZsb3c6IGhpZGRlbjsKICBib3JkZXItcmFkaXVzOiA0cHg7CiAgYm94LXNoYWRvdzogMCAxNXB4IDM1cHggcmdiYSg1MCwgNTAsIDkzLCAwLjEpLCAwIDVweCAxNXB4IHJnYmEoMCwgMCwgMCwgMC4wNyk7Cn0KCi5ib3gtaW5uZXIgewogIHBhZGRpbmc6IDM1cHg7Cn0KCi53aGl0ZSB7CiAgYmFja2dyb3VuZDogd2hpdGU7Cn0KCmgyIHsKICBmb250LXNpemU6IDEuNWVtOwogIGZvbnQtc3R5bGU6IG5vcm1hbDsKICBjb2xvcjogIzQ0NDsKICBtYXJnaW46IDAgMCAwLjhlbSAwOwogIHBhZGRpbmctYm90dG9tOiAwLjJlbTsKICBib3JkZXItYm90dG9tOiAxcHggc29saWQgI2VlZTsKfQoKdWwucGxhaW4gewogIGxpc3Qtc3R5bGU6IG5vbmU7CiAgLXdlYmtpdC1wYWRkaW5nLXN0YXJ0OiAwOwogIHBhZGRpbmctbGVmdDogMDsKfQoKYSB7CiAgY29sb3I6ICM2ZTQzZTg7CiAgdGV4dC1kZWNvcmF0aW9uOiBub25lOwp9CmE6aG92ZXIgewogIGNvbG9yOiAjMzIzMjVkOwp9CgovKioqKioqKiBTdGF0dXMvR3JhcGggQ29sb3JzICoqKioqKiovCgouc3RhdHVzLXVwIC5zdGF0dXMtdGltZSB7CiAgY29sb3I6ICMzZWNmOGU7Cn0KCi5zdGF0dXMtdXAgewogIGJhY2tncm91bmQ6ICMzZWNmOGU7Cn0KCi5zdGF0dXMtZG93biAuc3RhdHVzLXRpbWUgewogIGNvbG9yOiAjZmZlN2NiOwp9Cgouc3RhdHVzLWRvd24gewogIGJhY2tncm91bmQ6ICNlMjU5NTA7Cn0KCi8qKioqKioqIENsZWFyZml4ICoqKioqKiovCgouY2xlYXJmaXg6YWZ0ZXIgewogIHZpc2liaWxpdHk6IGhpZGRlbjsKICBkaXNwbGF5OiBibG9jazsKICBmb250LXNpemU6IDA7CiAgY29udGVudDogIiAiOwogIGNsZWFyOiBib3RoOwogIGhlaWdodDogMDsKfQoKKiBodG1sIC5jbGVhcmZpeCB7CiAgem9vbTogMTsKfSAvKiBJRTYgKi8KKjpmaXJzdC1jaGlsZCArIGh0bWwgLmNsZWFyZml4IHsKICB6b29tOiAxOwp9IC8qIElFNyAqLwoKLyoqKioqKiogSGVhZGVyICoqKioqKiovCgouaGVhZGVyIHsKICBwYWRkaW5nOiAzMHB4IDA7CiAgaGVpZ2h0OiA0MHB4OwogIHBvc2l0aW9uOiByZWxhdGl2ZTsKfQoKLmhlYWRlciBzcGFuIHsKICBjb2xvcjogIzZlNDNlODsKICBmb250LXNpemU6IDE2cHg7CiAgbGluZS1oZWlnaHQ6IDMxcHg7CiAgcG9zaXRpb246IGFic29sdXRlOwogIGxlZnQ6IDU0MHB4Owp9CgouaGVhZGluZyB7CiAgZmxvYXQ6IGxlZnQ7CiAgbWFyZ2luOiA3cHggMXB4Owp9Cgouc3RhdHVzZXMgewogIGZsb2F0OiBsZWZ0Owp9CgoubG9nbyB7CiAgZGlzcGxheTogaW5saW5lLWJsb2NrOwogIHBvc2l0aW9uOiByZWxhdGl2ZTsKICBiYWNrZ3JvdW5kOiB1cmwoLy5wb21lcml1bS9hc3NldHMvaW1nL2xvZ28tbG9uZy5zdmcpIG5vLXJlcGVhdDsKICB3aWR0aDogNjYzcHg7CiAgaGVpZ2h0OiAyNnB4OwogIGN1cnNvcjogcG9pbnRlcjsKfQoKLmxvZ286aG92ZXIgewogIG9wYWNpdHk6IDAuNzsKfQoKLyoqKioqKiogQ29udGVudCAqKioqKioqLwoubGFyZ2VzdGF0dXMgewogIGJvcmRlcjogMDsKICBwb3NpdGlvbjogcmVsYXRpdmU7CiAgei1pbmRleDogMTA7CgogIHBhZGRpbmc6IDAgMzZweDsKICBwYWRkaW5nLWxlZnQ6IDg0cHg7CgogIG1pbi1oZWlnaHQ6IDE1NXB4Owp9CgoubGFyZ2VzdGF0dXMgLnRpdGxlIHsKICBkaXNwbGF5OiBibG9jazsKICBwYWRkaW5nLXRvcDogNDZweDsKICBtYXJnaW4tYm90dG9tOiAxMHB4OwoKICBmb250LXNpemU6IDI5cHg7CiAgY29sb3I6ICMzMjMyNWQ7Cn0KCi5sYXJnZXN0YXR1cyAuc3RhdHVzLXRpbWUgewogIGRpc3BsYXk6IGJsb2NrOwogIGZvbnQtc2l6ZTogMTRweDsKICBjb2xvcjogIzg4OThhYTsKICBwYWRkaW5nLWJvdHRvbTogNDZweDsKfQoKLmNhdGVnb3J5IHsKICBtYXJnaW4tdG9wOiA0MHB4Owp9CgovKioqKioqKiBTdGF0dXNlcyAqKioqKioqLwoKLnN0YXR1c2VzIHsKICBmb250LXNpemU6IDAuN2VtOwp9Cgouc3RhdHVzLWJ1YmJsZSB7CiAgd2lkdGg6IDQ0cHg7CiAgaGVpZ2h0OiA0NHB4OwogIHBvc2l0aW9uOiBhYnNvbHV0ZTsKICBsZWZ0OiAyNHB4OwogIHRvcDogNTJweDsKICBiYWNrZ3JvdW5kLXBvc2l0aW9uOiBjZW50ZXI7CiAgYmFja2dyb3VuZC1yZXBlYXQ6IG5vLXJlcGVhdDsKICBib3JkZXItcmFkaXVzOiA1MCU7Cn0KCi50aXRsZS13cmFwcGVyIHsKICBkaXNwbGF5OiBpbmxpbmUtYmxvY2s7CiAgY29sb3I6ICMzMzM7CiAgbWluLWhlaWdodDogMTU1cHg7Cn0KCi5zdGF0dXMtdGltZSB7CiAgY29sb3I6ICM5OTk7Cn0KCi8qKioqKioqIGNhdGVnb3J5ICoqKioqKiovCi5jYXRlZ29yeSB7CiAgYmFja2dyb3VuZDogd2hpdGU7Cn0KCmRpdi5jYXRlZ29yeS1oZWFkZXIgewogIG1hcmdpbi1ib3R0b206IDI1cHg7Cn0KCi5jYXRlZ29yeS10aXRsZSB7CiAgY29sb3I6ICM1MjVmN2Y7CiAgZm9udC1zaXplOiAxNXB4OwogIHBhZGRpbmctcmlnaHQ6IDEwcHg7Cn0KCi5jYXRlZ29yeS1pY29uIHsKICBkaXNwbGF5OiBibG9jazsKICBwb3NpdGlvbjogcmVsYXRpdmU7CiAgdG9wOiAycHg7CiAgZmxvYXQ6IHJpZ2h0OwogIHdpZHRoOiAyN3B4OwogIGhlaWdodDogMjVweDsKICBiYWNrZ3JvdW5kOiB1cmwoLy5wb21lcml1bS9hc3NldHMvaW1nL2p3dC5zdmcpIDEwMCUgMCBuby1yZXBlYXQ7Cn0KCmRpdi5jYXRlZ29yeS1saW5rIHsKICBiYWNrZ3JvdW5kOiAjZjZmOWZjOwoKICBwYWRkaW5nOiAyNXB4IDM2cHg7CgogIGJvcmRlci1ib3R0b20tbGVmdC1yYWRpdXM6IDRweDsKICBib3JkZXItYm90dG9tLXJpZ2h0LXJhZGl1czogNHB4OwoKICBmb250LXNpemU6IDEzcHg7CgogIGNvbG9yOiAjNmI3YzkzOwp9CgovKiBGb290ZXIgKi8KZGl2I2Zvb3RlciB7CiAgLypiYWNrZ3JvdW5kOiByZ2JhKDAsMCwwLDAuMDUpOyovCiAgbWFyZ2luOiAwIDAgMDsKICBwYWRkaW5nOiA0MHB4IDAgMHB4OwogIHBvc2l0aW9uOiByZWxhdGl2ZTsKICBmb250LXNpemU6IDEzcHg7Cn0KCmRpdiNmb290ZXIgdWwgewogIHBhZGRpbmctbGVmdDogMTBweDsKfQpkaXYjZm9vdGVyIGxpIHsKICBkaXNwbGF5OiBpbmxpbmU7CiAgcGFkZGluZy1yaWdodDogMTVweDsKfQpkaXYjZm9vdGVyIGEgewogIGNvbG9yOiAjODg5OGFhOwogIHRleHQtZGVjb3JhdGlvbjogbm9uZTsKfQpkaXYjZm9vdGVyIGE6aG92ZXIgewogIGNvbG9yOiAjMzIzMjVkOwp9CgpkaXYjZm9vdGVyIGxpLmxhc3QgewogIGJvcmRlcjogMDsKfQoKZGl2I2Zvb3RlciBwIHsKICBjb2xvcjogIzg4OThhYTsKICBwb3NpdGlvbjogYWJzb2x1dGU7CiAgcmlnaHQ6IDEwcHg7CiAgdG9wOiA0MHB4Owp9CgovKiAtIFRhYmxlcyAqLwp0YWJsZSB0Ym9keSB0ciB0ZCB7CiAgYm9yZGVyLWNvbG9yOiAjNTI1ZjdmOwogIGJvcmRlci1zdHlsZTogc29saWQ7CiAgYm9yZGVyOiAwOwogIHBhZGRpbmc6IDE2cHggMTZweDsKfQp0YWJsZSB7CiAgd2lkdGg6IDEwMCU7CiAgYm9yZGVyLWNvbGxhcHNlOiBzZXBhcmF0ZTsKICBib3JkZXItc3BhY2luZzogMDsKICBtYXJnaW46IGF1dG87Cn0KdGFibGU6bm90KDpmaXJzdC1jaGlsZCkgewogIG1hcmdpbi10b3A6IDIwcHg7Cn0KdGFibGUgdGFibGUgewogIG1hcmdpbjogMTZweCAwIDhweCAwOwp9CnRhYmxlIHRoZWFkIHRyIHRoIHsKICBmb250LXdlaWdodDogNTAwOwogIGZvbnQtc2l6ZTogMTNweDsKICBjb2xvcjogIzZlNDNlODsKICB0ZXh0LXRyYW5zZm9ybTogdXBwZXJjYXNlOwogIHRleHQtYWxpZ246IGxlZnQ7CiAgcGFkZGluZzogMCAwIDhweCAxNnB4Owp9CnRhYmxlIHRoZWFkIHRyIHRoIHAgewogIGZvbnQtc2l6ZTogMTNweDsKCiAgdGV4dC10cmFuc2Zvcm06IHVwcGVyY2FzZTsKICBwYWRkaW5nOiAwOwogIGxpbmUtaGVpZ2h0OiAxNXB4Owp9CnRhYmxlIHRib2R5LAp0YWJsZSB0Ym9keSB0ZCA&#43;ICogewogIGZvbnQtc2l6ZTogMTRweDsKICBsaW5lLWhlaWdodDogMjBweDsKICB2ZXJ0aWNhbC1hbGlnbjogdG9wOwogIHBhZGRpbmctdG9wOiAwOwogIG92ZXJmbG93LXdyYXA6IGFueXdoZXJlOwp9Cgp0YWJsZSB0Ym9keSB0ciB0ZCB7CiAgYm9yZGVyLWNvbG9yOiByZ2IoMjI3LCAyMzIsIDIzOCk7CiAgYm9yZGVyLXN0eWxlOiBzb2xpZDsKICBwYWRkaW5nOiAxNnB4IDE2cHg7CiAgbWluLXdpZHRoOiA4MHB4Owp9CnRhYmxlIHRib2R5IHRyIHRkOmZpcnN0LWNoaWxkIHsKICBib3JkZXItbGVmdC13aWR0aDogMXB4Owp9CnRhYmxlIHRib2R5IHRyIHRkOmxhc3QtY2hpbGQgewogIGJvcmRlci1yaWdodC13aWR0aDogMXB4Owp9CnRhYmxlIHRib2R5IHRyOmZpcnN0LWNoaWxkID4gdGQgewogIGJvcmRlci10b3Atd2lkdGg6IDFweDsKfQp0YWJsZSB0Ym9keSB0ciB0ZCB7CiAgYm9yZGVyLWJvdHRvbS13aWR0aDogMXB4Owp9CnRhYmxlIHRib2R5IHRyOmZpcnN0LWNoaWxkID4gdGQ6Zmlyc3QtY2hpbGQgewogIGJvcmRlci10b3AtbGVmdC1yYWRpdXM6IDFweDsKfQp0YWJsZSB0Ym9keSB0cjpmaXJzdC1jaGlsZCA&#43;IHRkOmxhc3QtY2hpbGQgewogIGJvcmRlci10b3AtcmlnaHQtcmFkaXVzOiAxcHg7Cn0KdGFibGUgdGJvZHkgdHI6bGFzdC1jaGlsZCA&#43;IHRkOmZpcnN0LWNoaWxkIHsKICBib3JkZXItYm90dG9tLWxlZnQtcmFkaXVzOiAxcHg7Cn0KdGFibGUgdGJvZHkgdHI6bGFzdC1jaGlsZCA&#43;IHRkOmxhc3QtY2hpbGQgewogIGJvcmRlci1ib3R0b20tcmlnaHQtcmFkaXVzOiAxcHg7Cn0KdGFibGUgdGJvZHkgdHI6bnRoLWNoaWxkKDJuICsgMSkgdGQgewogIGJhY2tncm91bmQ6ICNmNmY5ZmM7Cn0KCmlucHV0LApidXR0b24sCmEuYnV0dG9uIHsKICBiYWNrZ3JvdW5kOiAjNmU0M2U4OwogIGJveC1zaGFkb3c6IDAgMnB4IDVweCAwIHJnYmEoNTAsIDUwLCA5MywgMC4xKSwgMCAxcHggMXB4IDAgcmdiYSgwLCAwLCAwLCAwLjA3KTsKICBib3JkZXItcmFkaXVzOiA0cHg7CiAgaGVpZ2h0OiAzMnB4OwogIGZvbnQtc2l6ZTogMTZweDsKICBjb2xvcjogI2Y2ZjlmYzsKICBmb250LXdlaWdodDogNTAwOwogIHBhZGRpbmc6IDAgMTJweDsKICBjdXJzb3I6IHBvaW50ZXI7CiAgb3V0bGluZTogbm9uZTsKICBkaXNwbGF5OiBpbmxpbmUtYmxvY2s7CiAgdGV4dC1kZWNvcmF0aW9uOiBub25lOwogIHRleHQtdHJhbnNmb3JtOiBub25lOwogIHRyYW5zaXRpb246IGJveC1zaGFkb3cgMTUwbXMgZWFzZS1pbi1vdXQ7Cn0KCmJ1dHRvbjpkaXNhYmxlZCwgaW5wdXQ6ZGlzYWJsZWQgewogIGN1cnNvcjogZGVmYXVsdDsKICBiYWNrZ3JvdW5kOiNjY2NjY2M7CiAgY29sb3I6ICM4MzgzODM7Cn0KCi53ZWJhdXRobiAuYm94LWlubmVyIHsKICB0ZXh0LWFsaWduOiBjZW50ZXI7Cn0KCi53ZWJhdXRobiBmb3JtIHsKICBkaXNwbGF5OiBpbmxpbmUtYmxvY2s7Cn0K"/>
-<link rel="icon" type="image/png" href="data:image/svg&#43;xml;base64,PHN2ZyBpZD0iTGF5ZXJfMSIgZGF0YS1uYW1lPSJMYXllciAxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAyNjEuMTUgMTI0LjczIj48dGl0bGU&#43;bG9nby1vbmx5PC90aXRsZT48cGF0aCBkPSJNNzQyLjc2LDE2Mi44MmEyNC4zNiwyNC4zNiwwLDAsMC0yNC4zNi0yNC4zNkg1MDZhMjQuMzYsMjQuMzYsMCwwLDAtMjQuMzYsMjQuMzZWMjYzLjE5aDE2Ljgzdi0yOGgwYTM0LjExLDM0LjExLDAsMSwxLDY4LjIxLDBoMHYyOGgxMi4xOHYtMjhoMGEzNC4xMSwzNC4xMSwwLDEsMSw2OC4yMSwwaDB2MjhoMTIuMTh2LTI4aDBhMzQuMSwzNC4xLDAsMSwxLDY4LjIsMGgwdjI4aDE1LjMzWk00OTguNDQsMTg4LjEzYTM0LjExLDM0LjExLDAsMSwxLDY4LjIxLDBabTgwLjM5LDBhMzQuMTEsMzQuMTEsMCwxLDEsNjguMjEsMFptODAuMzksMGEzNC4xMSwzNC4xMSwwLDEsMSw2OC4yMSwwWiIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTQ4MS42MSAtMTM4LjQ2KSIvPjwvc3ZnPgo=" />
-`, buf.String())
+	assert.Contains(t, buf.String(), `<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />`)
 }
diff --git a/internal/urlutil/query_params.go b/internal/urlutil/query_params.go
index defdb6041..72aed1d6c 100644
--- a/internal/urlutil/query_params.go
+++ b/internal/urlutil/query_params.go
@@ -4,16 +4,17 @@ package urlutil
 // services over HTTP calls and redirects. They are typically used in
 // conjunction with a HMAC to ensure authenticity.
 const (
-	QueryCallbackURI      = "pomerium_callback_uri"
-	QueryDeviceType       = "pomerium_device_type"
-	QueryEnrollmentToken  = "pomerium_enrollment_token" //nolint
-	QueryIsProgrammatic   = "pomerium_programmatic"
-	QueryForwardAuth      = "pomerium_forward_auth"
-	QueryPomeriumJWT      = "pomerium_jwt"
-	QuerySession          = "pomerium_session"
-	QuerySessionEncrypted = "pomerium_session_encrypted"
-	QueryRedirectURI      = "pomerium_redirect_uri"
-	QueryForwardAuthURI   = "uri"
+	QueryCallbackURI        = "pomerium_callback_uri"
+	QueryDeviceCredentialID = "pomerium_device_credential_id"
+	QueryDeviceType         = "pomerium_device_type"
+	QueryEnrollmentToken    = "pomerium_enrollment_token" //nolint
+	QueryIsProgrammatic     = "pomerium_programmatic"
+	QueryForwardAuth        = "pomerium_forward_auth"
+	QueryPomeriumJWT        = "pomerium_jwt"
+	QuerySession            = "pomerium_session"
+	QuerySessionEncrypted   = "pomerium_session_encrypted"
+	QueryRedirectURI        = "pomerium_redirect_uri"
+	QueryForwardAuthURI     = "uri"
 )
 
 // URL signature based query params used for verifying the authenticity of a URL.
diff --git a/pkg/grpc/device/device.go b/pkg/grpc/device/device.go
index 4c212803e..0c51d72e8 100644
--- a/pkg/grpc/device/device.go
+++ b/pkg/grpc/device/device.go
@@ -5,11 +5,65 @@ import (
 	"context"
 	"fmt"
 
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
 	"github.com/pomerium/pomerium/pkg/encoding/base58"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/protoutil"
 )
 
+// DeleteCredential deletes a credential from the databroker.
+func DeleteCredential(
+	ctx context.Context,
+	client databroker.DataBrokerServiceClient,
+	credentialID string,
+) (*Credential, error) {
+	credential, err := GetCredential(ctx, client, credentialID)
+	if status.Code(err) == codes.NotFound {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+
+	any := protoutil.NewAny(credential)
+	_, err = client.Put(ctx, &databroker.PutRequest{
+		Record: &databroker.Record{
+			Type:      any.GetTypeUrl(),
+			Id:        credentialID,
+			Data:      any,
+			DeletedAt: timestamppb.Now(),
+		},
+	})
+	return credential, err
+}
+
+// DeleteEnrollment deletes an enrollment from the databroker.
+func DeleteEnrollment(
+	ctx context.Context,
+	client databroker.DataBrokerServiceClient,
+	enrollmentID string,
+) (*Enrollment, error) {
+	enrollment, err := GetEnrollment(ctx, client, enrollmentID)
+	if status.Code(err) == codes.NotFound {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+
+	any := protoutil.NewAny(enrollment)
+	_, err = client.Put(ctx, &databroker.PutRequest{
+		Record: &databroker.Record{
+			Type:      any.GetTypeUrl(),
+			Id:        enrollmentID,
+			Data:      any,
+			DeletedAt: timestamppb.Now(),
+		},
+	})
+	return enrollment, err
+}
+
 // GetCredential gets a credential from the databroker.
 func GetCredential(
 	ctx context.Context,