diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -332,6 +332,14 @@
     Ok(Response::new(response))
   }
 
+  #[tracing::instrument(skip_all)]
+  async fn log_out_secondary_device(
+    &self,
+    request: tonic::Request<Empty>,
+  ) -> Result<tonic::Response<Empty>, tonic::Status> {
+    Err(tonic::Status::unimplemented(""))
+  }
+
   #[tracing::instrument(skip_all)]
   async fn delete_wallet_user(
     &self,
diff --git a/shared/protos/identity_auth.proto b/shared/protos/identity_auth.proto
--- a/shared/protos/identity_auth.proto
+++ b/shared/protos/identity_auth.proto
@@ -50,6 +50,9 @@
 
   // Called by user to log out (clears device's keys and access token)
   rpc LogOutUser(identity.unauth.Empty) returns (identity.unauth.Empty) {}
+  // Called by a ssecondary device to log out (clear its keys and access token)
+  rpc LogOutSecondaryDevice(identity.unauth.Empty) returns
+    (identity.unauth.Empty) {}
   // Called by a user to delete their own account
   rpc DeletePasswordUserStart(DeletePasswordUserStartRequest) returns
     (DeletePasswordUserStartResponse) {}
diff --git a/web/protobufs/identity-auth-client.cjs b/web/protobufs/identity-auth-client.cjs
--- a/web/protobufs/identity-auth-client.cjs
+++ b/web/protobufs/identity-auth-client.cjs
@@ -566,6 +566,67 @@
 };
 
 
+/**
+ * @const
+ * @type {!grpc.web.MethodDescriptor<
+ *   !proto.identity.unauth.Empty,
+ *   !proto.identity.unauth.Empty>}
+ */
+const methodDescriptor_IdentityClientService_LogOutSecondaryDevice = new grpc.web.MethodDescriptor(
+  '/identity.auth.IdentityClientService/LogOutSecondaryDevice',
+  grpc.web.MethodType.UNARY,
+  identity_unauth_pb.Empty,
+  identity_unauth_pb.Empty,
+  /**
+   * @param {!proto.identity.unauth.Empty} request
+   * @return {!Uint8Array}
+   */
+  function(request) {
+    return request.serializeBinary();
+  },
+  identity_unauth_pb.Empty.deserializeBinary
+);
+
+
+/**
+ * @param {!proto.identity.unauth.Empty} request The
+ *     request proto
+ * @param {?Object<string, string>} metadata User defined
+ *     call metadata
+ * @param {function(?grpc.web.RpcError, ?proto.identity.unauth.Empty)}
+ *     callback The callback function(error, response)
+ * @return {!grpc.web.ClientReadableStream<!proto.identity.unauth.Empty>|undefined}
+ *     The XHR Node Readable Stream
+ */
+proto.identity.auth.IdentityClientServiceClient.prototype.logOutSecondaryDevice =
+    function(request, metadata, callback) {
+  return this.client_.rpcCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/LogOutSecondaryDevice',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_LogOutSecondaryDevice,
+      callback);
+};
+
+
+/**
+ * @param {!proto.identity.unauth.Empty} request The
+ *     request proto
+ * @param {?Object<string, string>=} metadata User defined
+ *     call metadata
+ * @return {!Promise<!proto.identity.unauth.Empty>}
+ *     Promise that resolves to the response
+ */
+proto.identity.auth.IdentityClientServicePromiseClient.prototype.logOutSecondaryDevice =
+    function(request, metadata) {
+  return this.client_.unaryCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/LogOutSecondaryDevice',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_LogOutSecondaryDevice);
+};
+
+
 /**
  * @const
  * @type {!grpc.web.MethodDescriptor<
diff --git a/web/protobufs/identity-auth-client.cjs.flow b/web/protobufs/identity-auth-client.cjs.flow
--- a/web/protobufs/identity-auth-client.cjs.flow
+++ b/web/protobufs/identity-auth-client.cjs.flow
@@ -67,6 +67,13 @@
                response: identityStructs.Empty) => void
   ): grpcWeb.ClientReadableStream<identityStructs.Empty>;
 
+  logOutSecondaryDevice(
+    request: identityStructs.Empty,
+    metadata: grpcWeb.Metadata | void,
+    callback: (err: grpcWeb.RpcError,
+               response: identityStructs.Empty) => void
+  ): grpcWeb.ClientReadableStream<identityStructs.Empty>;
+
   deletePasswordUserStart(
     request: identityAuthStructs.DeletePasswordUserStartRequest,
     metadata: grpcWeb.Metadata | void,
@@ -176,6 +183,11 @@
     metadata?: grpcWeb.Metadata
   ): Promise<identityStructs.Empty>;
 
+  logOutSecondaryDevice(
+    request: identityStructs.Empty,
+    metadata?: grpcWeb.Metadata
+  ): Promise<identityStructs.Empty>;
+
   deletePasswordUserStart(
     request: identityAuthStructs.DeletePasswordUserStartRequest,
     metadata?: grpcWeb.Metadata