diff --git a/lib/handlers/peer-to-peer-message-handler.js b/lib/handlers/peer-to-peer-message-handler.js
--- a/lib/handlers/peer-to-peer-message-handler.js
+++ b/lib/handlers/peer-to-peer-message-handler.js
@@ -2,7 +2,10 @@
 
 import _isEqual from 'lodash/fp/isEqual.js';
 
-import { verifyAndGetDeviceList } from '../shared/device-list-utils.js';
+import {
+  verifyAndGetDeviceList,
+  removeDeviceFromDeviceList,
+} from '../shared/device-list-utils.js';
 import type {
   IdentityServiceClient,
   DeviceOlmInboundKeys,
@@ -11,6 +14,7 @@
   peerToPeerMessageTypes,
   type PeerToPeerMessage,
 } from '../types/tunnelbroker/peer-to-peer-message-types.js';
+import { secondaryDeviceLogoutP2PMessageValidator } from '../types/tunnelbroker/user-actions-peer-to-peer-message-types.js';
 import { getConfig } from '../utils/config.js';
 import { getContentSigningKey } from '../utils/crypto-utils.js';
 import { getMessageForException } from '../utils/errors.js';
@@ -106,6 +110,24 @@
         'Decrypted message from device ' +
           `${message.senderInfo.deviceID}: ${decrypted}`,
       );
+
+      try {
+        const parsedMessageToDevice = JSON.parse(decrypted);
+        if (
+          !secondaryDeviceLogoutP2PMessageValidator.is(parsedMessageToDevice)
+        ) {
+          return;
+        }
+        const { userID, deviceID: deviceIDToLogOut } = message.senderInfo;
+        await removeDeviceFromDeviceList(
+          identityClient,
+          userID,
+          deviceIDToLogOut,
+        );
+        // TODO: broadcast device list update here
+      } catch (e) {
+        console.log(e);
+      }
     } catch (e) {
       if (e.message?.includes(olmSessionErrors.messageAlreadyDecrypted)) {
         console.log(