diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -22,7 +22,8 @@
   InboundKeyInfo, InboundKeysForUserRequest, InboundKeysForUserResponse,
   KeyserverKeysResponse, LinkFarcasterAccountRequest, OutboundKeyInfo,
   OutboundKeysForUserRequest, OutboundKeysForUserResponse,
-  PeersDeviceListsRequest, PeersDeviceListsResponse, RefreshUserPrekeysRequest,
+  PeersDeviceListsRequest, PeersDeviceListsResponse,
+  PrimaryDeviceLogoutRequest, RefreshUserPrekeysRequest,
   UpdateDeviceListRequest, UpdateUserPasswordFinishRequest,
   UpdateUserPasswordStartRequest, UpdateUserPasswordStartResponse,
   UploadOneTimeKeysRequest, UserDevicesPlatformDetails, UserIdentitiesRequest,
@@ -429,6 +430,15 @@
     Ok(Response::new(response))
   }
 
+  #[tracing::instrument(skip_all)]
+  async fn log_out_primary_device(
+    &self,
+    request: tonic::Request<PrimaryDeviceLogoutRequest>,
+  ) -> Result<tonic::Response<Empty>, tonic::Status> {
+    let response = Empty {};
+    Ok(Response::new(response))
+  }
+
   #[tracing::instrument(skip_all)]
   async fn log_out_secondary_device(
     &self,
diff --git a/shared/protos/identity_auth.proto b/shared/protos/identity_auth.proto
--- a/shared/protos/identity_auth.proto
+++ b/shared/protos/identity_auth.proto
@@ -53,6 +53,10 @@
   // Called by a ssecondary device to log out (clear its keys and access token)
   rpc LogOutSecondaryDevice(identity.unauth.Empty) returns
     (identity.unauth.Empty) {}
+  // Called by a primary device to log out (clear all devices' keys and tokens)
+  rpc LogOutPrimaryDevice(PrimaryDeviceLogoutRequest) returns
+    (identity.unauth.Empty) {}
+
   // Called by a user to delete their own account
   rpc DeletePasswordUserStart(DeletePasswordUserStartRequest) returns
     (DeletePasswordUserStartResponse) {}
@@ -197,6 +201,23 @@
   bytes opaque_login_response = 3;
 }
 
+// LogOutPrimaryDevice
+
+message PrimaryDeviceLogoutRequest {
+  // A stringified JSON object of the following format:
+  // {
+  //   "rawDeviceList": JSON.stringify({
+  //     "devices": [<primary_device_id: string>]
+  //     "timestamp": <UTC timestamp in milliseconds: int>,
+  //   }),
+  //   "curPrimarySignature": "base64-encoded primary device signature"
+  // }
+  // When the primary device logs out, it removes all secondary devices from
+  // the device list, and sends up a new singleton device list consisting of
+  // just itself.
+  string signed_device_list = 1;
+}
+
 // DeletePasswordUser
 
 // First user must log in
diff --git a/web/protobufs/identity-auth-client.cjs b/web/protobufs/identity-auth-client.cjs
--- a/web/protobufs/identity-auth-client.cjs
+++ b/web/protobufs/identity-auth-client.cjs
@@ -627,6 +627,67 @@
 };
 
 
+/**
+ * @const
+ * @type {!grpc.web.MethodDescriptor<
+ *   !proto.identity.auth.PrimaryDeviceLogoutRequest,
+ *   !proto.identity.unauth.Empty>}
+ */
+const methodDescriptor_IdentityClientService_LogOutPrimaryDevice = new grpc.web.MethodDescriptor(
+  '/identity.auth.IdentityClientService/LogOutPrimaryDevice',
+  grpc.web.MethodType.UNARY,
+  proto.identity.auth.PrimaryDeviceLogoutRequest,
+  identity_unauth_pb.Empty,
+  /**
+   * @param {!proto.identity.auth.PrimaryDeviceLogoutRequest} request
+   * @return {!Uint8Array}
+   */
+  function(request) {
+    return request.serializeBinary();
+  },
+  identity_unauth_pb.Empty.deserializeBinary
+);
+
+
+/**
+ * @param {!proto.identity.auth.PrimaryDeviceLogoutRequest} request The
+ *     request proto
+ * @param {?Object<string, string>} metadata User defined
+ *     call metadata
+ * @param {function(?grpc.web.RpcError, ?proto.identity.unauth.Empty)}
+ *     callback The callback function(error, response)
+ * @return {!grpc.web.ClientReadableStream<!proto.identity.unauth.Empty>|undefined}
+ *     The XHR Node Readable Stream
+ */
+proto.identity.auth.IdentityClientServiceClient.prototype.logOutPrimaryDevice =
+    function(request, metadata, callback) {
+  return this.client_.rpcCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/LogOutPrimaryDevice',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_LogOutPrimaryDevice,
+      callback);
+};
+
+
+/**
+ * @param {!proto.identity.auth.PrimaryDeviceLogoutRequest} request The
+ *     request proto
+ * @param {?Object<string, string>=} metadata User defined
+ *     call metadata
+ * @return {!Promise<!proto.identity.unauth.Empty>}
+ *     Promise that resolves to the response
+ */
+proto.identity.auth.IdentityClientServicePromiseClient.prototype.logOutPrimaryDevice =
+    function(request, metadata) {
+  return this.client_.unaryCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/LogOutPrimaryDevice',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_LogOutPrimaryDevice);
+};
+
+
 /**
  * @const
  * @type {!grpc.web.MethodDescriptor<
diff --git a/web/protobufs/identity-auth-client.cjs.flow b/web/protobufs/identity-auth-client.cjs.flow
--- a/web/protobufs/identity-auth-client.cjs.flow
+++ b/web/protobufs/identity-auth-client.cjs.flow
@@ -74,6 +74,13 @@
                response: identityStructs.Empty) => void
   ): grpcWeb.ClientReadableStream<identityStructs.Empty>;
 
+  logOutPrimaryDevice(
+    request: identityAuthStructs.PrimaryDeviceLogoutRequest,
+    metadata: grpcWeb.Metadata | void,
+    callback: (err: grpcWeb.RpcError,
+               response: identityStructs.Empty) => void
+  ): grpcWeb.ClientReadableStream<identityStructs.Empty>;
+
   deletePasswordUserStart(
     request: identityAuthStructs.DeletePasswordUserStartRequest,
     metadata: grpcWeb.Metadata | void,
@@ -195,6 +202,11 @@
     metadata?: grpcWeb.Metadata
   ): Promise<identityStructs.Empty>;
 
+  logOutPrimaryDevice(
+    request: identityAuthStructs.PrimaryDeviceLogoutRequest,
+    metadata?: grpcWeb.Metadata
+  ): Promise<identityStructs.Empty>;
+
   deletePasswordUserStart(
     request: identityAuthStructs.DeletePasswordUserStartRequest,
     metadata?: grpcWeb.Metadata
diff --git a/web/protobufs/identity-auth-structs.cjs b/web/protobufs/identity-auth-structs.cjs
--- a/web/protobufs/identity-auth-structs.cjs
+++ b/web/protobufs/identity-auth-structs.cjs
@@ -42,6 +42,7 @@
 goog.exportSymbol('proto.identity.auth.PeersDeviceListsRequest', null, global);
 goog.exportSymbol('proto.identity.auth.PeersDeviceListsResponse', null, global);
 goog.exportSymbol('proto.identity.auth.PlatformDetails', null, global);
+goog.exportSymbol('proto.identity.auth.PrimaryDeviceLogoutRequest', null, global);
 goog.exportSymbol('proto.identity.auth.RefreshUserPrekeysRequest', null, global);
 goog.exportSymbol('proto.identity.auth.UpdateDeviceListRequest', null, global);
 goog.exportSymbol('proto.identity.auth.UpdateUserPasswordFinishRequest', null, global);
@@ -345,6 +346,27 @@
    */
   proto.identity.auth.UpdateUserPasswordStartResponse.displayName = 'proto.identity.auth.UpdateUserPasswordStartResponse';
 }
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.identity.auth.PrimaryDeviceLogoutRequest, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.identity.auth.PrimaryDeviceLogoutRequest.displayName = 'proto.identity.auth.PrimaryDeviceLogoutRequest';
+}
 /**
  * Generated by JsPbCodeGenerator.
  * @param {Array=} opt_data Optional initial data array, typically from a
@@ -3565,6 +3587,136 @@
 
 
 
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.identity.auth.PrimaryDeviceLogoutRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.identity.auth.PrimaryDeviceLogoutRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    signedDeviceList: jspb.Message.getFieldWithDefault(msg, 1, "")
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.identity.auth.PrimaryDeviceLogoutRequest}
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.identity.auth.PrimaryDeviceLogoutRequest;
+  return proto.identity.auth.PrimaryDeviceLogoutRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.identity.auth.PrimaryDeviceLogoutRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.identity.auth.PrimaryDeviceLogoutRequest}
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setSignedDeviceList(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.identity.auth.PrimaryDeviceLogoutRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.identity.auth.PrimaryDeviceLogoutRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getSignedDeviceList();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional string signed_device_list = 1;
+ * @return {string}
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.prototype.getSignedDeviceList = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.identity.auth.PrimaryDeviceLogoutRequest} returns this
+ */
+proto.identity.auth.PrimaryDeviceLogoutRequest.prototype.setSignedDeviceList = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+
+
+
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
  * Creates an object representation of this proto.
diff --git a/web/protobufs/identity-auth-structs.cjs.flow b/web/protobufs/identity-auth-structs.cjs.flow
--- a/web/protobufs/identity-auth-structs.cjs.flow
+++ b/web/protobufs/identity-auth-structs.cjs.flow
@@ -361,6 +361,22 @@
   opaqueLoginResponse: Uint8Array | string,
 };
 
+declare export class PrimaryDeviceLogoutRequest extends Message {
+  getSignedDeviceList(): string;
+  setSignedDeviceList(value: string): PrimaryDeviceLogoutRequest;
+
+  serializeBinary(): Uint8Array;
+  toObject(includeInstance?: boolean): PrimaryDeviceLogoutRequestObject;
+  static toObject(includeInstance: boolean, msg: PrimaryDeviceLogoutRequest): PrimaryDeviceLogoutRequestObject;
+  static serializeBinaryToWriter(message: PrimaryDeviceLogoutRequest, writer: BinaryWriter): void;
+  static deserializeBinary(bytes: Uint8Array): PrimaryDeviceLogoutRequest;
+  static deserializeBinaryFromReader(message: PrimaryDeviceLogoutRequest, reader: BinaryReader): PrimaryDeviceLogoutRequest;
+}
+
+export type PrimaryDeviceLogoutRequestObject = {
+  signedDeviceList: string,
+}
+
 declare export class DeletePasswordUserStartRequest extends Message {
   getOpaqueLoginRequest(): Uint8Array | string;
   getOpaqueLoginRequest_asU8(): Uint8Array;