If you have connected a third-party app, bot, or automated script to your Mastodon account, an API token was generated to grant that service access. Over time, you might forget about these tokens, leaving your account exposed to potential misuse if the app is compromised or abandoned. Revoking an old API token immediately cuts off that service without affecting your password or other connections. This article explains where to find active tokens in your Mastodon account settings and how to revoke them one at a time or in bulk.
Key Takeaways: Revoking Mastodon API Tokens
- Preferences > Account > Authorized apps: Lists every app with an active token, including the app name, scope, and last used date.
- Revoke button next to each app: Deletes the token immediately and blocks future API calls from that service.
- No undo or recovery: Once revoked, the app must be reauthorized from scratch to obtain a new token.
Why Revoking Old API Tokens Matters for Your Mastodon Account
Every time you authorize a third-party app on Mastodon, the server issues an OAuth token. This token acts like a key that lets the app read your timeline, post on your behalf, or follow accounts, depending on the scopes you approved. Unlike a password, the token does not expire unless you explicitly revoke it or change your password.
Old tokens accumulate when you test new clients, connect automation tools, or grant access to mobile apps you no longer use. If any of those services suffer a data breach, the token could be used to impersonate you. Mastodon does not notify you when a token is used, so the only way to stay secure is to periodically audit and revoke unused tokens.
The Authorized apps page inside your account settings shows every active token. Each entry includes the app name, the permissions it was granted, and the last time it made an API call. This information helps you decide which tokens are safe to keep and which should be revoked.
Steps to Revoke an Old Mastodon API Token From Account Settings
The process is identical on all Mastodon instances, including mastodon.social, mastodon.online, and self-hosted servers. You must be logged into your account in a web browser. Mobile app settings do not expose the Authorized apps page.
1. Open your Mastodon preferences
Click the gear icon or your profile picture in the upper-right corner of the web interface. From the dropdown menu, select Preferences. This opens the settings sidebar on the left side of the screen.
2. Navigate to the Authorized apps page
In the left sidebar, scroll down to the Account section. Click Authorized apps. A table appears listing every app that has an active token for your account.
3. Review the list of apps and their permissions
Each row shows the app name, the permission scopes granted (for example, read, write, follow), and the last time the token was used. If you do not recognize an app or no longer use it, that token is a candidate for revocation.
4. Click the Revoke button for the app you want to remove
Directly to the right of each app entry, a red button labeled Revoke is visible. Click it. A confirmation dialog appears asking if you are sure. Click Yes, revoke to confirm.
5. Verify the app is removed from the list
After confirmation, the page reloads and the app no longer appears in the table. The token is now invalid. Any API call made with that old token returns a 401 Unauthorized error.
If you want to revoke multiple tokens, repeat steps 3 through 5 for each app. There is no bulk revoke option, so you must remove tokens one at a time.
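If the token belongs to a script you run yourself, you can confirm the 401 behaviour described above and revoke the token from the script side instead of the web page. The following is an added example, not code from the article or from Mastodon: it calls the standard GET /api/v1/accounts/verify_credentials and POST /oauth/revoke endpoints, with a constructed in-memory stand-in for the server (FakeMastodon, a placeholder instance name) so it runs offline; client_id and client_secret are the values your app received when it registered.

```python
# Added example: verify a stored Mastodon token, then revoke it via OAuth.
# BASE_URL is a placeholder; FakeMastodon is a constructed stand-in server.
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://mastodon.example"  # placeholder, not a real instance


def verify_token(token, opener=urllib.request.urlopen, base_url=BASE_URL):
    """Return the account handle the token belongs to, or None when the
    server answers 401 (what Mastodon returns once a token is revoked)."""
    req = urllib.request.Request(f"{base_url}/api/v1/accounts/verify_credentials",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with opener(req) as resp:
            return json.loads(resp.read())["acct"]
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return None
        raise  # any other failure is not a revocation; surface it


def revoke_token(token, client_id, client_secret,
                 opener=urllib.request.urlopen, base_url=BASE_URL):
    """POST /oauth/revoke with the app credentials; 200 means the token is gone."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "token": token}).encode()
    req = urllib.request.Request(f"{base_url}/oauth/revoke", data=body, method="POST")
    with opener(req) as resp:
        return resp.status == 200


class _Resp:  # minimal response object for the offline stand-in
    def __init__(self, status, body): self.status, self._body = status, body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


class FakeMastodon:
    """Constructed stand-in: one live token ("tok-live"); revocation removes it."""
    def __init__(self):
        self.live = {"tok-live": "alice@mastodon.example"}

    def __call__(self, req):
        path = urllib.parse.urlparse(req.full_url).path
        if path == "/oauth/revoke":
            self.live.pop(urllib.parse.parse_qs(req.data.decode())["token"][0], None)
            return _Resp(200, b"{}")
        token = (req.get_header("Authorization") or "").replace("Bearer ", "", 1)
        if token in self.live:
            return _Resp(200, json.dumps({"acct": self.live[token]}).encode())
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
```

Against a real server, drop the opener argument so urllib.request.urlopen is used, and keep the client secret out of the script source.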
Common Issues When Revoking API Tokens on Mastodon
Revoke button is grayed out or missing
Some self-hosted Mastodon instances restrict the Authorized apps page to admins only. If you are on a personal or small instance, check with your instance admin. On standard public instances, all users can revoke their own tokens.
App reappears after revocation
If the third-party app is still running and tries to use the old token, it will fail. However, some apps automatically request a new token when the old one is rejected. To prevent this, remove the app from your phone or computer first, then revoke the token. Otherwise the app may silently reauthorize itself.
Cannot find the Authorized apps page
The menu path differs slightly on mobile browsers. Use a desktop or laptop browser for the full settings layout. On mobile, open the hamburger menu, tap your profile picture, select Preferences, then Account, and finally Authorized apps.
Mastodon Account Settings: Manual Token Revocation vs Changing Password
| Item | Revoke Token via Authorized Apps | Change Password |
|---|---|---|
| Effect on third-party apps | Only the revoked app loses access | All apps lose access and must be reauthorized |
| Ease of use | Selective, one app at a time | Single action revokes everything |
| Account security | Lets you keep trusted apps active | Resets all tokens, including legitimate ones |
| Recovery for the revoked app | App must be authorized again from scratch | All apps must be authorized again from scratch |
Changing your password is a nuclear option that invalidates every token at once. Use it only if you suspect your password is compromised. For routine cleanup, revoking individual tokens from the Authorized apps page is safer and faster.
You can now audit your Mastodon account and remove any API tokens that belong to apps you no longer use. Check the Authorized apps page once every few months to keep your account clean. For extra security, enable two-factor authentication in Preferences > Account > Two-factor Auth, which prevents token misuse even if a token is leaked.