Check & Revoke Token Approvals (Allowances) Safely

Quick summary

This guide explains how to check and revoke token approvals (allowances) when you use MetaMask as a software wallet. I walk through the difference between MetaMask’s site permissions and the on‑chain token allowance that actually lets contracts move your tokens, and then show practical, hands‑on ways to find and revoke approvals safely. I’ve been using this daily for months and have a few war stories to share (including one time I approved an unlimited allowance by mistake). But the fix is usually straightforward.

Why token approvals matter (short primer)

When you interact with DeFi, many ERC‑20 tokens require you to call approve(spender, amount). That creates a token allowance: the spender contract can transfer up to that amount from your address without another signature from you. Approving large or unlimited allowances is convenient for frequent swaps, but it also widens the attack surface if the dApp or its router is compromised. Simple question: how does a token still move after you "disconnect" a dApp? Because allowances live on‑chain, not in the wallet UI.

MetaMask: connected sites vs on‑chain allowances

MetaMask lets you remove website connections (the UI item usually found under Settings → Security & Privacy → Connected Sites), which stops that site from accessing the injected provider in future sessions. That is helpful for privacy. It does not, however, change any token approvals already recorded on the blockchain.

In other words: disconnecting a dApp from MetaMask is not the same as revoking an on‑chain token allowance. (Yes, that’s confusing.)

How to check token allowances (MetaMask + on‑chain tools)

You can’t reliably see a full allowance list inside MetaMask alone. So most workflows combine MetaMask with an on‑chain viewer that reads your address and lists allowances by spender contract. The typical steps I use when auditing an account are:

  1. Copy your MetaMask account address (Account → Copy address).
  2. Visit an on‑chain token approval checker and paste your address. The tool will list tokens and spenders with current allowances.
  3. Inspect the spender contract page (open the contract address in the explorer). Check whether it’s a router, staking contract, or a suspicious address.

(If you prefer to avoid third‑party UIs you can also use the token contract's "Read" function on a block explorer and inspect allowance(owner, spender) per token; that’s more manual but it’s fully transparent.)
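The manual allowance(owner, spender) read can also be done without any explorer UI by sending an eth_call to a node you trust. The sketch below is an added example, not code from MetaMask or any approval checker; the function names are hypothetical, and it only builds the JSON‑RPC request and decodes the reply, so it runs offline.

```javascript
// Added example: build and decode an allowance(owner, spender) read.
const ALLOWANCE_SELECTOR = "0xdd62ed3e"; // allowance(address,address)
const MAX_UINT256 = (1n << 256n) - 1n;

// Left-pad a 20-byte hex address to one 32-byte ABI word.
function abiAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return addr.slice(2).toLowerCase().padStart(64, "0");
}

// JSON-RPC body to POST to your own node or provider endpoint.
// The call is sent to the token contract; owner and spender are arguments.
function buildAllowanceCall(token, owner, spender, id = 1) {
  abiAddress(token); // validates the token address format
  const data = ALLOWANCE_SELECTOR + abiAddress(owner) + abiAddress(spender);
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: token, data }, "latest"],
  };
}

// Interpret the "result" field of the reply: one 32-byte hex word.
// An empty "0x" result (address is not a token contract) is rejected here.
function decodeAllowance(resultHex) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(resultHex)) {
    throw new Error("expected one 32-byte word, got: " + resultHex);
  }
  const raw = BigInt(resultHex);
  // Only the exact maximum is labelled "unlimited"; other very large
  // values are reported as "limited" and should be judged by the reader.
  const status = raw === 0n ? "none" : raw === MAX_UINT256 ? "unlimited" : "limited";
  return { raw, status };
}
```

The raw value is in the token's smallest unit, so divide by 10^decimals for that token before comparing it with a balance.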

How to revoke token approvals in MetaMask — step-by-step

Here’s a safe, repeatable flow for revoking an allowance using MetaMask as your signer. This assumes the token lives on an EVM‑compatible chain (Ethereum mainnet, Arbitrum, Optimism, Polygon, etc.).

  1. Find the allowance you want to remove using a token approval checker (or the token contract Read interface on a block explorer).
  2. Confirm the spender contract address and token symbol. Never revoke or approve based only on a friendly name.
  3. From the approval tool or the token contract's Write interface, call approve(spenderAddress, 0) (this sets allowance to zero). Many approval tools provide a one‑click "Revoke" that constructs this transaction for you.
  4. MetaMask will open to sign the transaction. Confirm the details: the transaction target should be the token contract, not the spender. (Look at the input data if you want to inspect the method signature.)
  5. If you use a hardware wallet with MetaMask, confirm on the device.
  6. Wait for the transaction to be mined and verify the allowance is now zero.
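Step 4 asks you to confirm that the transaction targets the token contract and to inspect the input data. The following added example (not MetaMask's or any revoke tool's code; function names are hypothetical) decodes approve(address,uint256) calldata and checks a pending transaction against the token and spender you intended to revoke.

```javascript
// Added example: review a pending "revoke" transaction before signing it.
const APPROVE_SELECTOR = "095ea7b3"; // approve(address,uint256)
const UINT256_MAX = (1n << 256n) - 1n;

// Decode approve() calldata; throws if the data is any other call.
function decodeApprove(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex)) throw new Error("calldata is not a selector plus two 32-byte words");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("selector is not approve(address,uint256)");
  const spenderWord = hex.slice(8, 72);
  if (!spenderWord.startsWith("0".repeat(24))) throw new Error("address word has non-zero padding");
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// tx is the { to, data, value } object the wallet is asked to sign.
function reviewRevoke(tx, expectedToken, expectedSpender) {
  let call;
  try {
    call = decodeApprove(tx.data);
  } catch (err) {
    return { ok: false, problems: [err.message] };
  }
  const problems = [];
  const same = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();
  // A revoke is sent to the token contract; the spender is only an argument.
  if (!same(tx.to, expectedToken)) problems.push("target is not the token contract");
  if (!same(call.spender, expectedSpender)) problems.push("spender differs from the allowance being revoked");
  if (call.amount === UINT256_MAX) problems.push("amount is unlimited, this grants rather than revokes");
  else if (call.amount !== 0n) problems.push("amount is " + call.amount + ", not 0");
  const value = tx.value && tx.value !== "0x" ? BigInt(tx.value) : 0n;
  if (value !== 0n) problems.push("transaction also sends native currency");
  return { ok: problems.length === 0, problems, ...call };
}
```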

A few practical notes: revoking costs gas. So if you have dozens of tiny allowances you may choose to prioritize the largest or the most risky. And yes, double‑check domains before connecting to any approval UI — phishing clones exist.

Practical checklist before you revoke

Common pitfalls and advanced tips

When I first set this up I accidentally approved an unlimited allowance for a test token; I learned to check the spender contract before ever hitting "confirm." That lesson stuck.

Quick comparison: methods to revoke approvals

| Method | Pros | Cons | When to use |
|---|---|---|---|
| Block‑explorer Write (manual approve to 0) | Fully transparent, no middleman | Manual, one token at a time | When you want maximum control |
| Approval‑checker UI (one‑click revoke) | Convenient, lists many allowances | Requires wallet connection; trust the site | Fast audits for active accounts |
| In‑wallet disconnect (MetaMask "Connected Sites") | Removes site access quickly | Does not change on‑chain allowances | Privacy cleanup after dApp sessions |

Who this guide is for (and who should look elsewhere)

Who this guide is for:

Who should look elsewhere:

FAQ

Q: Is it safe to keep crypto in a hot wallet? A: Hot wallets are practical for daily DeFi use but they increase online exposure. For small‑value, active funds a software wallet is fine. For long‑term storage or very large balances, consider a hardware wallet or multisig arrangement. See hardware‑wallets overview and backup & recovery.

Q: How do I revoke token approvals in MetaMask? A: MetaMask itself shows connected sites but not a full on‑chain allowance list. To revoke an allowance you typically use a token approval checker or a block explorer, then sign an approve(spender, 0) transaction in MetaMask. The detailed steps are given above.

Q: How do I check token allowances in MetaMask? A: Copy your MetaMask address and paste it into a token approval checker, or inspect the token contract's Read functions on a block explorer to see allowance(owner, spender).

Q: What happens if I lose my phone? A: Losing your phone doesn’t automatically lose funds if you have your seed phrase backed up. But if someone finds the phone and it’s unlocked, they can use MetaMask. See lost phone recovery and backup options for recommended practices.

Conclusion and next steps

Token approvals are a small on‑chain setting with outsized real‑world consequences. Regularly auditing allowances removes an easy attack vector and keeps your DeFi activity safer. Start by checking your most active account today: copy your MetaMask address, run a quick allowance audit, and revoke any unknown or unlimited approvals that you don’t need.

If you want a deeper walkthrough of connecting tools or using MetaMask on mobile, see the guides on connect dApps, token management, and security best practices.

Ready to check your allowances? (It usually takes less than five minutes.)
