Check & Revoke Token Approvals (Allowances) Safely

Quick summary

This guide explains how to check and revoke token approvals (allowances) when you use MetaMask as a software wallet. I walk through the difference between MetaMask’s site permissions and the on‑chain token allowance that actually lets contracts move your tokens, and then show practical, hands‑on ways to find and revoke approvals safely. I’ve been using this daily for months and have a few war stories to share (including one time I approved an unlimited allowance by mistake). But the fix is usually straightforward.

Why token approvals matter (short primer)

When you interact with DeFi, many ERC‑20 tokens require you to call approve(spender, amount). That creates a token allowance: the contract can transfer up to that amount from your address without another signature. Approving large or unlimited allowances is convenient for frequent swaps, but it also widens the attack surface if the dApp or its router is compromised. Simple question: how does a token still move after you "disconnect" a dApp? Because allowances live on‑chain, not in the wallet UI.

MetaMask: connected sites vs on‑chain allowances

MetaMask lets you remove website connections (the UI item usually found under Settings → Security & Privacy → Connected Sites), which stops that site from accessing the injected provider in future sessions. That is helpful for privacy. It does not, however, change any token approvals already recorded on the blockchain.

In other words: disconnecting a dApp from MetaMask is not the same as revoking an on‑chain token allowance. (Yes, that’s confusing.)

How to check token allowances (MetaMask + on‑chain tools)

You can’t reliably see a full allowance list inside MetaMask alone. So most workflows combine MetaMask with an on‑chain viewer that reads your address and lists allowances by spender contract. The typical steps I use when auditing an account are:

Copy your MetaMask account address (Account → Copy address).
Visit an on‑chain token approval checker and paste your address. The tool will list tokens and spenders with current allowances.
Inspect the spender contract page (open the contract address in the explorer). Check whether it’s a router, staking contract, or a suspicious address.

(If you prefer to avoid third‑party UIs you can also use the token contract's "Read" function on a block explorer and inspect allowance(owner, spender) per token; that’s more manual but it’s fully transparent.)

How to revoke token approvals in MetaMask — step-by-step

Here’s a safe, repeatable flow for revoking an allowance using MetaMask as your signer. This assumes the token lives on an EVM‑compatible chain (Ethereum mainnet, Arbitrum, Optimism, Polygon, etc.).

Find the allowance you want to remove using a token approval checker (or the token contract Read interface on a block explorer).
Confirm the spender contract address and token symbol. Never revoke or approve based only on a friendly name.
From the approval tool or the token contract's Write interface, call approve(spenderAddress, 0) (this sets allowance to zero). Many approval tools provide a one‑click "Revoke" that constructs this transaction for you.
MetaMask will open to sign the transaction. Confirm the details: the transaction target should be the token contract, not the spender. (Look at the input data if you want to inspect the method signature.)
If you use a hardware wallet with MetaMask, confirm on the device.
Wait for the transaction to be mined and verify the allowance is now zero.

A few practical notes: revoking costs gas. So if you have dozens of tiny allowances you may choose to prioritize the largest or the most risky. And yes, double‑check domains before connecting to any approval UI — phishing clones exist.

Practical checklist before you revoke

Verify the spender contract address on a block explorer (look for verified source code and a reasonable contract name).
Confirm the token contract address and decimals.
Prefer a hardware wallet for signing high‑value revoke transactions.
Beware multisig or smart‑contract wallets; the revoke flow may require a different UI or an additional signature.
If you plan to replace an unlimited approval with a limited one, revoke first (approve 0), then approve the specific amount you need.

Common pitfalls and advanced tips

Disconnecting a dApp in MetaMask does not revoke allowances. Don’t rely on it.
Some tokens require approve(0) before setting a new allowance; attempting to overwrite an unlimited approval directly can fail for certain token implementations.
Batch revokers or services that combine multiple revokes into one transaction can save gas but add a trust step; read the transaction request carefully.
On L2s use the chain’s explorer (e.g., the L2’s block explorer) to check allowances — the process is the same but on a different network.

When I first set this up I accidentally approved an unlimited allowance for a test token; I learned to check the spender contract before ever hitting "confirm." That lesson stuck.

Quick comparison: methods to revoke approvals

Method	Pros	Cons	When to use
Block‑explorer Write (manual approve to 0)	Fully transparent, no middleman	Manual, one token at a time	When you want maximum control
Approval‑checker UI (one‑click revoke)	Convenient, lists many allowances	Requires wallet connection; trust the site	Fast audits for active accounts
In‑wallet disconnect (MetaMask "Connected Sites")	Removes site access quickly	Does not change on‑chain allowances	Privacy cleanup after dApp sessions

Who this guide is for (and who should look elsewhere)

Who this guide is for:

Daily DeFi users who connect to multiple dApps and want to limit exposure.
People using MetaMask on desktop and mobile (this workflow uses MetaMask only as the signer).
Hardware wallet owners who route transactions through MetaMask.

Who should look elsewhere:

If you use a smart‑contract wallet that supports session keys and gasless transactions, revocation patterns may differ — see smart‑contract wallets & account abstraction.
If most of your crypto lives on a non‑EVM chain, follow that chain’s native tooling (see solana‑limitations).

FAQ

Q: Is it safe to keep crypto in a hot wallet? A: Hot wallets are practical for daily DeFi use but they increase online exposure. For small‑value, active funds a software wallet is fine. For long‑term storage or very large balances, consider a hardware wallet or multisig arrangement. See hardware‑wallets overview and backup & recovery.

Q: How do I revoke token approvals MetaMask? A: MetaMask itself shows connected sites but not a full on‑chain allowance list. To revoke an allowance you typically use a token approval checker or a block explorer, then sign an approve(spender, 0) transaction in MetaMask. This article shows the detailed steps above.

Q: How do I check token allowances MetaMask? A: Copy your MetaMask address and paste it into a token approval checker or inspect token contract Read functions on a block explorer to see allowance(owner, spender).

Q: What happens if I lose my phone? A: Losing your phone doesn’t automatically lose funds if you have your seed phrase backed up. But if someone finds the phone and it’s unlocked, they can use MetaMask. See lost phone recovery and backup options for recommended practices.

Conclusion and next steps

Token approvals are a small on‑chain setting with outsized real‑world consequences. Regularly auditing allowances removes an easy attack vector and keeps your DeFi activity safer. Start by checking your most active account today: copy your MetaMask address, run a quick allowance audit, and revoke any unknown or unlimited approvals that you don’t need.

If you want a deeper walkthrough of connecting tools or using MetaMask on mobile, see the guides on connect dApps, token management, and security best practices.

Ready to check your allowances? (It usually takes less than five minutes.)