How to Revoke Token Approvals on Solana (and Why You Should)
If you have used a few Solana dapps, you have almost certainly granted permissions you have since forgotten about. A token approval is a standing permission for some program or address to move tokens out of your wallet. Most of the time those permissions are harmless. Sometimes they are not. This guide explains what a token approval actually is on Solana, why Solana's model is different from the Ethereum "infinite approval" pattern you may have read about, and how to check, revoke, and clean up the permissions sitting in your wallet right now.
What a token approval actually is
A token approval, also called a delegate, is permission you grant so that another address or program can move a specific token out of your wallet without you signing each individual transfer. On Solana, this is built into the SPL token program through an "approve" instruction. When you approve a delegate, you are saying: this address is allowed to transfer or burn up to a set amount of this one token from this one account.
Why does this exist? Plenty of legitimate features rely on it. A staking program might need a delegate to move your tokens into a pool. A limit-order or DCA tool needs permission to swap your tokens when your price condition hits, because you are not online to sign at that exact moment. A marketplace may need a delegate so it can transfer an asset the instant a sale clears. In all of these cases, the approval is the mechanism that lets automation work on your behalf.
The trade-off is simple. Every active delegate is a key to a door. Most doors lead somewhere safe. But a delegate granted to a malicious or compromised program is a standing invitation to drain whatever it was approved to touch, and it keeps working until you revoke it.
How Solana differs from Ethereum approvals
If you have come from Ethereum, you have probably been warned about "infinite approvals" and long lists of token contracts you have authorized. Solana's model is genuinely different, and understanding the difference changes how you think about risk.
On Ethereum, an ERC-20 approval is stored on the token contract itself. You can approve many different spenders for the same token, each with its own allowance, and a lot of them are set to an unlimited amount for convenience. That is why Ethereum revoke tools tend to show a sprawling list of contracts and spender addresses you have authorized over the years.
On Solana, an SPL approval lives on your individual token account, and a standard token account stores only one active delegate and one delegated amount at a time. Approve a new delegate on that same account and it replaces the old one. So you will not usually find dozens of stacked allowances per token the way you would on Ethereum. The surface area is smaller and easier to reason about.
Here is the part that matters most: on Solana, the more common way wallets get drained is not a lingering blanket approval. It is signing a single malicious transaction. A fake mint, a "claim your airdrop" page, or a spoofed site presents you with a transaction that, when you sign it, transfers your tokens or hands over an authority on the spot. There is no allowance to revoke afterward because the damage happened in that one signature. This is why approval hygiene is necessary but not sufficient. Cleaning up stale delegates closes one category of risk; refusing to sign blind closes the bigger one. For how those signature-based attacks work, see our guide on Solana wallet drainer scams.
Why stale approvals and connections are a risk
Even though Solana's model is tidier than Ethereum's, stale permissions still matter, for a few reasons.
Programs change hands. A protocol you trusted a year ago might be abandoned, sold, or exploited. A delegate you granted to it is still live. If the program is later compromised, your old approval becomes an open door you forgot you left unlocked.
You forget what you signed. After a few months of using launchpads, DEXs, NFT marketplaces, and random "connect wallet" buttons, almost nobody remembers the full list of permissions they granted. Unknown is the same as unmanaged.
Connected dapps are their own surface. Separate from on-chain approvals, your wallet keeps a list of sites you have connected to. A connection by itself cannot move funds, but it lets a site repeatedly prompt you for transactions and signatures. If that site is later hijacked or its domain is taken over, those prompts come from a place you have already learned to trust. Pruning connections you no longer use removes a convenient launchpad for a future phishing attempt.
Clutter hides the real thing. When your wallet is full of dead token accounts and forgotten approvals, a genuinely dangerous one is easy to miss. A clean wallet is one you can actually audit.
How to check and revoke approvals
There are three separate jobs here, and people often conflate them: revoking on-chain delegates, disconnecting dapps in your wallet, and closing unused token accounts. Do all three.
1. Revoke on-chain delegates. The cleanest way is a dedicated Solana revoke tool. Reputable token-approval checkers connect to your wallet, read which of your token accounts have an active delegate, and let you send a "revoke" instruction that clears the delegate and resets the delegated amount to zero. Each revoke is a normal transaction and costs a tiny fraction of a SOL in fees. Before you connect to any such tool, verify the URL carefully and reach it from a source you trust, not from a search ad or a link in your DMs. A fake "revoke" site is a classic trap precisely because security-conscious people go looking for one.
2. Disconnect dapps in your wallet. Your wallet has a connected-sites or connected-apps view in its settings. Open it and remove anything you do not actively use. In Phantom, for example, this lives under the settings menu as a list of connected applications you can revoke individually. This does not touch on-chain approvals; it just stops a site from being able to prompt your wallet. If you are still setting your wallet up, our walkthrough on how to set up a Phantom wallet covers where these controls live.
3. Close unused token accounts. This is distinct from revoking. On Solana, every token you have ever held created an associated token account, and each one holds a small amount of SOL as rent. Closing an empty token account removes it from the blockchain entirely and returns that rent to you, typically a tiny amount per account that adds up across a busy wallet. More importantly for security, it shrinks the list of accounts anyone has to think about. Many wallets and explorers offer a "close account" or "reclaim rent" feature; an account must be empty before it can be closed. Closing an account also removes any delegate that was on it, since the account itself no longer exists. To understand exactly what these accounts are, see what an SPL token is.
An approval hygiene routine
None of this needs to be a constant chore. A short, periodic pass keeps your wallet clean without turning into paranoia. A reasonable rhythm looks like this.
- Once a month, or after a heavy week of aping into new mints: open a revoke tool and clear any delegates you do not recognize. If you are not sure what a delegate is for, revoking it is almost always safe. The worst case is that a tool you use asks for the approval again next time.
- Same pass: open your wallet's connected-sites list and disconnect everything you have not used recently. You lose nothing by reconnecting later.
- Quarterly, or whenever your account list feels bloated: close empty token accounts to reclaim rent and cut clutter.
- Immediately, no waiting: if you ever suspect you signed something you should not have, interacted with a site that felt off, or clicked a "claim" link, revoke approvals and disconnect that site right away. If real funds may be exposed, the safest move is to move your remaining assets to a fresh wallet, because revoking does not undo a signature you already gave.
The goal is not zero approvals. It is known approvals. Every active delegate should map to a tool you actually use and trust.
The bigger picture: limit your exposure
Revoking is cleanup. The stronger move is structuring your wallets so a mistake costs you a little instead of everything.
Use a burner for risky activity. Aping into brand-new mints, claiming airdrops, and connecting to unaudited sites are exactly the activities that lead to bad approvals and malicious signatures. Do them from a separate wallet that holds only what you are willing to lose. If it gets compromised, your main holdings were never in the room. Our guide on Solana burner wallet setup walks through this.
Keep your serious funds separate and cold. The wallet holding the bulk of your assets should rarely, if ever, connect to a dapp at all. The fewer signatures it gives, the fewer chances anything has to go wrong. Choosing the right setup is covered in best Solana wallets 2026.
Never sign blind. Read what a transaction actually does before approving. If a wallet or simulation tool shows that a "mint" or "claim" is really trying to transfer your tokens or hand over an authority, stop. Most drains end at the signature screen if you are paying attention.
Protect the master key. No amount of approval hygiene matters if your seed phrase leaks, because that exposes everything at once with no revoke that can help. If you are unclear on why, read what a seed phrase is.
How MoonHydra fits
MoonHydra is a non-custodial Solana trading bot that runs in Telegram. It is worth being precise about where it sits in all of this, because approval hygiene is fundamentally about the wallets you connect to dapps, and a non-custodial bot changes that picture.
MoonHydra generates a wallet for you and encrypts the key with AES-256-GCM. It is non-custodial, so you hold your keys and can withdraw at any time. It executes trades by routing through Jupiter and runs no custom smart contracts of its own, which means there is no MoonHydra contract sitting in your approvals list to manage. You pay a flat 1% per trade on both buys and sells, with no subscription.
The practical takeaway is the same advice this whole post makes: separate your funds by risk. Use a dedicated trading wallet for active, fast-moving memecoin trading, and keep your long-term holdings in a wallet that you never connect to risky sites. A bot wallet you fund deliberately, and that you can drain back to cold storage whenever you like, limits how much is ever exposed, which is exactly what good approval hygiene is trying to achieve in the first place.
Bottom line
Token approvals on Solana are smaller in scope than Ethereum's, but they are not nothing. A standing delegate to a program that later turns malicious is a real drain path, stale dapp connections are a phishing launchpad, and forgotten token accounts are clutter that hides the dangerous ones. The fix is a short, regular routine: revoke delegates you do not recognize, disconnect dapps you no longer use, and close empty accounts. The bigger lever is structural. Keep risky activity in a burner, keep serious money cold, and never sign a transaction you have not read. Approval hygiene plugs one hole; not signing blind plugs the rest.
Next: learn the attacks this protects against in Solana wallet drainer scams, set up a low-exposure wallet with Solana burner wallet setup, and run through the full Solana trading bot security checklist. Ready to trade with a separate, non-custodial wallet? Start at t.me/moonhydrabot.
Ready to put this into practice?
MoonHydra is a multi-wallet Solana memecoin trading bot on Telegram. 1% per trade. AES-256-GCM encrypted. Non-custodial.
Open MoonHydra