How to Revoke AI Client Access to CrossTrade MCP

Revoking an authorized AI client cuts its access immediately. The next tool call from that client returns 401. This tutorial covers the revocation flow and the situations that justify it.

Direct answer

  1. Open the CrossTrade AI Clients page.
  2. Find the client.
  3. Click Revoke.
  4. Confirm.

The client's token is invalidated immediately. Any future MCP request from that client returns 401 until the user reauthorizes.

When to revoke

  • The client device is lost.
  • You no longer use that AI client.
  • A token may have been exposed (in a terminal screenshot, in a log line, or copied and pasted to a teammate).
  • You want to downgrade an agent from mcp:trade to mcp:read. Revoke and reauthorize at the new scope.
  • A funded account session has ended and you do not want any future request to reach the account.
  • You are switching machines.

Prerequisites

  • A CrossTrade account with at least one authorized AI client.

Step 1: Open the AI Clients page

Navigate to the AI Clients page. You will see a list of authorized clients with:

  • The client display name
  • The scope (mcp:read or mcp:trade)
  • Last activity
  • Created date
  • A Revoke button

Step 2: Identify the client

If you have multiple clients (for example, Claude Desktop on a laptop and Claude Code on a server), pick the one you want to revoke. The display name comes from what the client told CrossTrade during registration.

Step 3: Click Revoke

A confirmation prompt appears. Confirm.

Step 4: Verify the revocation

In the client, try a tool call:

Call GetMcpCapabilities.

Expected: a 401 error. The token is gone.

Step 5: Decide whether to reauthorize

If you revoked to upgrade or downgrade scope, reauthorize in the client. The client opens a new browser tab for OAuth consent. Choose the new scope and click Allow.

If you revoked because the device was lost or the token may have been exposed, do not reauthorize until you have addressed the underlying issue.

What revocation does not do

  • It does not remove any data the agent has already retrieved or stored locally.
  • It does not roll back trades already placed.
  • It does not log out of CrossTrade in any browser; only the MCP token is invalidated.

Refresh tokens

If the client uses a refresh token, revocation invalidates that too. The client must complete a full OAuth flow again to get new tokens.

Programmatic revocation

For automated revocation, CrossTrade's OAuth server exposes an RFC 7009 token revocation endpoint at /v1/oauth/mcp/revoke. This is mostly useful for developer scripts; normal users use the AI Clients page.
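A sketch of such a developer script, added here as an example and not CrossTrade's own code: it builds the RFC 7009 revocation POST, classifies the response, and keeps the token out of log output. The host name, the client_id parameter, and all function names are assumptions; only the path comes from this page.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: placeholder host. Only the path /v1/oauth/mcp/revoke is from the page.
REVOKE_URL = "https://crosstrade.example/v1/oauth/mcp/revoke"

def build_revocation_request(token, token_type_hint="access_token", client_id=None):
    """Build the form-encoded POST from RFC 7009 section 2.1."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    fields = {"token": token, "token_type_hint": token_type_hint}
    if client_id is not None:  # assumption: public client identified by client_id
        fields["client_id"] = client_id
    return urllib.request.Request(
        REVOKE_URL,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def redact(token):
    """Log-safe form of a token: last four characters only."""
    return "***" + token[-4:] if len(token) > 8 else "***"

def interpret_response(status, body=b""):
    """Classify a revocation response per RFC 7009 section 2.2."""
    if status == 200:
        return "revoked"  # also returned for unknown or already-revoked tokens
    if status == 503:
        return "retry"  # not processed; the token may still be live
    try:
        error = json.loads(body or b"{}").get("error", "unknown")
    except (ValueError, AttributeError):
        error = "unknown"
    return "failed:%s (HTTP %d)" % (error, status)

def send(request, timeout=10):
    """Send the request; urllib raises HTTPError for 4xx/5xx, so map both paths."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read())

if __name__ == "__main__":
    demo = "tok_constructed_abcd1234"  # constructed sample value, not a real token
    req = build_revocation_request(demo, "refresh_token", client_id="demo-client")
    print(req.get_method(), req.full_url, "token=" + redact(demo))
    print(interpret_response(400, b'{"error": "unsupported_token_type"}'))
```

Because RFC 7009 returns 200 even for a token the server does not recognize, a "revoked" result should still be confirmed with the 401 check from Step 4.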

FAQ

Will revoking break the client?

The client will get 401 on the next call. Reauthorization restores it. Some clients prompt for reauthorization automatically; others require you to remove and re-add the MCP server.

Can I revoke a specific scope only?

No. Revoke the token and reauthorize at the new scope.

What if I see a client I do not recognize?

Revoke it. If you want to investigate, capture the display name, scope, and created date before revoking, then contact CrossTrade support.