I found out the hard way that a food delivery app I deleted two years ago still had full read access to my Google Contacts. I only noticed after a friend’s Instagram got hijacked through an old quiz app she’d forgotten about. If you want to revoke third-party app access to your Google account and your social accounts, it takes about five minutes and no technical skill beyond clicking the right menu.
Most people sign up for a new app with “Continue with Google” and never think about it again. The real risk isn’t the app you use today — it’s every app you stopped using but never disconnected, because each one still holds a live key to your account.
Quick Answer
To revoke third-party app access, open your Google Account’s Security page and remove apps under “Third-party apps with account access.” On Facebook, Instagram, or Microsoft, go to Settings, find Apps and Websites (or Connected Experiences), and remove anything you don’t recognize or no longer use.
What Is Third-Party App Access, and Why Does It Matter?
Third-party app access is the permission you grant when you use “Sign in with Google” or “Continue with Facebook” instead of creating a new password. The app asks your account to vouch for you, and in exchange you hand it a scope of data: your email, contacts, calendar, or even the ability to post on your behalf.
That connection doesn’t expire when you stop using the app. I’ve found abandoned quiz apps, old resume builders, and a defunct budgeting tool still listed as “active” on my own accounts, each one a standing door into my inbox or photos. A stale connection is riskier than a stale password, because you can’t rotate it out of habit — you have to remove it yourself. It’s the same blind spot I cover in my 10-minute Google Security Checkup.
Every app you connected and forgot about is a live credential nobody is watching but you.
How Do I Revoke Third-Party App Access on Google?
Step 1: Open Your Google Account Security Page
Go to myaccount.google.com/permissions while signed in, or navigate manually: Google Account > Security > “Third-party apps with account access.”
Step 2: Review Each Connected App
You’ll see every app with access, plus a short description of what it can see or do. Tap any entry to expand the exact permissions — some only read your email address, others can read your Drive files or send email as you.
Step 3: Remove Access You Don’t Recognize or Need
Select the app, click “Delete all connections,” and confirm. This immediately revokes the app’s OAuth token, so it can no longer pull data from your account even if you never open it again.
Pro tip: Sort by permission scope, not app name. An app you use weekly but that only reads your basic profile is lower risk than a forgotten app with access to Gmail or Drive.
Google’s own permissions page is the single fastest place to see and cut every third-party connection at once.
How Do I Revoke Connected Apps on Facebook, Instagram, Microsoft, and Apple?
Facebook and Instagram
On Facebook, go to Settings & Privacy > Settings > Apps and Websites. On Instagram, go to Settings > Security > Apps and Websites. Both list active sessions; tap “Remove” on anything you no longer trust. I cover the rest of that lockdown in my social media privacy checkup.
Microsoft Account
Visit account.microsoft.com, sign in, and open Privacy > App access. Microsoft groups apps by what they can access, so you can spot over-permissioned apps quickly.
Apple ID
On an iPhone, open Settings > [your name] > Sign in with Apple. This shows every app using Sign in with Apple and lets you stop sharing your relay email or full identity with a tap.
| Account | Where to Check | What You Can Revoke |
|---|---|---|
| myaccount.google.com/permissions | OAuth tokens, Drive/Gmail/Contacts scopes | |
| Facebook/Instagram | Settings > Apps and Websites | Login sessions, posting permissions |
| Microsoft | account.microsoft.com > Privacy | Profile, email, and file access |
| Apple ID | Settings > Sign in with Apple | Relay email, shared identity data |
Troubleshooting tip: If an app you still use suddenly logs you out after you revoke it, that’s expected — reconnect it deliberately and check the permission list it requests this time before approving.
Every major platform hides its connected-apps list under Settings, and clearing it takes the same three steps everywhere: find, review, remove.
Common Mistakes to Avoid
- Assuming deleting the app deletes the connection. Uninstalling from your phone does nothing to the OAuth token on Google’s or Facebook’s servers — you must revoke it separately.
- Only checking Google and skipping social accounts. I’ve seen more abuse through forgotten Instagram quiz apps than through Google itself; check every account you use to sign in elsewhere.
- Revoking access without checking what breaks. If a smart-home or fitness app relies on that connection, removing it may stop syncing until you reconnect. On Android, this overlaps with the tracking permissions in my Android privacy settings guide.
- Ignoring the permission scope shown before you connect a new app. If a simple game asks for contacts and calendar access, that’s a red flag worth declining at signup, not cleaning up later.
- Doing this once and forgetting it. New connections pile up every time you sign up for something with an existing account, so treat this as a recurring check, not a one-time fix.
Most mistakes here come from treating app access as a one-time setup step instead of an ongoing habit.
Frequently Asked Questions
Does revoking third-party access delete my data from that app?
No, it only cuts off future access; any data already copied to the app’s own servers stays there. When I revoked access for an old resume tool, I still had to email support separately to delete my stored resume.
Will revoking access log me out of the app immediately?
Usually yes, the next time the app tries to refresh its connection. I’ve had apps stay logged in for a session before finally prompting me to sign in again.
Is it safe to remove an app I don’t recognize?
Yes — if you don’t recognize the name, you aren’t using it, and removing it carries no downside beyond reconnecting if you were wrong. I remove anything I can’t place within five seconds.
How often should I check my connected apps?
Every three to six months, or right after a major password reset or a friend’s account gets compromised. That second trigger is what got me checking mine in the first place. If you haven’t already, pair this with switching to a passkey so the accounts you’re protecting are harder to phish in the first place.
Can a revoked app still send me spam email?
If it already has your email address stored, revoking access won’t stop emails sent to that address — unsubscribe or block the sender separately.
Conclusion
Revoking third-party app access closes doors you forgot were ever open, and it takes less time than reading this article. Open your Google permissions page now, remove anything you don’t recognize, then do the same on Facebook, Instagram, Microsoft, or Apple before you close the tab.