Superkabe LogoSuperkabe

Disconnecting Integrations

How to revoke API keys, disconnect clients, remove mailboxes, and delete your account

Every integration in Superkabe can be disconnected at any time. This page walks through every disconnect path — from the smallest (revoking a single API key) to the largest (full account deletion under GDPR right-to-erasure) — with the exact UI location, what happens server-side, and the user-visible behavior of any in-flight work. Sections are ordered from least destructive to most destructive.

Quick Reference

API key — Dashboard → API & MCP → API Keys tab
Claude / OAuth-MCP — Dashboard → Integrations → Claude
Mailbox — Dashboard → Sequencer → Accounts
Slack — Dashboard → Integrations → Slack
Migration keys — Dashboard → Migration → from-Smartlead / from-Instantly
Webhook endpoint — Dashboard → Integrations → Webhooks
Team member — Dashboard → Settings → Team
Pause account — /pricing → cancel subscription
Delete account — Dashboard → Data Rights

1. Revoking a Superkabe API Key

Superkabe API keys are issued from the dashboard and used by your scripts, your MCP server processes, or any third-party automation hitting api.superkabe.com. Each key is stored as a SHA-256 hash — Superkabe never holds the plaintext after issuance, which means a revoked key cannot be restored. If you need to rotate a key, issue a new one before revoking the old one.

Where to revoke:

  1. 1. Open Dashboard → API & MCP
  2. 2. Switch to the API Keys tab
  3. 3. Click the trash icon next to the key you want to revoke
  4. 4. Confirm in the modal — revocation is immediate

What happens after revocation

  • Any in-flight HTTP request authenticated with the key returns 401 Unauthorized on the next call
  • Long-running processes that hold the key (e.g. an MCP server on your laptop) start failing — you'll need to issue a new key and update the process's environment
  • The key's usage history (call counts, last-seen timestamps) is preserved for audit purposes

Irreversible

Keys are stored as SHA-256 hashes. Once revoked, the original token cannot be reconstructed — even by Superkabe. Always issue and deploy the replacement key before revoking the old one.

2. Disconnecting Claude / OAuth-MCP Clients

When you connect Claude (or any OAuth-MCP client) to Superkabe, an OAuth grant is issued for that client and stored against your organization. Disconnecting revokes every access token and refresh token for the(org, client_id)pair atomically — there is no half-state where access is gone but refresh still works.

Where to disconnect:

  1. 1. Open Dashboard → Integrations
  2. 2. Find the Claude card and click Manage
  3. 3. Click Disconnect

Behind the scenes this calls POST /api/oauth/connections/revoke with the client_id, which sets revoked_at on every token row in that grant.

What happens to Claude

  • Claude.ai will receive a 401 on its next call to /mcp
  • The user is prompted by Claude to re-authorize Superkabe — the standard OAuth consent flow
  • Re-authorizing creates a fresh grant; the old grant remains in the audit log marked revoked

3. Disconnecting a Gmail / Microsoft / SMTP Mailbox

Disconnecting a mailbox removes the OAuth token (Gmail and Microsoft 365) or the encrypted SMTP credentials from the database. The mailbox is detached from any campaigns it was attached to, and the routing engine stops considering it for new sends.

Where to disconnect:

  1. 1. Open Dashboard → Sequencer → Accounts
  2. 2. Click the mailbox you want to remove
  3. 3. Click Disconnect

What happens to active campaigns

  • If the campaign has other mailboxes attached: ESP-aware routing simply skips the disconnected mailbox and dispatches through the remaining ones. Sends that were already in-flight on the disconnected mailbox finish their batch before it stops accepting new work.
  • If the disconnected mailbox was the only one in a campaign: the campaign auto-pauses with reason no available mailboxes and an alert is sent to the operator's Slack channel.

Reconnecting later

Reconnecting a previously-disconnected mailbox is a fresh OAuth flow (Gmail/Microsoft) or a brand-new set of SMTP credentials. There is no resumption of the old session — health history, warmup state, and mailbox identity are reset from the moment the new connection is made.

4. Disconnecting Slack

Slack is used to broadcast every significant infrastructure event — auto-pauses, healings, threshold breaches, campaign pauses. Disconnecting it removes the encrypted bot token and clears theSLACK_CONNECTEDorganization setting.

Where to disconnect:

  1. 1. Open Dashboard → Integrations
  2. 2. Find the Slack card and click Manage
  3. 3. Click Disconnect Slack

What happens to alerts

  • Future alerts have no Slack channel to fire into
  • Superkabe falls back to in-app notifications (visible in the dashboard nav)
  • If Resend is configured for your org, alerts are also delivered by email
  • Alert history continues to be recorded in the audit log regardless

5. Revoking Smartlead / Instantly Migration Keys

Migration keys are short-lived credentials you paste into Superkabe to import campaigns and mailbox metadata from Smartlead or Instantly. They are auto-discarded 24 hours after the last activity, but you can also clear them manually at any time.

Where to manually discard:

  • Dashboard → Migration → from-Smartlead → click Discard API key now
  • Dashboard → Migration → from-Instantly → click Discard API key now

After discard, the migration wizard reverts to the empty state. To run another import, paste a fresh key — the previous import's record (what was imported, when) is preserved in the migration log.

6. Revoking a Webhook Endpoint

Webhook endpoints receive event payloads from Superkabe — campaign events, lead state changes, mailbox health transitions. Deleting an endpoint stops Superkabe from sending events to that URL immediately.

Where to delete:

  1. 1. Open Dashboard → Integrations → Webhooks
  2. 2. Click the endpoint you want to remove
  3. 3. Click Delete

What happens after deletion

  • No new events are dispatched to the endpoint URL
  • Pending retries (queued for previously-failed deliveries) are cancelled
  • Past delivery records remain available in the audit log for 30 days for forensic review
  • Events themselves still occur and are persisted internally — only the outbound HTTP delivery is stopped

7. Revoking Team-Member Access

Org admins can remove team members from the team settings page. Removal is immediate and effective across every tab and device that member has open.

Where to revoke (admins only):

  1. 1. Open Dashboard → Settings → Team
  2. 2. Click Remove next to the member
  3. 3. Confirm — their JWT is invalidated immediately

API keys are separate

Removing a team member invalidates their session but does not revoke any Superkabe API keys they personally created. Those keys continue to work on behalf of the organization. If the departing member had API keys, an admin must revoke each one separately on the API & MCP page (see Section 1).

8. Pausing the Entire Account (No Deletion)

If you want to stop sending without losing your data, cancel your subscription. Going to a trial-expiredor canceled subscription state pauses sending across every campaign in the organization, but every row — campaigns, sequences, leads, mailbox connections, audit logs — stays in place.

Where to cancel:

  1. 1. Open /pricing
  2. 2. Click Cancel subscription on your current plan

Resubscribing at any later date resumes sending from the same state. Mailbox tokens may need to be re-authorized if the provider rotated them during the pause window, but the rest of your configuration is restored as-is.

9. Full Account Deletion (GDPR Right to Erasure)

For a complete erasure of your data, Superkabe provides a GDPR-compliant deletion flow. Before triggering deletion, you can export everything Superkabe holds about you via the same Data Rights page — this is a one-click JSON export covering organization, user, leads, campaigns, mailbox metadata, validation results, and a 30-day usage snapshot.

Where to delete:

  1. 1. (Recommended) Open Dashboard → Data Rights and click Export my data first
  2. 2. On the same page, click Delete my account
  3. 3. Confirm — a 30-day soft-delete window begins

The 30-day soft-delete window

  • Your account is immediately marked inaccessible — no logins, no API access, no incoming webhooks accepted
  • Data is retained but locked for 30 days
  • During this window, contact support to request restoration
  • After 30 days, a sweep worker performs the irreversible hard purge

What gets erased at hard purge

  • – Organization rows and user rows
  • – Every lead, lead-history record, and validation result
  • – Every campaign, sequence, and step
  • – Mailbox connection rows and OAuth/SMTP credentials
  • – Webhook endpoints, API keys, OAuth grants, audit logs tied to the org

Backups age out per the standard retention window (90 days). After the backup window passes, the data is no longer recoverable from any source.

Irreversible after 30 days

Once the soft-delete window closes and the sweep runs, no Superkabe operator can restore the data. If you have any uncertainty, export your data first and use account pause (Section 8) instead of deletion.

10. What Happens to In-Flight Operations

Across every disconnect path, Superkabe makes the same guarantees about ongoing work:

  • In-flight sends complete. When you disconnect a mailbox, the send-queue dispatcher allows the current batch to finish before the mailbox stops accepting new work — no half-sent messages, no orphaned SMTP transcripts.
  • Queued sends route around the disconnected resource. The ESP-aware router reads the live state of every mailbox; the moment one is disconnected, queued items are re-distributed across the remaining mailboxes that can carry them.
  • Webhooks for a deleted endpoint don't fire. Events still occur and are persisted in the internal event log, but the outbound HTTP attempt is suppressed and any queued retries are cancelled.
  • API calls return 401 instantly on a revoked key. There is no grace period — the revocation is checked against the SHA-256 hash on every authenticated request.
  • A removed team member is logged out everywhere. JWT invalidation is immediate; every browser tab they have open is bounced to the login screen on the next action.

Next Steps