← Decline Codes
Hard Decline

Stripe Decline Code · Glossary

revocation_of_all_authorizations

revocation_of_all_authorizations is the nuclear version of revocation_of_authorization — the cardholder has instructed their bank to revoke every active payment authorization associated with their card, not just the one with your merchant.

Non-recoverable·20–35%·Updated May 2026

What It Means

What revocation_of_all_authorizations actually means.

revocation_of_all_authorizations is the nuclear version of revocation_of_authorization — the cardholder has instructed their bank to revoke every active payment authorization associated with their card, not just the one with your merchant. This is a sweeping, account-level action that simultaneously cancels recurring billing permissions for every merchant that card is connected to — meaning your subscription isn't uniquely targeted, but it is absolutely stopped, and the customer's bank has classified this card as having zero active merchant authorizations going forward.

Not sure if this code is recoverable for your specific situation? Use the Stripe Failure Lookup →

Why It Happens

The root causes.

  • 1Card reported as compromisedfull authorization wipe — When a cardholder suspects their card has been used fraudulently across multiple merchants, the bank performs a full authorization revocation sweep — cancelling all standing merchant permissions in one action to neutralize any unauthorized recurring charges across the board
  • 2Customer closing or switching accountsThe cardholder is closing the card account or switching banks — a full authorization revocation is standard procedure during account closure to prevent charges from hitting a dead account after closure
  • 3Mass cancellation of all subscriptions via bankSome modern banking apps (Revolut, Monzo, Chase, N26) offer a one-tap "cancel all recurring payments" feature — customers discovering forgotten subscriptions or cleaning up their spending use this feature, which triggers revocation_of_all_authorizations at every merchant simultaneously
  • 4Bank-initiated fraud protection sweepThe issuing bank detected suspicious activity on the card and proactively revoked all authorizations as a protective measure before the customer even takes action — common after data breach notifications or dark web card data detection
  • 5Regulatory compliance actionIn certain regulated markets, banks are required to perform full authorization revocation when an account enters a specific compliance or dispute resolution state — not a customer choice, but a bank-initiated regulatory action

What NOT to Do

Common mistakes that make it worse.

Never retry — not once, not ever

revocation_of_all_authorizations means the bank has voided every permission on this card. A retry attempt is not just futile — it is an unauthorized transaction attempt against a card that has had all merchant permissions explicitly wiped. The legal and chargeback exposure here is identical to retrying after revocation_of_authorization, but compounded by the fact that the bank has taken a formal account-level protective action.

Don't treat it identically to revocation_of_authorization

The critical operational difference: revocation_of_authorization targets your merchant specifically — meaning the customer had a reason related to your subscription. revocation_of_all_authorizations is a card-wide sweep — meaning the customer may have no grievance with you specifically, making win-back and recovery significantly more achievable if you move quickly and frame your outreach correctly.

Don't delay outreach waiting for the customer to contact you

Unlike codes where customers are aware they've acted against your merchant specifically, revocation_of_all_authorizations customers may not immediately realize your subscription was affected — especially if the revocation was bank-initiated (fraud protection) or triggered via a bulk "cancel all" feature. Fast, neutral outreach gets ahead of this before the customer churns passively.

Retry Timing

Optimal retry schedule.

Zero retries. The response is entirely a new payment method capture sequence — the old card is permanently unusable for any merchant authorization.

Recovery Benchmark

What good looks like.

MetricResult
Overall recovery rate20–35%
Recovery from bank-initiated sweep (fraud/compliance)40–55% — customer still wants the subscription
Recovery from customer-initiated bulk cancel10–20% — partial intent to cancel
Recovery from account closure3–8% — card is gone permanently
Recovery via alternate payment method offer+15–20% lift
Recovery with immediate, neutral Day 0 outreach+20–25% vs. delayed outreach

A 30–35% overall recovery rate is the realistic ceiling — and timing is the primary lever. revocation_of_all_authorizations has a narrow recovery window: customers who receive fast, neutral, no-blame outreach within 2 hours convert at 2–3x the rate of those contacted 24+ hours later. The bank-initiated fraud sweep subset especially — these customers actively want to continue their subscription once their card situation resolves.

At Scale

How to handle it at scale.

Automated

  • Webhook trigger: invoice.payment_failed → check failure_code === 'revocation_of_all_authorizations' → immediately execute: (1) cancel all future scheduled charges on this card, (2) tag as full_revocation segment — separate workflow from revocation_of_authorization
  • Absolute no-retry lock: Same as revocation_of_authorization — hardest no-retry blocklist, no override
  • Email Day 0 — neutral framing within 60 minutes: Subject: "Your card's billing permissions were reset — here's how to keep your [Product] subscription" — body explains the card needs to be re-added, shows last 4 digits, provides direct link to payment method update page with non-card options prominent
  • New card authorization flow: Because the existing card is permanently unusable, your payment update page must require a full re-authorization — not just a CVC re-entry or expiry update. Build this as a fresh card addition flow, not a card update flow
  • Parallel alternate method prompt — Day 0: Unlike most codes where alternate methods come on Day 5+, revocation_of_all_authorizations warrants immediate alternate method presentation — the card is gone and a replacement may not have arrived yet; PayPal or bank transfer captures the "want to stay but card isn't ready" segment
  • Bank-initiated vs. customer-initiated classification: Use account age, prior successful payments, and support ticket history to estimate intent — bank-initiated revocations on long-tenure accounts get a warmer, more personalized email sequence; bulk-cancel revocations on short-tenure accounts get a simpler, faster offboarding-or-stay decision prompt

Manual Escalation

  • High-ACV long-tenure accounts: Personal outreach within 2 hours — a direct founder or CSM message: "Hi [name], looks like your card's billing permissions were reset — possibly due to a bank security update. Wanted to reach out personally so you don't lose access. Can we get you set up on a new payment method quickly?" — this framing works because it's accurate, empathetic, and non-accusatory
  • Account closure sub-type (card closed permanently): Skip payment recovery entirely — focus on win-back via email: acknowledge the change, offer a pause option or a discount code for when they're ready to return, and end the relationship cleanly to maximize re-subscription probability at 30–60 days
  • Cluster of revocation_of_all_authorizations from same BIN/cohort: If multiple customers trigger this code within a short window from the same card issuer, it likely signals a bank-side security event — a BIN-level fraud sweep; escalate to your team to monitor for related chargebacks and prepare a batch outreach campaign for the affected cohort
  • Win-back sequence — 30 days: For bank-initiated revocations where recovery wasn't achieved in the immediate window, a 30-day win-back email offering a discounted first month on a new payment method recovers 15–20% of the recoverable subset

FAQs

Frequently asked questions.

What does the Stripe revocation_of_all_authorizations decline code mean?

revocation_of_all_authorizations means the cardholder's bank has revoked every active payment authorization on the card — not just yours. This is a card-wide sweep that cancels all standing merchant recurring billing permissions simultaneously. It can be triggered by the customer closing their account, using a bulk cancel feature in their banking app, or by the bank itself as a fraud protection measure.

What are the most common causes of a revocation_of_all_authorizations in Stripe?

Common causes include the bank performing a full authorization sweep after detecting card compromise, the customer closing or switching their card account, the customer using a bulk cancel all subscriptions feature in modern banking apps, a bank-initiated fraud protection sweep, or a bank compliance action placing the account in a state that voids all standing authorizations.

How is revocation_of_all_authorizations different from revocation_of_authorization?

revocation_of_authorization specifically targets your merchant — the customer had a reason related to your subscription. revocation_of_all_authorizations is a card-wide sweep that cancels all merchant authorizations simultaneously — the customer may have no specific grievance with you. This makes recovery more achievable for revocation_of_all_authorizations, particularly when the sweep was bank-initiated rather than customer-initiated.

Should I retry a payment after a revocation_of_all_authorizations decline?

Never. All payment permissions on this card have been voided. Retrying constitutes an unauthorized transaction attempt and creates direct chargeback exposure. Cancel all future scheduled charges on the card immediately and focus entirely on capturing a new payment method — new card, PayPal, bank transfer, or a local payment option — through fast, neutral outreach.

What is the recovery rate for Stripe revocation_of_all_authorizations failures?

Overall recovery rates are 20–35%. For bank-initiated fraud or compliance sweeps where the customer still wants the subscription, recovery rates of 40–55% are achievable with fast, neutral outreach within 2 hours. Customer-initiated bulk cancellations recover at 10–20%. Account closure cases have minimal recovery potential at 3–8%. Timing is the primary lever — outreach within 2 hours outperforms 24-hour-delayed contact by 2–3x.

Before you retry

Most revocation_of_all_authorizations failures are retried on the wrong schedule — which recovers the payment about 30% of the time. The other 70% leaves permanently. See what this code is actually costing at your MRR before deciding how to handle it.

See what revocation_of_all_authorizations costs me →

Stop leaving revenue on the table

revocation_of_all_authorizations can't be retried — but it can be caught earlier.

Recurflux handles code-specific retry scheduling, adaptive dunning, and dispute intelligence across all 30 Stripe decline codes. Connect in under 5 minutes.