I'd like to let users disconnect their Twitter credentials - aka revoke application access - from my application. When they look at their user profiles, and they see "your account is currently linked to your twitter profile @abc", I'd like to allow them to remove that connection.

It's possible on Foursquare and some other applications. Any ideas what the proper API call is for this?

+1  A: 

Depending on your application, you might be able to use account/end_session.

Or, simply delete the user's saved key and secret from your application's datastore (this is how my desktop Twitter application handles removing user accounts).

When an application says it's linked to a user's Twitter profile, the application most likely confirms this via account/verify_credentials.


Twitter does not control which applications a user has given their credentials to. Perhaps Twitter could block access from a user/application if abuse occurred, but this isn't really the case.

When a user first authenticates with an application, the application can save the retrieved key and secret from the initial OAuth authentication process to its own datastore. Then, when the application makes a request on the user's behalf, it sends along their saved key and secret.

These values (key and secret) should be saved in the application's own datastore; this is not "saved" on Twitter anywhere.

To revoke application access, merely removing the user's stored key and secret from your application's datastore will mean your application can no longer send requests to Twitter as that user; the user would have to reauthenticate first.

Chris
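
A sketch of the "delete the saved key and secret" approach from the answer above, added here as an example and not taken from the answerer's application. The `TokenStore` class, the `twitter_link` table and the in-process cache are assumptions; the point is that a disconnect has to clear every copy the application holds (database row and cache), after which any request for that user fails until they reauthenticate.

```python
import sqlite3


class NotLinkedError(Exception):
    """No stored Twitter credentials: the user must reauthenticate."""


class TokenStore:
    """Hypothetical per-user store for the OAuth key and secret."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        # Overwrite deleted rows with zeros instead of leaving them in free pages.
        self.db.execute("PRAGMA secure_delete = ON")
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS twitter_link ("
            "user_id INTEGER PRIMARY KEY, screen_name TEXT NOT NULL, "
            "oauth_key TEXT NOT NULL, oauth_secret TEXT NOT NULL)"
        )
        self._cache = {}  # user_id -> (key, secret), avoids a query per request

    def link(self, user_id, screen_name, key, secret):
        with self.db:
            self.db.execute(
                "INSERT OR REPLACE INTO twitter_link VALUES (?, ?, ?, ?)",
                (user_id, screen_name, key, secret),
            )
        self._cache[user_id] = (key, secret)

    def credentials(self, user_id):
        """Return (key, secret) for signing a request, or raise NotLinkedError."""
        if user_id not in self._cache:
            row = self.db.execute(
                "SELECT oauth_key, oauth_secret FROM twitter_link WHERE user_id = ?",
                (user_id,),
            ).fetchone()
            if row is None:
                raise NotLinkedError(user_id)
            self._cache[user_id] = row
        return self._cache[user_id]

    def disconnect(self, user_id):
        """Remove the key and secret everywhere this process holds them."""
        self._cache.pop(user_id, None)  # clearing only the DB row would leave this usable
        with self.db:
            cur = self.db.execute(
                "DELETE FROM twitter_link WHERE user_id = ?", (user_id,))
        return cur.rowcount == 1  # False if the user was not linked
```

Copies outside this process (backups, logs, other caches) are not touched by `disconnect` and need their own cleanup.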
