diff --git a/packages/server/src/api/controllers/user.ts b/packages/server/src/api/controllers/user.ts
index df64ffc7d0..f37af55ee0 100644
--- a/packages/server/src/api/controllers/user.ts
+++ b/packages/server/src/api/controllers/user.ts
@@ -173,3 +173,35 @@ export async function getFlags(ctx: BBContext) {
   }
   ctx.body = doc
 }
+
+export async function removeUserFromApp(ctx: BBContext) {
+  const { id: userId, prodAppId } = ctx.params
+
+  const devAppId = dbCore.getDevelopmentAppID(prodAppId)
+  for (let appId of [prodAppId, devAppId]) {
+    if (!(await dbCore.dbExists(appId))) {
+      continue
+    }
+    await context.doInAppContext(appId, async () => {
+      const db = context.getAppDB()
+      const metadataId = generateUserMetadataID(userId)
+      let metadata
+      try {
+        metadata = await db.get(metadataId)
+      } catch (err) {
+        return
+      }
+
+      let combined = {
+        ...metadata,
+        status: constants.UserStatus.INACTIVE,
+        metadata: rolesCore.BUILTIN_ROLE_IDS.PUBLIC,
+      }
+
+      await db.put(combined)
+    })
+  }
+  ctx.body = {
+    message: `User ${userId} deleted from ${prodAppId} and ${"devapp"}.`,
+  }
+}
diff --git a/packages/server/src/api/routes/user.ts b/packages/server/src/api/routes/user.ts
index 14deb111e6..556954fd77 100644
--- a/packages/server/src/api/routes/user.ts
+++ b/packages/server/src/api/routes/user.ts
@@ -47,5 +47,10 @@ router
     authorized(PermissionType.USER, PermissionLevel.READ),
     controller.getFlags
   )
+  .delete(
+    "/api/users/metadata/:id/app/:prodAppId",
+    authorized(PermissionType.USER, PermissionLevel.WRITE),
+    controller.removeUserFromApp
+  )
 
 export default router