An authorized peer/client's key is removed with AuthCurveRemove. The peer/client is still able to send data until the server is stopped and restarted. Shouldn't removing credentials have the effect of blocking the now-unauthorized peer/client immediately?

AuthCurveRemove only removes the ability to authenticate. If you want to remove the authorization as well, you need to close the socket.

Couldn't this be considered a problem? When I deauthorize a client, I'll have to disconnect (potentially dozens) of other clients just to ensure the deauthorized client can no longer send data.