How to

Configure security and authentication

How authorized access works

When your users install an app from the Google Apps Marketplace, a page comes up asking them to agree to the terms of service of the application and to grant the application access to their Google Apps data, like Google Calendar events and contacts. When the user grants access, it's recorded through a 3-legged OAuth access token. For more details, see the diagram on how 3-legged OAuth works with Google Apps.

Once a 3-legged OAuth token is revoked for an application (for a particular user), the application cannot access that user's information until the user reinstalls the application and reauthorizes a 3-legged OAuth token for it. The Security tab lets you see all active 3-legged OAuth tokens for a given user and a given application. Tokens are listed and revoked per user, per application.

What's the difference between 2-legged OAuth and 3-legged OAuth?

Traditionally with Google Apps, 2-legged OAuth is for administrator-managed applications: an administrator grants an application like TripIt access to Google Apps data for ALL users in their domain. Data commonly requested includes Groups Provisioning, User Provisioning, Calendar, and Contacts.

3-legged OAuth usually refers to user-managed applications, where a user in a domain can download individual apps from the Google Apps Marketplace and install them with their Google Apps account. However, the Security tab now gives the administrator additional control over the domain: you can see which third-party applications your users have granted access to their Google Apps data, and you can revoke 3-legged OAuth tokens.

For more information, see the diagrams on 2-legged OAuth and 3-legged OAuth.