OAuth Token audit log

Track 3rd-party application usage and data access requests

As your organization's administrator,  you can use the OAuth Token audit log to track which users are using which third-party mobile or web applications in your domain. For example, when a user starts a Google Marketplace app, the Token log records the name of the app, and the person using it. 

The log also records each time a third-party application is authorized to access Google account data, such as Contacts, Calendar, and Drive files (G Suite only).

Step 1: Open the OAuth Token audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click Token.
  4. (Optional) Next to the columns, click Manage columns Manage columns and select the columns that you want to see or hide.

Step 2: Understand Token audit log data

Data you can view

The Admin console bases its OAuth Token audit logs on the following user data:

Data Type Description
Event name Activity, Authorize, and Revoke events are logged.
  • Activity event descriptions include: 1) the name of the app making an API call, 2) the specific API method called, and 3) the user on whose behalf the call was made.
  • Authorize or Revoke event descriptions include: 1) user, 2) application granted access, and 3) API scope authorized.
Event description Summary of the event, such as "Super Admin David authorized access to Google Chrome for https://www.google.com/accounts/OAuthLogin scopes".
User Email address of the user for whom access was authorized or revoked.
Application name Application for which access was authorized or revoked.
Client ID OAuth client ID of the application for which access was authorized or revoked.
Scope Scopes to which access was authorized or revoked.
Date Date and time the event occurred (displayed in your browser's default time zone).
IP address Internet Protocol (IP) address of the user for whom access was authorized or revoked. This might reflect their physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when users authorized or revoked access by a specified application, or find all OAuth token authorization activity for a particular user.

  1. Open your OAuth Token audit log as shown above.
  2. Click Add a filter.
  3. Select and enter the criteria for your filter and if needed, click Apply.
  4. (Optional) To filter by organizational unit, at the top right, click Organization filter, select the organizational unit, and click Apply.
  5. (Optional) To specify a date range to search, click Date range and select a period from the list or enter a start and end date and time. If needed, click Apply.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your report as shown above.
  2. At the top, click Organization filter.
  3. Select an organizational unit and click Apply.

Filter by date

  1. Open your report as shown above.
  2. At the top, click Date range.
  3. Select a period from the list or enter a start and end date and time.
  4. If needed, click Apply.

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, click Manage columns Manage columns, select or remove the columns that you want to export, and click Save.
  3. Click Download Download.
  4. Under Select columns, click Currently selected columns or All columns.
  5. Under Select format, click Google Sheets or Comma-separated values (.csv).
  6. Click Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Audit logs to Sheets are limited to 10,000 rows, while CSV exports can include up to 500,000 rows.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can easily track specific OAuth token activities by setting up alerts. For example, get an alert whenever someone authorizes or revokes access by a specified application.

  1. Open your audit log as shown above.
  2. Click Add a filter.
  3. Enter or select the criteria for your filter and click Create Alert.
  4. Enter a name for the alert.
  5. (Optional) To send the alert to all super administrators, under Recipients, click Turn on Turn on.
  6. Enter the email addresses of alert recipients.
  7. Click Create.

To edit your custom alerts, see Administrator email alerts.

Was this helpful?
How can we improve it?