As your organization's administrator, you can use the OAuth Token audit log to track which users are using which third-party mobile or web applications in your domain. For example, when a user starts a G Suite Marketplace app, the log records the name of the app and the person using it.
The log also records each time a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (G Suite only).
Open the OAuth Token audit log
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Reports.
- On the left, under Audit, click Token.
-
(Optional) To customize what you review, on the right, click Manage columns
, select the columns that you want to see or hide, and click Save.
-
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The Admin console bases its OAuth Token audit logs on the following user data:
| Data Type | Description |
|---|---|
| Event name | Activity, Authorize, and Revoke events are logged.
|
| Event description | Summary of the event, such as "Super Admin David authorized access to Google Chrome for https://www.google.com/accounts/OAuthLogin scopes". |
| User | User for whom access was authorized or revoked. |
| Application name | Application for which access was authorized or revoked. |
| Client ID | OAuth client ID of the application for which access was authorized or revoked. |
| Scope | Scopes to which access was authorized or revoked. |
| Date | Date and time the event occurred (displayed in your browser's default time zone). |
| IP address | Internet Protocol (IP) address of the user for whom access was authorized or revoked. This might reflect their physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address. |
When and how long is data available?
Go to Data retention and lag times.
