OAuth Token audit log

The OAuth Token audit log records every time a third-party mobile or web application is authorized to access Google account data (such as Contacts, Calendar, and Drive files) for users in your organization.

For example, when a user starts a Google Marketplace app you've installed in your domain, the Token log records the name of the app, the person using it, and the scope of data access requested by the app. This lets you track which users are using which apps, and when.

To access the OAuth Token audit log, sign in to your Admin console and click Reports > Audit > Token. The page displays the following information:

  • Event Description—A summary of the event, such as "Super Admin David authorized access to Google Chrome for https://www.google.com/accounts/OAuthLogin scopes"
  • Event Name—The action performed: Authorize or Revoke.
  • Application Name—The application for which access was authorized or revoked.
  • Scope—Scopes to which access was authorized or revoked.
  • Date—The date the event occurred (displayed in your domain's default timezone).

Use the Filters section to configure the page to only display data that meets certain criteria. For example, filter by application name or user name to see activity just for that app or user.

You can also use the Filters section to create and configure a custom alert. Custom alerts do not use the Date Range. Choose an event name from the drop-down list and your other filters, then click the SET ALERT button. In the Set alert: window you can add a custom alert name, check the Super Administrator(s) box, or add additional recipient user emails. After you configure your custom alert click the SAVE button. To edit your custom alerts, refer to Account activity alerts.

Filter log entries

You can filter log entries by various criteria, say, to find all revoked tokens, authorized tokens for a particular application, or tokens authorized by specific users. At the top of the OAuth token audit log, click the Filters icon (next to the Select columns icon). Then filter by any of the following criteria:

  • Event name—The action the user performed, such as Authorize or Revoke.
  • User name—The ldap of the user for whom access was authorized or revoked.
  • Application name—The application for which access was authorized or revoked.
  • Client id—The OAuth client id of the application for which access was authorized or revoked.
  • Scope—Scopes to which access was authorized or revoked.
  • IP address—The IP address of the user for whom access was authorized or revoked.
  • Date and time range—A start and end date and time for listing events.

Note the following:

  • If you don't see the Filters section, click filter.
  • Each entry in the log is associated with a single event.
  • To change the columns the log displays, click column picker. The page remembers the columns you choose and shows the same ones the next time you sign in.
  • The log shows data delayed by a few hours and keeps data from up to six months ago.


Name of Log or Report Retention Time
Audit Log 6 months
Calendar audit log 6 months
OAuth Token audit log 6 months
Drive audit log (Google Apps Unlimited) 6 months
Account activity reports 6 months
Security reports 6 months
Groups audit log 6 months
API audit data 6 months
API reporting data 15 months

For other audit logs and reports not mentioned above the retention time should be 6 months.

Was this article helpful?
Sign in to your account

Get account-specific help by signing in with your Apps for Work account email address, or learn how to get started with Apps for Work.