OAuth Token audit log

Track 3rd-party application usage and data access requests

As your organization's administrator,  you can use the OAuth Token audit log to track which users are using which third-party mobile or web applications in your domain. For example, when a user opens a Google Workspace Marketplace app, the log records the name of the app and the person using it. 

The log also records each time a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (Google Workspace only).

Forward log event data to the Google Cloud Platform

This feature is available with Cloud Identity Premium edition. Compare editions 

You can opt in to share the log event data with Google Cloud Platform. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.

Open the OAuth Token audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, click Auditand thenToken.
  4. (Optional) To customize what data you see, on the right, click Manage columns "". Select the columns that you want to see or hideand thenclick Save.

Data you can view

The Admin console bases its OAuth Token audit logs on the following user data:

Data Type Description
Event description Summary of the event, such as Super Admin David authorized access to Google Chrome for https://www.google.com/accounts/OAuthLogin scopes
Event name The name of the event that was logged. For example, Activity, Authorize, Revoke.
User User for whom access was authorized or revoked
Application name Application for which access was authorized or revoked
Client ID OAuth client ID of the application for which access was authorized or revoked
Scope Scopes to which access was authorized or revoked
Date Date and time the event occurred (displayed in your browser's default time zone)
IP address Internet Protocol (IP) address of the user for whom access was authorized or revoked. This might reflect their physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.

Event names

At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time the particular event occurred during the time range that you set. 

Name Description
Activity This feature is available with Cloud Identity Premium edition. Compare editions 

Each time an API call was made. Event descriptions include the name of the app making an API call, the specific API method called, and the user on whose behalf the call was made.
Authorize Each time an application was authorized. Descriptions include user, application granted access, and API scope authorized.
Revoke Each time an application's access was revoked. Descriptions include user, application name, and API scope authorized.

Related topics

Was this helpful?
How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
Search Help Center
false