37 Continuous OAuth re-authorization sweeps
A scheduled sweep that snapshots every live OAuth grant in the tenant, diffs it against the approved-app register, sets the access decision in the console for anything unapproved so the grant cannot simply be re-issued, and then revokes it per user. It catches the app a user consented to last week and the malicious client an attacker authorised after a phish — neither of which shows up in any settings screen. The diff is routed to the security mailbox, so the sweep is continuous rather than a one-off.
Documentation: How authorized access works ↗ · OAuth log events ↗
Caveats
Setup steps
-
gam all users print tokens > tokens-$(date +%F).csv - open ↗

https://admin.google.com/ac/owl · captured 2026-07-15
comm -13 <(sort apps-register.csv) <(cut -d, -f<clientid-column> tokens-$(date +%F).csv | sort -u)
- open ↗

https://admin.google.com/ac/owl/list?tab=configuredApps · captured 2026-07-15
Security › Access and data control › API controls › Manage Third-Party App Access- App access
Blocked (or Limited to unrestricted Google services)
- open ↗

https://admin.google.com/ac/sc/investigation · captured 2026-07-15
gam user <user> delete token clientid <clientid> -
cron: daily or weekly; output diffed against apps-register.csv (optionally: git commit + scheduled Claude review of the diff)
Ongoing maintenance
- automatable: script Weekly: run the token snapshot and diff against the approved-app register.
- automatable: AI agent Weekly: review the diff for new grants with broad scopes or re-grants of blocked clients.
- requires a human Per finding: decide block/revoke and execute it.
How to verify
Check the newest sweep artifact is within the cadence and the diff was reviewed — then re-run the snapshot and confirm it matches.
gam all users print tokens > tokens-verify.csv && diff <(sort tokens-verify.csv) <(sort tokens-<last-date>.csv)
Further screens
Screen 1 of 1: Directory > Users > [user] > Security > Connected applications (per-user token review)
open ↗
v0.1.2Detect policy #29 · #19, #33 ↗