How to find and remove risky third-party app access in Google, Apple, Microsoft, and Meta (OAuth audit checklist)


If you’ve ever tapped “Continue with Google” or “Log in with Facebook,” you’ve granted a third-party app a set of permissions, sometimes far more than you expected. That access can outlive a password change: OAuth grants are tied to tokens, not to your password, and an app with a long-lived refresh token keeps working quietly until you revoke it.

A good OAuth audit checklist isn’t about panic. It’s basic account upkeep, like checking which keys you’ve handed out, and taking back the ones you don’t recognize or no longer need.

Quick-start OAuth audit checklist (10 minutes)

Menu names can vary by device, app version, and browser. If you don’t see an option, try the alternate path listed in the platform section.

  1. Open your connected apps list for Google, Apple, Microsoft, and Meta (Facebook and Instagram).
  2. Sort mentally by trust: apps you still use and recognize vs. everything else.
  3. Check the publisher name and whether it matches the brand you expect (watch for lookalikes).
  4. Scan permissions for high-risk scopes: email, contacts, calendar, drive/files, Pages or ads, and “offline access.”
  5. Look for “last used” or “last accessed” dates. Revoke anything you have not used in 90 days, and revoke immediately if you don’t recognize it.
  6. Revoke first, troubleshoot later: if something breaks, you can re-connect with fewer permissions.
  7. For work or school accounts, confirm with your admin before removing business integrations (CRM, email archiving, SSO).
  8. After revocation, do cleanup: remove the app account at the vendor, delete stored data, and check mail forwarding and security logs.

Risk signals: what to check before hitting “Remove access”

OAuth abuse often looks “normal” because it uses real login screens and legit permissions prompts. The safest habit is to review access like you’d review bank autopay: not every month, but often enough that surprises don’t pile up.

Use this quick risk read when reviewing any connected app:

  • What you see: App asks for mailbox access (read, send, delete)
    Why it’s risky: Email access can expose invoices, password resets, and client messages
    What to do: Revoke unless it’s a known mail client or required tool
  • What you see: Drive/Files read-write or “all files”
    Why it’s risky: Enables bulk downloads and silent copying
    What to do: Keep only if essential, prefer read-only
  • What you see: Contacts or calendar access
    Why it’s risky: Expands the blast radius to your network and schedule
    What to do: Revoke if the app’s core purpose doesn’t need it
  • What you see: Pages, ads, or business assets access (Meta)
    Why it’s risky: Can publish posts, run ads, or change roles
    What to do: Treat as admin-level risk, remove quickly if unknown
  • What you see: “Offline access” or “maintain access”
    Why it’s risky: Refresh tokens can keep working even after you log out
    What to do: Remove unless you fully trust the vendor and need background sync
  • What you see: Publisher looks wrong or vague
    Why it’s risky: Lookalike apps are a common trick
    What to do: Revoke, then search the vendor’s official site before reconnecting

When you can, validate legitimacy with signals the platform provides. Microsoft work accounts may show “verified publisher” details. Google consent screens may show whether an app is verified or unverified. If you want a deeper set of investigation questions for suspicious grants, see an OAuth risk investigation checklist.

Platform steps to review and revoke third-party access (web and mobile)

Below are the most common paths as of January 2026. If you land on a page that looks right but uses different wording, look for “Connected apps,” “Apps with access,” “Apps and websites,” or “Third-party access.”

  • Google Account
    Web path: Security, then Third-party access
    Mobile path (common): Device settings, then Manage your Google Account, then Security
  • Apple Account (Sign in with Apple)
    Web path: Limited web management, most control is on-device
    Mobile path (common): Settings or System Settings, then Sign in with Apple
  • Microsoft
    Web path: Consumer account pages, privacy and app permissions
    Mobile path (common): Often easiest in a mobile browser; work accounts also use My Apps
  • Meta (Facebook, Instagram)
    Web path: Settings, then Apps and Websites (or Website permissions)
    Mobile path (common): In-app settings, then Permissions or Apps and websites

Google: remove risky third-party access (personal and Workspace)

On the web, go to your Google Account security area and open the third-party access manager. Google’s official steps are summarized in Manage connections between your Google Account and third parties. Review each app’s access level and remove anything you don’t need.

On Android, you can usually reach the same area through Settings, Google, Manage your Google Account, Security, then look for third-party access. On iPhone, it’s typically easiest to use a browser and sign in to your Google Account.

Pay special attention to anything touching Gmail or Drive. If an app has “read all mail,” “send mail,” “manage drafts,” or broad Drive scopes, treat it like you handed it a master key. Also watch for “offline access,” which signals long-lived access using refresh tokens.

If you’re in Google Workspace, there are two layers: user grants and admin controls. Admins should review and restrict app access under API controls. Google’s admin guidance starts at Control which apps access Google Workspace data. If you manage a small business tenant, this is where you stop shadow integrations from spreading across staff accounts.

Apple: audit “Sign in with Apple” and app-specific access

Apple’s connected-app view is centered on Sign in with Apple, and it’s mainly managed on your devices. Apple’s reference guide is Manage your apps with Sign in with Apple. On iPhone or iPad, look under Settings, your name, Password & Security (called Sign-In & Security on newer iOS versions), then Apps Using Apple ID or Sign in with Apple, depending on the version. On Mac, check System Settings, your name, then the same Password & Security / Sign-In & Security pane.

Apple’s list won’t always show a clear “last used” date, so be stricter about recognition. If you don’t remember the app, remove it. If an app is tied to an old account you no longer use, revoke and then close the vendor account separately so the relationship is fully ended.

Also remember Apple has more than one “door” into your data. Some apps use app-specific passwords for iCloud mail and calendar, while others use Sign in with Apple for login identity. Revoking one does not touch the other: app-specific passwords are listed and revoked separately in your Apple Account security settings. If you see mail or calendar problems after revoking, check whether a legacy app-specific password was the connection that actually carried that access, and clean that up too.

Microsoft: consumer accounts vs. work or school accounts

For personal Microsoft accounts, check connected apps and permissions from account settings (often under privacy and app access). Look for anything with mailbox access, OneDrive file access, or “maintain access” style permissions.

For work or school accounts, many organizations rely on Microsoft Entra ID consent and centralized controls. Users can often review and revoke grants through the My Apps portal. Microsoft documents the workflow here: Edit or revoke application permissions in the My Apps portal.

If you’re an admin, treat unfamiliar OAuth apps like you’d treat unknown browser extensions. Confirm the publisher, check the requested Microsoft Graph permissions, and watch for high-impact scopes (mail read-write, files read-write, directory access) and for offline_access, which is what lets an app keep refreshing tokens without the user present. If a business tool breaks after revocation, re-approve only the minimum permissions needed, and document why each is required.
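The scope triage in the risk table earlier on this page and the admin review described here are the same decision applied to different scope strings. The following Python is an added example, not code from Google, Microsoft, or this page: the Grant records are constructed, the high-risk marker table is this example’s own (it matches Google scope URLs such as https://www.googleapis.com/auth/gmail.readonly and Microsoft Graph names such as Mail.ReadWrite by substring), and the 90-day staleness threshold comes from the checklist. Apple-style grants with no last-used date are handled by falling back to recognition only, as the Apple section advises.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=90)   # checklist step 5

# Substrings that mark a scope as high-risk, keyed by the checklist's categories.
# Google scopes are URLs (https://www.googleapis.com/auth/gmail.readonly); Microsoft
# Graph scopes are dotted names (Mail.ReadWrite). Lower-cased substring matching
# lets one table cover both. The marker list is this example's own, not an
# official taxonomy from either vendor.
HIGH_RISK = {
    "mailbox":   ("mail.google.com", "/auth/gmail", "mail.read", "mail.send"),
    "files":     ("/auth/drive", "files.read", "sites.read"),
    "contacts":  ("/auth/contacts", "contacts.read"),
    "calendar":  ("/auth/calendar", "calendars.read"),
    "directory": ("admin.directory", "directory.read", "user.read.all", "group.read"),
}
# Graph exposes long-lived access as a scope; Google shows it only on the consent
# screen ("maintain access"), so a Google grant carries it in Grant.offline.
OFFLINE_SCOPE = "offline_access"


@dataclass
class Grant:
    app: str
    publisher_verified: bool
    scopes: list[str]
    last_used: Optional[datetime]   # None when the platform shows no date (Apple)
    offline: bool = False


def is_read_only(scope: str) -> bool:
    s = scope.lower()
    return s.endswith("readonly") or (".read" in s and "readwrite" not in s)


def risk_categories(grant: Grant) -> set[str]:
    found = set()
    for scope in grant.scopes:
        low = scope.lower()
        found.update(cat for cat, markers in HIGH_RISK.items()
                     if any(m in low for m in markers))
        if low == OFFLINE_SCOPE:
            found.add("offline")
    if grant.offline:
        found.add("offline")
    return found


def triage(grant: Grant, recognized: set[str], now: datetime) -> tuple[str, list[str]]:
    """Return (action, reasons); action is 'revoke', 'review' or 'keep'."""
    cats = risk_categories(grant)
    risky = sorted(cats - {"offline"})
    has_write = any(not is_read_only(s) for s in grant.scopes if s.lower() != OFFLINE_SCOPE)
    reasons = []

    # Hard revokes first: unrecognized (step 2), or unused past the threshold (step 5).
    if grant.app not in recognized:
        return "revoke", ["app not recognized"]
    if grant.last_used is not None and now - grant.last_used > STALE_AFTER:
        return "revoke", [f"unused for {(now - grant.last_used).days} days"]

    # Recognized apps still get a closer look when the grant is powerful.
    if risky and not grant.publisher_verified:
        reasons.append("unverified publisher holding " + ", ".join(risky))   # step 3
    if risky and grant.last_used is None:
        reasons.append("no last-used date; recognition is the only signal")
    if "offline" in cats and risky and has_write:
        reasons.append("long-lived write access to " + ", ".join(risky))     # step 4
    return ("review" if reasons else "keep"), reasons


NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
RECOGNIZED = {"Calendar Helper", "Contoso Mail Archiver", "Old CRM Connector", "Fitness App"}

# Constructed grants, not pulled from any real account.
SAMPLE_GRANTS = [
    Grant("Calendar Helper", True,
          ["https://www.googleapis.com/auth/calendar.readonly"], NOW - timedelta(days=3)),
    Grant("PDF Merge Tool", False,
          ["https://www.googleapis.com/auth/drive"], NOW - timedelta(days=1)),
    Grant("Contoso Mail Archiver", True,
          ["Mail.ReadWrite", "offline_access", "User.Read"], NOW - timedelta(days=5)),
    Grant("Old CRM Connector", True, ["Contacts.Read"], NOW - timedelta(days=200)),
    Grant("Fitness App", False, ["email", "name"], None),   # Sign in with Apple style
]


def run_audit(grants=SAMPLE_GRANTS, recognized=RECOGNIZED, now=NOW) -> dict[str, str]:
    return {g.app: triage(g, recognized, now)[0] for g in grants}


if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        action, reasons = triage(g, RECOGNIZED, NOW)
        print(f"{action:6} {g.app:22} {'; '.join(reasons) or 'no findings'}")
```

The ordering matters: recognition and staleness are decided before scope analysis, because an app you don’t recognize gets revoked no matter how modest its scopes, while a recognized, recently used app with mailbox write access plus offline_access still lands in “review” rather than “keep”. Feed it real data by mapping whatever your platform’s listing exposes (Google Admin SDK token listings, Graph oauth2PermissionGrants, or a manual export) onto the Grant fields.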

Meta: Facebook and Instagram “Apps and Websites” permissions

Meta splits this across Facebook and Instagram, but the idea is the same: apps and sites you logged into or connected. On Facebook, open Settings and privacy, then find Apps and Websites. On Instagram, the current help path is captured in Instagram’s apps and websites permissions guide. Expect to see sections like Active, Expired, and Removed.

High-risk items on Meta are anything that can touch Pages, ad accounts, or business assets. Small business owners should be extra careful here because one risky integration can mean unwanted posts, ad spend, or role changes. If your account is part of Meta Business Manager, coordinate changes with whoever manages your business settings so you don’t remove required tools (social schedulers, commerce, support inboxes).

After you revoke: close the loop (and keep it clean)

Revocation stops future access, but it doesn’t rewind what an app already copied. Think of revoking like canceling a keycard, then checking whether anything was moved while it still worked.

After you remove access, do these quick follow-ups:

  • Remove the vendor-side account inside the third-party app, then request deletion of stored data if you no longer use it.
  • Check mail forwarding and rules in your email service (Gmail forwarding, Outlook rules). Attackers love “silent forwarding.”
  • Review recent sign-ins and security logs on each platform for odd locations, devices, or repeated token-based access.
  • Sign out other sessions if the platform offers it, then rotate your password if you saw anything suspicious.
  • Re-connect only when needed, and choose the smallest permission set offered (least-privilege).
  • Document required business integrations (who approved them, what they do, what permissions they need) so future audits are fast.
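To make the “check mail forwarding and rules” step concrete for Gmail: Gmail lets you export your filters as XML from Settings, Filters and Blocked Addresses, Export. The script below is an added example, not code from Google or this page. It parses a constructed export in that shape (an Atom feed with apps:property elements; the property names follow Gmail’s export format, while the sample feed, the domain allowlist, and the keyword lists are this example’s assumptions) and flags filters that forward to an address outside your own domains, hide the forwarded mail, or trash messages that look like security notices. Account-level forwarding under Settings, Forwarding and POP/IMAP is not in this file and still needs a manual look.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Terms that make a forwarding filter worth a second look, and sender hints that
# suggest a filter is burying security notices. Both lists are this example's own.
SENSITIVE_TERMS = ("password", "invoice", "wire", "payment", "verification", "reset")
SECURITY_HINTS = ("security", "no-reply", "noreply", "alert", "sign-in")

# Constructed export in the shape Gmail produces from Settings, Filters and
# Blocked Addresses, Export. Not taken from any real account.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice OR wire transfer'/>
    <apps:property name='forwardTo' value='backup.mail.7731@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='security@accounts.google.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""


def parse_filters(xml_text: str) -> list[dict[str, str]]:
    """Return one {property name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.findall(f"{APPS}property")}
        for entry in root.findall(f"{ATOM}entry")
    ]


def findings_for(props: dict[str, str], own_domains: set[str]) -> list[str]:
    findings = []
    criteria = " ".join(props.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
    hidden = any(props.get(k) == "true" for k in ("shouldArchive", "shouldMarkAsRead", "shouldTrash"))
    forward = props.get("forwardTo")
    if forward:
        # Forwarding to a domain you do not control is the classic exfiltration rule.
        if forward.rsplit("@", 1)[-1].lower() not in own_domains:
            findings.append(f"forwards to external address {forward}")
        # Archive / mark-read / trash on a forwarding rule keeps the victim from noticing.
        if hidden:
            findings.append("forwarded mail is hidden (archived, marked read, or trashed)")
        hits = [t for t in SENSITIVE_TERMS if t in criteria]
        if hits:
            findings.append("forwarding filter matches sensitive terms: " + ", ".join(hits))
    # Deleting security notices hides the platform's own "new sign-in" warnings.
    if props.get("shouldTrash") == "true" and any(h in criteria for h in SECURITY_HINTS):
        findings.append("trashes mail that looks like a security notice")
    return findings


def audit_filters(xml_text: str, own_domains: set[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based filter number, findings) for every filter with at least one finding."""
    results = []
    for number, props in enumerate(parse_filters(xml_text), start=1):
        found = findings_for(props, own_domains)
        if found:
            results.append((number, found))
    return results


if __name__ == "__main__":
    for number, found in audit_filters(SAMPLE_EXPORT, {"example.com"}):
        print(f"filter {number}:")
        for line in found:
            print(f"  - {line}")
```

Run it against your own export with your real domains in place of example.com. The same three patterns (external forward, hidden delivery, deleted security mail) are what to look for in Outlook inbox rules too, even though the export format differs.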

For cadence, run a light check monthly if you connect lots of tools (small businesses, creators, admins). Otherwise, do a quarterly review, plus an extra audit after any phishing scare, device loss, or employee offboarding.

A calm, repeated OAuth audit checklist beats one big cleanup once a year. The goal is simple: fewer connections, smaller permissions, and no surprises.
