Cloud Computing Done Right
Call Us Toll Free: (855)55-4APPS

The first steps with Google Apps Admin Audit API

Pin It
UPDATE (2013-05-27): The Admin Audit API has been deprecated. Use the Admin SDK, Reports API.

In this post, we’ll cover how to perform the first step in order to use the Google Apps Admin Audit API. Before you begin to use the API, you need to obtain theorganization’s CustomerID, which is the most difficult part in using any of the API’s calls. This post features a sample code in Java illustrating the 3-legged OAuth process required in order to get an authentication token that will give us access to the Customer ID.

IntroductionGoogle Apps Administration Console - Audit Logs

Google Apps is a popular service from Google that allows organizations to use cloud-based messaging and collaboration services. One or more accounts in a Google Apps domain are designated as administrators allowing them elevated privileges to create new users, change passwords, and other administrative activities. Many organizations have a requirement to audit the administrators activities. While this can be done from the Google Apps administrative console, Google also provides an API for programmatic access to the admin audit logs.

The Google Apps Admin Audit API allows for the following features as of this writing:

  • Retrieving a customerId
  • Retrieving all administrative activities
  • Retrieving all activities by an administrator
  • Retrieving all activities by event name
  • Retrieving all activities by event name and administrator

In this post we only cover the customerId operation for applications that are meant to be installed.

To run the sample code in this posting, you need the google-api-java-client libraries.

Obtaining Credentials

The customerId operation is special in that it requires 3-legged OAuth authentication

Google Diagram of 3LOA Process

Google Diagram of 3LOA Process

(3-LOA) with Google, where the user’s explicit permission and interactions is required. Other calls in this API accept the customerId and don’t require additional explicit interaction with the user. In order to work with many Google APIs, it is almost a requirement to have a basic understanding of OAuth 2.0, the authentication protocol by which Google grants third party applications permission to Google data.

In order to successfully authenticate, you need to perform the following steps:

  • Enable the Provisioning API in the Google Apps admin console.
  • Enable the use of the “Audit API” in the Google Apps Developer Console.
  • Obtain an API key from the dev console.  A very good graphical tutorial on the developer console is available here.
Developer Console API Key

Developer Console API Key

Specifically, you need the following pieces of information in order to plug-in to our code sample:

  • Client ID
  • Client Secret
  • Redirect URL

In addition to the above 3 pieces of information, you also need to provide a “scope” for your credential request. Information about the “scope” is available with the documentation for each API. In our case, these are the scopes we’re concerned with:

  •  (For CustomerID operation)
  •  (For remaining operations)

Here is the code to generate a Credential object in the Google Java client API:

private static Credential buildCredential(
                        String client_id,
                        String client_secret,
                        String redirect_url,
                        Iterable scopes) {

                String code;
                GoogleTokenResponse tokenResponse;
                Credential cred = null;

                JsonFactory jsonFactory = new JacksonFactory();
                HttpTransport httpTransport = new NetHttpTransport();

                // Create the authentication flow builder.
                Builder flowBuilder =
                                new GoogleAuthorizationCodeFlow.Builder(httpTransport,

                // Build the flow.
                GoogleAuthorizationCodeFlow flow =

                // Obtain the authorization URL
                String url = flow.newAuthorizationUrl().setRedirectUri(redirectUri).build();

                // Normally, for installed programs, you may decide to launch your own
                // local web server and redirect Google's response in order to avoid
                // the manual process below.
                System.out.println("AUTHORIZATION URL: " + url);

                BufferedReader br = new BufferedReader(new InputStreamReader(;
                System.out.println("Open the URL above and paste the code (Access Token) here.");

                // Obtain token response, generate token, and save.
                try {
                        code = br.readLine();
                        tokenResponse = flow.newTokenRequest(code)
                        cred = flow.createAndStoreCredential(tokenResponse, null);
                } catch (IOException e) {
                        // TODO Auto-generated catch block

                return cred;

The CustomerID Operation

Once a “Credential” has been retrieved using the 3LOA process, all that is required is to make an HTTP GET request to the following URL:

  • ATOM
    • GET
  • JSON
    • GET

The output will be either in ATOM or JSON. Our code sample uses JSON, as we find it easier to parse.

Output of customerID in JSON format.

Output of customerID in JSON format. Courtesy of

Full Code Listing

Here is the listing of our working sample that performs the following:

  • Authenticates and stores OAuth credentials
  • Retrieves the customerID JSON output
  • Parses the JSON to obtain the customer ID.

For a working sample, you can download the source code file here. The code is only for illustrative purposes and should not be used in production environments.

Other Useful Resources

And here is a Google video on OAuth and OpenID:

If you liked this post, say thanks by sharing it:
Pin It
Hovik (15 Posts)

Hovik Manucharyan is former founder and CEO of Linkgard.

Related Posts

Latest News

Twitter Feed

Social Networks

Get Our Newsletter