Table of contents
Google login events give WorkSights a reliable signal of when a user actively authenticates with their Google account. These events come directly from Google Workspace’s audit logs and reflect real user-driven authentication, not background system activity.
What WorkSights Receives
WorkSights ingests login audit events from Google Workspace. These events appear when a user is prompted to authenticate again because of session expiry, a new browser, an OAuth grant, or an elevated-permission action.
Each login entry includes:
- Timestamp
- User identity
- Metadata Google provides, such as IP address and location
WorkSights does not receive passwords, tokens, or any sensitive credential data.
How Login Activity Appears in WorkSights
Login events appear as short entries on the timeline. They help clarify:
- When a user started their working session
- When an action required re-authentication
- Whether work was performed across multiple devices or locations
Login events use WorkSights's green activity color for fast visual recognition.
How WorkSights Interprets Login Activity
WorkSights treats a login as a one-minute activity.
The purpose is to surface authentication behavior without overstating effort or generating noise.
These entries support:
- Security awareness
- Context for the start of a work session
- Authentication traceability when elevated actions occur
Data Notes
WorkSights records only login events Google provides through its Admin Audit logs. These include timestamps, IP metadata, and authentication methods.
Google does not expose session duration or active presence, so WorkSights reflects logins as discrete authentication moments rather than ongoing sessions.
Login visibility cannot be disabled for specific users.
WorkSights only displays login events for mapped users.
Setup
For configuration steps, see Gmail Forwarding Setup (Google Workspace).