About AppTotal

AppTotal automatically and reactively scans OAuth applications from different SaaS platforms (e.g. Azure/Office 365, Google Workspace, Slack) and produces a quantified risk score for each app based on dozens of features. These features include permissions, configuration, app activity, app resources, and much more.

Organizations and security researchers use AppTotal to assess OAuth apps they have connected or would like to connect to their SaaS platforms.

Who developed AppTotal?

Canonic Security is a business applications security platform that helps companies control and manage third-party apps, add-ons, and other platform-native integrations. We let employees connect the apps & integrations they want to IT-approved applications while giving insight into app access and vulnerability intelligence.

How do I contact with AppTotal for questions or other requests?

Just send an email to [email protected].

How do I get a report for an OAuth app?

In the search box on the AppTotal home page, you can simply type in the client ID of the OAuth app you’re looking for, or start typing the app name. Use the platform switcher for better search results.

How do I find my connected OAuth apps?

Consent pages

You can find the client ID of an OAuth app in the consent page URL. In the URL, look for the client_id parameter, and submit it to AppTotal.


How to find apps on Google


How to find apps on Azure AD


[How to find apps on Slack] (doc:how-to-find-apps-on-slack)

App Report Explained


Canonic Verified

App and publisher authenticity verification process made proactively by Canonic Security's app intelligence team.

Note: A Canonic verified app can still be malicious or pose a risk due to compromised publisher, vulnerabilities and over privileged permissions.


The app’s developer can be either an individual or an organization.

Client ID

The public identifier for OAuth apps, a unique ID across tenants. Note that some platforms may called it in different name. For example, on Azure it called Application ID.


The app’s category as specified in the marketplace, by the developer, or by AppTotal classification.


The app client type as registered on the platform, usually this one is an optional configuration. A type can be a web app, mobile, browser extension, device.


Whether the app is 3rd/1st party and other metadata tags.

  • First-party - apps represent native services owned by the SaaS provider. For example, Google Drive, Gmail, Microsoft SharePoint, and Exchange are first-party apps and have a unique client ID assigned by the SaaS provider.
  • Third-party - apps registered by a vendor other than the SaaS provider. Usually, these apps are publicly available to anyone.
  • Internal app - apps registered for internal use and integration, available only to users within the tenant it was registered. Mainly used for automation within the SaaS environment and integrations with internal systems.

Platform Verified

Whether the app went through the platform’s (e.g. Google, Microsoft, Slack) publisher verification process. Note that this process is required for very specific cases therefor most apps aren't submitted for review by the SaaS provider.


App Risk

App's risk score is calculated based on its permissions, severity of its security risks, and its publisher rating.


Risks comprised of security posture findings and risk indicators.

Permission Level

Permission level is determined by the app's requested scopes, based on the scope's operation (e.g. read/write) and the affected resources (e.g., Gmail, OneDrive, Teams).


API Calls

App's API activity as recorded by our SaaS sandbox.

IP Addresses

IP addresses that API activity was originated from.

Redirect URLs

App's redirect URLs as registered during the app registration.


Access Types

Apps that have no other access other than signing in on behalf of the authorized userApps that have access to a user's account dataApps that may read or edit system configuration or platform settingsApps that have access to anything that the authorized user has access to


The OAuth permission scopes as seen requested by the app, their description according to the SaaS platform, and their severity (low/med/high) according to the affected service/resource (e.g. Gmail, OneDrive, Teams) and the operation (read/write).


Privacy policy

The privacy policy URL as registered during the app registration. This is usually optional on app registration.

Terms of service

The terms of service URL as registered during the app registration. This is usually optional on app registration.


The app developer compliance certificates according to the publisher declaration.

Data retention

The app developer data retention policy as mentioned in the legal documents.



Detailed list of findings and risk indicators. Findings are security posture issues identified on the analyzed app. Issues related to security posture include bad security practices in app configurations, as well as vulnerabilities in app-related assets. Risk indicators are properties of the app that affect its risk score, but do not always indicate whether or not the app is malicious.

Threat Insights

Threat intelligence insights collected by Canonic Security’s app intelligence.