On CA API Gateway 8.1 you are probably using the policy fragment "Require OAuth 2.0 Token" on any API that is protected by requiring an access_token. That fragment is setting the variable ${session.client_id} whenever an access_token was passed in. That value represents the app that is consuming that API.
In the same policy that value could be audited to a syslog system or it could be written to a database or it could be routed to a server that knows what to do with it. Where to put it and to analyze it is up to the API developer or system administrator.