Canary Token
What is Canary Token?
Canary TokenA specific type of honeytoken that quietly beacons home when triggered, providing a tripwire alert for unauthorized access or data handling.
A canary token is a small, embeddable tripwire — a URL, document, DNS hostname, file, executable, or cloud credential — that calls back to a control server the moment it is opened, executed, or used. Because the token has no legitimate role, every callback is, by construction, a high-confidence signal of intrusion, insider activity, or data leakage. Security teams scatter canary tokens across file shares, source code, mailboxes, and SaaS apps to obtain early warning long before a breach reaches noisy detection layers. Tokens should be unique per location so that an alert immediately identifies where the compromise occurred.
● Examples
- 01
A canary PDF placed in a CFO mailbox that calls home when opened.
- 02
A canary AWS access key in a CI/CD config repository that alerts on any STS use.
● Frequently asked questions
What is Canary Token?
A specific type of honeytoken that quietly beacons home when triggered, providing a tripwire alert for unauthorized access or data handling. It belongs to the Network Security category of cybersecurity.
What does Canary Token mean?
A specific type of honeytoken that quietly beacons home when triggered, providing a tripwire alert for unauthorized access or data handling.
How do you defend against Canary Token?
Defences for Canary Token typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Canary Token?
Common alternative names include: Canarytoken, Tripwire token.