Canary Tokens

Purpose

Canary tokens are decoy credentials planted in the repository. If someone clones the repo and attempts to use them, an alert is triggered. They serve as an early warning system for unauthorized access.

Active Canary Tokens

TokenLocationTypeAlert Method
CrowdStrike APIconfig/.env.crowdstrikeAPI credentialscanarytokens.org HTTP callback

How It Works

  1. Fake credentials are placed in realistic-looking locations
  2. The credentials are registered with canarytokens.org
  3. If anyone attempts to authenticate with them, the canary service fires an alert
  4. Credentials are added to the Gitleaks allowlist (.gitleaks.toml) to prevent false positive alerts in CI

Rules

  • Canary tokens must never be used for actual authentication
  • All canary tokens must be registered in this document
  • All canary tokens must be added to .gitleaks.toml allowlist
  • Canary tokens should be reviewed quarterly to ensure alert endpoints are still active
  • Do not label files as "canary" or "fake" — the point is to look real