Files
Anthropic-Cybersecurity-Skills/skills/implementing-honeytokens-for-breach-detection/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

1.5 KiB

API Reference: Implementing Honeytokens for Breach Detection

Canarytokens.org API

import requests

# Create DNS canary token
resp = requests.post("https://canarytokens.org/generate", data={
    "type": "dns",
    "email": "soc@company.com",
    "memo": "Prod DB honeytoken",
    "webhook_url": "https://hooks.slack.com/...",  # optional
})
token = resp.json()  # {"hostname": "xxx.canarytokens.com", ...}

# Available token types
# dns, web_image, aws_keys, cloned_web, doc_msword,
# slack_api, svn, sql_server, qr_code

Token Deployment Locations

Type Location Trigger
AWS keys ~/.aws/credentials Key used in API call
DNS Config files, code DNS resolution
Web image Wiki, docs, shares Image HTTP request
Document File shares Document opened
Database User/config tables Record queried

Webhook Alert Payload

{
  "manage_url": "https://canarytokens.org/manage?...",
  "memo": "Production honeytoken",
  "additional_data": {
    "src_ip": "203.0.113.50",
    "useragent": "..."
  },
  "channel": "DNS",
  "time": "2025-01-15 14:23:00"
}

Thinkst Canary API (Enterprise)

# List triggered tokens
resp = requests.get("https://console.canary.tools/api/v1/canarytokens/alerts",
    params={"auth_token": "<api_key>"})

References