← All posts

How canary tokens work: a technical deep dive

DNS callbacks, HTTP beacons, document tracking pixels, and the architecture behind reliable breach detection. A developer's guide to canary token internals.

Canary tokens are deceptively simple from the outside: plant a fake credential, get an alert when someone uses it. But the engineering behind reliable, stealthy breach detection involves DNS protocol mechanics, HTTP beacon design, document format internals, and callback infrastructure that must work across every network configuration an attacker might be operating from.

This post breaks down how each token type works at the protocol level — and why certain design decisions matter for detection reliability.

The callback model

Every canary token follows the same fundamental pattern:

1. Token contains a unique identifier
2. Attacker interacts with token
3. Interaction triggers a network request to a callback server
4. Callback server logs the event and fires an alert

The unique identifier is embedded differently depending on the token type, but the principle is constant: the attacker's action causes an outbound network request that the defender controls.

The callback server is the central piece of infrastructure. It must:

  • Accept connections on standard ports (80, 443, 53)
  • Extract the unique token ID from the request
  • Log metadata: source IP, timestamp, user agent, request headers
  • Enrich the IP with geolocation data
  • Fire alerts through configured channels (email, Slack, webhook)
  • Respond in a way that does not reveal it is a canary system

That last point matters. If an attacker hits a URL and gets a response like {"error": "canary token detected"}, they know they triggered a trap and will change their approach. The response must look like a normal server — a generic 404, a timeout, or a plausible API response.

HTTP tokens

HTTP tokens are the simplest type. The token is a URL that, when visited, triggers a callback.

How they work

  1. Generate a UUID: a3f8c291-7b4e-4d1a-9e5f-2c8d6b1a4e7f
  2. Construct a callback URL: https://callback.example.com/t/a3f8c291
  3. Plant the URL somewhere it should not be accessed
  4. When accessed, the callback server logs:
{
  "token_id": "a3f8c291",
  "source_ip": "198.51.100.42",
  "user_agent": "Mozilla/5.0 ...",
  "referer": "https://internal-wiki.company.com/secrets",
  "timestamp": "2026-04-09T14:32:01Z"
}

Where HTTP tokens excel

The referer header is particularly valuable — it tells you where the attacker found the URL. If the referer is your internal wiki, you know the wiki was compromised. If it is a paste site, you know credentials were leaked publicly.

HTTP tokens work well as fake API endpoints in .env files:

STRIPE_SECRET_KEY=sk_live_a3f8c291...
DATABASE_URL=https://callback.example.com/t/a3f8c291

An attacker who finds this file will test the URLs. Automated scanners will follow them immediately.

Limitations

HTTP tokens require the attacker to make an outbound HTTP request. If the attacker is operating in an air-gapped environment or behind a strict egress firewall that blocks unknown domains, the callback will not fire. In practice, this is rare — most attackers operate from environments with full internet access.

DNS tokens

DNS tokens exploit the fact that DNS resolution is one of the most universally allowed network operations. Almost every environment permits outbound DNS queries, making DNS tokens harder to block than HTTP tokens.

How they work

  1. Generate a unique subdomain: a3f8c291.callback.example.com
  2. Configure the callback server as the authoritative nameserver for callback.example.com
  3. Plant the hostname in a config file, database connection string, or SSH config
  4. When any system resolves the hostname, the DNS query reaches the callback server
Client → Recursive Resolver → Root NS → .com NS → callback.example.com NS → Callback Server

The callback server receives the DNS query and logs:

{
  "token_id": "a3f8c291",
  "source_ip": "203.0.113.10",
  "query_type": "A",
  "timestamp": "2026-04-09T14:32:01Z"
}

Why DNS tokens are powerful

DNS resolution happens automatically in many contexts:

  • A developer opens a config file in an IDE that pre-resolves hostnames
  • A script reads a database connection string and attempts to connect
  • An attacker runs nslookup or dig to check if a hostname is real
  • A browser prefetches DNS for URLs in a page
  • Email clients resolve hostnames in message bodies

The attacker does not need to consciously visit a URL. Simply having the hostname processed by any DNS-aware tool is enough to trigger the callback.

Implementation detail: the authoritative nameserver

For DNS callbacks to work, you need to be the authoritative nameserver for the callback domain. This means:

  1. Register a domain (e.g., svccdns.com)
  2. Set the domain's NS records to point to your callback server
  3. Run a DNS server on port 53 (UDP and TCP) on the callback server
  4. For every query to *.svccdns.com, log the query and respond with a valid DNS answer

The response should be a valid A record pointing to a plausible IP address. Returning NXDOMAIN or SERVFAIL might tip off a careful attacker that the domain is not real.

Web image tokens (tracking pixels)

Image tokens embed a unique callback URL inside an image file. When the image is rendered by a browser, email client, or document viewer, it fetches the URL to load the image.

How they work

  1. Generate a 1x1 transparent PNG or a plausible-looking image
  2. The image URL contains the token ID: https://callback.example.com/img/a3f8c291.png
  3. When loaded, the callback server returns a valid image and logs the request
  4. The viewer sees nothing unusual — just a normal image load

Where image tokens shine

Email tracking: Embed the image in an HTML email. When the recipient opens the email, their client loads the image and you know the email was read. This same technique detects if someone forwards a sensitive email to an unauthorized party.

Shared documents: Place the image in a Google Doc, Notion page, or internal wiki. Every time the page is opened, the image loads.

File system monitoring: Place an HTML file containing the image on a shared drive. If someone opens it, the callback fires.

Limitations

Many email clients block remote image loading by default (Gmail, Outlook with "external content" disabled). Image tokens in email have a detection rate of roughly 40-60% depending on the client. In web pages and documents, the rate is much higher.

Document tokens

Document tokens embed tracking callbacks inside Word documents (.docx) and PDF files. They are particularly effective because documents are commonly shared, stored in backups, and opened without suspicion.

DOCX tokens

A .docx file is a ZIP archive containing XML files. The document's relationships file (word/_rels/document.xml.rels) can reference external resources:

<Relationship
  Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
  Target="https://callback.example.com/t/a3f8c291.png"
  TargetMode="External"
/>

When Word opens the document, it attempts to fetch the external image. The callback server receives the request with the user's IP and user agent.

Modern versions of Word may prompt before loading external content, but many corporate environments have this check disabled for trusted document types.

PDF tokens

PDF files support several mechanisms for external callbacks:

  • URI actions: Triggered when the document is opened
  • JavaScript: app.launchURL() on document open (requires Acrobat)
  • Embedded images: Remote image references in the page content stream

The most reliable method varies by PDF reader. Acrobat supports the most callback vectors; Preview on macOS and browser-based readers are more restrictive.

QR code tokens

QR codes encode a URL that triggers a callback when scanned. They bridge the physical and digital worlds.

How they work

  1. Generate a callback URL with the token ID
  2. Encode it as a QR code (PNG, SVG, or data URL)
  3. Print the QR code or embed it in a document
  4. When scanned, the user's phone opens the URL, triggering the callback

Physical security applications

QR code tokens are uniquely useful for physical breach detection:

  • Printed documents: Place a QR code on a confidential document. If someone photographs or scans it, you know.
  • Server room access: A QR code on a server rack labeled "Asset Management — Scan for inventory" will tempt unauthorized visitors.
  • USB drives: A QR code on a USB drive label. Social engineering researchers use this to test whether employees plug in unknown drives.

IP enrichment and alert context

A raw IP address is useful, but enriched metadata makes alerts actionable:

{
  "ip": "198.51.100.42",
  "geo": {
    "country": "US",
    "region": "California",
    "city": "San Francisco",
    "lat": 37.7749,
    "lng": -122.4194
  },
  "asn": {
    "number": 13335,
    "org": "Cloudflare, Inc."
  },
  "reverse_dns": "crawl-198-51-100-42.googlebot.com",
  "is_vpn": true,
  "is_tor": false
}

This context helps you determine whether the trigger is:

  • A real attacker (unfamiliar IP, VPN/Tor exit node, unexpected country)
  • An internal test (your own IP range)
  • A web crawler (Googlebot, Bingbot — if the token was accidentally indexed)

Stealth and anti-detection

A canary token system must not reveal itself. Key design principles:

Domain reputation: The callback domain should look like a legitimate service. Domains that look like canary-detect-alert.com are easy to filter. Domains like svccdns.com or cdn-assets.net blend in.

TLS everywhere: All HTTP callbacks should use HTTPS. Plaintext HTTP callbacks can be inspected by network monitoring tools.

Response plausibility: The callback server should return plausible responses — a real image for image tokens, a generic HTML page for HTTP tokens, a valid DNS A record for DNS tokens.

No client-side indicators: The token should contain nothing that identifies it as a canary. No metadata tags, no suspicious comments, no unusual file properties.

Building vs. buying

You can build your own canary token infrastructure with open-source tools. The core components are:

  1. A DNS server (dns2, CoreDNS, or BIND)
  2. An HTTP server (Nginx, Caddy, or a Node.js/Python app)
  3. A database for token metadata and alert history
  4. An alerting pipeline (email, Slack webhook, PagerDuty)

The operational overhead is real, though. You need to maintain the callback server, ensure uptime (a down callback server means missed alerts), handle TLS certificates, manage DNS infrastructure, and build the alert routing logic.

CanaryGuard handles all of this as a managed service — you create tokens, plant them, and receive alerts. The callback infrastructure, DNS resolution, IP enrichment, and alert routing are all managed for you.

What comes next

The canary token concept is evolving. Emerging techniques include:

  • Blockchain canaries: Real wallet addresses monitored for any transaction activity
  • Cloud credential canaries: Fake AWS/GCP/Azure keys that trigger CloudTrail events when used
  • API key canaries: Fake API keys for SaaS services that alert on authentication attempts
  • Smart contract canaries: Deployer keys whose usage triggers on-chain events

The principle remains the same: create something that looks real, plant it where attackers will find it, and monitor for interaction. The token types change; the detection model does not.

Deploy canary tokens for free →

Ready to protect yourself?

Deploy your first canary token in under 2 minutes. Free forever for up to 5 tokens.

Get Started Free