How to Create an API Honey Token

Read more about “How to Create an API Honey Token” and the most important cybersecurity news to stay up to date with

An API honey token is a decoy API key designed to detect unauthorized access, monitor breaches, and identify malicious activity. These tokens act as silent alarms: when someone tries to use them, they trigger alerts or logs for forensic analysis. This guide provides detailed, technical steps to create, deploy, and monitor API honey tokens effectively.


Step 1: Analyze the Attack Surface

Identify the points in your API environment where attackers might search for credentials. Common areas include:

  • Code repositories: Public or private Git repositories.
  • Configuration files: .env, JSON, or YAML files.
  • Documentation: Internal or public API guides.
  • CI/CD pipelines: Build and deployment configurations.

By understanding your environment’s vulnerabilities, you can deploy tokens strategically.


Step 2: Generate the Honey Token

2.1 Crafting a Realistic API Key

Create a token that closely resembles legitimate API keys. Mimic the format of your production keys, including length, prefixes, and encoding.

For example:

If your system uses JSON Web Tokens (JWTs), you can generate a realistic-looking decoy JWT. Below is an example written in Python:

python

import jwt

secret_key = “fake-secret”
payload = {
“iss”: “fake-issuer”,
“sub”: “fake-user-id”,
“exp”: 1672531199 # Expiration timestamp in the future
}

fake_jwt = jwt.encode(payload, secret_key, algorithm="HS256")
print(fake_jwt)


Step 3: Add Metadata for Tracking

Add traceable metadata to your token so you can identify its origin if it is used. For instance:

  • Unique identifier: Use a UUID or a hash to associate the token with a specific deployment.
  • Embedded signature: Use cryptographic methods like HMAC to verify authenticity.
Example: Metadata in a JWT
python
from hashlib import sha256

def generate_tracking_token(location):
unique_id = "fake-token-" + location
metadata = sha256(unique_id.encode()).hexdigest()
payload = {
"metadata": metadata,
"source": location
}
return jwt.encode(payload, "fake-secret", algorithm="HS256")


Step 4: Deploy the Honey Token Strategically

4.1 Placement Locations

Strategically place honey tokens in areas where attackers are likely to find them:

  • Configuration files: Include the token in .env or config.json files.
  • Code repositories: Insert the token in sensitive-looking locations.
  • Documentation: Add tokens in example API requests or developer guides.
4.2 Decoy API Endpoint

Create a non-functional API endpoint that logs any requests made using the honey token. For example, using Python and Flask:

python

from flask import Flask, request

app = Flask(__name__)

@app.route(“/api”, methods=[“GET”, “POST”])
def monitor_token():
auth_header = request.headers.get(“Authorization”)
if “fake-api-key” in auth_header:
with open(“honey_token_log.txt”, “a”) as log_file:
log_file.write(f”Request detected: {request.remote_addr}, {auth_header}\n”)
return {“message”: “Honey token accessed”}, 200
return {“error”: “Invalid token”}, 403

if __name__ == "__main__":
app.run(debug=True)


Step 5: Monitor and Alert on Token Usage

5.1 Logging Requests

Log all token activity using centralized services like the ELK Stack or Splunk. Include key request data, such as:

  • IP address
  • User-agent string
  • Timestamp
  • Geolocation
5.2 Real-Time Alerting

Set up alerts for token misuse. Tools like AWS CloudWatch, PagerDuty, or Slack Webhooks can notify your security team when the honey token is accessed.

Here’s an example using AWS Lambda and SNS for alerting:

python

import boto3

def lambda_handler(event, context):
sns = boto3.client("sns")
message = f"Honey token used! Details: {event}"
sns.publish(
TopicArn="arn:aws:sns:region:account-id:topic-name",
Message=message
)
return {"status": "Alert sent"}


Step 6: Test and Validate

After deploying the honey token, test its functionality by simulating unauthorized access. This ensures proper alerting and logging.

Example Test Request
bash
curl -X GET -H "Authorization: Bearer fake-api-key-1234567890" https://your-api-endpoint.com

Verify that your logging and alerting systems capture the simulated activity accurately.


Step 7: Analyze and Iterate

Regularly analyze honey token activity to detect and respond to potential threats.

  • Trend analysis: Look for patterns in token usage, such as repeated access from specific IPs.
  • Incident response: Investigate alerts to determine the scope of unauthorized access.
  • Rotation: Replace honey tokens periodically to maintain their effectiveness.

API honey tokens are a powerful tool for detecting unauthorized access and monitoring suspicious activity in your API environments. By generating realistic tokens, deploying them strategically, and setting up robust monitoring systems, you can strengthen your security posture and gain valuable insights into potential threats. Regularly update and test your honey tokens to ensure they remain effective against evolving threats.


Subscribe to WNE Security’s newsletter for the latest cybersecurity best practices, 0-days, and breaking news. Or learn more about “How to Create an API Honey Token”  by clicking the links below