Honeytoken
A honeytoken is a planted link, credential, or record no legitimate user should ever touch — any access to it is deterministic proof of a bot or intruder.
A honeytoken is a piece of planted data — a hidden link, a fake credential, a decoy API key, a canary record — that has no legitimate purpose. No real user can find it; no honest crawler will follow it. So any interaction with it is deterministic proof of automation or intrusion.
Why determinism matters
Most bot detection is probabilistic: signals are scored, thresholds are tuned, and there’s always a gray zone. A honeytoken hit is different in kind — it’s a fact, not a score. The client requested a URL that exists nowhere a human could see it. No fingerprint quality, no residential proxy, no browser-perfect automation changes that.
That certainty is what makes honeytokens ideal triggers for enforcement: acting on a honeytoken hit carries none of the false-positive risk that makes site owners hesitant to act on behavioral scores.
How WebDecoy uses them
WebDecoy plants honeytoken decoy links that are off-screen, aria-hidden, and nofollow — invisible to users, skipped by search engines, found only by scrapers parsing raw HTML. A hit produces a detection with ground-truth confidence, and under session clearance, it’s what revokes a bot’s access on every IP it rotates to. The same primitive is available in the open-source SDK as a tripwire you can run in your own Express app — and an SDK tripwire hit feeds the identical clearance deny path as a hosted decoy, forwarding the session’s token so the lockout is durable and rotation-proof.
Related terms
- Session Clearance — the enforcement a honeytoken hit triggers
- JA4 Fingerprint — probabilistic identity, complementary to deterministic traps
Frequently Asked Questions
What's the difference between a honeypot and a honeytoken? +
A honeypot is a decoy system or endpoint that attracts attackers; a honeytoken is a decoy piece of data — a link, credential, API key, or record — planted inside a real system. Both work on the same principle: no legitimate activity ever touches them, so any interaction is a true positive.
Can honeytokens cause false positives? +
Properly deployed, effectively none. A well-placed honeytoken link is invisible to humans (off-screen, aria-hidden) and marked nofollow so search engines skip it. The only clients that find it are the ones parsing your page in ways no browser renders — which is exactly the population you want to catch.
See these concepts in action
WebDecoy puts deterministic detection and rotation-proof enforcement behind a 5-minute setup.