A honeytoken is a piece of planted data — a hidden link, a fake credential, a decoy API key, a canary record — that has no legitimate purpose. No real user can find it; no honest crawler will follow it. So any interaction with it is deterministic proof of automation or intrusion.

Why determinism matters

Most bot detection is probabilistic: signals are scored, thresholds are tuned, and there’s always a gray zone. A honeytoken hit is different in kind — it’s a fact, not a score. The client requested a URL that exists nowhere a human could see it. No fingerprint quality, no residential proxy, no browser-perfect automation changes that.

That certainty is what makes honeytokens ideal triggers for enforcement: acting on a honeytoken hit carries none of the false-positive risk that makes site owners hesitant to act on behavioral scores.

How WebDecoy uses them

WebDecoy plants honeytoken decoy links that are off-screen, aria-hidden, and nofollow — invisible to users, skipped by search engines, found only by scrapers parsing raw HTML. A hit produces a detection with ground-truth confidence, and under session clearance, it’s what revokes a bot’s access on every IP it rotates to. The same primitive is available in the open-source SDK as a tripwire you can run in your own Express app — and an SDK tripwire hit feeds the identical clearance deny path as a hosted decoy, forwarding the session’s token so the lockout is durable and rotation-proof.

Frequently Asked Questions

What's the difference between a honeypot and a honeytoken? +

A honeypot is a decoy system or endpoint that attracts attackers; a honeytoken is a decoy piece of data — a link, credential, API key, or record — planted inside a real system. Both work on the same principle: no legitimate activity ever touches them, so any interaction is a true positive.

Can honeytokens cause false positives? +

Properly deployed, effectively none. A well-placed honeytoken link is invisible to humans (off-screen, aria-hidden) and marked nofollow so search engines skip it. The only clients that find it are the ones parsing your page in ways no browser renders — which is exactly the population you want to catch.

See these concepts in action

WebDecoy puts deterministic detection and rotation-proof enforcement behind a 5-minute setup.

Start Free Trial