Sometimes you want to automate the creation of Canarytokens across your fleet. Perhaps you want every EC2 instance to reach out and fetch a token on creation (or startup). The Canary Console API allows for automation, but it seems a bad idea to use your API key on every host.
The Canarytoken factory gives you a limited-use key that can create other tokens. You can leave this key on a host knowing that even if an attacker were able to grab it, they would only be able to create new tokens, not remove (or alter) anything else.
If this sounds like something you would like to try out, please contact us and we will enable it for you with pleasure.
How to create a factory auth key
Make a POST request to https://xxxxxxxx.canary.tools/api/v1/canarytoken/create_factory
using your Canary Console API key as the parameter "auth_token" and a reminder of which environment or application will be using this factory as the parameter "memo". If the request is successful, you will receive a "factory_auth" value in the response.
How to generate Canarytokens
Generate Canarytokens by making a POST request to https://xxxxxxxx.canary.tools/api/v1/canarytoken/factory
with the parameters "factory_auth", "memo" and "kind" (the kind of Canarytoken you would like to generate). You will receive the Canarytoken's details in the response.
You can also delete this factory auth value (in the event you think it is being abused or has fulfilled its duties).
How to delete a factory auth key
Make a DELETE request to https://xxxxxxxx.canary.tools/api/v1/canarytoken/delete_factory
using your Canary Console API key and specifying the "factory_auth" value that you would like to delete.
Please note that this does not delete the Canarytokens that you have created with this "factory_auth" value.
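The three calls above, split by who holds which secret, as an added Python example (not code from the original page): the admin-side functions take the Console API key, while the host-side function ships with the factory key only. Assumptions: parameters are sent form-encoded (including on the DELETE), replies are JSON, "http" is an accepted "kind" value, and the key and memo strings are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

# "xxxxxxxx" is the page's own placeholder for your Console's subdomain.
BASE = "https://xxxxxxxx.canary.tools/api/v1/canarytoken"

def _form_request(method, endpoint, fields):
    """Build (not send) a form-encoded request to one factory endpoint."""
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.Request(f"{BASE}/{endpoint}", data=body, method=method)

# --- Admin side: the only code that ever sees the Console API key ---
def create_factory_request(auth_token, memo):
    return _form_request("POST", "create_factory",
                         {"auth_token": auth_token, "memo": memo})

def delete_factory_request(auth_token, factory_auth):
    # Assumption: parameters go in the form body, as with the POST calls.
    return _form_request("DELETE", "delete_factory",
                         {"auth_token": auth_token, "factory_auth": factory_auth})

# --- Host side: deployed with factory_auth only, never the API key ---
def token_request(factory_auth, memo, kind):
    return _form_request("POST", "factory",
                         {"factory_auth": factory_auth, "memo": memo, "kind": kind})

def send(request, timeout=10):
    """Send a built request and decode the reply (assumed JSON); raises on HTTP errors."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)

def factory_auth_from(reply):
    """Pull the factory key out of a create_factory reply, failing loudly if absent."""
    key = reply.get("factory_auth")
    if not key:
        raise RuntimeError("create_factory did not return a factory_auth value")
    return key

if __name__ == "__main__":
    # Constructed values: run the admin step once, the host step on each instance.
    key = factory_auth_from(send(create_factory_request("CONSOLE_API_KEY", "ec2-web-fleet")))
    print(send(token_request(key, "token for host i-EXAMPLE", "http")))
```

Put the instance name or ID in the host-side "memo" so an alert from a generated token can be traced back to the machine that requested it.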