Skip to main content

Search

How to Set Up a Gmail Canarytoken

This article provides a step-by-step guide to creating and deploying Gmail Canarytokens within your organization. It includes instructions for configuring the necessary API access in G Suite and tokenizing mailboxes to detect unauthorized access.

Create tokened mails in gmail/gsuite mailboxes across your org.

Note

Once the Gmail tokening is complete, please remember to remove the "Client ID" and "Client Scopes" entries from your G Suite OAuth client's dashboard found at:

https://admin.google.com/

From the Admin Console Home page, go to Menu Security API control. Under App access control, select MANAGE THIRD-PARTY APP ACCESS.

Follow the steps below to Tokenise a Google mailbox.

Step 1: Log in to your Console

Console Login.png

Step 2: Add New Canarytoken

Click Add a new Canarytoken.

tile.png

Step 3: Select Gmail Canarytoken

Create a new Gmail Canarytoken from the drop-down list.

CleanShot 2024-07-23 at 10.43.18@2x.png

Step 4: Start Process

Click on Let's begin (1 of 4).

CleanShot 2024-07-23 at 10.44.01@2x.png

Step 5: Modify token options and save the template

Modify the Token's options and paragraph text if you'd like and click on Save Template (2 of 4).

  1. Mail From: is the email address of who the message is from.
  2. Mail Subject: this can be changed to whatever you want the subject of the mail to be.
  3. Mail Content: you can change the content of this mail, we have given you a template to work from.
  4. Click on Save Template (2 of 4) when done.
CleanShot 2024-07-23 at 10.44.13@2x.png

Step 6: Login to G Suite

Login to your G Suite admin Console here.

Screenshot 2025.png

Step 7: Access API Controls in G Suite Admin

In the G Suite admin Console, click on Security > Access and data control > API controls.

Or click the link here.

CleanShot 2024-07-23 at 10.45.20@2x.png

Step 8: Access Manage Third-party App

Click on MANAGE THIRD-PARTY APP ACCESS.

CleanShot 2024-07-23 at 10.45.31@2x.png

Step 9: Add the Canarytoken client ID

Click on Add app > Oath App Name Or Client ID

CleanShot 2024-07-23 at 10.45.46@2x.png

Step 10: Assign OAuth scopes and authorize.

Enter your Client ID and hit SEARCH.

Then Select the Thinkst Gsuite Tokener.

CleanShot 2024-07-23 at 10.45.58@2x.png

Select the Client ID again and hit SELECT.

CleanShot 2024-07-23 at 10.46.10@2x.png

Select your preferred organisation scope then select CONTINUE.

CleanShot 2024-07-23 at 10.46.23@2x.png

Select Trusted then select CONTINUE.

CleanShot 2024-07-23 at 10.46.33@2x.png

Review your configuration and select FINISH when done.

CleanShot 2024-07-23 at 10.46.46@2x.png

Head back to API controls, and select MANAGE DOMAIN WIDE DELEGATION.

CleanShot 2024-07-23 at 10.47.02@2x.png

Add a new API Client, by selecting Add new, then enter your following details:

Client ID: ABC123

First OAuth Scope: https://www.googleapis.com/auth/admin.directory.user.readonly

Second OAuth Scope: https://www.googleapis.com/auth/gmail.insert

Finally click AUTHORIZE when complete.

Image2.png

Step 11: Complete Gmail Tokening Setup in Canary Console

Back on your Canary Console, select All set! (3 of 4).

Image.png

Select Search Gmail for users, then enter your Google Admin email address; finally select Search.

CleanShot 2024-07-23 at 10.48.36@2x.png

You'll be presented with a list of users to Token, which can be selected. When ready, select Insert Tokened Email (4 of 4) to start the Tokening process.

CleanShot 2024-07-23 at 10.48.46@2x.png

Alternatively, larger organisations can provide a comma-separated email list and then click on Insert Tokened Email (4 of 4).

CleanShot 2024-07-23 at 10.48.55@2x.png

Once the Gmail tokening is complete, the Canary API client can be revoked from the DOMAIN WIDE DELEGATION UI.

Was this article helpful?
5 out of 6 found this helpful
Return to top