Sometimes you want to automate the creation of Canarytokens across your fleet. Perhaps you want every EC2 instance to reach out and fetch a token on creation (or startup). The Canary console API allows for the automation, but it seems a bad idea to use your API key on every host.

The Canarytoken factory gives you a limited use key that is able to create other tokens. You can leave this key on a host knowing that even if an attacker were able to grab it, he'd be able to create new tokens but not remove (or alter) anything else.

Here's how it works:

1) Make a POST request to using your Canary console API key. You will receive a "factory_auth" value in the response (if it is successful).

2) Generate Canarytokens by making a POST request to with "factory_auth" and "kind" of Canarytoken you would like to generate. Currently, the factory endpoint only supports "aws-id" Canarytokens. You will receive the Canarytoken's details in the response.

You also have the ability to delete this factory auth value (in the event you think it is being abused or has fulfilled its duties).

3) Make a DELETE request to using your Canary console API key and specifying the "factoryauth" value that you would like to delete. Please note that this does not delete the Canarytokens that you have created with this "factoryauth" value.