Honey Tokens

docs/documentation/platform/honey-tokens/overview.mdx


Honey tokens are decoy credentials that act as tripwires. When an attacker gains access to your secrets and attempts to use a honey token, Infisical detects the activity and immediately alerts you and your team.

Each honey token is planted alongside your real secrets so it appears genuine. Any attempt to use these credentials triggers an alert and notifies organization admins.

At this time, we only support AWS IAM credentials as honey tokens, but we're planning to support more providers in the near future.

Permissions

Honey tokens use two levels of permissions: organization-level permissions for the one-time setup, and project-level permissions for day-to-day usage.

Organization Permissions (Setup)

| Action | Description |
| --- | --- |
| Setup | Configure honey token settings in Organization Settings (AWS connection, CloudFormation stack, etc.) |

Only organization Admins have the Setup permission by default. This is required to connect, manage, and verify the honey token configuration.

Project Permissions (Usage)

| Action | Description | Admin | Member | Viewer |
| --- | --- | --- | --- | --- |
| Read | View honey tokens, their status, and trigger events | Yes | Yes | Yes |
| Read Credentials | View the actual decoy credential values (e.g., AWS access keys) | Yes | No | No |
| Create | Create new honey tokens and plant decoy secrets | Yes | No | No |
| Edit | Update honey token name, description, or secret mappings | Yes | No | No |
| Reset | Reset a triggered honey token back to active status | Yes | No | No |
| Revoke | Permanently deactivate and remove a honey token | Yes | No | No |

<Note>
By default, only project **Admins** have full honey token permissions. **Members** and **Viewers** can only view honey tokens. To grant additional honey token permissions to non-admin roles, create a [custom role](/documentation/platform/access-controls/role-based-access-controls) with the desired actions.
</Note>

<Note>
Honey token credentials are stored as regular secrets in your project. Users also need the appropriate **Secrets** permissions (`Read`) for the relevant environment and secret path to view the planted decoy secrets in the secrets dashboard.
</Note>

Getting Started

<Steps>
<Step title="One-Time Setup">
An organization admin goes through a one-time setup process to configure AWS Honey Tokens. This needs to be done once per organization, and this setup process dictates which AWS account and region the honey tokens will be planted in.

Follow the [Setup Guide](/documentation/platform/honey-tokens/aws/setup) to get started with honey tokens.
</Step>
<Step title="Create and Manage Tokens">
Once setup is complete, any project member with the appropriate permissions can create, monitor, and manage honey tokens across projects.

Follow the [Usage Guide](/documentation/platform/honey-tokens/aws/usage) to get started with using honey tokens.
</Step>
</Steps>