Canary tokens, used by Grafana Labs during a security incident involving a GitHub Actions workflow, are digital decoys that mimic valuable assets and alert security teams to potential intrusions. These tokens can appear as API keys, files, URLs, or DNS entries; in this incident, an alert fired when an attacker used an AWS API key, allowing rapid containment of the breach without any compromise to production systems or customer data. The strategic placement and integration of canary tokens within Grafana Labs' infrastructure, using Thinkst's platform, enabled real-time alerts through Slack and facilitated an effective response by the Detection & Response team. The blog emphasizes the importance of careful token placement, integration with automated response workflows, and the use of metadata for efficient triage, while also addressing potential limitations such as false positives and infrastructure vulnerabilities. Additionally, Grafana Labs highlights best practices for implementing a canary token strategy, including mixing token types, automating placement, and educating teams to enhance overall security posture.
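The triage step described above, as an added example (not code from Grafana Labs or Thinkst): it scans CloudTrail-style records for use of a canary AWS access key and enriches each hit with the placement metadata recorded when the token was planted. The inventory layout, the placement and owner names, the chat message format and the log lines are all constructed assumptions.

```python
import json

# Hypothetical inventory: canary key ID -> placement metadata recorded at planting time.
CANARY_INVENTORY = {
    "AKIAIOSFODNN7EXAMPLE": {"placement": "ci-secrets/github-actions",
                             "owner": "detection-response"},
}

# Constructed CloudTrail-style records (one JSON object per line), not real log data.
SAMPLE_LOG = """\
{"eventTime":"2025-01-01T10:00:05Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2025-01-01T10:00:09Z","eventName":"ListBuckets","sourceIPAddress":"198.51.100.20","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventTime":"2025-01-01T10:01:40Z","eventName":"ListUsers","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
not-json garbage line
{"eventTime":"2025-01-01T10:02:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.20","userIdentity":{"type":"IAMUser"}}
"""

def triage(log_text, inventory):
    """Group every use of a canary key into one alert per key, enriched for triage."""
    alerts = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(rec, dict):
            continue
        key_id = (rec.get("userIdentity") or {}).get("accessKeyId")
        if key_id not in inventory:
            continue  # ordinary credential, or an event with no access key
        alert = alerts.setdefault(key_id, {
            **inventory[key_id], "key_id": key_id,
            "first_seen": rec["eventTime"], "source_ips": set(), "events": []})
        # ISO-8601 UTC timestamps sort lexically, so min() gives the earliest use.
        alert["first_seen"] = min(alert["first_seen"], rec["eventTime"])
        alert["source_ips"].add(rec.get("sourceIPAddress", "unknown"))
        alert["events"].append(rec["eventName"])
    return list(alerts.values())

def slack_text(alert):
    """Render one alert as a single chat line (text only; no webhook call is made)."""
    return (f"canary key {alert['key_id']} planted at {alert['placement']} "
            f"used from {', '.join(sorted(alert['source_ips']))}; "
            f"calls: {', '.join(alert['events'])}; "
            f"first seen {alert['first_seen']}; owner: {alert['owner']}")

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, CANARY_INVENTORY):
        print(slack_text(hit))
```

Because a canary key has no legitimate use, any match is high signal; the placement field tells the responder which system leaked the key and therefore where containment starts.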