canar.ai

How It Works

The 4-phase lifecycle: detect, inject, trigger, remediate.

The 4-Phase Lifecycle

1. Detect

Identify whether the visitor is an AI agent using user-agent patterns, HTTP header heuristics, and behavioral signals.

2. Inject

Embed hidden canary instructions across 12 different vectors in the page HTML and API responses.

3. Trigger

Monitor for agents that follow the instructions — by visiting a callback URL or echoing a canary phrase.

4. Remediate

Inject fix guidance into the DOM so the agent can read and act on it in real time.

Agent Detection

Every incoming request is analyzed for signals that indicate an AI agent rather than a human browser. Detection uses three methods:

User-Agent Pattern Matching

Over 30 known AI agent user-agent strings are checked, including GPTBot, ChatGPT-User, ClaudeBot, PerplexityBot, and automation tools like Puppeteer and Playwright.

Example matches
GPTBot/1.0               → OpenAI GPTBot
ChatGPT-User/1.0         → ChatGPT Browser
ClaudeBot/1.0            → Anthropic ClaudeBot
PerplexityBot/1.0        → Perplexity
HeadlessChrome/131.0     → Headless Chrome

HTTP Header Heuristics

Certain headers indicate API clients or automation tools. Authorization headers, API key headers, and request-ID patterns are all signals.

Confidence Levels

Each detection returns a confidence level:

  • High — Known AI agent UA string (GPTBot, ClaudeBot, etc.)
  • Medium — Automation tool (Puppeteer, curl) or multiple header signals
  • Low — Single weak signal (e.g., only an API key header)
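As an added example (not canar.ai's own code), a Python classifier that implements the detection flow described above: user-agent matching first, then header heuristics, mapped onto the three confidence levels. The UA lists are a constructed subset of the 30+ patterns the page mentions, and the header names are assumed for the signal classes it names.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed subset of the 30+ user-agent patterns the page mentions (labels follow its table).
KNOWN_AGENT_UAS = {
    "GPTBot": "OpenAI GPTBot",
    "ChatGPT-User": "ChatGPT Browser",
    "ClaudeBot": "Anthropic ClaudeBot",
    "PerplexityBot": "Perplexity",
}
# Automation tools rank one level lower than known AI agents (Medium, per the page).
AUTOMATION_UAS = {
    "HeadlessChrome": "Headless Chrome",
    "Puppeteer": "Puppeteer",
    "Playwright": "Playwright",
    "curl": "curl",
}
# Assumed header names for the three signal classes the page lists (auth, API key, request ID).
API_SIGNAL_HEADERS = ("authorization", "x-api-key", "x-request-id")


@dataclass
class Detection:
    is_agent: bool
    confidence: Optional[str]  # "high", "medium", "low" or None
    reason: str


def detect_agent(user_agent: str, headers: Mapping[str, str]) -> Detection:
    """Classify one request using UA matching first, then header heuristics."""
    ua = (user_agent or "").lower()
    for needle, label in KNOWN_AGENT_UAS.items():
        if needle.lower() in ua:
            return Detection(True, "high", f"known AI agent UA: {label}")
    for needle, label in AUTOMATION_UAS.items():
        if needle.lower() in ua:
            return Detection(True, "medium", f"automation tool UA: {label}")
    present = {name.lower() for name in headers}
    hits = [h for h in API_SIGNAL_HEADERS if h in present]
    if len(hits) >= 2:
        return Detection(True, "medium", "multiple API-client headers: " + ", ".join(hits))
    if len(hits) == 1:
        return Detection(True, "low", f"single weak signal: {hits[0]} header")
    return Detection(False, None, "no agent signals")


if __name__ == "__main__":
    print(detect_agent("Mozilla/5.0 (compatible; GPTBot/1.0)", {}))
    print(detect_agent("Mozilla/5.0 Firefox/130.0", {"X-API-Key": "constructed"}))
```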

Injection Vectors

When a visitor is detected (or on every page for comprehensive testing), hidden instructions are embedded across multiple surfaces:

8 Web Vectors

Hidden divs, invisible text, HTML comments, tiny fonts, aria-hidden elements, meta tags, image alt text, and data attributes.

4 API Vectors

Response body text, HTTP headers, JSON metadata fields, and HTML nested within JSON responses.

See the full vector reference for details on each technique.

Canary Tokens

Each injection contains a unique canary token — a short hex identifier in the format CANAR-<hex>. Tokens are grouped by session so all injections from a single page load share a session ID.

Token format
CANAR-a1b2c3d4e5f6

Session grouping:
  Session: 0f1e2d3c4b5a6978
  ├── CANAR-aaa111bbb222  (hidden-div vector)
  ├── CANAR-ccc333ddd444  (html-comment vector)
  ├── CANAR-eee555fff666  (tiny-font vector)
  └── ... (one per active vector)

Tokens and session data are stored in Postgres. IP addresses are stored for forensic analysis and hashed for dashboard display.

Trigger Types

There are two ways an agent can reveal it followed an injected instruction:

Callback Trigger

The injected instruction asks the agent to visit a URL like /callback/<canary-id>. When the agent makes that HTTP request, we know it followed the instruction.

Phrase Echo Trigger

The instruction asks the agent to include a specific phrase (like CANAR-a1b2c3) in its output. If the user reports seeing the phrase, the agent followed the injection.

Privacy Model

Privacy by design

  • IP addresses are stored securely and hashed for dashboard display
  • Public dashboard shows aggregate data only — no raw IPs or site-specific information is exposed
  • All canary instructions are completely benign
  • Open source — inspect exactly what runs on your site
