Detection: Beta Join Token Enumeration
Catalog area: beta
Severity: medium
Created: 2026-06-12 UTC
Refs: docs/architecture/beta-phase2-join-flow.md §12
Trigger condition
More than 10 requests to GET /api/beta/join/<token>/state from a single IP address
within a 5-minute window where the token is invalid, expired, or revoked (i.e., the
response is {"valid": false}).
Why this matters
The state endpoint is intentionally identical for all invalid token states (anti-enumeration). Volume probing can still leak approximate information about the token namespace density. HMAC tokens with sufficient entropy make brute force impractical, but a volume spike warrants investigation.
Detection logic
- Source: Raptor access logs (Heroku log drain) or Sentry breadcrumbs.
- Query:
  path LIKE '/api/beta/join/%/state' AND response_body.valid = false
  GROUP BY ip_address, 5-minute window
  HAVING count > 10
Response
- Log warning with IP + count to ops@raxx.app.
- If count exceeds 50 in 5 minutes: consider temporary IP-level block via CF firewall rule.
- Review jti values in the log; if tokens are sequential or clustered, escalate to operator.
False positive conditions
- Load testing from known internal IPs.
- A tester sharing a broken or truncated link via messaging app that auto-unfurls.
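The detection query, the two response thresholds and the internal-IP false-positive exclusion above, carried through as an added worked example. This is not code from the catalog entry or from the Raptor codebase. Heroku router lines do not carry the response body, so the example assumes the join handler writes one key=value application log line per request that records the validity result it returned; that line format, the KNOWN_INTERNAL_IPS allowlist and every IP, token and timestamp in the sample log are constructed for the example. Windows are tumbling 5-minute buckets, which is what a GROUP BY on a truncated timestamp produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed app-side log line format (constructed for this example; not the real
# Raptor log schema). Heroku router lines do not include the response body, so
# this assumes the join handler logs one key=value line per request with the
# validity result it returned.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app\[[^\]]+\]: event=beta_join_state "
    r"ip=(?P<ip>\S+) path=(?P<path>\S+) valid=(?P<valid>true|false)$"
)
STATE_PATH_RE = re.compile(r"^/api/beta/join/[^/]+/state$")

WINDOW_SECONDS = 300       # 5-minute window
WARN_THRESHOLD = 10        # trigger: count > 10 -> warn ops
BLOCK_THRESHOLD = 50       # response: count > 50 -> consider CF firewall block
# Placeholder allowlist for the "load testing from known internal IPs" false
# positive; the real list is operator-maintained and not part of the catalog entry.
KNOWN_INTERNAL_IPS = {"192.0.2.10"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a join-state event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "path": m["path"], "valid": m["valid"] == "true"}


def window_start(ts):
    """Floor a timestamp to its tumbling 5-minute bucket."""
    secs = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def count_invalid_by_ip(lines):
    """Equivalent of the catalog query: invalid-token state lookups grouped by
    (ip_address, 5-minute window). Returns {(ip, window_start): count}."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["valid"] or not STATE_PATH_RE.match(rec["path"]):
            continue
        counts[(rec["ip"], window_start(rec["ts"]))] += 1
    return dict(counts)


def alerts(lines):
    """Apply the trigger (> 10) and escalation (> 50) thresholds, skipping
    allowlisted internal IPs. Returns a list of alert dicts."""
    out = []
    for (ip, win), n in sorted(count_invalid_by_ip(lines).items()):
        if ip in KNOWN_INTERNAL_IPS or n <= WARN_THRESHOLD:
            continue
        action = "consider_ip_block" if n > BLOCK_THRESHOLD else "warn_ops"
        out.append({"ip": ip, "window": win.isoformat(), "count": n, "action": action})
    return out


def constructed_log():
    """Constructed sample log: 12 invalid probes from one external IP, 3 from
    another, 15 from an allowlisted internal IP, plus noise that must not count."""
    base = datetime(2026, 6, 12, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset, ip, path, valid):
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} app[web.1]: event=beta_join_state ip={ip} path={path} valid={valid}"

    lines = [line(10 * i, "203.0.113.5", f"/api/beta/join/tok{i:03d}/state", "false") for i in range(12)]
    lines += [line(10 * i, "198.51.100.7", f"/api/beta/join/bad{i}/state", "false") for i in range(3)]
    lines += [line(5 * i, "192.0.2.10", "/api/beta/join/loadtest/state", "false") for i in range(15)]
    lines.append(line(1, "203.0.113.5", "/api/beta/join/realtoken/state", "true"))  # valid lookup, not counted
    lines.append(line(2, "203.0.113.5", "/api/beta/join/realtoken", "false"))       # different path, not counted
    lines.append('2026-06-12T10:00:03Z heroku[router]: at=info method=GET path="/" status=200')  # unrelated
    return lines


if __name__ == "__main__":
    for a in alerts(constructed_log()):
        print(a)
```

Running the block prints a single warn_ops alert for 203.0.113.5 with count 12; the 3-probe IP stays under the trigger and the allowlisted internal IP is dropped despite 15 invalid lookups. Only the "warn" tier fires here; counts above 50 in one bucket would produce the consider_ip_block action that maps to the CF firewall step. A tumbling window can split a burst across two buckets, so a sliding-window variant is stricter if the log pipeline supports it.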