Ownership and setup types
The ask gate, value-checked verification, and the three ways a connection reaches live.
Ownership (the ask gate)
Before the edge will request a certificate for a hostname, ownership must be
proven. The customer publishes a TXT record at
_customdomain-challenge.<host> whose value is the challenge string the
application issued for that connection. Verification is value-checked: the TXT
record must equal the expected challenge exactly, and the address records
(A/AAAA) must contain the exact addresses the customer was told to publish.
"The name resolves to something" is never accepted: the contents of the zone
are controlled by the party being verified (or by an attacker), not by the
application, so the mere existence of a record proves nothing about who asked
for the certificate.
Only after a connection reaches verified does GET /internal/ask return
allow: true, which is what lets the edge obtain a cert on demand. This is the
central safety gate.
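The value-checked verifier and the ask gate described above, as an added example rather than the project's own code. It assumes a resolver callable that returns the full record set for a (name, type) pair and feeds it a zone constructed inline so it runs offline; the state names pending and live, the tolerance of extra unrelated TXT records, and the Connection and ask() shapes are assumptions. The naive "resolves to something" check is included only to show what the page rejects.

```python
"""Value-checked ownership verification and the /internal/ask gate.

Added example, not the project's own code. It assumes a resolver callable
that returns the full record set for a (name, type) pair; the zone below is
constructed inline so the example runs offline.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional

CHALLENGE_LABEL = "_customdomain-challenge"

# Connection states named on the page ("verified", "live"); "pending" is assumed.
PENDING, VERIFIED, LIVE = "pending", "verified", "live"

Resolver = Callable[[str, str], Iterable[str]]

# Constructed sample zone (documentation addresses, not real records).
ZONE = {
    ("_customdomain-challenge.shop.example.com", "TXT"): ["cd-verify=k7Qm2sXv4pL0"],
    ("shop.example.com", "A"): ["192.0.2.10", "192.0.2.11"],
    ("shop.example.com", "AAAA"): ["2001:DB8::10"],
    # Challenge only embedded in a longer string: must not count as a match.
    ("_customdomain-challenge.partial.example.com", "TXT"): ["note cd-verify=k7Qm2sXv4pL0"],
    ("partial.example.com", "A"): ["192.0.2.10"],
    # A name that "resolves to something" but carries no challenge at all.
    ("other.example.net", "A"): ["203.0.113.5"],
}


def resolve_from_zone(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS lookup against the constructed zone."""
    return ZONE.get((name, rtype), [])


def _canonical_ip(value: str) -> Optional[str]:
    """Normalise so '2001:DB8::10' and '2001:db8:0:0:0:0:0:10' compare equal."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def verify_ownership(host: str, expected_txt: str, expected_addrs: Iterable[str],
                     resolve: Resolver) -> bool:
    """True only when every expected value is present verbatim.

    TXT: a record at _customdomain-challenge.<host> must equal the challenge
    exactly (no substring or prefix match; extra unrelated TXT records are
    tolerated, an assumption). A/AAAA: each expected address must appear in the
    record set of the matching type. A populated record set on its own never
    counts.
    """
    txt_name = f"{CHALLENGE_LABEL}.{host}"
    if not any(rec == expected_txt for rec in resolve(txt_name, "TXT")):
        return False
    for want in expected_addrs:
        try:
            ip = ipaddress.ip_address(want)
        except ValueError:
            return False
        rtype = "AAAA" if ip.version == 6 else "A"
        present = {_canonical_ip(r) for r in resolve(host, rtype)}
        if str(ip) not in present:
            return False
    return True


def naive_resolves_to_something(host: str, resolve: Resolver) -> bool:
    """The check the page rejects: any populated A record set passes."""
    return bool(list(resolve(host, "A")))


class Connection:
    """Minimal connection record; only the state matters to the ask gate."""

    def __init__(self, host: str, challenge: str, addrs: List[str]) -> None:
        self.host, self.challenge, self.addrs = host, challenge, addrs
        self.state = PENDING

    def run_verification(self, resolve: Resolver) -> str:
        if verify_ownership(self.host, self.challenge, self.addrs, resolve):
            self.state = VERIFIED
        return self.state


def ask(conn: Connection) -> dict:
    """GET /internal/ask: the edge may request a cert only for a verified
    connection (live is assumed to be reachable only through verified)."""
    return {"allow": conn.state in (VERIFIED, LIVE)}


if __name__ == "__main__":
    conn = Connection("shop.example.com", "cd-verify=k7Qm2sXv4pL0",
                      ["192.0.2.10", "2001:db8::10"])
    print(ask(conn))                      # pending: allow False
    conn.run_verification(resolve_from_zone)
    print(conn.state, ask(conn))          # verified: allow True
```

Addresses are compared in canonical form so that a provider's uppercase or expanded IPv6 notation does not cause a spurious failure, while the TXT comparison stays byte-exact: a challenge that merely appears inside a longer string, or a name that already resolves but carries no challenge, leaves the connection in pending and the ask gate closed.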
Setup types
- automatic — the application has a delegated DNS credential; the control-plane writes the records itself (the scoped token is implicit proof of control) and skips the manual TXT step.
- manual — the customer copies the records into their DNS provider.
- Domain Connect — a redirect-based flow where the provider applies a template (no server-to-server token).
Other setup types (semiautomatic, shared_login, async, api) exist in the
data model but are not implemented in the widget yet.