Connect Domain
Concepts

Ownership and setup types

The ask gate, value-checked verification, and the three ways a connection reaches live.

Ownership (the ask gate)

Before the edge will request a certificate for a hostname, ownership must be proven. The customer publishes a TXT record at _customdomain-challenge.<host> whose value equals the challenge issued for that connection. Verification is value-checked: the TXT must equal the expected value, and the address records (A/AAAA) must contain the exact desired value. "The name resolves to something" is never accepted as proof, because whoever controls the zone chooses what is published there; the existence of records says nothing about who holds this connection's challenge.

Only after a connection reaches the verified state does GET /internal/ask return allow: true, which is what lets the edge obtain a certificate on demand. This is the central safety gate.
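The following is an added example (not the product's own code) of the value-checked verification and the ask gate described above. DNS is replaced by a constructed in-memory zone so it runs offline; the challenge token format, the edge address and the hostnames are made-up sample data. The contrast case is the check the page rejects: a connection whose challenge does not match the published TXT, for a name that already resolves, passes a presence-only check but never reaches verified here.

```python
# Added example: value-checked ownership verification plus the ask gate.
# Illustration only, not the product's code. The resolver is an in-memory zone
# (constructed sample data); token format and addresses are made up.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CHALLENGE_LABEL = "_customdomain-challenge"

# lookup(name, rtype) -> list of record values; stands in for a real resolver.
Resolver = Callable[[str, str], List[str]]


def make_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    def lookup(name: str, rtype: str) -> List[str]:
        return zone.get((name.lower().rstrip("."), rtype.upper()), [])
    return lookup


def txt_matches(host: str, expected: str, lookup: Resolver) -> bool:
    """Some TXT at _customdomain-challenge.<host> must equal the challenge exactly."""
    name = f"{CHALLENGE_LABEL}.{host}"
    return any(v.strip('"') == expected for v in lookup(name, "TXT"))


def address_matches(host: str, edge_addr: str, lookup: Resolver) -> bool:
    """The A/AAAA record set must contain the exact edge address. A non-empty
    answer by itself proves nothing: the zone owner chooses what is published."""
    answers = set(lookup(host, "A")) | set(lookup(host, "AAAA"))
    return edge_addr in answers


def presence_only(host: str, lookup: Resolver) -> bool:
    """The heuristic the page rejects ('the name resolves to something'); for contrast."""
    return bool(lookup(host, "A") or lookup(host, "AAAA"))


@dataclass
class Connection:
    host: str
    challenge: str      # value issued to this customer for this host
    edge_addr: str      # address the A/AAAA records must contain
    state: str = "pending"


def verify(conn: Connection, lookup: Resolver) -> str:
    """Move a connection to 'verified' only when both value checks pass."""
    if (txt_matches(conn.host, conn.challenge, lookup)
            and address_matches(conn.host, conn.edge_addr, lookup)):
        conn.state = "verified"
    return conn.state


def ask(conn: Connection) -> dict:
    """Behaviour of GET /internal/ask: allow issuance only for verified hosts."""
    return {"allow": conn.state == "verified"}


# Constructed zone for the customer's hostname (sample data, not real records).
EDGE = "203.0.113.10"
ZONE = {
    ("_customdomain-challenge.shop.example.com", "TXT"): ['"ch_3f9a1c"'],
    ("shop.example.com", "A"): [EDGE],
}


def demo() -> dict:
    lookup = make_resolver(ZONE)
    # Legitimate connection: the challenge issued to it is what the zone publishes.
    legit = Connection("shop.example.com", "ch_3f9a1c", EDGE)
    # Rogue connection: a second account claims the same hostname with its own
    # challenge. The name resolves (even to the edge), but the TXT value differs.
    rogue = Connection("shop.example.com", "ch_7b2d44", EDGE)
    verify(legit, lookup)
    verify(rogue, lookup)
    return {
        "legit_state": legit.state,
        "legit_ask": ask(legit)["allow"],
        "rogue_state": rogue.state,
        "rogue_ask": ask(rogue)["allow"],
        # the rejected heuristic would have accepted the rogue claim
        "rogue_presence_only": presence_only(rogue.host, lookup),
    }


if __name__ == "__main__":
    print(demo())
```

The ask gate keys off the connection's state only, so the DNS checks are the single place where proof is evaluated; an edge that asked on every TLS handshake would still never be told allow: true for a hostname whose published values do not match the challenge issued to that connection.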

Setup types

  • automatic — the application has a delegated DNS credential; the control-plane writes the records itself (the scoped token is implicit proof of control) and skips the manual TXT step.
  • manual — the customer copies the records into their DNS provider.
  • Domain Connect — a redirect-based flow where the provider applies a template (no server-to-server token).

Other setup types (semiautomatic, shared_login, async, api) exist in the data model but are not implemented in the widget yet.
