Provider setup

Exactly what to do at each DNS provider to create the credential its adapter needs.

Exactly what a customer (or you, on their behalf) must do to create the credential each adapter needs, plus any account-eligibility gates. Store the resulting value via POST /v1/applications/{id}/credentials with the matching provider key (see DNS providers); it is encrypted at rest.

Scope every credential to the minimum needed (edit rights on the target zone). Never reuse an account-wide admin token.

BYO API token

| Provider | provider key | How to create the credential | Gate |
|---|---|---|---|
| Cloudflare | cloudflare | My Profile → API Tokens → Create Token → Edit zone DNS scoped to the zone. | none |
| DigitalOcean | digitalocean | API → Tokens → Generate (write scope). | none |
| Gandi | gandi | Account → Security → API key (LiveDNS). | none |
| deSEC | desec | Account → generate a token. | none |
| Hetzner | hetzner | DNS Console → API tokens. | none |
| Vercel | vercel | Account Settings → Tokens. | none |
| DNSimple | dnsimple | Account → Automation → API tokens. | none |
| Porkbun | porkbun | Account → API Access → enable + create key/secret → credential apikey:secretapikey. | must enable API per domain |
| Linode | linode | Cloud Manager → API Tokens (Domains: read/write). | none |
| Vultr | vultr | Account → API → enable + key. | IP allowlist optional |
| Name.com | namecom | Account → API → token → credential user:token. | none |
| Netlify | netlify | User Settings → Applications → Personal access token. | domain must be a Netlify DNS zone |
| GoDaddy | godaddy | Developer portal → API Keys → production key → credential key:secret. | Production API access is gated by account tier (historically ≥10 domains / eligible reseller/pro). Verify current eligibility. |

Machine credential (cloud / OAuth2)

These are still "bring your own credential" — the customer creates a machine identity in their cloud console. No approval of your service is required, but the customer needs cloud-admin access.

Amazon Route 53 — route53

  • Create an IAM user/role with a policy allowing route53:ChangeResourceRecordSets, route53:ListResourceRecordSets and route53:GetHostedZone on the target hosted zone.
  • Credential: accessKeyId:secretAccessKey (optionally :region).
  • The connection's zone is the Hosted Zone ID (e.g. Z123ABC), not the name.
  • Auth is AWS SigV4 (implemented in-adapter; no AWS SDK).
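
A sketch of that least-privilege policy and a check for broader ones, added here as an example (not the adapter's or the project's own code). The function names, the Hosted Zone ID pattern and the sample policy are assumptions made for illustration.

```python
import re

# Actions the page lists for the route53 adapter.
ACTIONS = ["route53:ChangeResourceRecordSets", "route53:GetHostedZone",
           "route53:ListResourceRecordSets"]
NEEDED = {a.lower() for a in ACTIONS}  # IAM action names are case-insensitive
# Assumed ID shape, based on the page's example Z123ABC; zone names never match.
ZONE_ID = re.compile(r"Z[A-Z0-9]+")


def zone_arn(zone_id):
    if not ZONE_ID.fullmatch(zone_id):
        raise ValueError("expected a Hosted Zone ID such as Z123ABC, not a zone name")
    return f"arn:aws:route53:::hostedzone/{zone_id}"


def scoped_policy(zone_id):
    """IAM policy allowing only the listed actions on one hosted zone."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(ACTIONS),
                           "Resource": zone_arn(zone_id)}]}


def _items(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy, zone_id):
    """List every way an Allow statement exceeds what the adapter needs."""
    target, findings = zone_arn(zone_id), []
    for n, stmt in enumerate(_items(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: grants by exclusion")
        for action in _items(stmt.get("Action", [])):
            if action.lower() not in NEEDED:
                findings.append(f"statement {n}: unneeded action {action}")
        for resource in _items(stmt.get("Resource", [])):
            if resource != target:
                findings.append(f"statement {n}: resource {resource} is not the target zone")
    return findings


# Constructed sample: the account-wide grant the page warns against.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_policy(scoped_policy("Z123ABC"), "Z123ABC"))
    for finding in audit_policy(BROAD_POLICY, "Z123ABC"):
        print(finding)
```

Run the audit against the policy attached to the IAM user before storing its access key; an empty list means the key can only touch the one zone.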

Google Cloud DNS — gcpdns

  • Create a service account with role roles/dns.admin (or narrower) on the project.
  • Download its JSON key. Credential = that JSON with a managed_zone field added (the Cloud DNS zone name). project_id is read from the key.
  • Auth is OAuth2 via a signed (RS256) JWT assertion (implemented in-adapter).

Azure DNS — azuredns

  • Register an app in Entra ID; create a client secret; grant it DNS Zone Contributor on the resource group holding the zone.
  • Credential JSON: {tenant_id, client_id, client_secret, subscription_id, resource_group}.
  • Auth is the Entra client-credentials flow (implemented in-adapter).

Namecheap — namecheap

  • Enable API access (Profile → Tools → API Access) and whitelist your server's public IP.
  • Credential: apiUser:apiKey:clientIp.
  • Gate: API access requires meeting Namecheap's threshold (e.g. 20+ domains, or a balance/spend minimum). Verify eligibility.

Redirect / no-token

  • Domain Connect (domain-connect) — no stored credential; the customer is redirected to their provider to apply a template. See DNS providers.
  • Squarespace — no third-party write API; use Domain Connect or guided-manual.

The frictionless "connect account" UX

The one-click "Log in with your provider, click Allow" experience needs a 3-legged OAuth app registered and approved with each provider under your company's identity — a business/legal step, not code. Until then, BYO-token, machine-credential, and Domain Connect cover the same providers without it.
