Provider setup
Exactly what to do at each DNS provider to create the credential its adapter needs.
Exactly what a customer (or you, on their behalf) must do to create the
credential each adapter needs, plus any account-eligibility gates. Store the
resulting value via POST /v1/applications/{id}/credentials with the matching
provider key (see DNS providers); it is encrypted at rest.
Scope every credential to the minimum needed (edit rights on the target zone). Never reuse an account-wide admin token.
BYO API token
| Provider | provider key | How to create the credential | Gate |
|---|---|---|---|
| Cloudflare | cloudflare | My Profile → API Tokens → Create Token → Edit zone DNS scoped to the zone. | none |
| DigitalOcean | digitalocean | API → Tokens → Generate (write scope). | none |
| Gandi | gandi | Account → Security → API key (LiveDNS). | none |
| deSEC | desec | Account → generate a token. | none |
| Hetzner | hetzner | DNS Console → API tokens. | none |
| Vercel | vercel | Account Settings → Tokens. | none |
| DNSimple | dnsimple | Account → Automation → API tokens. | none |
| Porkbun | porkbun | Account → API Access → enable + create key/secret → credential apikey:secretapikey. | must enable API per domain |
| Linode | linode | Cloud Manager → API Tokens (Domains: read/write). | none |
| Vultr | vultr | Account → API → enable + key. | IP allowlist optional |
| Name.com | namecom | Account → API → token → credential user:token. | none |
| Netlify | netlify | User Settings → Applications → Personal access token. | domain must be a Netlify DNS zone |
| GoDaddy | godaddy | Developer portal → API Keys → production key → credential key:secret. | Production API access is gated by account tier (historically ≥10 domains / eligible reseller/pro). Verify current eligibility. |
Machine credential (cloud / OAuth2)
These are still "bring your own credential" — the customer creates a machine identity in their cloud console. No approval of your service is required, but the customer needs cloud-admin access.
Amazon Route 53 — route53
- Create an IAM user/role with a policy allowing `route53:ChangeResourceRecordSets` and `route53:ListResourceRecordSets`/`GetHostedZone` on the target hosted zone.
- Credential: `accessKeyId:secretAccessKey` (optionally `:region`).
- The connection's `zone` is the Hosted Zone ID (e.g. `Z123ABC`), not the name.
- Auth is AWS SigV4 (implemented in-adapter; no AWS SDK).
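One way to check that an IAM policy stays within the minimum described above before an access key is issued from it. This is an added example, not code from the service or its adapter; the function name `audit_route53_policy` and both sample policies are constructed for illustration, and the check covers identity-policy `Allow` statements only.

```python
# The three actions the page lists for the route53 adapter (lowercased for comparison).
ALLOWED_ACTIONS = {
    "route53:changeresourcerecordsets",
    "route53:listresourcerecordsets",
    "route53:gethostedzone",
}

def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]

def audit_route53_policy(policy, zone_id):
    """Return findings where an identity policy exceeds the single-zone minimum."""
    zone_arn = f"arn:aws:route53:::hostedzone/{zone_id}"
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; any wildcard counts as excess.
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: excess action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != zone_arn:
                findings.append(f"statement {i}: resource {resource} is outside {zone_arn}")
    return findings

# Constructed sample policies; Z123ABC is the page's example Hosted Zone ID.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:ChangeResourceRecordSets",
                   "route53:ListResourceRecordSets",
                   "route53:GetHostedZone"],
        "Resource": "arn:aws:route53:::hostedzone/Z123ABC",
    }],
}
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "route53:*", "Resource": "*"},
}

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_route53_policy(policy, "Z123ABC"))
```

An empty list means the policy grants nothing beyond the three actions on the one hosted zone; each finding names the statement index and the grant that exceeds it.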
Google Cloud DNS — gcpdns
- Create a service account with role `roles/dns.admin` (or narrower) on the project.
- Download its JSON key. Credential = that JSON with a `managed_zone` field added (the Cloud DNS zone name). `project_id` is read from the key.
- Auth is OAuth2 via a signed (RS256) JWT assertion (implemented in-adapter).
Azure DNS — azuredns
- Register an app in Entra ID; create a client secret; grant it DNS Zone Contributor on the resource group holding the zone.
- Credential JSON: `{tenant_id, client_id, client_secret, subscription_id, resource_group}`.
- Auth is the Entra client-credentials flow (implemented in-adapter).
Namecheap — namecheap
- Enable API access (Profile → Tools → API Access) and whitelist your server's public IP.
- Credential: `apiUser:apiKey:clientIp`.
- Gate: API access requires meeting Namecheap's threshold (e.g. 20+ domains, or a balance/spend minimum). Verify eligibility.
Redirect / no-token
- Domain Connect (`domain-connect`) — no stored credential; the customer is redirected to their provider to apply a template. See DNS providers.
- Squarespace — no third-party write API; use Domain Connect or guided-manual.
The frictionless "connect account" UX
The one-click "Log in with your provider, click Allow" experience needs a 3-legged OAuth app registered and approved with each provider under your company's identity — a business/legal step, not code. Until then, BYO-token, machine-credential, and Domain Connect cover the same providers without it.