# Docs

- [Introduction](/docs): What Connect Domain is, the connect → secure → serve → monitor loop, and where to go next.
- Getting started
  - [Quickstart](/docs/getting-started/quickstart): Connect your first custom domain end to end in about five minutes.
- Concepts
  - [Architecture](/docs/concepts/architecture): The two independent planes that share one database and talk over HTTP.
  - [Connections](/docs/concepts/connections): The connection lifecycle state machine, hostname collisions, and tenancy.
  - [Ownership and setup types](/docs/concepts/ownership-and-setup-types): The ask gate, value-checked verification, and the three ways a connection reaches live.
- Authentication
  - [Overview](/docs/authentication/overview): API keys for server-to-server calls; widget JWTs for the browser.
  - [Widget tokens](/docs/authentication/widget-tokens): Minting short-lived JWTs via POST /v1/tokens for one connect flow.
- Connect flow
  - [Overview](/docs/connect-flow/overview): The create → verify → live pipeline and where each API call fits.
  - [Create a connection](/docs/connect-flow/create-a-connection): POST /v1/connections — idempotency, setup_type, and record overrides.
  - [Verify ownership & go live](/docs/connect-flow/verify-and-go-live): The ownership TXT check, per-record propagation reporting, and cert issuance.
  - [Offboarding](/docs/connect-flow/offboarding): Archiving a domain (soft-delete, DELETE → state=archived).
- DNS
  - [DNS providers](/docs/dns/providers): The 19-provider auto-write fleet, delegated credentials, and Domain Connect.
  - [Provider setup](/docs/dns/provider-setup): Exactly what to do at each DNS provider to create the credential its adapter needs.
  - [Email DNS](/docs/dns/email-dns): Generating MX/SPF/DKIM/DMARC records for Google Workspace, Microsoft 365, and Zoho.
- Webhooks
  - [Overview](/docs/webhooks/overview): Register HTTPS endpoints to receive signed events as connections progress.
  - [Verifying signatures](/docs/webhooks/verifying-signatures): HMAC-SHA256 signature verification and replay protection.
- API reference
  - [API reference](/docs/api-reference): Base URL, auth, versioning, errors, pagination, and idempotency — plus the full generated operation reference.
  - Tokens
    - [Mint a short-lived widget JWT for one connect flow](/docs/api-reference/tokens/createWidgetToken)
  - Domains
    - [Detect provider / setup type for a domain (read-only)](/docs/api-reference/domains/checkDomain)
  - Connections
    - [Generate + write email DNS for the connection's domain](/docs/api-reference/connections/applyEmailRecords)
    - [Offboard a domain (soft-delete to state=archived)](/docs/api-reference/connections/archiveConnection)
    - [Per-record propagated/missing report](/docs/api-reference/connections/checkConnectionRecords)
    - [Start connecting a domain (idempotent via Idempotency-Key)](/docs/api-reference/connections/createConnection)
    - [Connection status (state, records desired vs observed, cert)](/docs/api-reference/connections/getConnection)
    - [List/filter connections (cursor pagination)](/docs/api-reference/connections/listConnections)
  - Email
    - [Generate email DNS records (MX/SPF/DKIM/DMARC) for a mailbox provider](/docs/api-reference/email/emailRecords)
  - Applications
    - [Create an API key — secret shown ONCE in this response](/docs/api-reference/applications/createApiKey)
    - [Create an application (integration)](/docs/api-reference/applications/createApplication)
    - [List API keys (hash never returned; last4 only)](/docs/api-reference/applications/listApiKeys)
    - [List applications](/docs/api-reference/applications/listApplications)
    - [Update allowlist / record template / name](/docs/api-reference/applications/updateApplication)
  - Webhooks
    - [Register a webhook receiver](/docs/api-reference/webhooks/createWebhookEndpoint)
  - Usage
    - [Metered counters for the current period (billing reconciliation)](/docs/api-reference/usage/getUsage)
- Widget SDK
  - [Overview](/docs/widget-sdk/overview): A drop-in "Connect your domain" modal, gated by a widget JWT, with no keys in the browser.
  - [Installation & embed](/docs/widget-sdk/installation-and-embed): Load the hosted bundle, mint a widget token server-side, and open the modal.
  - [Reference](/docs/widget-sdk/reference): Host events, token lifecycle, and accessibility behavior.
- Self-hosting
  - [Overview](/docs/self-hosting/overview): Components, local development, and deployment topology.
  - [Configuration](/docs/self-hosting/configuration): Environment variables for the control-plane and edge, production guardrails, and observability.
- Security
  - [Overview](/docs/security/overview): Tenancy, RBAC, value-checked ownership, secrets handling, and the unauthenticated surfaces.
- Billing
  - [Plans & quotas](/docs/billing/plans-and-quotas): Plan catalog, metered usage, quota enforcement, and checkout.
- [Reference](/docs/reference): Enums, environment variables, error codes, and other lookup tables.
- [Troubleshooting](/docs/troubleshooting): Common failure modes — stuck verification, propagation delays, conflicts, and drift.
- [FAQ](/docs/faq): Short answers to common questions about connecting domains.
- [User journeys](/docs/user-journeys): Every user-facing flow, the surface that implements it, and the automated test that verifies it.
- [Changelog](/docs/changelog): How the product and API change over time.