Connect Domain

Reference

Enums, environment variables, error codes, and other lookup tables.

Enums

ConnectionStatecreated, pending_ownership, verifying, verified, dns_writing, propagating, stalled, issuing_cert, live, drifted, failed, archived.

SetupTypeautomatic, manual, semiautomatic, shared_login, async, api. (Only automatic, manual, and Domain Connect are implemented in the widget.)

UsageKindconnect, active_domain, cert, api_call.

Scopeconnections:read, connections:write, apps:admin, webhooks:write, usage:read.

Webhook eventsdomain.added, domain.verified, ssl.issued, domain.flow.completed, domain.drift.

Common error codes

CodeHTTPMeaning
unauthorized401Missing/invalid credential.
forbidden403Valid credential lacks the required scope.
not_found404Object doesn't exist or isn't in your tenant.
invalid400Malformed request.
HostnameConflict409Hostname already held active.
ownership_not_found409Ownership TXT missing/incorrect at verify.
QuotaExceeded402Plan connect limit reached (carries upgrade_url).
billing_unavailable502No billing provider configured.
internal500Server error (generic message + correlation ref).

Environment variables

See Self-hosting → Configuration for the full control-plane and edge env tables.

Ownership challenge

  • Name: _customdomain-challenge.<hostname>
  • Type: TXT
  • Value: the value returned in ownership_challenge on connection create.

Webhook signature

  • Headers: X-CD-Timestamp: <unix seconds> and X-CD-Signature: sha256=<hex>
  • Algorithm: HMAC-SHA256 over ${timestamp}.${rawBody} (the timestamp, a dot, then the exact request body), keyed by the endpoint's signing secret. Reject deliveries whose timestamp is outside a ~5-minute window. See Verifying signatures.

Resources

  • ARCHITECTURE.md (repository root of app/) — the two-plane design and invariants.
  • CONTRACTS.md — frozen inter-component interfaces.
  • BENCHMARKS.md — parity vs Entri + performance.
  • openapi-v1.yaml — OpenAPI document (this reference is authoritative where the hand-written pages differ from the generated API reference).

On this page