Provider setup
Exactly what to do at each DNS provider to create the credential its adapter needs.
Exactly what a customer (or you, on their behalf) must do to create the
credential each adapter needs, plus any account-eligibility gates. The customer
pastes the resulting value into the widget's API-token step (or you pass it to
POST /v1/connections/{id}/apply as credential.token with the matching
provider key — see DNS providers). It is used once
to write the records and is never stored.
Scope every credential to the minimum needed (edit rights on the target zone). Never reuse an account-wide admin token.
BYO API token
| Provider | provider key | How to create the credential | Gate |
|---|---|---|---|
| Cloudflare | cloudflare | My Profile → API Tokens → Create Token → Edit zone DNS scoped to the zone. | none |
| DigitalOcean | digitalocean | API → Tokens → Generate (write scope). | none |
| Gandi | gandi | Account → Security → API key (LiveDNS). | none |
| deSEC | desec | Account → generate a token. | none |
| Hetzner | hetzner | DNS Console → API tokens. | none |
| Vercel | vercel | Account Settings → Tokens. | none |
| DNSimple | dnsimple | Account → Automation → API tokens. | none |
| Porkbun | porkbun | Account → API Access → enable + create key/secret → credential apikey:secretapikey. | must enable API per domain |
| Linode | linode | Cloud Manager → API Tokens (Domains: read/write). | none |
| Vultr | vultr | Account → API → enable + key. | IP allowlist optional |
| Name.com | namecom | Account → API → token → credential user:token. | none |
| Netlify | netlify | User Settings → Applications → Personal access token. | domain must be a Netlify DNS zone |
| GoDaddy | godaddy | Developer portal → API Keys → production key → credential key:secret. | Production API access is gated by account tier (historically ≥10 domains / eligible reseller/pro). Verify current eligibility. |
Machine credential (cloud / OAuth2)
These are still "bring your own credential" — the customer creates a machine identity in their cloud console. No approval of your service is required, but the customer needs cloud-admin access.
Amazon Route 53 — route53
- Create an IAM user/role with a policy allowing
route53:ChangeResourceRecordSetsandroute53:ListResourceRecordSets/GetHostedZoneon the target hosted zone. - Credential:
accessKeyId:secretAccessKey(optionally:region). - The connection's
zoneis the Hosted Zone ID (e.g.Z123ABC), not the name. - Auth is AWS SigV4 (implemented in-adapter; no AWS SDK).
Google Cloud DNS — gcpdns
- Create a service account with role
roles/dns.admin(or narrower) on the project. - Download its JSON key. Credential = that JSON with a
managed_zonefield added (the Cloud DNS zone name).project_idis read from the key. - Auth is OAuth2 via a signed (RS256) JWT assertion (implemented in-adapter).
Azure DNS — azuredns
- Register an app in Entra ID; create a client secret; grant it DNS Zone Contributor on the resource group holding the zone.
- Credential JSON:
{tenant_id, client_id, client_secret, subscription_id, resource_group}. - Auth is the Entra client-credentials flow (implemented in-adapter).
Namecheap — namecheap
- Enable API access (Profile → Tools → API Access) and whitelist your server's public IP.
- Credential:
apiUser:apiKey:clientIp. - Gate: API access requires meeting Namecheap's threshold (e.g. 20+ domains, or a balance/spend minimum). Verify eligibility.
Redirect / no-token
- Domain Connect (
domain-connect) — no stored credential; the customer is redirected to their provider to apply a template. See DNS providers. - Squarespace — no third-party write API; use Domain Connect or guided-manual.
The frictionless "connect account" UX
The one-click "Log in with your provider, click Allow" experience needs a 3-legged OAuth app registered and approved with each provider under your company's identity — a business/legal step, not code. Until then, BYO-token, machine-credential, and Domain Connect cover the same providers without it.