# Docs

- [Introduction](/docs): What Customdomain is, the connect → secure → serve → monitor loop, and where to go next.
- Getting started
  - [Quickstart](/docs/getting-started/quickstart): Connect your first custom domain end to end in about five minutes.
- Concepts
  - [Architecture](/docs/concepts/architecture): The two independent planes that share one database and talk over HTTP.
  - [Connections](/docs/concepts/connections): The connection lifecycle, the authoritative record set, tenancy, and drift.
  - [Setup types & the ask gate](/docs/concepts/ownership-and-setup-types): How a domain is classified, the four connect rails, and the status-based edge authorization gate.
- Authentication
  - [Overview](/docs/authentication/overview): The three credential types, member roles, and the unauthenticated surfaces.
  - [Widget tokens](/docs/authentication/widget-tokens): Minting short-lived JWTs via POST /v1/tokens for the browser widget.
- Connect flow
  - [Overview](/docs/connect-flow/overview): The create → apply → live pipeline and the four rails that write DNS.
  - [Create a connection](/docs/connect-flow/create-a-connection): POST /v1/connections — the request, the idempotent replay, and the record set it returns.
  - [Apply records & go live](/docs/connect-flow/verify-and-go-live): The three automatic rails, the manual fallback, propagation to live, and cert issuance.
  - [Offboarding](/docs/connect-flow/offboarding): How a customer disconnects a domain today, and the current limitations.
- DNS
  - [DNS providers](/docs/dns/providers): The built-in auto-write fleet, the connect rails, and the parity census.
  - [Provider setup](/docs/dns/provider-setup): Exactly what to do at each DNS provider to create the credential its adapter needs.
  - [Email DNS & SPF merge](/docs/dns/email-dns): Adding MX/SPF/DKIM/DMARC alongside a connection, and how SPFM merges SPF safely.
- Webhooks
  - [Overview](/docs/webhooks/overview): Register HTTPS endpoints to receive signed events as connections progress.
  - [Verifying signatures](/docs/webhooks/verifying-signatures): HMAC-SHA256 signature verification and replay protection.
- API reference
  - [API reference](/docs/api-reference): Base URL, auth schemes, versioning, the error envelope, and the full generated operation reference.
  - Tokens
    - [Exchange application credentials for a short-lived widget JWT](/docs/api-reference/tokens/createWidgetToken)
  - Domains
    - [Detect where a domain's DNS lives and how it will be set up](/docs/api-reference/domains/checkDomain)
  - Connections
    - [Create a domain connection (idempotent per app + domain)](/docs/api-reference/connections/createConnection)
    - [List connections](/docs/api-reference/connections/listConnections)
    - [Get a connection with its authoritative record set](/docs/api-reference/connections/getConnection)
    - [Authoritative desired DNS record set for a connection](/docs/api-reference/connections/getConnectionRecords)
    - [Write a connection's records through the customer's provider (BYO token, used once)](/docs/api-reference/connections/applyConnection)
    - [Begin the OAuth-into-DNS-provider authorization for a connection](/docs/api-reference/connections/startConnectionOAuth)
    - [OAuth redirect target (public; authenticated by the signed state)](/docs/api-reference/connections/oauthCallback)
    - [Build the signed Domain Connect apply URL for a connection](/docs/api-reference/connections/startDomainConnect)
  - Applications
    - [Create an application (client_secret returned once)](/docs/api-reference/applications/createApplication)
    - [List applications](/docs/api-reference/applications/listApplications)
    - [Get an application](/docs/api-reference/applications/getApplication)
    - [Issue an API key for an application (key returned once)](/docs/api-reference/applications/createApiKey)
    - [List an application's API keys (secrets omitted)](/docs/api-reference/applications/listApiKeys)
    - [Revoke an API key](/docs/api-reference/applications/revokeApiKey)
  - Members
    - [Invite a member to the caller's tenant (invite_token shown once)](/docs/api-reference/members/inviteMember)
    - [List the caller tenant's members](/docs/api-reference/members/listMembers)
    - [Accept an invite (single-use token)](/docs/api-reference/members/acceptMember)
    - [Change a member's role (owner-protected)](/docs/api-reference/members/updateMemberRole)
    - [Remove a member or revoke a pending invite (owner-protected)](/docs/api-reference/members/removeMember)
  - Tenancy
    - [Create a tenant](/docs/api-reference/tenancy/createTenant)
    - [Get a tenant](/docs/api-reference/tenancy/getTenant)
    - [One-call signup provisioning (tenant + owner + app + API key)](/docs/api-reference/tenancy/provisionTenant)
  - Providers
    - [List the DNS providers the Connect engine can detect and automate](/docs/api-reference/providers/listProviders)
    - [Full parity census — every target provider routed to its working mode](/docs/api-reference/providers/providerCensus)
  - Templates
    - [List Domain Connect service templates](/docs/api-reference/templates/listTemplates)
    - [Get one Domain Connect template](/docs/api-reference/templates/getTemplate)
    - [Build the Domain Connect apply URL for a domain](/docs/api-reference/templates/buildTemplateApplyUrl)
  - Registrar
    - [Search domain availability and pricing](/docs/api-reference/registrar/searchDomains)
    - [Cheapest real-time price for a domain](/docs/api-reference/registrar/quoteDomain)
    - [Register a domain (fail-closed; requires Idempotency-Key)](/docs/api-reference/registrar/purchaseDomain)
  - Monitor
    - [Check declared baseline records against live public DNS](/docs/api-reference/monitor/checkRecords)
  - Webhooks
    - [Register a webhook endpoint (secret returned once)](/docs/api-reference/webhooks/createWebhook)
    - [List webhook endpoints](/docs/api-reference/webhooks/listWebhooks)
    - [Delete a webhook endpoint](/docs/api-reference/webhooks/deleteWebhook)
    - [Recent webhook delivery attempts for the caller's tenant](/docs/api-reference/webhooks/listWebhookDeliveries)
  - Billing
    - [Public plan catalog (plus billing {configured, mode})](/docs/api-reference/billing/listPlans)
    - [Metered domain usage, plan, and quota for the caller's tenant](/docs/api-reference/billing/getUsage)
    - [Start a Stripe Checkout session for a self-serve plan](/docs/api-reference/billing/createCheckout)
    - [Open a Stripe Billing Portal session](/docs/api-reference/billing/createPortalSession)
  - Enterprise
    - [Role / permission matrix (static reference)](/docs/api-reference/enterprise/getRbac)
    - [Audit log (tenant-scoped for tenant credentials; full log for the management key)](/docs/api-reference/enterprise/getAudit)
- Widget SDK
  - [Overview](/docs/widget-sdk/overview): A drop-in "Connect your domain" modal, gated by a widget JWT, with no keys in the browser.
  - [Installation & embed](/docs/widget-sdk/installation-and-embed): Install customdomain-js, mint a widget token server-side, and open the modal.
  - [Reference](/docs/widget-sdk/reference): The seven methods, the six window events and callbacks, full config, statuses, and theming tokens.
- MCP
  - [MCP server](/docs/mcp/overview): The Model Context Protocol server — six domain tools an AI agent can call over JSON-RPC, its transports, and its auth.
- Self-hosting
  - [Overview](/docs/self-hosting/overview): Components, local development, deployment topology, and an honest capabilities list.
  - [Configuration](/docs/self-hosting/configuration): Environment variables for the control-plane, edge, and console, plus production guardrails.
- Security
  - [Overview](/docs/security/overview): Tenancy, credential model, value-checked DNS, one-time provider tokens, and the unauthenticated surfaces.
- Billing
  - [Plans & quotas](/docs/billing/plans-and-quotas): The plan catalog, metered domain usage, and Stripe checkout.
- [Reference](/docs/reference): Enums, environment variables, error codes, and other lookup tables.
- [Troubleshooting](/docs/troubleshooting): Common failure modes — stuck connections, propagation delays, rail errors, and drift.
- [FAQ](/docs/faq): Short answers to common questions about connecting domains.
- [User journeys](/docs/user-journeys): Every user-facing flow and the surface that implements it.
- [Changelog](/docs/changelog): How the product and API change over time.