Authenticate
View as MarkdownAuthenticate API requests with a Personal Access Token (PAT). PATs are required for all Domains APIs. The classic GoDaddy developer key is supported through 2026 for other APIs.
Overview
GoDaddy APIs use Bearer token authentication through a Personal Access Token (PAT) tied to specific capability scopes. PATs are required for all v3 Domains APIs. The classic GoDaddy developer key (sso-key) is still supported, but scheduled for deprecation. After you have a token, go to the quickstart to make your first call, or set up the CLI for a command-line workflow.
Account requirements
Some operations require the account to meet specific eligibility rules regardless of credential type. A valid credential on an ineligible account is still refused with a 403 Forbidden response and an Error code that distinguishes the reason from a missing scope. Check the code field on the response body, not just the HTTP status, to determine the reason. Go to Handle errors for the full error envelope and status code reference.
| Operation group | Requirement |
|---|---|
| Domain management — list, DNS, contacts, renewals, lock, privacy | Account holds at least one domain, OR is on a plan that grants management access. |
| Registration, renewal, transfer (any operation that costs money in production) | Account has a valid billing method on file or a funded Good as Gold balance. Go to Set up a payment profile. |
PAT scopes
The following table lists the Domains API scopes you can assign when generating a PAT. Each scope enables specific operations. A write-scoped token satisfies read operations for the same resource; a read-scoped token is refused on writes.
When you generate a token, the Domains & DNS bundle in the scope picker selects all scopes below. You can expand it to grant a subset instead.
| Scope | Required to |
|---|---|
domains.domain:read | Read domain records, availability, suggestions, quotes, and operations |
domains.domain:create | Register domains |
domains.domain:update | Modify domain settings |
domains.domain:delete | Delete or cancel domains |
domains.dns:update | Create, update, and delete DNS zone records |
domains.nameserver:update | Replace authoritative nameservers for a domain |
domains.host:update | Modify domain host records |
domains.forward:update | Configure domain forwarding |
domains.contact:update | Update registrant, admin, or tech contacts |
domains.transfer:execute | Initiate an inbound domain transfer |
domains.transfer:update | Modify a transfer in progress |
A PAT is a scoped Bearer token. Unlike sso-key, PATs are tied to specific capability scopes and can be revoked individually without rotating your account-wide key pair.
Generate a PAT
The following describe how to generate a PAT.
- Sign in to the Personal Access Token page.
- Click + Generate Token.
- In the Generate personal access token dialog, complete the following fields:
Field Description Note Name Name for the token. Expiration Number of days until the token expires. Scopes Scopes for the token. Go to PAT scopes to see the available scopes. - Click Generate Token.
Store your token securely
After generating the token, it displays once. You can't retrieve it again from the Personal Access Token page — store it in secure storage immediately.
- In the Copy your new token dialog, click the copy icon.
- Save the token in a password manager, secrets manager, or your application's secure credential store. Don't commit it to source control, check it into a repo, or paste it into chat.
- Load the token at runtime when you need it:
-
Local scripts: export it in the shell session you're about to use (not permanently in your shell profile):
export GODADDY_PAT="<YOUR_GODADDY_PAT>" -
Apps and CI: inject
GODADDY_PATfrom your platform's secret store (GitHub Actions secrets, AWS Secrets Manager, etc.) when the process starts.
-
Don't treat export as storage
export GODADDY_PAT=... makes the token available to the current shell — it is not a secure place to keep credentials long term. Store the value in a secrets manager first, then export or inject it only when running a command or starting your app.
Use a token
The PAT is sent as a Bearer token in the Authorization header on every request.
- Add the header to every request:
Authorization: Bearer ${GODADDY_PAT}Revoke a token
After a token isn't needed anymore, revoke it to prevent it from being used again.
- Sign in to the Personal Access Token page.
- Next to the token you want to revoke, click the trash icon.
- In the Revoke token? dialog, click Revoke Token.
Deprecated
This is the legacy way of generating a GoDaddy developer key. It's slated for retirement and won't work for v3 Domains APIs. Use a Personal Access Token instead.
Generate a key and secret
- Sign in at classic-developer.godaddy.com/keys.
- Generate a new key for Production.
- Copy both the Key and Secret immediately. The Secret is shown once.
- Export the credential:
export GODADDY_KEY="<YOUR_GODADDY_KEY>"
export GODADDY_SECRET="<YOUR_GODADDY_SECRET>"Use the credential
- Add the header to every request:
Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}Agent & Automation Notes
Not applicable — this page is credential setupRelated
Guides
Concepts
Last updated on
How is this guide?
End-to-end workflow
Complete workflow for buying and configuring a domain — search, quote, register, add DNS, verify. Runnable start-to-finish in under 5 minutes.
Set up a payment profile
Add a billing method to your GoDaddy account before registering or renewing domains. Required for any operation that charges money.