Support

Authenticate

View as Markdown

Authenticate API requests with a Personal Access Token (PAT). PATs are required for all Domains APIs. The classic GoDaddy developer key is supported through 2026 for other APIs.

Overview

GoDaddy APIs use Bearer token authentication through a Personal Access Token (PAT) tied to specific capability scopes. PATs are required for all v3 Domains APIs. The classic GoDaddy developer key (sso-key) is still supported, but scheduled for deprecation. After you have a token, go to the quickstart to make your first call, or set up the CLI for a command-line workflow.

Account requirements

Some operations require the account to meet specific eligibility rules regardless of credential type. A valid credential on an ineligible account is still refused with a 403 Forbidden response and an Error code that distinguishes the reason from a missing scope. Check the code field on the response body, not just the HTTP status, to determine the reason. Go to Handle errors for the full error envelope and status code reference.

Operation groupRequirement
Domain management — list, DNS, contacts, renewals, lock, privacyAccount holds at least one domain, OR is on a plan that grants management access.
Registration, renewal, transfer (any operation that costs money in production)Account has a valid billing method on file or a funded Good as Gold balance. Go to Set up a payment profile.

PAT scopes

The following table lists the Domains API scopes you can assign when generating a PAT. Each scope enables specific operations. A write-scoped token satisfies read operations for the same resource; a read-scoped token is refused on writes.

When you generate a token, the Domains & DNS bundle in the scope picker selects all scopes below. You can expand it to grant a subset instead.

ScopeRequired to
domains.domain:readRead domain records, availability, suggestions, quotes, and operations
domains.domain:createRegister domains
domains.domain:updateModify domain settings
domains.domain:deleteDelete or cancel domains
domains.dns:updateCreate, update, and delete DNS zone records
domains.nameserver:updateReplace authoritative nameservers for a domain
domains.host:updateModify domain host records
domains.forward:updateConfigure domain forwarding
domains.contact:updateUpdate registrant, admin, or tech contacts
domains.transfer:executeInitiate an inbound domain transfer
domains.transfer:updateModify a transfer in progress

A PAT is a scoped Bearer token. Unlike sso-key, PATs are tied to specific capability scopes and can be revoked individually without rotating your account-wide key pair.

Generate a PAT

The following describe how to generate a PAT.

  1. Sign in to the Personal Access Token page.
  2. Click + Generate Token.
  3. In the Generate personal access token dialog, complete the following fields:
    FieldDescriptionNote
    NameName for the token.
    ExpirationNumber of days until the token expires.
    ScopesScopes for the token.Go to PAT scopes to see the available scopes.
  4. Click Generate Token.

Store your token securely

After generating the token, it displays once. You can't retrieve it again from the Personal Access Token page — store it in secure storage immediately.

  1. In the Copy your new token dialog, click the copy icon.
  2. Save the token in a password manager, secrets manager, or your application's secure credential store. Don't commit it to source control, check it into a repo, or paste it into chat.
  3. Load the token at runtime when you need it:
    • Local scripts: export it in the shell session you're about to use (not permanently in your shell profile):

      export GODADDY_PAT="<YOUR_GODADDY_PAT>"
    • Apps and CI: inject GODADDY_PAT from your platform's secret store (GitHub Actions secrets, AWS Secrets Manager, etc.) when the process starts.

Don't treat export as storage

export GODADDY_PAT=... makes the token available to the current shell — it is not a secure place to keep credentials long term. Store the value in a secrets manager first, then export or inject it only when running a command or starting your app.

Use a token

The PAT is sent as a Bearer token in the Authorization header on every request.

  • Add the header to every request:
Authorization: Bearer ${GODADDY_PAT}

Revoke a token

After a token isn't needed anymore, revoke it to prevent it from being used again.

  1. Sign in to the Personal Access Token page.
  2. Next to the token you want to revoke, click the trash icon.
  3. In the Revoke token? dialog, click Revoke Token.

Deprecated

This is the legacy way of generating a GoDaddy developer key. It's slated for retirement and won't work for v3 Domains APIs. Use a Personal Access Token instead.

Generate a key and secret

  1. Sign in at classic-developer.godaddy.com/keys.
  2. Generate a new key for Production.
  3. Copy both the Key and Secret immediately. The Secret is shown once.
  • Export the credential:
export GODADDY_KEY="<YOUR_GODADDY_KEY>"
export GODADDY_SECRET="<YOUR_GODADDY_SECRET>"

Use the credential

  • Add the header to every request:
Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}

Agent & Automation Notes

PermissionsAny account
ScopesNot applicable — this page is credential setup
Rate limitPAT creation: interactive UI, not rate-limited. API calls with PAT: rate-limited per credential per window. Go to /docs/api-users/rate-limits for current values.
IdempotentYes
DestructiveNo
On failurePAT reveals once at creation — if lost, revoke and regenerate. Revocation is instant across all edges.

Last updated on

How is this guide?

On this page