Support
DomainsManage Domains

Lock a domain

View as Markdown

Read and toggle the registry transfer-lock state on a domain you own. Unlock only when a transfer or registrant change requires it.

Overview

Registry lock sets the clientTransferProhibited flag at the domain registry, preventing any registrar from initiating an outbound transfer without your explicit consent. Lock is enabled by default at registration and has no effect on DNS resolution, email delivery, or any service hosted on the domain. Disable it only for the duration of a transfer or registrant change, then re-enable it immediately.

Lock state is a field on the DomainDetail object, read with GET /v1/domains/{domain} and toggled with PATCH /v1/domains/{domain}.

Registry lock management isn't available in v3 yet. This page uses the v1 endpoint (PATCH /v1/domains/{domain}).

Prerequisites

The following prerequisites are required before you manage registry lock:

  • A GoDaddy account that owns the domain
  • A Personal Access Token with domains.domain:read and domains.domain:update scopes

Read lock state

Returns the full DomainDetail object. The locked boolean is true when clientTransferProhibited is set at the registry.

The following procedure reads the lock state for a domain.

  • Run the following command:
curl -s "https://api.godaddy.com/v1/domains/example.com" \
  -H "Authorization: Bearer $GODADDY_PAT" \
  -H "Accept: application/json"
{
  "domain": "example.com",
  "status": "ACTIVE",
  "locked": true,
  "renewAuto": true,
  "expires": "2026-03-15T00:00:00.000Z"
}

Enable lock

Send {"locked": true} to the domain update endpoint. Returns 204 No Content. Idempotent — locking an already-locked domain is a no-op.

The following procedure enables the registry transfer-lock on a domain.

  • Run the following command for your preferred language:
curl -s -X PATCH "https://api.godaddy.com/v1/domains/example.com" \
  -H "Authorization: Bearer $GODADDY_PAT" \
  -H "Content-Type: application/json" \
  -d '{"locked": true}'
const pat = process.env.GODADDY_PAT;
const res = await fetch("https://api.godaddy.com/v1/domains/example.com", {
  method: "PATCH",
  headers: {
    Authorization: `Bearer ${pat}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ locked: true }),
});
console.log(res.status); // expect 204
import os, requests

res = requests.patch(
    "https://api.godaddy.com/v1/domains/example.com",
    json={"locked": True},
    headers={
        "Authorization": f"Bearer {os.environ['GODADDY_PAT']}",
        "Content-Type": "application/json",
    },
)
print(res.status_code)  # expect 204
package main

import (
    "bytes"
    "fmt"
    "net/http"
    "os"
)

func main() {
    body := bytes.NewReader([]byte(`{"locked": true}`))
    req, _ := http.NewRequest("PATCH",
        "https://api.godaddy.com/v1/domains/example.com", body)
    req.Header.Set("Authorization", "Bearer "+os.Getenv("GODADDY_PAT"))
    req.Header.Set("Content-Type", "application/json")
    res, _ := http.DefaultClient.Do(req)
    defer res.Body.Close()
    fmt.Println(res.StatusCode) // expect 204
}

Disable lock

Send {"locked": false} to release the transfer-lock. Returns 204 No Content.

The following procedure disables the registry transfer-lock on a domain.

Re-lock immediately after the operation completes

Unlock only for as long as the transfer or registrant change requires. Once the operation completes, re-enable lock with {"locked": true}. High-value and production-serving domains should be locked at all other times.

  • Run the following command for your preferred language:
curl -s -X PATCH "https://api.godaddy.com/v1/domains/example.com" \
  -H "Authorization: Bearer $GODADDY_PAT" \
  -H "Content-Type: application/json" \
  -d '{"locked": false}'
const pat = process.env.GODADDY_PAT;
const res = await fetch("https://api.godaddy.com/v1/domains/example.com", {
  method: "PATCH",
  headers: {
    Authorization: `Bearer ${pat}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ locked: false }),
});
console.log(res.status); // expect 204
import os, requests

res = requests.patch(
    "https://api.godaddy.com/v1/domains/example.com",
    json={"locked": False},
    headers={
        "Authorization": f"Bearer {os.environ['GODADDY_PAT']}",
        "Content-Type": "application/json",
    },
)
print(res.status_code)  # expect 204
package main

import (
    "bytes"
    "fmt"
    "net/http"
    "os"
)

func main() {
    body := bytes.NewReader([]byte(`{"locked": false}`))
    req, _ := http.NewRequest("PATCH",
        "https://api.godaddy.com/v1/domains/example.com", body)
    req.Header.Set("Authorization", "Bearer "+os.Getenv("GODADDY_PAT"))
    req.Header.Set("Content-Type", "application/json")
    res, _ := http.DefaultClient.Do(req)
    defer res.Body.Close()
    fmt.Println(res.StatusCode) // expect 204
}

When to unlock

Two operations require the lock to be off before they can proceed:

ScenarioDetail
Outbound transferThe receiving registrar cannot initiate the transfer until lock is disabled.
Registrant change on some TLDsA subset of ccTLDs require unlock before the registry accepts a registrant update. Check the TLD's registry policy before attempting the change.

Lock is enabled by default at registration. Leave it on at all other times — it has no effect on DNS resolution, email delivery, or any service hosted on the domain.

Request body

PATCH /v1/domains/{domain} accepts a DomainUpdate object. Only the fields you include are updated.

FieldTypeDescription
lockedbooleanWhether to engage the registry transfer-lock.
renewAutobooleanWhether auto-renew is enabled. See Renewals.
nameServersstring[]Authoritative nameservers (apex). See DNS → Manage nameservers.
exposeWhoisbooleanWhether contact details appear in WHOIS. Overridden by privacy.

Common errors

StatusMost likely cause
400Malformed request body.
403Credential lacks write access to this domain.
404Domain doesn't exist or isn't owned by the authenticated account.
409Conflicting operation in progress (e.g. mid-transfer).
422Invalid field value.

Full error envelope: Errors.

Reference

Next

Agent & Automation Notes

PermissionsDomain Owner
Scopesdomains.domain:read, domains.domain:update
Rate limitRate-limited per credential per window. Go to /docs/api-users/rate-limits for current values.
IdempotentYes
DestructiveNo
On failureIdempotent — locking an already-locked domain is a no-op. Prefer GET-before-PATCH to confirm current state on error retries.

Last updated on

How is this guide?

On this page