# Authenticate (https://developer.godaddy.com/en/docs/api-users/auth)



## Overview

GoDaddy APIs use Bearer token authentication through a Personal Access Token (PAT) tied to specific capability scopes. PATs are required for all v3 Domains APIs. The classic GoDaddy developer key (`sso-key`) is still supported, but scheduled for deprecation. After you have a token, go to the [quickstart](https://developer.godaddy.com/docs/api-users/quickstart) to make your first call, or [set up the CLI](https://developer.godaddy.com/docs/api-users/cli-setup) for a command-line workflow.

### Account requirements

Some operations require the account to meet specific eligibility rules regardless of credential type. A valid credential on an ineligible account is still refused with a `403 Forbidden` response and an `Error` code that distinguishes the reason from a missing scope. Check the `code` field on the response body, not just the HTTP status, to determine the reason. Go to [Handle errors](https://developer.godaddy.com/docs/api-users/errors) for the full error envelope and status code reference.

| Operation group                                                                | Requirement                                                                                                                                                                                               |
| ------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Domain management — list, DNS, contacts, renewals, lock, privacy               | Account holds at least one domain, OR is on a plan that grants management access.                                                                                                                         |
| Registration, renewal, transfer (any operation that costs money in production) | Account has a valid billing method on file or a funded [Good as Gold](https://www.godaddy.com/help/what-is-good-as-gold-3359) balance. Go to [Set up a payment profile](https://developer.godaddy.com/docs/api-users/payment-profile). |

### PAT scopes

The following table lists the Domains API scopes you can assign when generating a PAT. Each scope enables specific operations. A write-scoped token satisfies read operations for the same resource; a read-scoped token is refused on writes.

When you generate a token, the **Domains & DNS** bundle in the scope picker selects all scopes below. You can expand it to grant a subset instead.

| Scope                       | Required to                                                            |
| --------------------------- | ---------------------------------------------------------------------- |
| `domains.domain:read`       | Read domain records, availability, suggestions, quotes, and operations |
| `domains.domain:create`     | Register domains                                                       |
| `domains.domain:update`     | Modify domain settings                                                 |
| `domains.domain:delete`     | Delete or cancel domains                                               |
| `domains.dns:update`        | Create, update, and delete DNS zone records                            |
| `domains.nameserver:update` | Replace authoritative nameservers for a domain                         |
| `domains.host:update`       | Modify domain host records                                             |
| `domains.forward:update`    | Configure domain forwarding                                            |
| `domains.contact:update`    | Update registrant, admin, or tech contacts                             |
| `domains.transfer:execute`  | Initiate an inbound domain transfer                                    |
| `domains.transfer:update`   | Modify a transfer in progress                                          |

<Tabs items={['Personal Access Token (PAT)', 'Classic Developer Key']}>
  <Tab value="Personal Access Token (PAT)">
    A PAT is a scoped Bearer token. Unlike `sso-key`, PATs are tied to specific capability scopes and can be revoked individually without rotating your account-wide key pair.

    ### Generate a PAT

    The following describe how to generate a PAT.

    1. Sign in to the [Personal Access Token](https://developer.godaddy.com/personal-access-token) page.
    2. Click **+ Generate Token**.
    3. In the **Generate personal access token** dialog, complete the following fields:
       | Field          | Description                             | Note                                                         |
       | -------------- | --------------------------------------- | ------------------------------------------------------------ |
       | **Name**       | Name for the token.                     |                                                              |
       | **Expiration** | Number of days until the token expires. |                                                              |
       | **Scopes**     | Scopes for the token.                   | Go to [PAT scopes](#pat-scopes) to see the available scopes. |
    4. Click **Generate Token**.

    ### Store your token securely

    After generating the token, it displays once. You can't retrieve it again from the [Personal Access Token page](https://developer.godaddy.com/personal-access-token) — store it in secure storage immediately.

    1. In the **Copy your new token** dialog, click the copy icon.
    2. Save the token in a password manager, secrets manager, or your application's secure credential store. Don't commit it to source control, check it into a repo, or paste it into chat.
    3. Load the token at **runtime** when you need it:
       * **Local scripts:** export it in the shell session you're about to use (not permanently in your shell profile):

         ```bash
         export GODADDY_PAT="<YOUR_GODADDY_PAT>"
         ```

       * **Apps and CI:** inject `GODADDY_PAT` from your platform's secret store (GitHub Actions secrets, AWS Secrets Manager, etc.) when the process starts.

    <Callout type="warn" title="Don't treat export as storage">
      `export GODADDY_PAT=...` makes the token available to the current shell — it is not a secure place to keep credentials long term. Store the value in a secrets manager first, then export or inject it only when running a command or starting your app.
    </Callout>

    ### Use a token

    The PAT is sent as a Bearer token in the `Authorization` header on every request.

    * Add the header to every request:

    ```http
    Authorization: Bearer ${GODADDY_PAT}
    ```

    ### Revoke a token

    After a token isn't needed anymore, revoke it to prevent it from being used again.

    1. Sign in to the [Personal Access Token](https://developer.godaddy.com/personal-access-token) page.
    2. Next to the token you want to revoke, click the trash icon.
    3. In the **Revoke token?** dialog, click **Revoke Token**.
  </Tab>

  <Tab value="Classic Developer Key">
    <Callout type="warn" title="Deprecated">
      This is the legacy way of generating a GoDaddy developer key. It's slated for retirement and won't work for v3 Domains APIs. Use a [Personal Access Token](#generate-a-pat) instead.
    </Callout>

    ## Generate a key and secret

    1. Sign in at <ClassicDeveloperLink path="/keys" />.
    2. Generate a new key for Production.
    3. Copy both the **Key** and **Secret** immediately. The Secret is shown once.

    * Export the credential:

    ```bash
    export GODADDY_KEY="<YOUR_GODADDY_KEY>"
    export GODADDY_SECRET="<YOUR_GODADDY_SECRET>"
    ```

    ### Use the credential

    * Add the header to every request:

    ```http
    Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}
    ```
  </Tab>
</Tabs>
