# Lock a domain (https://developer.godaddy.com/en/docs/api-users/manage-domains/lock)



## Overview

Registry lock sets the `clientTransferProhibited` flag at the domain registry, preventing any registrar from initiating an outbound transfer without your explicit consent. Lock is enabled by default at registration and has no effect on DNS resolution, email delivery, or any service hosted on the domain. Disable it only for the duration of a transfer or registrant change, then re-enable it immediately.

Lock state is a field on the `DomainDetail` object, read with `GET /v1/domains/{domain}` and toggled with `PATCH /v1/domains/{domain}`.

<Callout type="info">
  Registry lock management isn't available in v3 yet. This page uses the v1 endpoint (`PATCH /v1/domains/{domain}`).
</Callout>

## Prerequisites

The following prerequisites are required before you manage registry lock:

* A GoDaddy account that owns the domain
* A [Personal Access Token](https://developer.godaddy.com/docs/api-users/auth) with `domains.domain:read` and `domains.domain:update` scopes

## Read lock state

Returns the full `DomainDetail` object. The `locked` boolean is `true` when `clientTransferProhibited` is set at the registry.

The following procedure reads the lock state for a domain.

* Run the following command:

```bash
curl -s "https://api.godaddy.com/v1/domains/example.com" \
  -H "Authorization: Bearer $GODADDY_PAT" \
  -H "Accept: application/json"
```

```json
{
  "domain": "example.com",
  "status": "ACTIVE",
  "locked": true,
  "renewAuto": true,
  "expires": "2026-03-15T00:00:00.000Z"
}
```

## Enable lock

Send `{"locked": true}` to the domain update endpoint. Returns `204 No Content`. Idempotent — locking an already-locked domain is a no-op.

The following procedure enables the registry transfer-lock on a domain.

* Run the following command for your preferred language:

<Tabs items={['curl', 'Node', 'Python', 'Go']}>
  <>
    <Tab value="curl">
      ```bash
      curl -s -X PATCH "https://api.godaddy.com/v1/domains/example.com" \
        -H "Authorization: Bearer $GODADDY_PAT" \
        -H "Content-Type: application/json" \
        -d '{"locked": true}'
      ```
    </Tab>

    <Tab value="Node">
      ```js
      const pat = process.env.GODADDY_PAT;
      const res = await fetch("https://api.godaddy.com/v1/domains/example.com", {
        method: "PATCH",
        headers: {
          Authorization: `Bearer ${pat}`,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({ locked: true }),
      });
      console.log(res.status); // expect 204
      ```
    </Tab>

    <Tab value="Python">
      ```python
      import os, requests

      res = requests.patch(
          "https://api.godaddy.com/v1/domains/example.com",
          json={"locked": True},
          headers={
              "Authorization": f"Bearer {os.environ['GODADDY_PAT']}",
              "Content-Type": "application/json",
          },
      )
      print(res.status_code)  # expect 204
      ```
    </Tab>

    <Tab value="Go">
      ```go
      package main

      import (
          "bytes"
          "fmt"
          "net/http"
          "os"
      )

      func main() {
          body := bytes.NewReader([]byte(`{"locked": true}`))
          req, _ := http.NewRequest("PATCH",
              "https://api.godaddy.com/v1/domains/example.com", body)
          req.Header.Set("Authorization", "Bearer "+os.Getenv("GODADDY_PAT"))
          req.Header.Set("Content-Type", "application/json")
          res, _ := http.DefaultClient.Do(req)
          defer res.Body.Close()
          fmt.Println(res.StatusCode) // expect 204
      }
      ```
    </Tab>
  </>
</Tabs>

## Disable lock

Send `{"locked": false}` to release the transfer-lock. Returns `204 No Content`.

The following procedure disables the registry transfer-lock on a domain.

<Callout type="warning" title="Re-lock immediately after the operation completes">
  Unlock only for as long as the transfer or registrant change requires. Once the operation completes, re-enable lock with `{"locked": true}`. High-value and production-serving domains should be locked at all other times.
</Callout>

* Run the following command for your preferred language:

<Tabs items={['curl', 'Node', 'Python', 'Go']}>
  <>
    <Tab value="curl">
      ```bash
      curl -s -X PATCH "https://api.godaddy.com/v1/domains/example.com" \
        -H "Authorization: Bearer $GODADDY_PAT" \
        -H "Content-Type: application/json" \
        -d '{"locked": false}'
      ```
    </Tab>

    <Tab value="Node">
      ```js
      const pat = process.env.GODADDY_PAT;
      const res = await fetch("https://api.godaddy.com/v1/domains/example.com", {
        method: "PATCH",
        headers: {
          Authorization: `Bearer ${pat}`,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({ locked: false }),
      });
      console.log(res.status); // expect 204
      ```
    </Tab>

    <Tab value="Python">
      ```python
      import os, requests

      res = requests.patch(
          "https://api.godaddy.com/v1/domains/example.com",
          json={"locked": False},
          headers={
              "Authorization": f"Bearer {os.environ['GODADDY_PAT']}",
              "Content-Type": "application/json",
          },
      )
      print(res.status_code)  # expect 204
      ```
    </Tab>

    <Tab value="Go">
      ```go
      package main

      import (
          "bytes"
          "fmt"
          "net/http"
          "os"
      )

      func main() {
          body := bytes.NewReader([]byte(`{"locked": false}`))
          req, _ := http.NewRequest("PATCH",
              "https://api.godaddy.com/v1/domains/example.com", body)
          req.Header.Set("Authorization", "Bearer "+os.Getenv("GODADDY_PAT"))
          req.Header.Set("Content-Type", "application/json")
          res, _ := http.DefaultClient.Do(req)
          defer res.Body.Close()
          fmt.Println(res.StatusCode) // expect 204
      }
      ```
    </Tab>
  </>
</Tabs>

## When to unlock

Two operations require the lock to be off before they can proceed:

| Scenario                           | Detail                                                                                                                                           |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Outbound transfer**              | The receiving registrar cannot initiate the transfer until lock is disabled.                                                                     |
| **Registrant change on some TLDs** | A subset of ccTLDs require unlock before the registry accepts a registrant update. Check the TLD's registry policy before attempting the change. |

<Callout type="info">
  Lock is enabled by default at registration. Leave it on at all other times — it has no effect on DNS resolution, email delivery, or any service hosted on the domain.
</Callout>

## Request body

`PATCH /v1/domains/{domain}` accepts a `DomainUpdate` object. Only the fields you include are updated.

| Field         | Type      | Description                                                                                                                 |
| ------------- | --------- | --------------------------------------------------------------------------------------------------------------------------- |
| `locked`      | boolean   | Whether to engage the registry transfer-lock.                                                                               |
| `renewAuto`   | boolean   | Whether auto-renew is enabled. See [Renewals](https://developer.godaddy.com/docs/api-users/manage-domains/renewals).                                     |
| `nameServers` | string\[] | Authoritative nameservers (apex). See [DNS → Manage nameservers](https://developer.godaddy.com/docs/api-users/manage-domains/dns#manage-nameservers-v2). |
| `exposeWhois` | boolean   | Whether contact details appear in WHOIS. Overridden by `privacy`.                                                           |

## Common errors

| Status | Most likely cause                                                 |
| ------ | ----------------------------------------------------------------- |
| `400`  | Malformed request body.                                           |
| `403`  | Credential lacks write access to this domain.                     |
| `404`  | Domain doesn't exist or isn't owned by the authenticated account. |
| `409`  | Conflicting operation in progress (e.g. mid-transfer).            |
| `422`  | Invalid field value.                                              |

Full error envelope: [Errors](https://developer.godaddy.com/docs/api-users/errors).

## Reference

* [v1 domain settings — domain update (`PATCH /v1/domains/{domain}`)](https://developer.godaddy.com/docs/references/rest/domains/v1/manage-domain-settings)

## Next

<Cards>
  <Card title="Auto-renew and renewals" description="Toggle auto-renew and manually renew before expiration." href="/docs/api-users/manage-domains/renewals" />

  <Card title="DNS records and nameservers" description="Read and write DNS records, or delegate to another provider." href="/docs/api-users/manage-domains/dns" />
</Cards>
