Download OpenAPI specification:
JSON API for the DNSCove control-plane: magic-link auth, zones and records, delegation/parity checks, snapshot publish, Route53 import, and scoped machine tokens for automation (ACME DNS-01, per-zone record management, and tenant-wide provisioning).
Two credential types, both sent as Authorization: Bearer <token>:
Session — a short-lived HMAC token from the magic-link exchange. Full access to the tenant's zones. Used by the console.
Scoped machine token (dnsc_<id>_<secret>) — carries one scope:
acme-dns01 — bound to one zone; may call only
POST /api/zones/{id}/acme-challenge on that zone.zone-admin — bound to one zone; full record CRUD + delegation/parity +
ACME on that zone. No zone lifecycle, no publish, no token minting.tenant-admin — tenant-wide (no zone binding): create/list/delete zones,
act on any zone, publish, and mint/revoke tokens. Root-equivalent —
prefer a narrower scope when one zone is enough.An endpoint that doesn't accept a token's scope answers 403.
Infrastructure-as-code: manage zones and records from your existing tooling — see the Terraform / OpenTofu and CloudFormation guides.
| email required | string <email> |
{- "email": "user@example.com"
}{- "sent": true,
- "dev_token": "string",
- "dev_link": "string"
}{- "zones": [
- {
- "id": "string",
- "tenant_id": "string",
- "origin": "string",
- "status": "PENDING_VERIFICATION",
- "ns": [
- "string"
], - "serial": 0,
- "published_serial": 0,
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z"
}
]
}| origin required | string |
{- "origin": "example.com"
}{- "id": "string",
- "tenant_id": "string",
- "origin": "string",
- "status": "PENDING_VERIFICATION",
- "ns": [
- "string"
], - "serial": 0,
- "published_serial": 0,
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z"
}| id required | string Example: Z1a2b3c4d5e6f70 |
{- "id": "string",
- "tenant_id": "string",
- "origin": "string",
- "status": "PENDING_VERIFICATION",
- "ns": [
- "string"
], - "serial": 0,
- "published_serial": 0,
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z"
}| id required | string Example: Z1a2b3c4d5e6f70 |
{- "delegation": {
- "origin": "string",
- "delegated": true,
- "expected": [
- "string"
], - "found": [
- "string"
], - "missing": [
- "string"
], - "checked_at": "2019-08-24T14:15:22Z"
}, - "status": "PENDING_VERIFICATION"
}| id required | string Example: Z1a2b3c4d5e6f70 |
{- "parity": {
- "origin": "string",
- "matches": true,
- "checked": 0,
- "mismatched": 0,
- "truncated": true,
- "checked_at": "2019-08-24T14:15:22Z"
}, - "safe_to_delete": true,
- "status": "PENDING_VERIFICATION"
}Session, zone-admin (this zone), or tenant-admin.
| id required | string Example: Z1a2b3c4d5e6f70 |
| action | string Default: "UPSERT" Enum: "UPSERT" "DELETE" |
| name required | string |
| type required | string |
| ttl | integer Default: 300 |
| records | Array of strings |
{- "action": "UPSERT",
- "name": "www.example.com.",
- "type": "A",
- "ttl": 300,
- "records": [
- "192.0.2.1"
]
}{- "status": "PENDING",
- "serial": 0
}| id required | string Example: Z1a2b3c4d5e6f70 |
{- "tokens": [
- {
- "id": "string",
- "zone_id": "string",
- "scope": "acme-dns01",
- "name": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "expires_at": "2019-08-24T14:15:22Z",
- "revoked": true
}
]
}Mints an acme-dns01 or zone-admin token bound to this zone. Returns the plaintext token exactly once — store it securely; it is unrecoverable afterward. tenant-admin is not a per-zone scope; mint it at POST /api/tokens.
| id required | string Example: Z1a2b3c4d5e6f70 |
| name | string |
| scope | string Default: "acme-dns01" Enum: "acme-dns01" "zone-admin" |
| expires_in_days | integer 0 = no expiry |
{- "name": "cert-manager webhook",
- "scope": "acme-dns01",
- "expires_in_days": 0
}{- "id": "string",
- "zone_id": "string",
- "scope": "acme-dns01",
- "name": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "expires_at": "2019-08-24T14:15:22Z",
- "revoked": true,
- "token": "dnsc_1a2b3c4d5e6f7a8b_…"
}{- "tokens": [
- {
- "id": "string",
- "zone_id": "string",
- "scope": "acme-dns01",
- "name": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "expires_at": "2019-08-24T14:15:22Z",
- "revoked": true
}
]
}Mints tenant-admin (default, tenant-wide) or a zone-bound scope when a zone_id in the caller's tenant is supplied. Returns the plaintext token exactly once.
| name | string |
| scope | string Default: "tenant-admin" Enum: "tenant-admin" "zone-admin" "acme-dns01" |
| zone_id | string required for zone-bound scopes; ignored for tenant-admin |
| expires_in_days | integer 0 = no expiry |
{- "name": "terraform",
- "scope": "tenant-admin",
- "zone_id": "string",
- "expires_in_days": 0
}{- "id": "string",
- "zone_id": "string",
- "scope": "acme-dns01",
- "name": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "expires_at": "2019-08-24T14:15:22Z",
- "revoked": true,
- "token": "dnsc_1a2b3c4d5e6f7a8b_…"
}Adds (PRESENT) or removes (CLEANUP) one value on the _acme-challenge TXT record and republishes to the edge. Accepts a session or an acme-dns01 / zone-admin token bound to this zone, or a tenant-admin token. Values merge, so multiple challenges at the same name (SAN/wildcard) coexist.
| id required | string Example: Z1a2b3c4d5e6f70 |
| action required | string Enum: "PRESENT" "CLEANUP" |
| name required | string |
| value required | string base64url key authorization |
{- "action": "PRESENT",
- "name": "_acme-challenge.canary.lab.dnscove.com.",
- "value": "string"
}{- "status": "ok",
- "action": "string",
- "changed": true,
- "published": true,
- "serial": 0
}| json required | string raw Route53 JSON |
{- "json": "string"
}{- "zone": {
- "id": "string",
- "tenant_id": "string",
- "origin": "string",
- "status": "PENDING_VERIFICATION",
- "ns": [
- "string"
], - "serial": 0,
- "published_serial": 0,
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z"
}, - "imported": 0,
- "skipped": [
- {
- "name": "string",
- "type": "string",
- "reason": "string"
}
], - "published": true,
- "publish_error": "string",
- "ns": [
- "string"
]
}