Domain Verification
Domain verification proves your organization owns a specific domain. This is required for:
- Issuing SSL/TLS certificates for API endpoints
- Enabling API token scoping to specific domains
- Compliance with CAB Forum Baseline Requirements
Why Verify Your Domain?
When Plexicus issues API certificates or tokens scoped to your domain, it must verify you own that domain. This prevents malicious actors from impersonating your organization.
Accessing Domain Verification
- Navigate to Settings → Domain Verification (or app.plexicus.ai/settings#domain-verification)
- You will see a list of verified domains (if any) and an option to Add Domain
Verifying a Domain via DNS TXT Record
Step 1: Start Verification
- Click Add Domain
- Enter your domain name (e.g., api.company.com or company.com)
- Click Next
Step 2: Add DNS TXT Record
Plexicus generates a unique TXT record you must add to your domain's DNS:
Record Type: TXT
Record Name: _plexicus-verify.[your-domain] (e.g., _plexicus-verify.api.company.com)
Record Value: plexicus-verification=[unique-token]
Example:
_plexicus-verify.api.company.com TXT "plexicus-verification=abc123def456xyz789"
Step 3: Add Record to Your DNS Provider
Log in to your DNS provider (e.g., Route 53, Cloudflare, GoDaddy) and add the TXT record:
AWS Route 53
- Open the Route 53 console
- Select your hosted zone
- Click Create record
- Record name: _plexicus-verify.api.company.com
- Record type: TXT
- Record value: "plexicus-verification=abc123def456xyz789"
- TTL: 300 (or default)
- Click Create records
Cloudflare
- Log in to Cloudflare
- Select your domain
- Go to DNS → Records
- Click Add record
- Type: TXT
- Name: _plexicus-verify.api.company.com
- Content: plexicus-verification=abc123def456xyz789
- TTL: Auto (or 300)
- Click Save
GoDaddy
- Log in to GoDaddy
- Go to My Products → Manage DNS
- Click Add DNS record
- Type: TXT
- Name: _plexicus-verify
- Value: plexicus-verification=abc123def456xyz789
- Click Add
Other Providers
Consult your DNS provider's documentation for adding TXT records. You need to create a record with:
- Name/Label: _plexicus-verify.[your-domain]
- Type: TXT
- Value: plexicus-verification=[token]
Step 4: Wait for DNS Propagation
DNS changes can take 5 minutes to 48 hours to propagate globally. You can check propagation status:
# Check if the record is live
dig _plexicus-verify.api.company.com TXT
# Or use an online DNS checker like mxtoolbox.com
Step 5: Verify in Plexicus
- Return to the Domain Verification page
- Click Verify Now for the pending domain
- Plexicus will:
  - Query your DNS for the TXT record
  - Validate the token format
  - Mark the domain as Verified if successful
Expected result: Status changes to Verified with a checkmark.
If verification fails, ensure:
- The TXT record is correctly added to your DNS provider
- Enough time has passed for DNS propagation (run dig to check)
- The record value matches exactly (copy-paste from Plexicus to avoid typos)
- The record name includes the full _plexicus-verify prefix
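The checks in the list above can be scripted before clicking Verify Now. This is an added example, not Plexicus code: the function names are hypothetical, the three resolver addresses are an assumption (well-known public resolvers), and the sample answer is constructed from the page's example token.

```shell
#!/bin/sh
# Added example: classify `dig +short TXT` output for the verification record.
# Only the "plexicus-verification=" prefix and "_plexicus-verify" label come
# from the page; function names are hypothetical.

# classify_txt EXPECTED_TOKEN   (reads `dig +short` output on stdin)
# Prints one of: match | mismatch | missing
classify_txt() {
    expected="plexicus-verification=$1"
    result="missing"
    while IFS= read -r line || [ -n "$line" ]; do
        # dig quotes each TXT string; a long value can arrive split as "a" "b".
        value=$(printf '%s' "$line" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        case "$value" in
            plexicus-verification=*)
                # Exact, case-sensitive comparison of the whole value.
                if [ "$value" = "$expected" ]; then
                    result="match"
                    break
                fi
                result="mismatch" ;;
        esac
    done
    printf '%s\n' "$result"
}

# check_live DOMAIN EXPECTED_TOKEN
# Asks several resolvers directly so a stale answer on one of them is visible.
# Resolver addresses are an assumption; substitute your own.
check_live() {
    name="_plexicus-verify.$1"
    for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
        status=$(dig +short TXT "$name" "@$resolver" | classify_txt "$2")
        printf '%s\t%s\t%s\n' "$resolver" "$name" "$status"
    done
}

# Constructed sample of `dig +short` output: an unrelated TXT value plus the
# page's example token split across two quoted strings.
sample_answer() {
    printf '%s\n' '"unrelated-txt-value"' \
        '"plexicus-verification=abc123" "def456xyz789"'
}

# Usage: check_live api.company.com abc123def456xyz789
```

A `mismatch` result means a verification record exists at that name but its value differs from the token shown in Plexicus; `missing` means no verification record was returned by that resolver.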
Domain Verification Statuses
| Status | Meaning |
|---|---|
| Pending | Domain added, awaiting DNS TXT record verification |
| Verified | Domain ownership confirmed; ready for use |
| Failed | Previous verification attempt failed; try again or check DNS |
| Expired | Domain verification token expired (domains expire after 30 days if not verified) |
Using Verified Domains
Once verified, your domain can be used for:
API Integration
Verified domains enable secure API communication and can be used for certificate-based authentication.
Certificate Issuance
If Plexicus issues client certificates for your API client, the certificate's Common Name (CN) will match your verified domain.
Removing a Domain
- Find the verified domain in the list
- Click Remove
- The domain and any tokens scoped to it will be deactivated
Once removed, you must re-verify if you need to re-use that domain.
Troubleshooting
"DNS record not found"
Cause: TXT record not yet added or DNS hasn't propagated.
Resolution:
- Double-check the record is added in your DNS provider
- Wait 10–15 minutes and try again
- Verify the exact record value (case-sensitive) using dig: dig _plexicus-verify.api.company.com TXT +short
- If still missing, contact your DNS provider's support
"Verification token expired"
Cause: More than 30 days have passed since the token was issued.
Resolution:
- Click Generate New Token on the pending domain
- Replace the TXT record value in your DNS provider
- Click Verify Now to try again
"Domain already verified"
Cause: This domain is already verified in your account.
Resolution:
- If this is a duplicate entry, remove it
- If you need to re-verify after a long time, click Reverify (if available)
DNS CNAME Alternative
Some organizations prefer CNAME records for easier management. Plexicus also supports CNAME verification:
Instead of a TXT record, you can add:
_plexicus-verify.api.company.com CNAME verify.plexicus.ai
This delegates verification queries to Plexicus's verification endpoint. Use this if:
- You prefer not to manage individual TXT records
- Your DNS provider handles CNAME-to-external-domain better
Both TXT and CNAME methods provide equivalent security. Choose the one your DNS provider prefers.
Security Considerations
- Token rotation: Verification tokens expire after 30 days of non-use. Re-verify to refresh.
- DNS hijacking prevention: Verify domains frequently. Stale verification allows potential takeover.
- Audit logging: All domain verification actions appear in your Audit Log.
- Minimal exposure: The DNS record is readable by anyone; it's not secret. Verification proves you control the DNS zone.
Related Pages
- Audit Log — Track all domain verification actions
- Container Registry Integration — Registry authentication and certificate management