Domain Verification

Domain verification proves your organization owns a specific domain. This is required for:

  • Issuing SSL/TLS certificates for API endpoints
  • Enabling API token scoping to specific domains
  • Compliance with CAB Forum Baseline Requirements

Why Verify Your Domain?

When Plexicus issues API certificates or tokens scoped to your domain, it must verify you own that domain. This prevents malicious actors from impersonating your organization.

Accessing Domain Verification

  1. Navigate to Settings → Domain Verification (or app.plexicus.ai/settings#domain-verification)
  2. You will see a list of verified domains (if any) and an option to Add Domain

Verifying a Domain via DNS TXT Record

Step 1: Start Verification

  1. Click Add Domain
  2. Enter your domain name (e.g., api.company.com or company.com)
  3. Click Next

Step 2: Add DNS TXT Record

Plexicus generates a unique TXT record you must add to your domain's DNS:

Record Type: TXT
Record Name: _plexicus-verify.[your-domain] (e.g., _plexicus-verify.api.company.com)
Record Value: plexicus-verification=[unique-token]

Example:

_plexicus-verify.api.company.com TXT "plexicus-verification=abc123def456xyz789"

Step 3: Add Record to Your DNS Provider

Log in to your DNS provider (e.g., Route 53, Cloudflare, GoDaddy) and add the TXT record:

AWS Route 53

  1. Open the Route 53 console
  2. Select your hosted zone
  3. Click Create record
  4. Record name: _plexicus-verify.api.company.com
  5. Record type: TXT
  6. Record value: "plexicus-verification=abc123def456xyz789"
  7. TTL: 300 (or default)
  8. Click Create records

Cloudflare

  1. Log in to Cloudflare
  2. Select your domain
  3. Go to DNS → Records
  4. Click Add record
  5. Type: TXT
  6. Name: _plexicus-verify.api.company.com
  7. Content: plexicus-verification=abc123def456xyz789
  8. TTL: Auto (or 300)
  9. Click Save

GoDaddy

  1. Log in to GoDaddy
  2. Go to My Products → Manage DNS
  3. Click Add DNS record
  4. Type: TXT
  5. Name: _plexicus-verify
  6. Value: plexicus-verification=abc123def456xyz789
  7. Click Add

Other Providers

Consult your DNS provider's documentation for adding TXT records. You need to create a record with:

  • Name/Label: _plexicus-verify.[your-domain]
  • Type: TXT
  • Value: plexicus-verification=[token]

Step 4: Wait for DNS Propagation

DNS changes can take 5 minutes to 48 hours to propagate globally. You can check propagation status:

# Check if the record is live
dig _plexicus-verify.api.company.com TXT

# Or use an online DNS checker like mxtoolbox.com

Step 5: Verify in Plexicus

  1. Return to the Domain Verification page
  2. Click Verify Now for the pending domain
  3. Plexicus will:
    • Query your DNS for the TXT record
    • Validate the token format
    • Mark the domain as Verified if successful

Expected result: Status changes to Verified with a checkmark.

Note

If verification fails, ensure:

  1. The TXT record is correctly added to your DNS provider
  2. Enough time has passed for DNS propagation (run dig to check)
  3. The record value matches exactly (copy-paste from Plexicus to avoid typos)
  4. The record name includes the full _plexicus-verify prefix
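
The checks in this list can be scripted. The following is an added example, not Plexicus tooling: it parses `dig +short` output and separates a missing record from one whose value does not match exactly, including the case where a DNS provider stored literal quote characters. The function names and return codes are assumptions of this example; the record name and value format are the ones shown above.

```bash
#!/usr/bin/env bash
# Added example. check_txt reads `dig +short` output on stdin and takes the
# token shown in Plexicus as $1. Return codes (an assumption of this example):
#   0 = exact match, 1 = no verification record seen, 2 = record present but wrong.
check_txt() {
    expected="plexicus-verification=$1"
    found=0
    while IFS= read -r line; do
        # dig wraps TXT data in one pair of double quotes; strip only that pair.
        value=${line#\"}
        value=${value%\"}
        case "$value" in
            *plexicus-verification=*)
                found=1
                # Exact, case-sensitive comparison, as the page requires.
                [ "$value" = "$expected" ] && return 0
                ;;
        esac
    done
    [ "$found" -eq 1 ] && return 2
    return 1
}

# verify_domain DOMAIN TOKEN [RESOLVER]: query the record and explain the result.
verify_domain() {
    name="_plexicus-verify.$1"
    rc=0
    dig +short ${3:+"@$3"} "$name" TXT | check_txt "$2" || rc=$?
    case "$rc" in
        0) echo "$name: value matches; click Verify Now" ;;
        1) echo "$name: no verification TXT record visible; not added or not propagated" ;;
        2) echo "$name: record found but value differs; re-copy it from Plexicus" ;;
    esac
    return "$rc"
}

# Run only when called with arguments, e.g.:
#   ./check.sh api.company.com abc123def456xyz789 1.1.1.1
if [ "$#" -ge 2 ]; then
    verify_domain "$@"
fi
```

Pass a resolver as the third argument to compare what different resolvers return while the change propagates.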

Domain Verification Statuses

Status    Meaning
Pending   Domain added, awaiting DNS TXT record verification
Verified  Domain ownership confirmed; ready for use
Failed    Previous verification attempt failed; try again or check DNS
Expired   Domain verification token expired (domains expire after 30 days if not verified)

Using Verified Domains

Once verified, your domain can be used for:

API Integration

Verified domains enable secure API communication and can be used for certificate-based authentication.

Certificate Issuance

If Plexicus issues client certificates for your API client, the certificate's Common Name (CN) will match your verified domain.

Removing a Domain

  1. Find the verified domain in the list
  2. Click Remove
  3. The domain and any tokens scoped to it will be deactivated

Once removed, you must re-verify if you need to re-use that domain.

Troubleshooting

"DNS record not found"

Cause: TXT record not yet added or DNS hasn't propagated.

Resolution:

  1. Double-check the record is added in your DNS provider
  2. Wait 10–15 minutes and try again
  3. Verify the exact record value (case-sensitive) using dig:
    dig _plexicus-verify.api.company.com TXT +short
  4. If still missing, contact your DNS provider's support

"Verification token expired"

Cause: More than 30 days have passed since the token was issued.

Resolution:

  1. Click Generate New Token on the pending domain
  2. Replace the TXT record value in your DNS provider
  3. Click Verify Now to try again

"Domain already verified"

Cause: This domain is already verified in your account.

Resolution:

  • If this is a duplicate entry, remove it
  • If you need to re-verify after a long time, click Reverify (if available)

DNS CNAME Alternative

Some organizations prefer CNAME records for easier management. Plexicus also supports CNAME verification:

Instead of a TXT record, you can add:

_plexicus-verify.api.company.com CNAME verify.plexicus.ai

This delegates verification queries to Plexicus's verification endpoint. Use this if:

  • You prefer not to manage individual TXT records
  • Your DNS provider handles CNAME-to-external-domain better

Warning

Both TXT and CNAME methods provide equivalent security. Choose the one your DNS provider prefers.

Security Considerations

  • Token rotation: Verification tokens expire after 30 days of non-use. Re-verify to refresh.
  • DNS hijacking prevention: Verify domains frequently. Stale verification allows potential takeover.
  • Audit logging: All domain verification actions appear in your Audit Log.
  • Minimal exposure: The DNS record is readable by anyone; it's not secret. Verification proves you control the DNS zone.