Skip to content

TXT

TXT record validation requires the creation of a TXT record in the hostname's authoritative DNS.


When to use

Generally, you should use TXT-based DCV when you cannot use HTTP validation or Delegated DCV.

Non-wildcard custom hostnames

If your custom hostname does not include a wildcard, Cloudflare will always and automatically attempt to complete DCV through HTTP validation, even if you have selected TXT for your validation method.

This HTTP validation should succeed as long as your customer is pointing to your custom hostname and they do not have any CAA records blocking your chosen certificate authority.

Wildcard custom hostnames

To validate a certificate on a wildcard custom hostname, you should either set up Delegated DCV or TXT-based DCV.

Cloudflare recommends Delegated DCV as it is much simpler for you and your customers.

If you choose TXT-based DCV, Cloudflare requires two TXT DCV tokens - one for the apex and one for the wildcard - to be placed at your customer’s authoritative DNS provider in order for the wildcard certificate to issue or renew.

These two tokens are required because Let’s Encrypt and Google Trust Services follow the ACME Protocol, which requires one DCV token to be placed for every hostname on the certificate.

This means that - if you choose to use wildcard custom hostnames - you will need a way to share these DCV tokens with your customer.


1. Get TXT tokens

Once you create a new hostname and choose this validation method, your tokens will be ready after a few seconds.

These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.

You can access these tokens using the API with the GET custom hostnames endpoint.

For example, here are two tokens highlighted in the API response for a wildcard custom hostname.

Response
{
"result": [
{
"id": "<HOSTNAME_ID>",
"hostname": "<HOSTNAME>",
"ssl": {
"id": "<CERTIFICATE_ID>",
"type": "dv",
"method": "txt",
"status": "pending_validation",
"validation_records": [
{
"status": "pending",
"txt_name": "_acme-challenge.<HOSTNAME>",
"txt_value": "gESljTB8fBT1mIuoEASU0qcK-oTd46baarnU_ZGjJIY"
},
{
"status": "pending",
"txt_name": "_acme-challenge.<HOSTNAME>",
"txt_value": "Pd8ViwX8KuA78kLbQHGmdEh4tQSpHBRxiNuJOYStEC0"
}
],
"settings": {
"min_tls_version": "1.0"
},
"bundle_method": "ubiquitous",
"wildcard": true,
"certificate_authority": "google"
},
"status": "pending",
"ownership_verification": {
"type": "txt",
"name": "_cf-custom-hostname.<HOSTNAME>",
"value": "ac4a9a9d-5469-44cb-9d76-cea7541c9ff8"
},
"ownership_verification_http": {
"http_url": "http://<HOSTNAME>/.well-known/cf-custom-hostname-challenge/fabdf93c-a4ce-4075-9f3f-c553a5f93bed",
"http_body": "ac4a9a9d-5469-44cb-9d76-cea7541c9ff8"
},
"created_at": "2022-10-06T19:35:33.143257Z"
}
]
}

2. Share with your customer

You will then need to share these TXT tokens with your customers.

3. Add DNS records (customer)

Your customers should place these at their authoritative DNS provider under the "_acme-challenge" DNS label. Once these TXT records are in place, validation and certificate issuance will automatically complete.

If you would like to request an immediate recheck, rather than wait for the next retry, send a PATCH request with the same values as your initial POST request.

4. (Optional) Fetch new tokens

Your DCV tokens expire after a certain amount of time, depending on your certificate authority.

This means that, if your customers take too long to place their tokens at their authoritative DNS provider, you may need to get new tokens and re-share them with your customer.