Skip to main content

DigitalOcean DNS

DigitalOcean uses a single Personal Access Token with Domains:Read and Domains:Write scopes. Propagation is fast (under 60 s); rate limits are per-token and very generous.

Prerequisites

  • A DigitalOcean account that owns the domain.
  • Permission to create Personal Access Tokens (account owner or team-admin role).

Create the token

  1. DigitalOcean control panel → APITokensGenerate New Token.

  2. Name: certautopilot-dns.

  3. Scopes: Custom scopes → enable Domains:

    • domains:read
    • domains:create
    • domains:update
    • domains:delete

    Avoid account-wide Read/Write if your token hygiene can help it.

  4. Expiration: as long as your rotation policy allows.

  5. Copy the token — it is shown once.

Add the credential

  1. Settings → DNS CredentialsNewDigitalOcean.
  2. Name: digitalocean-example-prod.
  3. API token: paste.
  4. Test connectivitySave.

Config fields

FieldRequiredPurpose
api_tokenyesDigitalOcean Personal Access Token with domains scopes.

Rate limits

5000 requests per hour per token. DNS-01 uses 2 requests per validation; not a concern unless you are running thousands of certs per hour on the same token.

Propagation

DigitalOcean DNS resolves authoritatively within ~30 seconds. Default propagation settings are fine.

Troubleshooting

"Unauthorized" on every request

Token has been revoked or expired. Regenerate in the DigitalOcean console and update the credential.

"Domain not found"

The domain is not managed by DigitalOcean DNS (registered there but NS points elsewhere, or added to the account but not actually delegated). Check at DigitalOcean → Networking → Domains.

See also