DigitalOcean DNS
DigitalOcean uses a single Personal Access Token with Domains:Read and Domains:Write scopes. Propagation is fast (under 60 s); rate limits are per-token and very generous.
Prerequisites
- A DigitalOcean account that owns the domain.
- Permission to create Personal Access Tokens (account owner or team-admin role).
Create the token
-
DigitalOcean control panel → API → Tokens → Generate New Token.
-
Name:
certautopilot-dns. -
Scopes: Custom scopes → enable Domains:
domains:readdomains:createdomains:updatedomains:delete
Avoid account-wide Read/Write if your token hygiene can help it.
-
Expiration: as long as your rotation policy allows.
-
Copy the token — it is shown once.
Add the credential
- Settings → DNS Credentials → New → DigitalOcean.
- Name:
digitalocean-example-prod. - API token: paste.
- Test connectivity → Save.
Config fields
| Field | Required | Purpose |
|---|---|---|
api_token | yes | DigitalOcean Personal Access Token with domains scopes. |
Rate limits
5000 requests per hour per token. DNS-01 uses 2 requests per validation; not a concern unless you are running thousands of certs per hour on the same token.
Propagation
DigitalOcean DNS resolves authoritatively within ~30 seconds. Default propagation settings are fine.
Troubleshooting
"Unauthorized" on every request
Token has been revoked or expired. Regenerate in the DigitalOcean console and update the credential.
"Domain not found"
The domain is not managed by DigitalOcean DNS (registered there but NS points elsewhere, or added to the account but not actually delegated). Check at DigitalOcean → Networking → Domains.