Restrict/scope API tokens to a subdomain

API Tokens are good, but it would be much better if they could be scoped to a specific subdomain.

I believe this is the same request as "Having different api key per domain", from nearly a year ago - any progress since then?

My specific use case here is an ACME DNS-01 client that I want to scope to the specific subdomain that the client is on, such that if that token were to be compromised the rest of my domain is safe.

+1 For this, would love to see.

I have a few remote servers that I’d like to run a Dynamic DNS script on, but I don’t want to risk giving edit access to my entire domain in case those boxes were to be compromised.

+1 on API tokens with scope limited to specific subdomains

This is still relevant as a means to grant a host the ability to obtain a Let’s Encrypt certificate for a subdomain (e.g., by giving it the API token, without granting it the ability to mess with all records for the domain (

Is there any news on this?

Hi @kidmose,

It would be possible with subdomain zones: since API tokens are scoped by zone, you could limit it to just a specific subdomain. This feature, however, is currently restricted to those on an Enterprise plan.

Is this only available on Enterprise or Business as well?

I do not see this feature listed anywhere.

Hi @mike.fallen,

If you mean about the subdomain zone feature, then yes:

Using subdomain configuration seems like a very complicated way to achieve the desired result. In even a moderately sized business you would end up with hundreds of subdomains relatively quickly.

I’ll bump this. I have been wishing there was a way to specify that you only want an API key to manage one specific subdomain. Even if it does become a ton of zones, that flexibility would be nice and I’d gladly do it that way if it were a reasonable option for an individual.

+1 on API tokens with scope limited to specific resource records (LetsEncrypt being the primary use case here)