Restrict/scope API tokens to a subdomain

API Tokens are good, but it would be much better if they could be scoped to a specific subdomain.

I believe this is the same request as Having different api key per domain, from nearly a year ago - any progress since then?

My specific use case here is an ACME DNS-01 client that I want to scope to the specific subdomain that the client is on, such that if that token were to be compromised the rest of my domain is safe.

+1 For this, would love to see.

I have a few remote servers that I’d like to run a Dynamic DNS script on, but I don’t want to risk giving edit access to my entire domain in case those boxes were to be compromised.

+1 on API tokens with scope limited to specific subdomains

This is still relevant as a means to grant a host the ability to obtain a Let’s Encrypt certificate for a subdomain (e.g., by giving it the API token, without granting it the ability to mess with all record for the domain (

Is there any news on this?

Hi @kidmose,

It would be possible with subdomain zones, since API tokens are scoped by zone, you could limit it to just a specific subdomain. This feature, however, is currently restricted to those on an Enterprise plan.

Is this only available on Enterprise or Business as well?

I do not see this feature listed anywhere.

Hi @mike.fallen,

If you mean about the subdomain zone feature, then yes:

Using sub domain configuration seems like a very complicated way to achieve the desired result. In even a moderately sized business you would end up with hundreds of subdomains relatively quickly.

I’ll bump this. I have been wishing there was a way to specify that you only want an API key to manage one specific subdomain. Even if it does become a ton of zones, that flexibility would be nice and I’d gladly do it that way if it were a reasonable option for an individual.

+1 on API tokens with scope limited to specific resource records (LetsEncrypt being the primary use case here)

Agreed. I have LE at different sites and would like to limit each site’s access to a subdomain in case one of the keys becomes compromised.

+1 on this as well; it will make the setup with Let’s Encrypt or in general with DDNS solutions way safer and better. It could be as simple as adding an additional configuration option in the API key setup to restrict one level down from the Zone to the Record level.

It still has to be a Zone Level permission, as you’re adding a DNS record to the zone. Imagine something like UNIX permissions. You can’t set a permission for non-existent file. You have to set that permission for the directory you want it in.


It would be great if you could restrict an API Token to modify only a single DNS record or subdomain.

Here are specific use cases:

  • In AWS EC2, IP addresses are often ephemeral. Updating DNS per server could be automated with an API key and a restricted subdomain. Let’s say, create a subdomain called “dynamic” or “dyn” and let the servers modify this.

  • Let’s Encrypt certbot-dns-cloudflare needs access to the zone in order to renew certificates.

There is no reason these processes should have access to all DNS records in a zone. Just the ones they required. Do you agree?



Especially the final IPFS CICD step is to configure the DNS record.

There are multiple threads with the same request, linking to this one: Restrict/scope API tokens to a subdomain

Also useful when using a subdomain for ddns service running on a not so secure machine.