Skip to content

API System Authentication


Identification for the API system is based on mutual TLS (mTLS) where the server (the API service) will verify the connected client (the Registrar client).

To access the API server, the client will need to have a valid certificate signed by one of our approved Root CA's.

The certificate needs to be sent to registry-mgr AT to be approved and attached to the registrar account.

At any given moment, there is only a single valid certificate.


Please note that prior to communicating with the API server, the AR MUST have a valid certificate attached to its registrar profile.

You can see an example for a simple check request at Technical Requirements page under the Request Section.

Automatic Certificate Renewal

To renew an expired certificate - the AR must generate a new certificate in front of the same CA as before.

Then the AR should connect to the API with the renewed certificate, when its old certificate is still valid. From this point on, the AR should only use the renewed certificate.

The automatic renewal process cannot be performed through Info request or Checkrequest.

Suspicious Certificate Blocking

If there is a suspicion of attempted assault - the AR MUST block his certificate immediately, the AR will no longer be able to use the current certificate, and it will be necessary to contact the Registry Management to insert a new certificate.

In order to REVOKE immediately the certificate, send an empty request (when still using your last certificate) to the relative routing '/revoke'.

In addition, with any suspicion that the private key has leaked, the AR should have the option to perform an immediate REVOKE in front of the CA.