Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

TXT DCV method

TXT record validation requires the creation of a TXT record in the hostname’s authoritative DNS.

​​ When to use

Generally, you need to perform TXT-based DCV when your certificate requires DCV and you cannot perform Delegated DCV.

​​ Setup

​​ Specify DCV method

If you want to use a Universal SSL certificate, you will need to edit the validation_method via the API and specify your chosen validation method.

Alternatively, you could order an advanced certificate via the dashboard or the API.

​​ Get DCV values

Once you create a new certificate and choose the validation method of TXT, your tokens will be ready after a few seconds.

These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.

You can access these tokens using the API with the GET request and including status=pending_validation as a request parameter.

For example, here are two tokens highlighted in the API response for a wildcard certificate.

"result": [
"type": "advanced",
"hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"],
"primary_certificate": "0",
"status": "pending_validation",
"certificates": [],
"created_on": "2022-10-12T21:46:21.979150Z",
"validity_days": 90,
"validation_method": "txt",
"validation_records": [
"status": "pending",
"txt_name": "_acme-challenge.<DOMAIN>.com",
"txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"
"status": "pending",
"txt_name": "_acme-challenge.<DOMAIN>.com",
"txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"
"certificate_authority": "google"
  1. Log in to the Cloudflare dashboard.
  2. Choose your account and domain.
  3. Go to SSL/TLS > Edge Certificates.
  4. Select a certificate.
  5. Copy the values for Certificate validation TXT name and Certificate validation TXT value.

If you had created a wildcard certificate, you would need to copy the values for two different validation TXT records.

​​ Update DNS records

At your authoritative DNS provider, create a TXT record named the txt_name and containing the txt_value.

Repeat this process for all the DCV records returned in the validation_records field to your Authoritative DNS provider.

If one or more of the hostnames on the certificate fail to validate, the certificate will not be issued or renewed.

This means that a wildcard certificate covering and * will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.

​​ Complete DCV

Once you update your DNS records, you can either wait for the next retry or request an immediate recheck.

To request an immediate recheck, send another PATCH request with the same validation_method as your current validation method.

​​ Renew DCV tokens

If possible, DCV tokens for proxied hostnames are always renewed via HTTP.

However, some certificates — for example, if you are using wildcard certificates or certificates with multiple SANs or your hostname is not proxied — are not eligible for HTTP validation.

If your certificate is not eligible for HTTP validation, you will need to repeat the DCV process with your chosen method. Cloudflare generates these renewal TXT tokens 30 days before certificate expiration.