Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

TXT DCV method

TXT record validation requires the creation of a TXT record in the hostname’s authoritative DNS.

​​ Zone setups

​​ Full zones

Certificates on full zones - whether using a wildcard hostname or not - will be automatically renewed and validated without any action from you. Cloudflare can complete DCV on your behalf by serving the TXT DCV tokens.

​​ Partial zones

For partial zones1, the process depends on whether the certificate uses a wildcard hostname.

Non-wildcard hostname certificates will automatically renew as long as every hostname on the certificate is proxying traffic through Cloudflare.

However, if one or more of the hostnames on the certificate is not proxying through Cloudflare, the certificate will not issue and you will be required to complete DCV for each hostname not proxied - which will require manually updating the DCV token or proxying the hostname - in order for the certificate to renew.

Wildcard hostname certificates will be required to use TXT based DCV for renewals of the certificate. You will need to place one TXT DCV token for every hostname on the certificate for it to successfully renew. If one or more of the hostnames on the certificate fail to validate, the certificate will not be renewed.

This means that a wildcard certificate covering and * will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.

​​ Setup

​​ Specify DCV method

If you want to use a Universal SSL certificate, you will need to edit the validation_method via the API and specify your chosen validation method.

Alternatively, you could order an advanced certificate via the dashboard or the API.

​​ Get DCV values

Once you create a new certificate and choose the validation method of TXT, your tokens will be ready after a few seconds.

These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.

You can access these tokens using the API with the GET request and including status=pending_validation as a request parameter.

For example, here are two tokens highlighted in the API response for a wildcard certificate.

"result": [
"type": "advanced",
"hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"],
"primary_certificate": "0",
"status": "pending_validation",
"certificates": [],
"created_on": "2022-10-12T21:46:21.979150Z",
"validity_days": 90,
"validation_method": "txt",
"validation_records": [
"status": "pending",
"txt_name": "",
"txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"
"status": "pending",
"txt_name": "",
"txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"
"certificate_authority": "google"
  1. Log in to the Cloudflare dashboard.
  2. Choose your account and domain.
  3. Navigate to SSL/TLS > Edge Certificates.
  4. Select a certificate.
  5. Copy the values for Certificate validation TXT name and Certificate validation TXT value.

If you had created a wildcard certificate, you would need to copy the values for two different validation TXT records.

You will need to add all of the DCV records returned in the validation_records field to your Authoritative DNS provider.

​​ Update DNS records

At your authoritative DNS provider, create a TXT record named the txt_name and containing the txt_value. Once this TXT record is in place, validation and certificate issuance will automatically complete.

​​ Complete DCV

Once you update your DNS records, you can either wait for the next retry or request an immediate recheck.

To request an immediate recheck, send another PATCH request with the same validation_method as your current validation method.

​​ Renew DCV tokens

If possible, DCV tokens for proxied hostnames are always renewed via HTTP.

However, some certificates — for example, if you are using wildcard certificates or certificates with multiple SANs or your hostname is not proxied — are not eligible for HTTP validation.

If your certificate is not eligible for HTTP validation, you will need to repeat the DCV process with your chosen method.

  1. Meaning that another DNS provider - not Cloudflare - maintains your Authoritative DNS. ↩︎