Auth Code

Also known as EPP code, transfer code, or authorization code.

What is an Auth Code?

An auth code (authorization code), also known as an EPP code, transfer code, or domain secret, is a unique password assigned to each domain name. This code must be provided to successfully transfer a domain from one registrar to another, acting as a security mechanism to prevent unauthorized domain transfers.

How Auth Codes Work

The Domain Transfer Security Model

Auth codes serve as proof of domain ownership during transfers:

1. Domain owner requests auth code from current registrar

2. Registrar provides unique code (typically 6-16 alphanumeric characters)

3. Owner initiates transfer at new registrar

4. Auth code submitted as proof of authorization

5. Transfer proceeds only if code matches

6. Current registrar confirms (or auto-approves after 5 days)

Auth Code Format

Typical auth code characteristics:

Length: 8-16 characters

Format: Alphanumeric (letters + numbers)

Case: Usually case-sensitive

Example: Xy8#kL2$pQ9m

Validity: No expiration (remains same until regenerated)

Obtaining Your Auth Code

From Major Registrars

GoDaddy:

1. Log in to account

2. Navigate to Domain Settings

3. Click "Transfer domain away from GoDaddy"

4. Auth code displayed or emailed

Namecheap:

1. Domain List → Manage

2. Scroll to "Auth Code"

3. Click "Get EPP Code"

4. Code sent to admin email

Google Domains:

1. Select domain

2. Click "Transfer out"

3. Get authorization code

4. Unlock domain

Cloudflare:

1. Domain Overview

2. Configuration → Transfer

3. Get authorization code

4. Remove transfer lock

Common Methods

Control Panel: Email Request: Support Contact:

Auth Code Requirements

Prerequisites for Obtaining Auth Code

1. Domain Ownership Verification

2. Domain Status
✓ Domain unlocked (transfer lock disabled)

✓ Not in redemption period

✓ No active UDRP dispute

✓ Not within 60 days of registration or previous transfer

✓ Admin email verified and accessible

3. Account Standing

The Domain Transfer Process

Step-by-Step Transfer with Auth Code

Phase 1: Preparation (at current registrar)
Day 0:

1. Unlock domain

2. Disable WHOIS privacy (temporarily)

3. Verify admin contact email is accessible

4. Obtain auth code

5. Document current DNS settings

Phase 2: Initiation (at new registrar)
Day 0:

1. Start transfer process at new registrar

2. Enter domain name

3. Provide auth code

4. Confirm admin contact email

5. Pay transfer fee (typically includes 1-year extension)

Phase 3: Confirmation
Day 0-1:

1. Email sent to admin contact

2. Approve transfer via email link

3. Current registrar notified

4. 5-day approval window starts (or immediate with approval)

Phase 4: Completion
Day 1-7:

1. Current registrar approves (or auto-approves after 5 days)

2. Domain transfers to new registrar

3. Registration extended by 1 year

4. Transfer complete

Transfer Timeline

Immediate: New registrar receives request

Day 0-1: Approval email sent to admin contact

Day 1-5: Waiting period (unless manually approved)

Day 5: Auto-approval if current registrar doesn't respond

Day 5-7: Transfer completes

Auth Code Security

Why Auth Codes are Necessary

Without auth codes, domain hijacking would be trivial:

Without Auth Code:

Attacker initiates transfer → Domain stolen

With Auth Code:

Attacker initiates transfer → Requires auth code → Blocked

Protecting Your Auth Code

Best Practices:

1. Don't share publicly: Never post auth codes online

2. Use secure transmission: Send via encrypted email or secure channels

3. Regenerate after use: Request new auth code after transfer completes

4. Verify recipient: Confirm you're sharing with legitimate new registrar

5. Enable transfer lock: Keep domain locked when not transferring

Security Warnings

Auth Code Phishing:
Fake Email:

"Your domain is expiring! Provide your auth code to renew."

Legitimate Email:

Never asks for auth code unless YOU initiated transfer.

Social Engineering:

Common Auth Code Issues

Problem: Auth Code Not Working

Causes: Solutions:
1. Double-check exact code (copy/paste)

2. Verify domain is unlocked

3. Request fresh auth code

4. Disable WHOIS privacy temporarily

5. Confirm domain spelling

Problem: Cannot Obtain Auth Code

Causes: Solutions:
1. Check domain lock status: whois example.com | grep -i clientTransferProhibited

2. Verify 60-day eligibility

3. Resolve outstanding payments

4. Contact registrar support for holds

5. Review registrar transfer policies

Problem: Email Not Received

Causes: Solutions:
1. Check spam/junk folder

2. Verify admin contact email in WHOIS

3. Wait 1-2 hours

4. Request resend

5. Update contact email if incorrect

Auth Code vs Transfer Lock

Transfer Lock (Registrar Lock)

Separate security feature:

Transfer Lock: Prevents transfer initiation at registrar level

Auth Code: Proves authorization when transfer is initiated

Both Required for Secure Transfer:

1. Unlock domain (disable transfer lock)

2. Provide auth code (prove authorization)

Domain Status Codes

EPP status codes related to transfers:

clientTransferProhibited → Transfer locked by registrar

serverTransferProhibited → Transfer locked by registry

transferPeriod → Currently transferring

# Check status:

whois example.com | grep -i transfer

Special Transfer Scenarios

Premium Domains

Premium domains may have:

Expired Domains

Auth codes for expired domains:

Grace Period: Auth code still available

Redemption Period: Must restore before transfer (high fee)

Pending Delete: No transfers allowed

Multiple Domain Transfers

Bulk transfer considerations:

# Obtain auth codes for all domains

for domain in domain1.com domain2.com domain3.com; do

echo "Auth code for $domain: [request from registrar]"

done

# Organize codes securely

domains_authcodes.txt:

domain1.com → Xy8#kL2$pQ9m

domain2.com → Mz3%nB5@hR7k

domain3.com → Pq4&vN8!dS2w

Checking Transfer Eligibility

Pre-Transfer Checklist

# 1. Check domain lock status

whois example.com | grep -i "Status:"

# 2. Verify registration date

whois example.com | grep -i "Creation Date:"

# 3. Check last transfer date

whois example.com | grep -i "Updated Date:"

# 4. Verify admin email is accessible

whois example.com | grep -i "Admin Email:"

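# 5. Confirm DNS is documented (for continuity)

# Many servers answer ANY queries minimally (RFC 8482), so query each record type

for t in A AAAA MX TXT NS; do dig +noall +answer example.com "$t"; done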
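
The status and registration-date checks from the checklist above, combined into one function, as an added example that is not part of the original page. The function name, the blocker labels and the sample record are constructed for illustration; pendingTransfer, redemptionPeriod and pendingDelete are standard EPP status values, and the date arithmetic assumes a date command that accepts -d (GNU date).

```sh
#!/bin/sh
# Added example (not from the original page). Reads WHOIS text on stdin and
# prints one line per condition that blocks an outbound transfer.
# Usage: whois example.com | transfer_blockers "$(date -u +%Y-%m-%d)"
# Exit status: 0 = no blocker found, 1 = at least one blocker.
transfer_blockers() {
    today=$1
    record=$(cat)
    blockers=""

    # EPP status lines look like "Domain Status: <code> <url>"; keep the code only.
    statuses=$(printf '%s\n' "$record" |
        awk -F': *' 'tolower($1) ~ /status$/ { split($2, s, " "); print s[1] }')
    for st in $statuses; do
        case $st in
            clientTransferProhibited) blockers="$blockers registrar-lock" ;;
            serverTransferProhibited) blockers="$blockers registry-lock" ;;
            pendingTransfer)          blockers="$blockers transfer-in-progress" ;;
            redemptionPeriod)         blockers="$blockers redemption-period" ;;
            pendingDelete)            blockers="$blockers pending-delete" ;;
        esac
    done

    # 60-day rule, measured from the creation date. WHOIS does not expose the
    # last transfer date reliably, so that half of the rule is not checked here.
    created=$(printf '%s\n' "$record" |
        awk -F': *' 'tolower($1) ~ /creation date$/ { print substr($2, 1, 10); exit }')
    if [ -n "$created" ]; then
        age=$(( ($(date -u -d "$today" +%s) - $(date -u -d "$created" +%s)) / 86400 ))
        if [ "$age" -lt 60 ]; then
            blockers="$blockers registered-${age}-days-ago"
        fi
    fi

    for b in $blockers; do echo "$b"; done
    [ -z "$blockers" ]
}

# Constructed sample record (not real registry data).
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Creation Date: 2025-01-10T12:00:00Z
Updated Date: 2025-01-10T12:00:05Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited'

printf '%s\n' "$SAMPLE_WHOIS" | transfer_blockers 2025-02-01 || true
```

Registrars that redact or reformat WHOIS output may omit these fields, so an empty result means no blocker was found in the record, not that the transfer is guaranteed to succeed.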

Using DomScan

curl "https://domscan.net/v1/health?domain=example.com"

# Returns transfer eligibility information:

# - Lock status

# - Registration date

# - Transfer lock details

Best Practices

Before Transfer

1. Document current configuration:

- DNS records

- Email settings

- SSL certificates

- Nameservers

2. Lower DNS TTLs (optional):

24-48 hours before transfer, set TTL to 300 seconds

Allows quick DNS changes if needed

3. Backup domain data:

- Export zone file

- Screenshot DNS settings

- Save MX and TXT records

During Transfer

1. Monitor email: Check admin contact email frequently

2. Approve promptly: Don't wait for 5-day auto-approval

3. Verify DNS continuity: Ensure DNS still resolves during transfer

4. Check website/email: Confirm no disruption

After Transfer

1. Verify transfer completion: Confirm domain at new registrar

2. Re-enable transfer lock: Lock domain immediately

3. Configure DNS: Set up DNS at new registrar if needed

4. Re-enable privacy: Turn on WHOIS privacy

5. Restore TTLs: Return DNS TTLs to normal values

6. Test everything: Verify website, email, and services work

Auth Code Alternatives

Push Transfers

Internal transfers within same registrar:

Registry Transfers

Some ccTLDs use different systems:

Domain transfers are a critical domain management operation, and auth codes provide essential security. Understanding how to obtain, use, and protect auth codes ensures smooth domain transfers and prevents unauthorized domain theft.
