Fact-checked by Grok 2 weeks ago

Auth-Code

An Auth-Code, also known as an authorization code, Auth-Info code, EPP code, or transfer code (standardized as Transfer Authorization Code or TAC in the 2025 ICANN Transfer Policy update), is a unique alphanumeric generated by a to verify the identity of the domain holder during the of a (gTLD) registration from one registrar to another. It functions as a critical security mechanism within the Corporation for Assigned Names and Numbers () ecosystem, ensuring that only the rightful registrant can initiate or approve such transfers, thereby preventing unauthorized changes to ownership. The Auth-Code is generated either by the domain holder through the 's online interface (if available) or by the current upon request and is typically provided to the domain holder through secure channels, such as an online account portal or encrypted , to maintain its confidentiality. This code must be submitted by the gaining (the new provider) as part of the process, which is standardized under the (EPP) for registrations. Without a valid Auth-Code, transfers cannot proceed, and registrars are required by policy to release the code promptly upon a verified request from the domain holder, usually within five calendar days. The use of Auth-Codes has been a of since the early 2000s, evolving from ICANN's Inter-Registrar Transfer Policy to address vulnerabilities in the global .

Definition and Purpose

What is an Auth-Code?

An Auth-Code, also known as an EPP code, authorization code, transfer code, or Auth-Info Code, is a unique alphanumeric passcode generated by a to verify the ownership of a during the transfer process to another . This code acts as a measure to help prevent fraudulent or unauthorized domain transfers by confirming the identity of the domain holder. Technically, the Auth-Code is rooted in the (EPP), a for provisioning, where it functions as the "AuthInfo" element within XML commands. In EPP's mapping, the <domain:authInfo> element encapsulates information—typically a password-like string—associated with the domain object, which is essential for authorizing transfer operations and must be securely handled. Under oversight, Auth-Codes are mandatory for transfers involving all generic top-level domains (gTLDs), as stipulated in the Inter-Registrar Transfer Policy (IRTP). These codes must be unique on a per-domain basis, such as "abc123-xyz", which the domain holder is responsible for keeping confidential to maintain security.

Role in Domain Transfers

The Auth-Code serves as a critical security mechanism in domain transfers, primarily to confirm the domain holder's intent and identity while preventing unauthorized transfers. By requiring the code to initiate a transfer request via the (EPP), it ensures that only the legitimate registrant can authorize the move of a from one to another. This verification step is essential for gTLD domains under oversight, acting as a unique identifier generated by the losing . Within the transfer lifecycle, the Auth-Code is submitted by the gaining to the losing and the relevant registry to validate and approve the transfer. This process facilitates the update of the registry database, enabling the seamless relocation of the without disrupting services, provided all other prerequisites like domain unlocking are met. The integration promotes standardized operations across the ecosystem. ICANN mandates that all accredited registrars provide the Auth-Code to the domain holder upon request, with delivery required within five calendar days if no self-service option is available. Registrars cannot refuse to release the code solely due to disputes over payment between the holder and the registrar; withholding is permitted only for temporary server-side locks, which must be removed within five calendar days. By enforcing these requirements, the Auth-Code enhances the overall ecosystem's integrity, ensuring smooth among ICANN-accredited registrars while upholding standards for transfers worldwide. This applies uniformly to inter-registrar movements of eligible gTLD domains, reducing friction in the global DNS infrastructure.

History and Development

Origins in ICANN Policies

The emergence of Auth-Code, also known as AuthInfo, traces back to the late 1990s following the formation of the Internet Corporation for Assigned Names and Numbers (ICANN) in 1998, which aimed to privatize and standardize the management of the Domain Name System (DNS) after transitioning oversight from the U.S. government. This shift created a pressing need for uniform procedures to handle domain name transfers between competing registrars, as the growing commercialization of domain registrations led to fragmented practices and vulnerabilities in the transfer process. The first steps toward formalizing these mechanisms occurred in 2001, when registrars and registrants raised concerns about delays, denials, and unauthorized transfers, prompting the Domain Name Supporting Organization (DNSO) to establish a Transfer Task Force in October of that year. This task force developed recommendations to streamline registrar-to-registrar transfers and introduce authorization safeguards against hijacking, culminating in a final report in February 2003 that the GNSO Council endorsed and forwarded to the ICANN Board for adoption in April 2003. These efforts laid the groundwork for the Inter-Registrar Transfer Policy (IRTP), emphasizing registrant control and security in domain movements. A pivotal update to the IRTP explicitly defined "AuthInfo" codes as unique, per-domain identifiers generated by the losing to verify transfer requests, mandating their provision to the registrant upon request and prohibiting reuse for any other purpose. ICANN's policy archives from that year required these codes to be created solely by the current and delivered to the holder within five days, ensuring they served exclusively for transfer authentication while separate forms of handled . This specification, effective November 12, , addressed early gaps in transfer security and was implemented through the (EPP).

Evolution of Transfer Protocols

The adoption of the (EPP) as RFC 5730-5734 by the (IETF) in August 2009 marked a significant effort for provisioning, including the Auth-Code—formally known as the "authInfo" element—as an extensible authorization mechanism for transfers. This replaced earlier ad-hoc methods used by registrars, providing a structured XML-based framework where the authInfo serves as a password-like token required for approving transfer requests via the EPP command, ensuring across registries and registrars. By defining the pwAuthInfoType for secure object management, EPP integrated Auth-Code handling into core operations like domain creation, updates, and transfers, facilitating automated and scalable inter-registrar processes. In 2016, amendments to the Inter-Registrar Transfer Policy (IRTP), effective December 1, 2016, under ICANN's Revised Transfer Policy introduced standardized Forms of (FOAs) for transfers and a mandatory 60-day inter-registrar transfer lock following a Change of Registrant or initial , during which Auth-Codes could not be used for transfers unless the registrant explicitly opted out. These updates aimed to reduce fraudulent activities while maintaining transfer fluidity. Subsequent policy status reports from 2017 to 2019 highlighted implementation gaps in IRTP compliance, leading to clarifications on bulk transfer provisions that allow registrars to multiple Auth-Code-validated transfers in scenarios like registrar closures without individual approvals. More recent developments, such as the 2022 updates by InternetNZ for the .nz , transitioned from legacy Unique Domain Authentication Identifier (UDAI) codes to full Auth-Code implementation aligned with EPP standards, requiring generation of new 16-character alphanumeric codes for transfers on the updated registry . This shift, effective November 2022, discontinued UDAI formats without migration, ensuring .nz domains conform to global provisioning norms while maintaining for ongoing transfers. In 2020, the Generic Names Supporting Organization (GNSO) initiated a Policy Development Process (PDP) to review the Transfer Policy, with the working group delivering its final report in February 2025 to the GNSO Council. The report recommends enhancements to improve the ease, security, and efficacy of inter-registrar domain transfers, including clarifications on Auth-Code usage. As of November 2025, the recommendations are under consideration by the ICANN Board following public comment and GNSO Council review.

Obtaining and Using an Auth-Code

Requesting from Current Registrar

To request an Auth-Code from the current registrar, domain holders must first ensure the domain meets specific eligibility criteria established by ICANN policies. The domain must be at least 60 days old from its initial registration or any registrant contact information changes, as ICANN imposes a 60-day lock to prevent fraudulent transfers following such updates. Additionally, the domain cannot be in a redemption grace period, during which transfers are prohibited to allow for potential renewal by the original holder, nor in a pending delete status. Most critically, the domain must be unlocked by removing the clientTransferProhibited status via the Extensible Provisioning Protocol (EPP), a standard mechanism that registrars use to manage domain statuses; this lock is often enabled by default for security but must be disabled before requesting the code. The standard request process begins with the domain holder logging into their account on the registrar's website or control panel. From there, they navigate to the domain management section, select the specific domain, and locate an option such as "Get Authorization Code," "Request EPP Code," or "Transfer Out" to initiate the generation or retrieval of the Auth-Code. ICANN rules require registrars to provide this code without delay, typically within five calendar days of the request, and many allow immediate access through the dashboard for eligible domains. Registrars are obligated to support automated methods for requesting and receiving the code, including through their application programming interfaces (APIs) for bulk or programmatic access, ensuring efficiency for holders managing multiple domains. Once requested, the Auth-Code is delivered to the domain holder via secure methods such as display in the account dashboard, to the registrant's contact address on file, or direct response. For example, at , holders can view and copy the code directly from the domain settings page after unlocking, with an option to it to the registrant. Similarly, provides the EPP code instantly in the domain management interface upon request, accessible after disabling the registrar lock. These delivery options prioritize security and accessibility while complying with ICANN's emphasis on holder verification. Under 's Transfer Policy, registrars must ensure that generated Auth-Codes are unique to each , used solely for identifying the holder during transfers, and capable of being revoked or regenerated by the holder to maintain control. This includes designing codes to be non-guessable, often as alphanumeric strings of sufficient length, to prevent unauthorized access. If a registrar fails to provide the code within the required timeframe or imposes undue barriers, holders can file a with for resolution.

Transfer Process Steps

The domain transfer process using an Auth-Code follows a structured sequence governed by ICANN's Inter-Registrar Transfer Policy, ensuring secure and authorized movement of the domain registration from the to the via interactions with the registry. This workflow typically spans 5-7 days from initiation to completion, depending on processing and approval times. The Auth-Code, also known as AuthInfo, serves as the critical authorization element in the (EPP) commands exchanged between registrars and the registry. The process begins at the losing registrar, where the domain holder must first unlock the domain to remove any transfer prohibitions, such as clientTransferProhibited status, and then obtain the Auth-Code if not already generated. Unlocking disables registrar-imposed restrictions that prevent transfers, while the Auth-Code is requested through the registrar's control panel or support, with delivery required within 5 calendar days. Once obtained, the domain holder proceeds to the gaining registrar. Next, the domain holder initiates the transfer at the gaining by submitting the and the Auth-Code, often through an online transfer form. The gaining validates the provided details and sends an EPP command to the registry, incorporating the AuthInfo from the code to authenticate the request. The registry then notifies the losing of the pending via an EPP message, prompting verification. A brief reference to the EPP command structure highlights its use of XML elements like domain:transfer with for authorization. The losing must approve the , either automatically (common for non-disputed cases) or manually, within 5 days of receiving the request; failure to respond results in auto-approval under policy. Upon approval, the registry executes the by updating the domain's sponsorship to the gaining , modifying records to reflect new registrant and contact details, and applying any specified () changes. The process completes when the registry confirms the , notifying both registrars, with the domain now under the gaining registrar's ; this step typically finalizes within 5-7 days from initiation. Note that as of August 2025, the Registration Data Policy requires additional verification for redacted registrant data during transfers. Following completion, the gaining applies a 60-day inter-registrar transfer lock to prevent immediate re-transfers, as required by policy for post-transfer stability. Additionally, the transfer automatically extends the domain's registration period by (up to a maximum of 10 years), effectively renewing it under the gaining registrar's terms with a minimum one-year addition. If issues arise, such as an invalid Auth-Code, the registry rejects the EPP transfer command with a specific result code, such as 2202 indicating invalid information, requiring the domain holder to obtain a corrected code from the losing . Other common errors include domain locks or pending statuses, resolvable by contacting the relevant .

Security and Best Practices

Protection Against

The Auth-Code functions as a unique, registrant-specific authorization token required to initiate an inter-registrar , acting as a safeguard akin to a one-time or short-lived password that verifies the requester's legitimate control over the . By mandating possession of this code—typically generated and provided solely to the domain holder upon request—it prevents unauthorized parties from completing a even if they have gained partial access to registrar accounts through , social engineering, or credential compromise. This mechanism ensures that attackers cannot execute without the code, which is not publicly accessible or guessable under proper implementation. ICANN's Inter-Registrar Transfer Policy establishes strict safeguards to maintain the Auth-Code's integrity and availability, prohibiting registrars from withholding the code from the registrant. Registrars must furnish the code within five calendar days of a valid request and ensure it remains unique per , with no reuse across transfers. To enhance security, the policy aligns with (EPP) standards in 9154, recommending generation methods that achieve at least 128 bits of —such as using sufficiently long alphanumeric strings—to render the code resistant to brute-force or dictionary attacks. These requirements collectively minimize opportunities for registrar abuse or weak code vulnerabilities that could facilitate hijacking. As of 2025, updates to the Transfer Policy have reduced the change of registrant lock to 30 days (720 hours) to balance security and usability. Complementing the Auth-Code, enforces a 60-day lockout period following registration or , which bars further transfers and provides a window to detect and reverse attempts. To maximize protection, domain registrants should store Auth-Codes securely in password managers or encrypted vaults rather than unsecured notes or emails, request a new code immediately if compromise is suspected to invalidate the old one, and enable two-factor authentication (2FA) on their accounts to block unauthorized code requests. These practices, when combined with registrar locks, significantly reduce the risk of by layering verification at multiple points in the process.

Common Issues and Resolutions

One common issue during domain transfers is the use of an expired or invalid , which may occur because some impose a limited validity period of 30 to 60 days from issuance. To resolve this, the domain owner must request a new Auth-Code from the current through their or channels, ensuring the fresh code is used promptly within the transfer initiation window. non-compliance, such as unreasonable delays in providing or processing Auth-Codes, violates the (IRTP) and can halt transfers for weeks. In such cases, the affected party should escalate the matter to ICANN's team via their complaint form, explicitly citing IRTP sections on timely responses, with resolutions averaging 10 to 15 days based on reported cases. This often prompts the registrar to expedite the Auth-Code issuance or approval. Domains locked with the clientTransferProhibited status prevent Auth-Code usage and transfer attempts, a standard security feature that must be manually disabled. The resolution involves logging into the registrar's control panel, navigating to the domain's management settings, and removing the clientTransferProhibited lock before re-entering the Auth-Code in the gaining registrar's transfer tool. For diagnostics, EPP result codes like 2304 (object status prohibits operation) can confirm this status during failed attempts. Bulk transfers introduce complications when handling multiple domains, as each requires a unique Auth-Code, and manual processes can lead to errors or timeouts in high-volume scenarios, as highlighted in ICANN's reports on transfer efficiency. To address this, registrars recommend using integrations for automated bulk requests, generating and applying per-domain Auth-Codes systematically to avoid mismatches or expirations across the batch.

Variations Across Top-Level Domains

Generic Top-Level Domains (gTLDs)

In generic top-level domains (gTLDs) managed by , Auth-Codes—also known as AuthInfo codes—serve as a standardized measure required for initiating transfers between accredited registrars. This uniform application extends to all approximately 1,241 delegated gTLDs, encompassing legacy extensions like .com and .org as well as over 1,200 new gTLDs introduced through the 2012 expansion program. Registries such as , which operates .com and .net, enforce these transfers exclusively via the (EPP), where the gaining registrar must submit a valid Auth-Code to authorize the change. The Auth-Code format remains consistent across all gTLDs, consisting of a unique, registrar-generated alphanumeric string assigned on a per-domain basis to prevent unauthorized transfers. Registrars are obligated to provide this code to the domain holder upon request and must support the Standardized Form of Authorization (FOA) as an additional verification mechanism, particularly in disputed transfers or when the code alone is insufficient for confirmation. This dual approach ensures registrant control while mitigating risks of , with the Inter-Registrar Transfer Policy (IRTP) serving as the foundational framework. For example, in .com transfers, the losing must furnish the Auth-Code within five calendar days of the holder's request, and the registry completes the process within another five days unless a valid objection is raised. Similarly, new gTLDs like .app, delegated in 2015, follow identical IRTP protocols, requiring Auth-Code submission for all inter-registrar movements to maintain consistency with legacy gTLDs. ICANN's Contractual Compliance department oversees adherence through periodic audits of registrars, verifying timely Auth-Code provision and EPP compliance to uphold the policy's integrity across the gTLD ecosystem.

Country-Code Top-Level Domains (ccTLDs)

Country-code top-level domains (ccTLDs) exhibit significant variation in their adoption of Auth-Codes for domain transfers, reflecting the autonomy of national registries outside the direct oversight of . While 's Extensible Provisioning Protocol (EPP) standards, including Auth-Codes, influence many ccTLDs through voluntary alignment, implementation remains heterogeneous across the approximately 310 active ccTLDs worldwide (as of 2024). Many of these registries have integrated Auth-Codes via EPP for secure transfers, as seen in domains like .eu and .ca, where the code serves as a mandatory generated by the current to authorize the move to a new one. In contrast, others employ alternative mechanisms to prevent unauthorized transfers, prioritizing local regulatory or operational preferences. continues to encourage EPP adoption in ccTLDs through best practices as of 2025, though uptake remains voluntary. For instance, the .uk ccTLD, managed by Nominet, eschews Auth-Codes entirely in favor of (Internet Presence Service) tags, which the losing registrar must update to match the gaining 's identifier before the can proceed. This tag-based system ensures verification through registry-level coordination rather than a per-domain code. Similarly, the .nz ccTLD underwent a transition in November 2022, when the Commission (DNC, formerly NZRS) discontinued the legacy Unique Domain Authentication Identifier (UDAI)—a 16-character code valid for 30 days—and shifted to standard EPP Auth-Codes to better align with global practices. This change streamlined s by adopting a more universally recognized format, though existing UDAI values were not migrated, requiring new generations as needed. Other ccTLDs further diverge by relying on documentary or contact-based verification, often bypassing digital codes. The .hu ccTLD in , overseen by the Domain.hu registry, typically requires the domain owner to submit a signed and scanned transfer order form—complete with witness signatures—to the new , serving as primary without a code in many cases. Alternatively, if an Auth-Code is used, it must be requested from the registry post-identification, but the form remains a common fallback for non-code transfers. In regions with less developed digital infrastructure, such as .is (), transfers hinge on updating the administrative contact (admin handle) to the new registrar's details, coordinated directly with ISNIC, the national registry. Comparable processes apply to .lr () and .jm (), where registries like Data Technology Solutions and Jamaica's facilitate transfers via admin contact changes or email confirmations to the listed registrant, with no mandatory Auth-Code but optional integration in some modernized systems since the mid-2010s. These adaptations underscore the balance between security and accessibility in non-ICANN environments, where local contexts shape transfer protocols.

Alternatives to Auth-Codes

Other Authorization Methods

In registrar tag systems, such as those employed by Nominet for .uk and .co.uk domains, authorization for domain transfers occurs through the assignment and change of IPS (Internet Payment Service) tags rather than unique codes. The domain owner contacts their current registrar to update the IPS tag to match that of the gaining registrar, which effectively authorizes the transfer without requiring additional verification mechanisms like passwords or forms. This process is managed directly through the registrar's control panel or Nominet's online services, ensuring the domain is reassigned to the new entity's tag upon confirmation. Document-based authorization is utilized in registries like Hungary's .hu, where transfers mandate the submission of physical or digital forms signed by the domain owner to verify intent. For document-protected domains, the registrant must provide a specific authorization document as outlined in the registry's policies, which is then submitted to the gaining registrar or the registry for approval; this transitions the domain under factor-based authentication if needed. The form details the transfer request, including registrant identification, and extends the domain's expiry by one year upon successful processing. Non-protected domains may use an authorization code alongside, but the form serves as the primary safeguard for protected cases. Email and contact verification methods are implemented in certain country-code top-level domains, including Liberia's .lr and Jamaica's .jm, where approval relies on templated emails sent to the administrative contact for confirmation, often integrated with WHOIS record updates. In .lr transfers, the current registrar updates the domain's administrative contact to the gaining registrar's details, authorizing the shift without a separate code. Similarly, .jm processes involve notifying the admin contact via email, combined with WHOIS modifications to reflect the new registrar. Handle-based systems, exemplified by Iceland's .is under ISNIC, authorize transfers by updating the administrative or registrant NIC- at the losing to align with the gaining party's handle in the registry database. The rights holder or authorized administrative contact logs into ISNIC's using their NIC-handle to initiate the change, which serves as the verification mechanism emphasizing ongoing contact control over one-time codes. This update transfers rights and obligations to the new registrant, who must comply with standard registration rules, with ISNIC potentially requiring additional consent confirmation from the original holder. These methods can integrate with protocols like the (EPP) for automated handling in compatible registries.

Comparison of Systems

Auth-Code systems provide a high level of through their unique, domain-specific tokens that must be obtained directly from the current , minimizing the risk of unauthorized transfers compared to email-based verification methods, which are susceptible to attacks where attackers impersonate to intercept confirmation links or codes. In contrast, tag-based systems like the tags used for . domains under Nominet offer comparable protection by requiring registrar-specific identifiers and portal-based , though they necessitate access to the registry's management interface, potentially introducing additional friction for users without direct login credentials. Regarding usability, Auth-Code facilitates quicker processing for generic top-level domains (gTLDs), with registrars required to deliver the code within five calendar days of request, enabling transfers to proceed efficiently once initiated. Document-based alternatives, such as those for . domains managed by the registry, involve submitting signed physical or scanned forms, which can extend processing times to several days (typically 1-15 days depending on the method) due to manual verification and postal or upload handling. While tag systems reduce the need for unique codes, they heighten dependency on the specific registry's portal, limiting seamless inter-registrar mobility for users accustomed to standardized EPP protocols. In terms of efficiency, EPP-enabled Auth-Code mechanisms support automated transfers and bulk operations across ICANN-accredited registrars, streamlining high-volume migrations without manual intervention for each . This outperforms purely manual methods like document submissions, which lack programmatic integration and require human review at every step. ICANN's Inter-Registrar Transfer Policy (IRTP) benchmarks highlight improved transfer completion rates with standardized codes, though exact figures vary by implementation. Despite these strengths, Auth-Code systems have limitations, including code expiration periods that can lead to delays if not requested promptly, necessitating reissuance and restarting the process. Alternatives such as tags circumvent expiry issues by relying on persistent identifiers but restrict flexibility, often confining transfers within ecosystem-specific boundaries rather than enabling broad inter-registrar portability.