Domain Verification

Domain verification proves you own or are authorized to test a domain. This is required before starting any pentest.

TLD verification hierarchy

TurboPentest uses a top-level domain (TLD) verification model. You verify a root domain once and all subdomains are automatically covered:

  • Verify example.com (the top-level domain)
  • All subdomains are automatically authorized - api.example.com, app.example.com, staging.example.com, etc.
  • No need to verify each subdomain individually

This means you can add new pentest targets under a verified domain at any time without repeating the verification process.

DNS TXT record method

  1. Register your top-level domain with TurboPentest
  2. Add a TXT record to your domain's DNS
  3. Trigger the verification check

Step-by-step

Terminal
# 1. Register your domain and get the verification token
curl -X POST https://turbopentest.com/api/tlds \
  -H "X-API-Key: $TURBOPENTEST_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'

Response:

Response
{
  "id": "tld_001",
  "domain": "example.com",
  "verificationToken": "abc123def456",
  "status": "pending"
}
Terminal
# 2. Add DNS TXT record (using your DNS provider)
# Record type: TXT
# Host: @ (or example.com)
# Value: turbopentest-verify=abc123def456
# TTL: 300

# 3. Wait for DNS propagation (typically 1-5 minutes), then verify
curl -X POST https://turbopentest.com/api/tlds/tld_001/verify \
  -H "X-API-Key: $TURBOPENTEST_API_KEY"

Expiration

Domain verifications are valid for 1 year from the date of verification. You will receive reminder emails before expiration:

ReminderWhen
First reminder60 days before expiry
Second reminder30 days before expiry
Final reminder7 days before expiry

When a verification expires, all scheduled pentests under that domain are automatically paused. You will need to re-verify the domain to resume them. Re-verification follows the same DNS TXT record process - your existing TXT record may still be in place, so you can often just trigger the verify check again.

Limitations

  • IP addresses cannot be verified (domain must be a hostname)
  • The TXT record must be on the root domain, not a subdomain
  • You must register the top-level domain - subdomains cannot be registered directly

Previous

Subscriptions & Credits

Next

API Keys

On this page