Quickstart

Zero to a live, dig-able record in five steps. Everything past step 1 is copy-paste curl. Substitute example.com for your domain as you go.

1. Get an API key

API keys are minted in the console (you need a browser once for the magic-link sign-in):

1. console.dnswiz.app → sign in.
2. Settings → API keys → New key.
3. Copy the dnswiz_… secret, it’s shown exactly once.

export DNSWIZ_API_KEY=dnswiz_xxxxxxxxxxxxxxxxxxxx
export API=https://api.dnswiz.app

2. Create a zone

curl -s -X POST $API/v1/zones \
  -H "Authorization: Bearer $DNSWIZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "example.com"}'

{
  "id": "a1b2c3d4-0000-0000-0000-000000000000",
  "name": "example.com.",
  "active": true,
  "created_at": "2026-05-28T09:00:00Z",
  "updated_at": "2026-05-28T09:00:00Z"
}

Grab the id, you’ll need it to add records:

export ZONE=a1b2c3d4-0000-0000-0000-000000000000

3. Delegate the zone

dnswiz is now authoritative for example.com, but the world doesn’t know yet. Point your registrar’s NS records at ours:

ns1.dnswiz.app
ns2.dnswiz.app

The console’s zone page shows a delegation banner that turns green once it detects the NS records have propagated (usually under 5 minutes). You can keep going while it propagates.

4. Add an A record

curl -s -X POST $API/v1/zones/$ZONE/records \
  -H "Authorization: Bearer $DNSWIZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "name": "www",
        "type": "A",
        "ttl": 300,
        "data": { "value": "203.0.113.10" }
      }'

{
  "id": "11111111-0000-0000-0000-000000000000",
  "zone_id": "a1b2c3d4-0000-0000-0000-000000000000",
  "name": "www",
  "type": "A",
  "ttl": 300,
  "data": { "value": "203.0.113.10" },
  "created_at": "2026-05-28T09:01:00Z",
  "updated_at": "2026-05-28T09:01:00Z"
}

The data shape is per record type, see Record types for all of them. A few quick ones:

// AAAA
{ "name": "www", "type": "AAAA", "ttl": 300, "data": { "value": "2001:db8::1" } }

// CNAME (non-apex only)
{ "name": "blog", "type": "CNAME", "ttl": 300, "data": { "value": "hashnode.network." } }

// MX (priority + host)
{ "name": "@", "type": "MX", "ttl": 3600, "data": { "value": "10 mx.example.com." } }

// TXT
{ "name": "@", "type": "TXT", "ttl": 300, "data": { "value": "v=spf1 include:_spf.google.com ~all" } }

5. Verify

Ask dnswiz directly (works the moment the record exists, before delegation propagates):

dig @ns1.dnswiz.app www.example.com A +short
# 203.0.113.10

Once delegation has propagated, the public resolvers agree:

dig www.example.com A +short
# 203.0.113.10

That’s it, you’re serving authoritative DNS.

Where to go next

• Pools & members: turn that A record into a health-checked, multi-region failover pool.
• TLS certs: dnswiz cert issue --name www.example.com.
• Query firewall: refuse ANY/AXFR amplification in one rule.
• API reference: every endpoint, with example requests and responses.

Notes for scripting

• Idempotency. Pass Idempotency-Key: <uuid> on any POST/PATCH/ DELETE and a retried request won’t double-apply.
• Pagination. List endpoints return { items, next_cursor }. Pass ?cursor=<next_cursor> to page; next_cursor: null means you’re done.
• Errors. Non-2xx responses are RFC 7807 problem+json; the type field links to the error catalog and X-Request-ID on the response is what we need to find it in logs.
• IP allow-list. Mint a key with a CIDR allow-list (Settings → API keys) to pin it to your CI runner’s egress range.