DomainAttest is an open protocol that lets any registrar issue a signed, short-lived attestation that an account controls a domain — and lets any marketplace verify it instantly. No TXT records. No propagation. No stale verifications.
Read the specification Why it existsSeller Marketplace Registrar │ │ │ │ list domain │ │ ├──────────────────────>│ │ │ │ redirect (OAuth) │ │<──────────────────────┤ │ │ │ │ log in with existing account + 2FA, approve │ ├───────────────────────────────────────────────>│ │ │ │ │ │ signed ownership │ │ │ attestation │ │ │<───────────────────────┤ │ │ │ │ verify signature, │ │ listing goes live │ ES256-signed · expires in minutes · valid for one marketplace only
A profile of the OAuth 2.0 authorization code flow with PKCE. No new cryptography, no new identity system, no bearer secrets to phish.
| DNS verification | DomainAttest | |
|---|---|---|
| Time | Minutes to days | Seconds |
| Seller effort | Manual record edits | One click |
| Proves | DNS control, once | Registrar-of-record ownership, now |
| Freshness | Stale forever | Renewable on demand |
| Failure mode | Mistyped records, propagation | Standard OAuth errors |
| Fraud surface | Passes with hijacked DNS | Requires registrar signature |
| Infrastructure per marketplace | Custom polling systems | Signature validation |
| Standard | Every marketplace rebuilds it | One open protocol |
Expose one authorization endpoint and one token endpoint over your existing login, and publish a JWKS. Typical effort with a modern auth stack: two to four engineering weeks.
Validate registrar-signed attestations per the spec, or integrate the DomainAttest Hub once and gain coverage of every connected registrar, current and future.
Atom operates the reference implementation (registrar + marketplace) and the DomainAttest Hub. Add yours by pull request.
DomainAttest does not replace marketplace differentiation. It standardizes exactly one commodity layer: proving who owns a domain. Marketplaces still compete on discovery, pricing, negotiation, escrow, and experience — they simply stop rebuilding the same verification system, badly, over and over.
The registrar already knows who owns the domain. Now there is a protocol that lets them say so.