Unkey Deploy is currently in private beta. To get access, reach out on
Discord or email
support@unkey.com.
api.acme.com) instead of a *.unkey.app subdomain. Unkey handles TLS certificate provisioning and renewal automatically.
Add a custom domain
Open domain settings
Navigate to your project in the dashboard and click Settings. Scroll to the Custom domains section.
Enter your domain
Select the environment and enter the fully qualified domain name you want to use (for example, 
api.acme.com).Add the DNS records
Unkey generates two DNS records to add at your DNS provider:
Certificate provisioning
After DNS verification succeeds, Unkey provisions a TLS certificate from Let’s Encrypt using an ACME HTTP-01 challenge. Frontline serves the challenge token automatically during this process. Certificates renew before expiration without any action from you.If Let’s Encrypt rate limits are reached, certificate issuance retries automatically with backoff. This can add up to two hours of delay in rare cases.
DNS provider examples
- Cloudflare
- Route53
- Vercel
- Open your domain in the Cloudflare dashboard.
- Click DNS in the sidebar.
- Click Add record.
- Add the TXT record with name
_unkey.{your-subdomain}and the verification value. - Add the CNAME record with name
{your-subdomain}and the target from your Unkey dashboard. - Set the CNAME proxy status to DNS only (gray cloud) so Unkey can terminate TLS directly.
Troubleshooting
Domain stuck in verifying
Domain stuck in verifying
Confirm your DNS records have propagated. TXT records can take up to 48 hours to propagate, depending on your DNS provider. You can check propagation with:
Certificate not issued after verification
Certificate not issued after verification
Certificate provisioning starts automatically after both DNS records are verified. If the certificate isn’t issued within 30 minutes, check that your CNAME proxy status is set to DNS only (not proxied) at your DNS provider.