500+ TLDs
Register, transfer, renew, lock, push WHOIS. EPP / authcodes handled.
A single REST API at /api/v1 for ICANN-accredited domain registration, DV/OV/EV/Wildcard SSL, and DirectAdmin hosting. Bearer auth. JSON envelope. Signed webhooks. Your customers stay on your platform — we run the infrastructure.
DV, OV, EV, wildcard. ACME challenges and CA orchestration are ours.
A, AAAA, CNAME, MX, TXT, NS, SRV, CAA. CRUD with TTL controls.
DirectAdmin shared hosting. Provision, suspend, rotate, billable usage.
HMAC-SHA256, exponential retry, no missed events.
Mint a key in the API Partner dashboard — you'll see the plaintext exactly once. The prefix (e.g. gg_live_pk_aBCd) is safe to log; the full secret is not. Revoke at any time; clients using a revoked key get 401 immediately.
# Sanity-check your key
curl https://gigaglobe.com/api/v1/me \
  -H "Authorization: Bearer gg_live_pk_YOUR_32_CHAR_SUFFIX"
{
  "data": {
    "object": "domain",
    "id": "dom_42",
    "name": "acmecorp.com",
    ...
  },
  "meta": { "request_id": "abc123" }
}

{
  "data": [ {...}, {...} ],
  "total": 142,
  "has_more": true,
  "meta": { "request_id": "abc123" }
}

{
  "error": {
    "type": "invalid_request_error",
    "code": "not_found",
    "message": "Domain not found.",
    "param": "domain"
  },
  "meta": { "request_id": "abc123" }
}
Every response also includes X-Request-Id. Quote it when contacting support.
Register a domain
curl https://gigaglobe.com/api/v1/domains \
  -H "Authorization: Bearer $GG_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "acmecorp.com",
    "customer_id": "cust_42abc",
    "years": 2,
    "nameservers": ["ns1.gigaglobe.com","ns2.gigaglobe.com"]
  }'
Issue a DV certificate
curl https://gigaglobe.com/api/v1/ssl \
  -H "Authorization: Bearer $GG_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "common_name": "app.acmecorp.com",
    "cert_type": "dv",
    "customer_id": "cust_42abc",
    "san_names": ["www.app.acmecorp.com"]
  }'
Subscribe to webhook events
curl https://gigaglobe.com/api/v1/webhooks \
  -H "Authorization: Bearer $GG_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "url": "https://your.app/webhook", "events": ["domain.*","ssl.issued"] }'
Every delivery includes:
X-GigaGlobe-Signature: t=<unix>,v1=<hex>
X-GigaGlobe-Event: domain.registered
X-GigaGlobe-Delivery: dlv_…
Verify by computing HMAC_SHA256(secret, "{t}.{raw_body}") and constant-time-comparing to v1. Reject if |now - t| > 300s.
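// Node.js, inside an Express-style handler; rawBody is the unparsed request body
const crypto = require('crypto');
const sig = req.headers['x-gigaglobe-signature'] || '';
const parts = Object.fromEntries(
  sig.split(',').map(s => s.trim().split('='))
);
const t = Number(parts.t);
// A missing or non-numeric t would make the comparison NaN and skip the staleness check
if (!Number.isFinite(t) || Math.abs(Date.now() / 1000 - t) > 300) return res.status(400).end();
const expected = Buffer.from(
  crypto.createHmac('sha256', SECRET)
    .update(parts.t + '.' + rawBody)
    .digest('hex')
);
const given = Buffer.from(parts.v1 || '');
// timingSafeEqual throws when the lengths differ, so compare lengths first
if (given.length !== expected.length ||
    !crypto.timingSafeEqual(expected, given)) return res.status(400).end();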
// PHP
$sig = $_SERVER['HTTP_X_GIGAGLOBE_SIGNATURE'] ?? '';
// Reject a missing or malformed header instead of reading unset matches
if (!preg_match('/t=(\d+),v1=([a-f0-9]+)/', $sig, $m)) { http_response_code(400); exit; }
[$t, $v1] = [$m[1], $m[2]];
$body = file_get_contents('php://input');
$expected = hash_hmac('sha256', $t.'.'.$body, $SECRET);
if (abs(time() - (int)$t) > 300) { http_response_code(400); exit; }
if (!hash_equals($expected, $v1)) { http_response_code(400); exit; }
// trusted — handle the event
$event = json_decode($body, true);
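# Python (Flask)
import hmac, hashlib, time
from flask import request, abort
sig = request.headers.get('X-GigaGlobe-Signature', '')
body = request.get_data()  # raw bytes, exactly as received
try:
    t, v1 = [p.split('=')[1] for p in sig.split(',')]
    ts = int(t)
except (IndexError, ValueError):
    abort(400)  # missing or malformed header
expected = hmac.new(
    SECRET.encode(),
    t.encode() + b'.' + body,
    hashlib.sha256
).hexdigest()
if abs(time.time() - ts) > 300: abort(400)
if not hmac.compare_digest(expected.encode(), v1.encode()): abort(400)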
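// Go, inside an http.HandlerFunc; body is the raw request body ([]byte)
sig := r.Header.Get("X-GigaGlobe-Signature")
// parse t= and v1= from "t=<unix>,v1=<hex>"
var t, v1 string
for _, p := range strings.Split(sig, ",") {
	k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
	if k == "t" { t = v } else if k == "v1" { v1 = v }
}
tsInt, err := strconv.ParseInt(t, 10, 64)
if err != nil { http.Error(w, "bad sig", 400); return }
mac := hmac.New(sha256.New, []byte(secret))
mac.Write([]byte(t + "." + string(body)))
expected := hex.EncodeToString(mac.Sum(nil))
if math.Abs(float64(time.Now().Unix()-tsInt)) > 300 {
	http.Error(w, "stale", 400); return
}
if !hmac.Equal([]byte(expected), []byte(v1)) {
	http.Error(w, "bad sig", 400); return
}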
Retry policy: immediate, +30s, +2m, +10m, +1h, +6h, +24h. After 7 failed attempts the delivery is abandoned. After 100 consecutive failures the webhook is auto-disabled and you'll get an email.
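An added example (not GigaGlobe's code) of the verification rule above as one testable Python function, extended with duplicate suppression inside the 300 s window. The signed string is "{t}.{raw_body}", so X-GigaGlobe-Delivery is not covered by the signature and the dedup key here is the verified signature itself. The names WebhookVerifier and sign, the in-memory cache and the constructed sender are assumptions for illustration.

```python
import hashlib
import hmac
import time


def sign(secret: bytes, t: int, raw_body: bytes) -> str:
    """Constructed sender side: HMAC_SHA256(secret, "{t}.{raw_body}") as a header value."""
    mac = hmac.new(secret, str(t).encode() + b"." + raw_body, hashlib.sha256)
    return f"t={t},v1={mac.hexdigest()}"


class WebhookVerifier:
    """Hypothetical receiver: signature check, 300 s window, duplicate suppression."""

    def __init__(self, secret: bytes, tolerance: int = 300):
        self.secret = secret
        self.tolerance = tolerance
        self._seen = {}  # verified signature -> its t; in-memory, single process

    def verify(self, header: str, raw_body: bytes, now=None) -> str:
        """Return "ok" or the reason for rejection."""
        now = time.time() if now is None else now
        fields = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
        t, v1 = fields.get("t", ""), fields.get("v1", "")
        # isdigit() alone accepts characters such as superscripts that int() rejects
        if not (t.isascii() and t.isdigit() and len(t) <= 12) or not v1.isascii():
            return "malformed"
        if abs(now - int(t)) > self.tolerance:
            return "stale"
        expected = hmac.new(
            self.secret, t.encode() + b"." + raw_body, hashlib.sha256
        ).hexdigest()
        # compare_digest returns False on a length mismatch instead of raising
        if not hmac.compare_digest(expected, v1):
            return "bad_signature"
        # Entries older than the window can go: the staleness check rejects them
        self._seen = {s: ts for s, ts in self._seen.items()
                      if abs(now - ts) <= self.tolerance}
        if expected in self._seen:
            return "duplicate"
        self._seen[expected] = int(t)
        return "ok"
```

Whether a retried delivery reuses the original t and signature is not stated on the page, so event handlers should stay idempotent either way.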
Identity & domains
GET /me
GET /domains
POST /domains
POST /domains/search
GET /domains/{id}
GET /domains/{id}/availability
PATCH /domains/{id}
POST /domains/{id}/transfer
POST /domains/{id}/renew
DNS
GET /domains/{id}/dns
POST /domains/{id}/dns
DELETE /domains/{id}/dns/{record}
SSL
GET /ssl
POST /ssl
GET /ssl/{id}
POST /ssl/{id}/renew
POST /ssl/{id}/reissue
Hosting
GET /hosting
POST /hosting
GET /hosting/{id}
POST /hosting/{id}/suspend
POST /hosting/{id}/unsuspend
POST /hosting/{id}/password
Billing (read-only)
GET /orders
GET /orders/{id}
GET /invoices
GET /invoices/{id}
Webhooks & usage
GET /webhooks
POST /webhooks
PATCH /webhooks/{id}
DELETE /webhooks/{id}
POST /webhooks/{id}/test
GET /usage
Open the full spec at /api/v1/openapi.json — load it into Stoplight, Swagger UI, or your code generator.
25 requests, pre-wired auth, all body examples. Set base_url + api_key and run.
Generate SDKs in any language. Hosted at /api/v1/openapi.json for tools to load directly.
Every additive change to v1 — new fields, new endpoints, new event names — with dates.
Stuck on a request_id? Email developers@gigaglobe.com — humans, not bots.
Sign in to the API Partner dashboard, click Mint key, and curl /api/v1/me to verify.