Skip to content
Good Roots Work docs Main site Open CAA tool
Good Roots Work Documentation

Public API

Public API

Section titled “Public API”

The Good Roots Work public API powers the CAA Policy Management tool. These endpoints are unauthenticated and available at:

https://goodroots.work/api/v1/

CORS is enabled for https://goodroots.work. Tenant and internal APIs are not documented here.

Endpoints

Section titled “Endpoints”

Check CAA policy

Section titled “Check CAA policy”
GET /api/v1/caa/check?domain={domain}

Walks the DNS hierarchy to find the authoritative zone, returns decoded CAA records, policy analysis, hosting detection, and Domain Connect discovery metadata.

Example:

Terminal window
curl -s "https://goodroots.work/api/v1/caa/check?domain=example.com"

CA identifiers

Section titled “CA identifiers”
GET /api/v1/caa/ca-identifiers

Returns the CA domain identifier list used by the policy editor picker. Data is loaded from CDN with Worker-side caching.

Deploy via Domain Connect

Section titled “Deploy via Domain Connect”
POST /api/v1/caa/deploy
Content-Type: application/json

Body:

{
  "domain": "example.com",
  "policy": {
    "properties": {
      "issue": { "letsencrypt.org": { "critical": false } }
    }
  }
}

Responses:

StatusMeaning
200{ "success": true, "redirectUrl": "..." } — navigate the user to the DNS provider
400Invalid domain, empty policy, unsupported provider, or too many records
503Signing not configured on the server
500Unexpected error

Requires _domainconnect TXT at the authoritative zone and a DNS provider that supports Domain Connect (e.g. Cloudflare).

See Domain Connect deploy for the full flow.

Errors

Section titled “Errors”

Errors return JSON with success: false, an error code, and a message:

{
  "success": false,
  "error": "domain_connect_unsupported",
  "message": "Could not resolve Domain Connect settings from _domainconnect TXT records",
  "timestamp": "2026-05-26T13:47:48.689Z"
}
Section titled “Related”