product · domain validation

Turn your domain into a verifiable Quidnug identity.

Customers should not have to take your word that oracles.yourapp.com belongs to you. Quidnug validation binds a domain to a quid via DNS, publishes the attestation into the network, re-checks on a tier-dependent cadence, and auto-revokes if the DNS record drops. You pay a subscription per validated domain; you keep the keys; the attestation is signed and anyone can verify it.

  • 4 validation tiers
  • ACME-style DNS challenge
  • 3+ resolvers quorum
  • 15m to 24h recheck cadence
  • auto-revoke on DNS drop

How it works

Six steps from claim to continuous attestation.

No new keys to manage. No hosted identity you don't already own. The validation flow follows the same pattern Let's Encrypt established for certificates: prove control via DNS, get a signed artifact, renew before it expires.

  1. CLAIM: Submit quid + domain (oracles.yourapp.com) from the console or via API.
  2. CHALLENGE: Token issued (_quidnug-challenge.oracles.yourapp.com), TTL 15m, scoped to quid.
  3. PUBLISH: Add TXT record; one-click via Cloudflare, Route 53, Google DNS, or manual paste.
  4. VERIFY: Multi-resolver check (Cloudflare, Google, Quad9, OpenDNS); quorum-of-3 required.
  5. ATTEST: Signed TRUST edge from quidnug root → your quid, domain-scoped in operators.network.…
  6. RENEW: Continuous re-check, hourly to daily (tier-dependent); auto-revoke on drop.

ACME-style verification. Open-source tooling. Cryptographic output.

Step 1 happens through the console or the validation API. Step 2 returns a 32-byte random token scoped to your quid and domain; publishing anything else in the TXT record fails verification. Step 3 is where most customers plug in a DNS integration, which auto-creates the record via your provider's API so you never paste anything manually.

Step 4 resolves the TXT record through at least three independent public resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9, OpenDNS 208.67.222.222) and requires majority agreement. This protects against split-horizon DNS, rogue resolvers, and intermediate tampering.

Step 5 is the output you actually buy: a signed TRUST edge from the quidnug root quid to your quid, scoped to operators.<your-domain>.network.quidnug.com, at a trust level determined by your tier. The edge lives on the public network and anyone, including your own customers, can verify it without asking us.

Step 6 runs on a schedule tied to your tier. If the TXT record disappears, we auto-publish a revocation edge at level zero and notify you. Re-claim by publishing the TXT record again.
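
The challenge check from steps 2 and 4, as an added Go example (not Quidnug's own code): each resolver is queried for the TXT record at `_quidnug-challenge.<domain>`, and the token must match exactly on at least a quorum of them. The function names, the assumption that the TXT value is the bare token, and the quorum parameter are illustrative; the resolver answers in `main` are constructed so the block runs offline.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"net"
)

// lookupTXT abstracts one resolver so the quorum logic can be run offline.
type lookupTXT func(ctx context.Context, name string) ([]string, error)

// viaResolver pins TXT lookups to a single resolver, e.g. "1.1.1.1:53".
func viaResolver(addr string) lookupTXT {
	r := &net.Resolver{PreferGo: true, Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, network, addr)
	}}
	return r.LookupTXT
}

// static is a constructed resolver that always returns the same records.
func static(recs ...string) lookupTXT {
	return func(context.Context, string) ([]string, error) { return recs, nil }
}

// verify counts the resolvers whose TXT answer contains exactly the token.
// A resolver error or any other value counts as a "no" vote.
func verify(ctx context.Context, domain, token string, rs []lookupTXT, quorum int) (int, bool) {
	votes := 0
	for _, lookup := range rs {
		recs, err := lookup(ctx, "_quidnug-challenge."+domain)
		if err != nil {
			continue
		}
		for _, r := range recs {
			if subtle.ConstantTimeCompare([]byte(r), []byte(token)) == 1 {
				votes++
				break // one vote per resolver, however many records match
			}
		}
	}
	return votes, votes >= quorum
}

func main() {
	tok := "constructed-token" // constructed; the page describes a 32-byte random token
	rs := []lookupTXT{static(tok), static(tok), static("stale"), static(tok)}
	fmt.Println(verify(context.Background(), "oracles.yourapp.com", tok, rs, 3)) // 3 true
}
```

Against live DNS, build the slice with `viaResolver` for each resolver address and pass a context with a deadline. On a scheduled recheck, a `false` result is the condition step 6 describes as leading to revocation.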

Validation tiers

Four depths of verification, matched to four pricing tiers.

Each tier earns a badge visible to anyone inspecting your validated edges on the trust graph. Deeper tiers bundle faster recheck, more domains, legal-entity KYB, and finally cross-signing authority.

  • TIER 0 · Free: email verified, 1 domain, 24h recheck
  • TIER 1 · Pro: DNS ownership, per-domain pricing, 1h recheck · SLA-lite
  • TIER 2 · Business: legal entity attested, KYB + DNS + SLA, 15m recheck · API access
  • TIER 3 · Governance Partner: cross-sign authority, co-operate a seed node, custom contract

Who this is for

Anyone with a domain whose legitimacy matters.

reviews operators

Reviews platforms built on QRP-0001

Your reviews.yourdomain.com quid is the root your reviewers' topical trust hangs off of. A validated root means the trust edges you publish are indistinguishable from those any other legitimate operator publishes.

oracle operators

Price feeds, data oracles

Downstream consumers of oracles.price-feeds.yourfeed.com can verify end-to-end that the quid signing the feed controls the domain its consumers depend on, and that the control has been continuously re-verified.

credentialing bodies

Credentials, attestations, registries

Medical boards, bar associations, trade associations, and certification authorities all live in a world where the identity of the attester is the whole point. The legal-entity tier bundles your registered-business documentation into the attestation.

custodians + signing services

Custody providers, enterprise signing

High-value multisig arrangements need verifiable proof that each signer is who they claim. Validation pairs naturally with guardian-recovery quorums under the same domain tree.

ai agent operators

AI agent publishers

An agent signing outputs under agents.yourai.com needs its operator identity to be third-party verifiable so downstream systems can trust (or refuse) its outputs.

federated operators

Consortium participants

A federation of hospitals, newsrooms, or fraud-signal sharing partners can all run their own nodes under their own domains; validation gives the consortium a shared way to attest each member's identity without anyone running a CA.

DNS integrations

Works with every major DNS provider.

Three cloud providers ship day one with OAuth or token-scoped API integration. Consumer registrars roll in over the first quarter. Any provider, including obscure ones, works via manual TXT paste.

Shipping day one

  • Cloudflare: API token · zone-scoped (live)
  • AWS Route 53: IAM assume-role (live)
  • Google Cloud DNS: OAuth · workload identity (live)

Coming soon

  • Namecheap: API key (planned)
  • GoDaddy: API key + secret (planned)
  • Porkbun: API key (planned)
  • DigitalOcean DNS: personal access token (planned)
  • Azure DNS: service principal (planned)
  • Hurricane Electric: manual TXT (planned)
  • Manual TXT paste: any registrar (always)

What "validated" gets you

A signed artifact, not a marketing claim.

On your website

A small embed that shows your current tier badge with a link to the public verification page. Anyone can click through and see the signed edge, the DNS record we observed, and the last recheck timestamp.

On the trust graph

A TRUST edge in operators.network.quidnug.com at a tier-dependent level. Any Quidnug node, yours or anyone else's, can verify without contacting us.

In reviews / oracles / credentials

Applications built on QRP-0001 or other domain-level protocols can surface the badge in-product so end users see whose trust graph they're inside.

In your customers' audits

The signed edge, with DNS challenge transcript, is exportable as a compliance artifact. Auditors verify third-party attestation without relying on quidnug.com's availability.

Open-source protocol, verified domains, one subscription.

The protocol is Apache 2.0. The node is Go. You can run the whole stack yourself. Validation is the paid service that saves you from running your own attestation CA.