Domainee
Sign inGet started

EPP auth code

The EPP auth code is the password that lets you transfer a domain between registrars. Always rotates after a transfer for security.

The EPP auth code (also called EPP code, auth-info code, transfer code, or AuthInfo) is a secret string that authorizes the transfer of a domain from one registrar to another. EPP stands for Extensible Provisioning Protocol, the protocol registrars use to talk to registries.

When you transfer a domain:

  1. You get the auth code from your current (losing) registrar.
  2. You initiate the transfer at the new (gaining) registrar, providing the code.
  3. The gaining registrar relays it to the registry via EPP.
  4. The registry verifies the code matches the one on file and pushes the domain over.

Without the right code, the transfer doesn't happen.

Where to find it

Your current registrar's domain settings will have "EPP code" or "Transfer authorization code" near the transfer/lock section. Click reveal, copy. Some registrars email it to the registrant email address rather than display it inline.

Common gotcha: the registrar may also need you to disable the registrar lock before they'll give you the code.

What the code looks like

The format depends on the registry. Roughly:

  • Most modern gTLDs: 6-32 character alphanumeric mix, often including special chars. Example: 8KJ@h7!Lq3Mv9pQz.
  • Some legacy TLDs: simple 8-12 character alphanumeric.
  • Some ccTLDs use a different transfer mechanism entirely (.de uses DENIC's CHANGE order, .uk uses an "IPS tag" change at Nominet).

Why it rotates

After a successful transfer, the new registrar will generate a new code. You can't reuse the old one. This is a security feature: even if the old code was leaked, it can't be used to transfer again.

How it can go wrong

  • Code expired. Some registrars expire the code after 7-30 days. Get it as close to starting the transfer as possible.
  • Whitespace. Copy-paste sometimes grabs leading/trailing whitespace. Most registrars trim, some don't.
  • Wrong code for wrong domain. If you have multiple domains at the same registrar, double-check you're using the right code for the right domain.
  • Special chars. Some registrars URL-encode the code in API submissions but don't decode it back. Compare what you have to what the gaining registrar shows.

In a custom-domain SaaS

If your platform helps users bring an existing domain over rather than registering a new one, the auth code is the central friction point. Document the location of the code in the UI of the 3 or 4 most common registrars (GoDaddy, Namecheap, Cloudflare, Google Domains historical), so support tickets stop being "where's the code?"

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.