Add WAB DNS Discovery to your DNS platform or registrar panel so domain owners can enable or disable AI discoverability with a single toggle, just like SSL activation.
GET /api/discovery/provider/manifest
Use this endpoint to pin your integration to a stable protocol definition.
GET /api/discovery/provider/record-template?domain=example.com
Returns ready-to-write values for DNS API calls in your enable-toggle flow.
GET /api/discovery/provider/status?domain=example.com
Map status to your UI toggle badges:
POST /api/discovery/provider/verify-batch
{
"domains": ["example.com", "shop.example.com"],
"include_agent_run": false,
"callback_url": "https://provider.example/webhooks/wab",
"callback_secret": "shared-secret"
}
The optional callback pushes the final result to your webhook endpoint, together with a request id and an optional HMAC signature.
Verify the x-wab-signature header on your callback endpoint to confirm the request came from WAB.
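The signature is HMAC-SHA256 computed over the raw request body and keyed with the callback secret, encoded as hex. Compute it over the exact bytes you received, before any JSON parsing or re-serialization, because a re-encoded body will not produce the same digest.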
Node.js
const crypto = require('crypto');
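/**
 * Check the x-wab-signature value of a WAB callback against the request body.
 *
 * The expected value is the hex-encoded HMAC-SHA256 of the raw body, keyed
 * with the shared callback secret.
 *
 * @param {Buffer|string} rawBody - Request body exactly as received (unparsed).
 * @param {string|undefined} receivedSig - Value of the x-wab-signature header.
 * @param {string|Buffer} secret - Shared callback secret.
 * @returns {boolean} true only when the signature matches; false for a
 *   missing, malformed or wrong-length signature.
 */
function verifyWabSignature(rawBody, receivedSig, secret) {
  // An absent header arrives as undefined; reject it here instead of letting
  // Buffer.from() throw and turn an unauthenticated request into a 500.
  if (typeof receivedSig !== 'string') {
    return false;
  }

  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody) // raw Buffer or string
    .digest('hex');

  const expectedBuf = Buffer.from(expected, 'utf8');
  const receivedBuf = Buffer.from(receivedSig, 'utf8');

  // timingSafeEqual throws a RangeError when the lengths differ. The digest
  // length is fixed and public, so comparing lengths first reveals nothing
  // about the secret.
  if (expectedBuf.length !== receivedBuf.length) {
    return false;
  }

  // constant-time compare to prevent timing attacks
  return crypto.timingSafeEqual(expectedBuf, receivedBuf);
}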
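// Express example
// express.raw() leaves req.body as the received bytes, which is what the
// signature was computed over. Do not put a JSON body parser in front of
// this route.
app.post('/webhooks/wab', express.raw({ type: '*/*' }), (req, res) => {
  const secret = process.env.WAB_CALLBACK_SECRET;
  if (!secret) {
    // Fail closed: with an empty key the HMAC could be computed by anyone.
    return res.status(500).send('Webhook secret not configured');
  }

  const sig = req.headers['x-wab-signature'];
  // Reject before verifying when the header is missing or is not a
  // 64-character lowercase hex SHA-256 digest, or when no body was captured
  // (req.body is only a Buffer if express.raw() actually read one). This
  // keeps malformed requests on the 401 path instead of raising inside the
  // verifier.
  if (
    !Buffer.isBuffer(req.body) ||
    typeof sig !== 'string' ||
    !/^[0-9a-f]{64}$/.test(sig) ||
    !verifyWabSignature(req.body, sig, secret)
  ) {
    return res.status(401).send('Invalid signature');
  }

  // Parse only after the signature has been verified.
  let payload;
  try {
    payload = JSON.parse(req.body.toString('utf8'));
  } catch {
    return res.status(400).send('Invalid JSON');
  }

  // NOTE(review): the signature covers only the body, so a captured callback
  // would verify again if re-sent. If processing is not idempotent,
  // de-duplicate on the request id the callback carries.
  // … process payload
  res.sendStatus(200);
});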
Python (Flask)
import hashlib
import hmac
import os

from flask import Flask, request, abort
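app = Flask(__name__)

# Read the shared secret once at import time. A missing variable raises
# KeyError here, so the service does not start without a secret.
WAB_SECRET = os.environ['WAB_CALLBACK_SECRET']
if not WAB_SECRET:
    # An empty key still yields an HMAC, but one that anyone can compute, so
    # treat an empty value the same as a missing one.
    raise RuntimeError('WAB_CALLBACK_SECRET is set but empty')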
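@app.route('/webhooks/wab', methods=['POST'])
def wab_webhook():
    """Receive a WAB callback and accept it only if its signature verifies.

    The expected signature is the hex HMAC-SHA256 of the raw request body
    (request.data), keyed with WAB_SECRET. Responds 401 when the
    x-wab-signature header is missing or does not match, and 200 with an
    empty body once the payload has been accepted.
    """
    sig = request.headers.get('x-wab-signature', '')
    expected = hmac.new(
        WAB_SECRET.encode(), request.data, hashlib.sha256
    ).hexdigest()
    # Compare as bytes: compare_digest() raises TypeError for a str that
    # contains non-ASCII characters, and the header value is sender-controlled.
    # As bytes, a malformed header simply fails the comparison and gets a 401.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        abort(401)
    # Parse only after the signature has been verified; force=True parses the
    # body as JSON regardless of the Content-Type header.
    payload = request.get_json(force=True)
    # NOTE(review): the signature covers only the body, so a captured callback
    # would verify again if re-sent. If processing is not idempotent,
    # de-duplicate on the request id the callback carries.
    # … process payload
    return '', 200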
/api/discovery/provider/manifest /api/discovery/provider/record-template /api/discovery/provider/enable-plan /api/discovery/provider/status /api/discovery/provider/verify-batch