GA 1.2.0
DigiCert® is pleased to announce the release of DigiCert® DNS GA 1.2.0.
This release delivers significant new features and enhancements across three major focus areas: secure API operations, branded DNS experiences, and secondary DNS health and reliability.
API management capabilities have been expanded to simplify key creation and lifecycle management while strengthening rotation controls, access enforcement, and auditability. Customers can securely manage API keys end to end—creating, rotating, disabling, and deleting keys with clear status indicators and RBAC-aligned permissions—supporting scalable API adoption with strong governance and operational confidence.
DNS branding and white-labeling capabilities are enhanced through support for branded nameserver hostnames that map to DigiCert-managed infrastructure. This allows partners and customers to present a fully branded DNS experience while maintaining the reliability, security, and operational simplicity of DigiCert’s underlying systems.
Secondary DNS health and observability are significantly improved with a unified, at-a-glance view of system status following the transition to the UltraDNS backend. Enhanced visibility into nameserver delegation, zone transfer activity, and serial consistency helps users quickly identify misconfigurations, prevent stale zones, and maintain reliable DNS performance with greater confidence and transparency.
We welcome your feedback as we continue to expand and refine the platform.
Enhancements
This release includes the following enhancements:
API:
Expanded key limits per user, increasing support to up to 5 keys for SMB accounts and up to 10 keys for Enterprise accounts.
Implemented strict permission inheritance, ensuring API keys can never exceed the permissions of their creator and may only be scoped to a subset of those permissions.
Enabled dynamic RBAC alignment, where keys automatically inherit and update access rights based on the creator’s current resource group assignments.
Implemented organization-level rotation policies, enabling administrators to define maximum key age requirements (30, 90, 365 days, or never expire) to enforce consistent security hygiene across teams.
Expanded API support, enabling creation and updates of vanity nameserver mappings with consistent behavior across UI and API workflows.
Improved API support for health data, introducing and enhancing health-related APIs (including nameserver health, AXFR health, and zone transfer status fields) to ensure consistent, reliable data across UI and backend services.
Back-end:
Implemented audit-based alerts for key health, logging near-expiration and expired keys as a foundation for future UI notifications and alerting capabilities.
Enhanced validation and error handling, where vanity nameservers are validated for correct format, DNS delegation, and IP resolution before use, with clear error messages provided for misconfigurations.
Improved health status logic and accuracy, enhancing serial comparison to clearly differentiate healthy synchronization, propagation delays, and failed transfers, with consistent status reporting across nameservers, XFR activity, and notifications.
Expanded audit logging for diagnostics, automatically capturing AXFR activity, NOTIFY deliveries, serial mismatches, and delays to improve traceability and accelerate troubleshooting.
Front-end:
Introduced descriptive annotations, allowing users and administrators to label keys with notes or descriptions for easier identification.
Enhanced global administrative visibility, enabling admins with access management permissions to view all API keys across the organization (with secrets hidden by default).
Added centralized administrative actions, allowing authorized administrators to rotate, disable, or delete keys globally while maintaining least-privilege access to secret material.
Improved the visibility of vanity nameservers, making it easy to confirm branding and configuration at a glance.
Provided clear, actionable status messaging, adding inline explanations for warning and error states (such as serial mismatches or missing transfers) to guide next steps without requiring support engagement.
Implemented near real-time health updates, refreshing health data shortly after configuration changes or transfer activity to increase confidence in displayed status.
Fixes
This release includes the following fixes:
API:
Resolved authentication errors when logging into QA via API using username/password credentials.
Corrected API key count calculations, including exclusion of expired keys from 7-day expiration metrics.
Corrected audit log entries for service key creation to capture accurate details.
Ensured service key names map correctly to service identifiers.
Back-end:
Ensured proper cleanup of user entities and RBAC associations when service keys are deleted.
Fixed an issue where creating a nameserver set with an existing name could cause unexpected behavior.
Resolved cases where configured nameservers were not updated when a new nameserver set was applied.
Prevented invalid configurations by disabling vanity nameservers when custom nameservers are used.
Front-end:
Fixed missing and incorrect key counts on admin list views.
Improved messaging and UI behavior when editing roles for service keys.
Fixed issues preventing removal of service key notes during edits.
Improved alignment and consistency in the Nameserver Set table.
Corrected display of vanity nameserver records to consistently show FQDNs.
UI:
Fixed UI alignment issues for empty note fields and timestamp ordering in key list views.
Removed unintended visual artifacts (drop shadows, double borders) across key management UI components.
New features
This release includes the following new features:
API:
Introduced new endpoints:
Added support for organization-level service keys, enabling multiple account-level keys tied to the organization rather than an individual user. These keys act as principals and can be associated with roles and resource groups.
Enhanced scoped permissions and governance, ensuring organization keys are always limited to admin-selected permissions and resource groups, and are subject to the same audit logging and policy enforcement as user keys.
Implemented audit-first logging for rate limits, capturing all breaches and laying the groundwork for future alerting and notification integrations.
Enabled optional expiration dates configurable at key creation time.
Implemented one-click key rotation, allowing users and administrators to generate a new key while retiring the old one in a single, seamless action.
Introduced last-used tracking, recording the most recent API call made using a specific key and secret.
Improved the secure handling of secrets, with API key secrets hidden by default and only revealed through explicit user action.
Enabled full API call attribution, logging every request made with an API key and associating it with the specific key, owning user, and accessed resource or action.
Introduced a complete lifecycle audit trail, capturing creation, rotation, disabling, deletion, and all API usage events.
Implemented expiration and aging audit entries, logging keys nearing expiration at 30 days, 7 days, 24 hours, upon expiration, and daily thereafter until removal.
Enabled vanity nameserver configuration at setup, allowing branded nameservers to be created or updated directly within the UI or API during nameserver set creation for simplified deployment and lifecycle management.
Back-end:
Expanded administrative control of service keys, ensuring that only users with administrative privileges can create, manage, rotate, or delete organization-level keys.
Implemented strict separation of responsibilities, preventing regular users from creating or managing organization-level keys; they may only create keys scoped to their personal permissions.
Enabled automatic glue record management, automatically creating required A/AAAA glue records when vanity nameservers reside on primary or managed domains, ensuring correct DNS resolution without manual configuration.
Introduced secondary nameserver health checks, implementing SOA-based validation across all delegated nameservers to detect serial inconsistencies, invalid refresh/retry/expire values, and lagging or unreachable nameservers before zones become stale.
Implemented zone transfer (XFR) health and activity tracking, providing detailed insight into AXFR behavior, including the last transfer attempt per IP in the secondary IP set, retrieved SOA serials, and monitoring of XFR service IPs to surface the most recent successful transfer and delivered serial.
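An added example, not DigiCert's implementation and not part of the original release notes: one way to run the SOA-based consistency check described above over serials already collected from each delegated nameserver. It uses RFC 1982 wrap-around arithmetic so that a secondary is not misjudged when the serial rolls over. The hostnames, serials, status labels and timer rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# SOA serials are 32-bit and wrap around (RFC 1982 serial number arithmetic).
SERIAL_MOD, HALF = 2 ** 32, 2 ** 31

@dataclass
class SoaObservation:
    nameserver: str
    serial: Optional[int]      # None means the nameserver did not answer
    refresh: int = 3600
    retry: int = 600
    expire: int = 604800

def serial_behind(serial: int, reference: int) -> int:
    """Increments by which `serial` trails `reference`; 0 if it does not trail."""
    diff = (reference - serial) % SERIAL_MOD
    return diff if 0 < diff < HALF else 0

def timer_problems(obs: SoaObservation) -> list:
    """Assumed sanity rules: retry below refresh, expire above refresh + retry."""
    checks = {"retry >= refresh": obs.retry >= obs.refresh,
              "expire <= refresh + retry": obs.expire <= obs.refresh + obs.retry}
    return [name for name, bad in checks.items() if bad]

def assess(primary_serial: int, observations: list) -> dict:
    """Map each nameserver to one status label (labels are hypothetical)."""
    report = {}
    for obs in observations:
        if obs.serial is None:
            report[obs.nameserver] = "unreachable"
        elif serial_behind(obs.serial, primary_serial):
            report[obs.nameserver] = "lagging"
        elif obs.serial != primary_serial:
            report[obs.nameserver] = "ahead-of-primary"
        elif timer_problems(obs):
            report[obs.nameserver] = "invalid-timers"
        else:
            report[obs.nameserver] = "healthy"
    return report

# Constructed sample data (hypothetical hostnames and serials).
SAMPLE = [
    SoaObservation("ns1.example.net", 2024010105),
    SoaObservation("ns2.example.net", 2024010103),
    SoaObservation("ns3.example.net", None),
    SoaObservation("ns4.example.net", 2024010105, refresh=600, retry=900),
]
```

Calling `assess(2024010105, SAMPLE)` classifies the four constructed nameservers; a plain `<` comparison would misreport a secondary at serial 4294967290 as ahead of a primary that has wrapped to 5.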
Front-end:
Provided guided API key creation workflows that offer a simple, intuitive experience for generating keys. User-scoped keys are managed under User Account, while organization-wide keys are centralized under the Access Management section.
Implemented clear lifecycle states for all keys (active, expired, or disabled), displayed consistently across the UI.
Introduced a centralized lifecycle dashboard under Access Management, listing all active, disabled, and inactive keys.
Delivered inline microcopy and guidance explaining key states and lifecycle rules, including the distinction between expired keys (permanently disabled) and disabled keys (re-activatable).
Enhanced safe deletion workflows with confirmation dialogs to prevent accidental removal of keys.
Expanded comprehensive key metadata, displaying creation date, expiration date, last-used timestamp, and current status for every key.
Introduced a secondary DNS domain health overview: a dedicated Health view that provides a centralized snapshot of DNS health following the transition to the UltraDNS backend, using clear green, yellow, and red indicators with inline explanations to highlight status and impact.
Enhanced nameserver delegation visibility, adding a Nameservers tab (enabled by default for secondary DNS domains) that displays expected registrar-configured nameservers, verifies delegation correctness, and performs on-demand checks with cached results to reduce unnecessary lookups.
UI:
Introduced branded vanity nameservers, enabling custom nameserver hostnames mapped to DigiCert system nameservers. Each nameserver set supports up to six system nameservers.
Support
For help with troubleshooting, feature-related questions, or technical support, consult the Support section.