An EPP code — also called an authorization code, auth code, transfer secret, or EPP key — is a per-domain password that proves you’re the rightful registrant when transferring a domain to a new registrar. You request it from your current registrar (ICANN policy requires them to provide it), and the new registrar needs it to complete the transfer. It’s only used for inter-registrar transfers, not for nameserver or DNS changes — and you should keep it secret.
If you’ve ever tried to move a domain from one provider to another, you’ve met this code — possibly under a confusing pile of different names. The good news is that all those names refer to the same thing, and once you understand its single purpose, the whole transfer process makes a lot more sense.
A per-domain password (also called an auth code, transfer secret, or EPP key) that proves you are the rightful registrant when transferring a domain to a new registrar. You request it from your current registrar, and the gaining registrar requires it to complete an inter-registrar transfer.
What the auth code is and what it does
The name comes from EPP — the Extensible Provisioning Protocol that registrars and registries use to communicate behind the scenes. For your purposes, though, the code is best understood as one thing: a password for a specific domain. It exists so that when a name moves from one registrar to another, there’s proof that the person requesting the move actually controls the domain.
That’s its entire job. When you start a transfer at a new (“gaining”) registrar, they ask for the auth code. They submit it to verify the request against the current (“losing”) registrar’s records, and only a matching code lets the transfer proceed. Without the correct code, the transfer simply can’t happen — which is exactly the point. It stops anyone from yanking a domain away without the owner’s say-so.
So many names, one code
Auth code, authorization code, EPP code, EPP key, transfer secret, transfer code, transfer key — registrars use different labels, but they all mean the same per-domain transfer password. If a provider asks for any of these during a transfer, they’re asking for this one value.
Where to get it — and when you need it
You always get the auth code from your current registrar, the one the domain is registered with today — never from the registrar you’re moving to. Under ICANN policy, the current registrar must provide the code to the registrant on request, so they can’t hold your domain hostage by refusing it.
How you actually receive it varies. Many registrars display it instantly in the domain’s management page once the domain is unlocked; others email it to the registrant’s address on file as a security step, so the code reaches the verified owner rather than appearing on screen for anyone with account access. Either way, it’s usually available within minutes.
Crucially, you only need the auth code in one situation: an inter-registrar transfer — moving the domain to a different registrar. Everyday domain management doesn’t involve it at all.
| Task | Needs the auth code? | Why |
|---|---|---|
| Transferring to a new registrar | Yes | Proves you own the domain so the gaining registrar can pull it across. |
| Changing nameservers | No | Done within your current registrar account; no transfer involved. |
| Editing DNS records | No | Managed at your existing DNS provider, not a registrar change. |
| Renewing the domain | No | Renewal extends the term at the same registrar. |
This is a common point of confusion: people about to change nameservers sometimes hunt for an auth code they don’t need. If the domain is staying put and you’re only repointing DNS, no code is required. The auth code is strictly the key that unlocks a move to a different registrar — see our transfer guide for the full flow.
Keeping the code safe
Because the auth code authorizes a transfer, it deserves the same care as a password. Anyone who has your auth code and finds the domain unlocked could attempt to transfer the name away from you. The two protections work together: the registrar transfer lock stops a transfer from being initiated, and the auth code stops one from completing.
Treat the auth code like a password
Don’t share it except with the gaining registrar during a transfer you started. Don’t paste it into untrusted forms or store it where others can see it. After a transfer completes — or if you ever suspect it leaked — regenerate the code at your registrar so an old copy can’t be reused. A leaked code on an unlocked domain is the recipe for a hijack.
ccTLDs can work differently
Most generic TLDs use the EPP auth-code model, but some country-code TLDs use their own transfer mechanisms — a different token, a registry-side approval, or an alternate verification step. If your extension is a ccTLD, confirm the exact transfer process your registry and registrar require rather than assuming the standard auth-code flow applies.
★ Key takeaways
- The EPP / auth code is a per-domain password that proves ownership when transferring to a new registrar.
- Get it from your current registrar — ICANN policy requires them to provide it — shown in the dashboard or sent by email.
- It’s needed only for inter-registrar transfers, not for nameserver, DNS, or renewal changes.
- Keep it secret and regenerate it after a transfer; some ccTLDs use different transfer mechanisms.
Frequently asked questions
What is an EPP or authorization code?
An EPP code — also called an authorization code, auth code, transfer secret or EPP key — is a per-domain password that proves you are the rightful registrant when moving a domain to a new registrar. The gaining registrar requires it to pull the domain across, so it acts as the key that authorizes an inter-registrar transfer.
Where do I get my authorization code?
You request it from your current registrar — the one the domain is registered with today. Under ICANN policy the registrar must provide it on request. Many registrars show it instantly in the domain’s settings once the domain is unlocked, while others email it to the registrant’s address on file for security.
Do I need an auth code to change my nameservers or DNS?
No. The authorization code is only for transferring a domain between registrars. Changing nameservers, editing DNS records, or pointing your domain at a different host all happen within your existing registrar account and require no auth code. You only need it when the domain is actually leaving for a new registrar.
Why must I keep my auth code secret?
Because anyone holding the auth code, combined with an unlocked domain, can attempt to transfer the name away from you. The code is effectively a transfer password, so treat it like one: share it only with the gaining registrar during a transfer you initiated, and consider regenerating it afterward so an old copy can’t be reused.
Do all domain extensions use an EPP auth code?
Most generic TLDs use the EPP authorization-code model for transfers. Some country-code TLDs, however, use their own transfer mechanisms — a different token, a registry-side approval, or an alternate verification step. If your extension is a ccTLD, check the specific transfer process your registry and registrar require.
Sources & further reading
- ICANN — Internet Corporation for Assigned Names and Numbers (inter-registrar transfer policy and registrant rights)
- IANA — Root Zone Database (which registry operates each extension)
- Related: how to transfer a domain, domain transfer lock explained, how to choose a domain registrar, domain transfer vs redemption, what is a domain registrar?, how to register a domain name