Domain Verification
Prove ownership of your target before running full scans.
Why verify?
Flowpatrol scans live, running applications. To prevent misuse, we require you to verify ownership of any domain you want to run full scans against.
Quick probes (flowpatrol_probe) work on any public URL without verification. Full scans (flowpatrol_scan) require a verified domain.
Adding a domain
Go to Settings → Domains
Open the Domains page in the Flowpatrol dashboard and click Add Domain.
Enter your domain and choose a method
Enter the domain you want to verify (e.g., myapp.vercel.app or example.com) and choose one of three verification methods:
| Method | Best for |
|---|---|
| DNS TXT Record | Domains where you control DNS settings |
| HTML Meta Tag | Platform subdomains (Vercel, Netlify, etc.) |
| File Upload | Any domain where you can host static files |
When you click Add Domain, Flowpatrol generates a unique verification token (starting with fp-verify=) for your domain.
Place the verification token
Follow the instructions shown on the domain row in the dashboard:
Add a TXT record to your DNS:
_flowpatrol.yourdomain.com TXT "fp-verify=abc123..."The exact record to add (including your token) is shown in the dashboard — just copy it. DNS propagation typically takes a few minutes.
Add a meta tag to your site's <head>:
<meta name="flowpatrol-verification" content="fp-verify=abc123..." />The dashboard provides the full tag with your token — copy and paste it into your root layout, then deploy.
Create a plain text file at:
https://yourdomain.com/.well-known/flowpatrol-verify.txtThe file should contain your verification token as the only content. Deploy the file, then verify.
Click Verify
Once the token is in place, click the Verify button on the domain row. Flowpatrol checks the method you chose:
- DNS TXT: Queries
_flowpatrol.yourdomain.comvia Cloudflare DNS-over-HTTPS - Meta tag: Fetches your homepage and looks for the
flowpatrol-verificationmeta tag - File: Fetches
/.well-known/flowpatrol-verify.txtand checks the contents
If the check passes, the domain status changes to Verified and you can run full scans.
Platform-specific guides
Vercel
For Vercel deployments, the HTML meta tag method is easiest:
- Add the meta tag to your root layout (
app/layout.tsx) - Deploy to Vercel
- Click Verify in the dashboard
If you own the domain on Vercel (not a .vercel.app subdomain), you can also use DNS verification through Vercel's DNS settings.
Netlify
Same as Vercel — use the HTML meta tag, or if you manage DNS through Netlify, add the TXT record there.
Railway / Render / Fly.io
Use the HTML meta tag or file-based method. These platforms don't always expose DNS settings for their default subdomains.
Wildcard verification
Verifying a root domain (e.g., example.com) automatically covers all subdomains:
app.example.comstaging.example.comapi.example.com
You don't need to verify each subdomain separately. This is enforced at the database level — the is_domain_verified() function checks both exact matches and parent domain matches.
Verification status
| Status | Meaning |
|---|---|
| Pending | Domain added but verification check hasn't passed yet |
| Verified | Ownership confirmed — full scans are allowed |
| Expired | Verification was previously confirmed but a re-check failed |
You can re-check a verified domain at any time by clicking Re-check on the domain row.
When is verification required?
| Tool | Requires verification? |
|---|---|
flowpatrol_probe | No — works on any public URL |
flowpatrol_scan | Yes — domain must be verified |
flowpatrol_report | No — just retrieves existing results |
Localhost
Localhost URLs (localhost, 127.0.0.1, 0.0.0.0) are always allowed without verification. This lets you test during local development.
Removing a domain
Go to Settings → Domains, find the domain, and click the trash icon. This removes the domain and revokes verification — any scheduled scans for that domain will stop.