Overview
Two security features protect domains from unauthorized transfers:
- Transfer lock (registrar lock) — prevents the domain from being transferred away without your explicit action.
- EPP code (auth code / authorization code) — a secret code required by the receiving registrar to initiate any inbound transfer.
Both are managed from the Commerce domain detail page.
Transfer Lock
What It Does
When locked, the registrar blocks any transfer-out request at the registry level. An attempt to transfer the domain to another registrar returns an error until the lock is removed.
Default State
Commerce enables the transfer lock on all new registrations and completed inbound transfers. The is_locked field on the domains record defaults to true.
Toggling Lock
Admin: Admin → Domains → [domain] → Transfer Lock toggle.
Client: /client/domains/{domain} → Transfer Lock toggle.
Toggling calls setLock(domain, true/false) on the active registrar module. On success, domains.is_locked is updated.
Before a transfer out: the client must unlock the domain. Remind them: unlock the domain first, then request the EPP code, then initiate the transfer at the new registrar — all in the same session if possible, before the EPP code expires.
Lock Propagation
Lock changes propagate through the registry within minutes for most TLDs, but can take up to 24 hours for some ccTLDs. If the receiving registrar reports the domain is still locked after the client unlocked it, wait a few hours and retry.
EPP Code (Auth Code)
What It Is
The EPP code is a secret string, typically 8–16 characters, set by the registrar for each domain. The receiving registrar requires it to verify that the transfer is authorized by the domain owner.
Fetching the EPP Code
- Go to Admin → Domains → [domain] or
/client/domains/{domain}. - Click Get EPP Code.
- Commerce calls
getEppCode(domain)on the registrar module. - The code is shown once on screen.
Storage Policy
EPP codes are never stored in Commerce. Each click of the button fetches a fresh code from the registrar. This is by design — storing auth codes creates unnecessary security exposure.
Expiry
EPP codes expire at the registrar. Typical lifetimes:
| Registrar | EPP Code Lifetime |
|---|---|
| ResellerClub | 30 days |
| Enom | 5 days |
| OpenSRS | 14 days |
| Namecheap | Varies (typically 7–14 days) |
| CentralNic | 14 days |
If the code expires before the client uses it, they can request a new one by clicking the button again.
EPP Required Flag
Some TLDs do not use EPP codes (some ccTLDs handle transfer authorization differently). The domain_tlds.epp_required flag controls whether the EPP Code button is shown for that TLD.
Transfer Out Checklist
Before a client transfers a domain out:
- Ensure the domain is at least 60 days old (ICANN rule).
- Ensure the domain has not been renewed or transferred in the last 60 days.
- Unlock the domain (Transfer Lock toggle → off).
- Request the EPP code — copy it immediately.
- Go to the new registrar and initiate the transfer, pasting the EPP code.
- Monitor the transfer — Commerce will detect completion via
commerce:sync-domain-statusesand update the status totransferred_away.