Gandi Integration
Complete guide for integrating Gandi with Domain Collective
Gandi Integration Guide
Gandi is a French domain registrar known for its strong privacy stance and "No Bullshit" philosophy. This guide covers everything you need to know about integrating Gandi with Domain Collective.
Overview
Integration Details
- API Type
- REST API (JSON)
- Authentication
- Personal Access Token (Bearer)
- Token Validity
- Maximum 1 year
- Minimum Domains
- None required
Supported Features
Domain synchronization
DNS record viewing
LiveDNS management
Nameserver updates
Limited privacy info
Token Expiry: Gandi Personal Access Tokens expire after a maximum of 1 year. Set a reminder to renew your token before it expires to maintain uninterrupted service.
Creating a Personal Access Token
Step 1: Access Your Account Settings
-
Log into Gandi
- Go to gandi.net
- Sign in with your credentials
- Navigate to your account dashboard
-
Open Security Settings
- Click your username (top right)
- Select "User settings" or "Account settings"
- Navigate to "Security" section
Step 2: Generate Personal Access Token
-
Find PAT Section
- Look for "Personal Access Tokens" or "API Keys"
- Click "Create a token" or "Generate new token"
-
Configure Your Token
- Name: Give it a descriptive name (e.g., "Domain Collective")
- Expiration: Choose duration (max 1 year)
- Scopes: Select required permissions (see below)
Step 3: Select Required Scopes
For Domain Collective to work properly, enable these scopes:
Required Scopes
domain:read- View domain informationdomain:write- Manage domain settingsdns:read- View DNS recordsdns:write- Manage DNS records
Step 4: Save Your Token
- Click "Create" or "Generate"
- COPY THE TOKEN IMMEDIATELY
- Store it securely - it won't be shown again!
Critical: The token is displayed only once! If you lose it, you'll need to generate a new one.
Adding to Domain Collective
Integration Process
-
Navigate to Integrations
- Log into Domain Collective
- Click "Integrations" in the sidebar
- Click "Add New Integration"
-
Select Gandi
- Click the Gandi card
- A single field form appears
-
Enter Token
API Token: [Paste your Personal Access Token] -
Submit and Sync
- Click "Add Integration"
- Automatic sync begins immediately
- Wait for completion (usually 1-2 minutes)
Understanding Gandi's API
API Structure
Gandi uses a modern REST API with some unique field naming:
{
"fqdn": "example.com", // Not "domain"
"dates": {
"registry_created_at": "...", // Not "createdAt"
"registry_ends_at": "..." // Not "expires"
},
"autorenew": true, // Not "renewAuto"
"status": ["clientTransferProhibited"]
}LiveDNS vs Domain API
Gandi separates DNS management into two APIs:
- Domain API: Domain info, nameservers
- LiveDNS API: DNS records management
Domain Collective handles both automatically.
Features and Capabilities
What Gets Synced
| Data Type | Details | Notes |
|---|---|---|
| Domain Info | FQDN, status, dates | Uses fqdn field |
| DNS Records | All LiveDNS records | rrset_ prefixed fields |
| Nameservers | Current configuration | Via domain API |
| Auto-Renewal | Renewal settings | autorenew field |
| Domain Status | Lock and transfer status | Array of statuses |
| Organization | Owner organization | If applicable |
Field Mapping Specifics
Gandi uses unique field names that Domain Collective maps automatically:
| Gandi Field | Standard Field | Description |
|---|---|---|
fqdn | domainName | Fully qualified domain name |
dates.registry_created_at | registrationDate | Creation date |
dates.registry_ends_at | expiryDate | Expiration date |
autorenew | autoRenew | Auto-renewal status |
rrset_name | name | DNS record name |
rrset_type | type | DNS record type |
rrset_values | value | DNS record values (array) |
rrset_ttl | ttl | DNS time-to-live |
Managing Your Integration
Token Expiration Handling
Domain Collective helps you manage token expiration:
-
Expiry Detection
- Automatic detection when token expires
- Clear error message on integration card
- "Update Credentials" button appears
-
Token Renewal Process
- Generate new token in Gandi
- Click "Update Credentials"
- Paste new token
- Integration continues without data loss
Setting Renewal Reminders
Best practice for token management:
- Note expiry date when creating token
- Set calendar reminder 1 week before
- Generate new token before expiry
- Update in Domain Collective immediately
Troubleshooting
Common Issues
"Invalid Token" or "401 Unauthorized"
Causes:
- Token expired (most common)
- Token copied incorrectly
- Missing required scopes
Solutions:
- Generate new token in Gandi
- Ensure all required scopes selected
- Copy entire token (no spaces)
- Update credentials in Domain Collective
"Token Expired"
Causes:
- PAT reached expiration date
- Token revoked manually
Solutions:
- Log into Gandi account
- Create new Personal Access Token
- Update via "Update Credentials" button
- No need to delete/recreate integration
"No Domains Found"
Causes:
- No active domains in account
- Token missing
domain:readscope - Domains transferred out
Solutions:
- Verify domains in Gandi account
- Check token has correct scopes
- Generate new token with all scopes
- Try manual sync
"DNS Records Not Loading"
Causes:
- Missing
dns:readscope - Domain not using Gandi LiveDNS
- API response format issue
Solutions:
- Check if domain uses Gandi nameservers
- Verify token has DNS scopes
- Try manual sync
- Contact support with domain name
API Response Issues
Gandi's API has some quirks to be aware of:
- Array Values: DNS
rrset_valuesis always an array - Date Format: ISO 8601 with timezone
- Status Array: Domain status is an array of strings
- FQDN Format: Always includes trailing dot internally
Advanced Features
LiveDNS Management
Gandi's LiveDNS is a powerful DNS service:
-
Automatic Zones
- Created automatically per domain
- Separate from domain API
-
Record Types
- Supports all standard types
- Plus CAA, TLSA, SSHFP
-
Snapshots
- DNS configuration versioning
- Rollback capability
Nameserver Configuration
Update nameservers for Gandi domains:
- Navigate to domain details
- Click "Edit Nameservers"
- Choose Gandi LiveDNS or custom
- Changes apply immediately
API Rate Limits
Gandi's API has generous limits:
- Rate: 120 requests per minute
- Burst: Short bursts allowed
- Daily: No daily maximum
- Pagination: 100 items per page
Security Considerations
Token Security
- Treat like passwords: Never share or expose
- Minimal scopes: Only enable required permissions
- Regular rotation: Generate new tokens quarterly
- Revoke unused: Delete old tokens in Gandi
Gandi Security Features
- Token expiration: Maximum 1 year validity
- Scope limitation: Fine-grained permissions
- Activity logs: Monitor API usage
- 2FA support: Enable on Gandi account
Domain Collective Security
Your Gandi token is protected by:
- Encrypted storage: AES-256 encryption
- Secure transmission: TLS 1.3
- No token logging: Never written to logs
- Isolated access: Per-user separation
Best Practices
-
Token Management
- Set renewal reminders
- Use descriptive token names
- Document expiry dates
- Keep backup token ready
-
Regular Syncing
- Weekly sync recommended
- After DNS changes
- Before domain expiry
-
Security
- Enable 2FA on Gandi
- Use minimal token scopes
- Monitor API activity
- Rotate tokens regularly
-
Multiple Organizations
- Separate tokens per org
- Add as different integrations
- Track token expiry per org
Migration from v4 API
If you're migrating from Gandi's older v4 API:
Key Differences
- Authentication: PAT instead of API key
- Field names: Different naming convention
- Endpoints: New URL structure
- Response format: Consistent JSON
Migration Steps
- Generate PAT in new system
- Update Domain Collective integration
- Remove old v4 API key
- Verify sync works correctly
Frequently Asked Questions
Why do tokens expire after 1 year?
This is a Gandi security policy to ensure tokens are regularly rotated. It cannot be extended beyond 1 year.
Can I use the same token for multiple services?
Yes, but it's more secure to use separate tokens for each service. This way, revoking one doesn't affect others.
What happens when my token expires?
The integration will show an authentication error. Your domains remain in Domain Collective but won't sync until you update the token.
Do I need all the scopes?
For full functionality, yes. You could use fewer scopes, but some features won't work (e.g., no DNS without dns:read).
Can I have multiple Gandi accounts?
Yes, add each as a separate integration with its own token. There's no limit to the number of integrations.
Getting Help
If you need assistance with your Gandi integration:
- Check Token Expiry: Most issues are expired tokens
- Verify Scopes: Ensure all required permissions
- Review Errors: Check integration card for details
- Contact Support: Email support@collective.domains with:
- Integration ID
- Error message
- Token expiry date
- Affected domains
Additional Resources
- Gandi API Documentation
- Gandi LiveDNS Documentation
- Gandi Account Security
- Personal Access Tokens Guide
- Domain Collective Support
Next: Explore Domain Features → or return to Documentation Home →