Required before any scan · CFAA-compliant
Verify ownership
MagnusQA never scans a site you have not verified ownership of. Pick a method that works for your hosting setup — every attempt (success and failure) is logged with IP and timestamp for the audit trail.
DNS TXT record (recommended)
After you register a site, we issue a token. Add a TXT record at the apex of your domain:
name: @ (or your domain)
type: TXT
value: magnusqa-verify=<your_token>
Then POST to /api/v1/sites/:id/verify with { method: "dns_txt", proof: "magnusqa-verify=..." }. Typical propagation: 5–60 minutes.
File upload
Host a file at:
https://your-site.com/.well-known/magnusqa-verify.txt
Body must be exactly magnusqa-verify=<token>. Then call the verify endpoint with method file_upload and the file body as proof.
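A local pre-flight check for the DNS TXT and file upload methods above, written as an added example (it is not MagnusQA's own code). The function names, the sample token and the sample `dig +short TXT` output are constructed, and the byte-for-byte file comparison is an assumption based on the word "exactly" above.

```python
import json
import shlex

PREFIX = "magnusqa-verify="          # record/file format given on this page
TOKEN = "EXAMPLE-TOKEN-123"          # constructed placeholder token
# Constructed `dig +short TXT example.com` output; the second record is
# shown as two quoted chunks, the way dig prints multi-string TXT records.
DIG_SAMPLE = '"v=spf1 -all"\n"magnusqa-" "verify=EXAMPLE-TOKEN-123"\n'


def txt_values(dig_short_output):
    """Join the quoted chunks on each dig line into one TXT value per record."""
    return ["".join(shlex.split(line))
            for line in dig_short_output.splitlines() if line.strip()]


def check_dns(dig_short_output, token):
    """Return (ok, reason) for the dns_txt method."""
    found = [v for v in txt_values(dig_short_output) if v.startswith(PREFIX)]
    if PREFIX + token in found:
        return True, "exact match"
    if found:
        return False, "verify record present but token differs"
    return False, "no verify record visible (propagation or wrong name)"


def check_file(body, token):
    """Return (ok, reason) for file_upload; body is the raw response bytes."""
    expected = (PREFIX + token).encode("ascii")
    if body == expected:
        return True, "exact match"
    if body.removeprefix(b"\xef\xbb\xbf").strip() == expected:
        return False, "token correct but body has BOM or whitespace padding"
    return False, "body is not the expected value"


def verify_payload(method, proof):
    """JSON body for POST /api/v1/sites/:id/verify, fields as on this page."""
    return json.dumps({"method": method, "proof": proof})


if __name__ == "__main__":
    print(check_dns(DIG_SAMPLE, TOKEN))
    print(check_file(b"magnusqa-verify=EXAMPLE-TOKEN-123\n", TOKEN))
    print(verify_payload("dns_txt", PREFIX + TOKEN))
```

Feed `check_dns` the real output of `dig +short TXT` for your apex domain and `check_file` the raw bytes served at the `.well-known` URL before calling the verify endpoint.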
Email verification
We email admin@ and webmaster@ at the registered domain with a verification link. Click it to verify.
Use this only when DNS or file upload is unavailable — email-based verification is easier to spoof.
OAuth (hosted providers)
Sign in with your DNS or hosting provider to authorize ownership. Supported: Cloudflare, Netlify, Vercel.
The operator must enable each provider integration; check /status for the live list.
Why we’re strict about this
Automated scanning of a website you don’t own can violate the US Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, and equivalent laws in other jurisdictions. Even though our scans are read-mostly, the only way to provide a defensible service is to require ownership proof for every scanned URL.
Every verification attempt is recorded in ownership_verifications with the proof value, IP, and timestamp — you can pull your own history at GET /api/v1/sites/:id/verification-history.
If you need to scan a site on behalf of a client, the client must complete the ownership step (or grant you a verified-team-member role). The agent API explicitly forbids site onboarding for the same reason.