12 days ago
Curious if someone can shed light on the need for this redundant verify TXT record we now have to add? Is there a purpose to this? Is adding the given CNAME record not proof enough that we own or control the domain in question? I can't seem to figure out for the life of me what this "verification" record is supposed to verify that the ability to add the CNAME record in the first place doesn't verify on its own. Why does this need to be a thing? Is it just to give twice as much effort to adding DNS records or to create pushback from DNS managers who are happy to add a CNAME record on request but get touchy when asked to add a TXT verification record?
...just... why? And if there's no real reason, can you please knock it off?!
7 Replies
12 days ago
The CNAME record is not used for verification; it is used to point your domain at Railway and nothing more. For a myriad of reasons it cannot be used for verification. Perhaps the most common reason would be having the Cloudflare proxy enabled; when enabled, the CNAME is completely hidden.
11 days ago
...okay, but what are you verifying? You have a direct Cloudflare integration that adds the CNAME record and the TXT record was never needed before and everything worked fine. What is the point of this? ...and can you please remove it or give me the option to not bother with this? Things were working fine until this showed up.
11 days ago
We are verifying that you own the domain you are adding to your service. Previously, we never verified this in any way.
This extra security measure is here to stay.
11 days ago
Again, adding the CNAME record is proof enough. Your system detects that record first and then issues the cert which tells you everything you need to know. Even on Cloudflare with proxy. If Railway doesn't detect the CNAME entry then it doesn't work. What was happening before that you thought you had to do this? It's highly redundant. No CNAME, no nothing working. This doesn't do anything the CNAME entry being present doesn't already do but now... this.
11 days ago
PLEASE GET RID OF IT! ...or at the very least, if you must have this idiotic verification that does nothing already having access to DNS entries does (as evidenced by the fact that the system waited to validate the existence of the required CNAME records to begin with and this is just another hurdle that proves absolutely nothing more than the CNAME entry existence does) then please, expose it to the API when querying for the record. And also, how about 1 verification per domain and not per record? My DNS table looks like junk with a sprawling mess of verification records so you can be comfortable knowing I own a domain name for every DNS entry I have. Because you know, those DNS entries would exist without my owning it. ...this doesn't make a lick of sense and the verify token is publicly queryable. Security that doesn't secure anything and proves nothing. Thanks for the extra work. Back and forth and back and forth for adding DNS entries. Geez.
11 days ago
.
11 days ago
I owe you an apology. I just explained this scenario to ChatGPT and, as expected, learned something new. I now see what this is doing and the usefulness of it. You're not validating that I can add the entry; that's already confirmed by the CNAME entry. You're validating the routing on your side is going to the right account, which is a completely different explanation. It's an ownership handshake not to validate I "can" add the record, but that when my CNAME record points to Railway that my Railway account is the one authoritative to deliver the service over someone else pretending to be me by opening a Railway account and using my domain name. That handshake is critical. I never knew this was a thing and completely misunderstood the purpose of this entry. In all fairness it wasn't well explained but now I get it. Now I have egg on my face for my bullshit attitude. My apologies for that. The sudden TXT record requirement was really pissing me off because it's blocking my Claude Code from adding my entries since I can't see it via the API stack nor Railway CLI. I can also see now that it HAS in fact been added so all the issues I'm complaining about are moot. Please forgive my arrogance. I didn't understand and now I do.
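The distinction the thread arrives at, as an added sketch that is not from any poster and is not Railway's code: a shared CNAME target says where traffic goes, while a per-account TXT token says which account may claim the hostname, even when a proxy hides the CNAME. The `_verify.` label, the HMAC-derived token, the account ids and the hostnames are all assumptions made up for the illustration.

```python
import hashlib
import hmac

# Assumptions for this sketch (none of these names come from the thread):
PLATFORM_SECRET = b"constructed-demo-secret"  # server-side key, never published
EDGE_TARGET = "edge.platform.example"         # CNAME target shared by every customer
TXT_PREFIX = "_verify."                       # hypothetical verification record label

def expected_token(account_id: str, hostname: str) -> str:
    """Token the platform issues to one account for one hostname."""
    msg = f"{account_id}|{hostname.lower()}".encode()
    return hmac.new(PLATFORM_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def cname_points_here(zone: dict, hostname: str) -> bool:
    """Shows traffic is routed to the platform; carries no account identity."""
    return EDGE_TARGET in zone.get((hostname, "CNAME"), [])

def txt_proves_account(zone: dict, account_id: str, hostname: str) -> bool:
    """True only if the zone publishes the token issued to this exact account."""
    want = expected_token(account_id, hostname)
    published = zone.get((TXT_PREFIX + hostname, "TXT"), [])
    return any(hmac.compare_digest(value, want) for value in published)

def can_attach(zone: dict, account_id: str, hostname: str, require_txt: bool = True) -> bool:
    """Decide whether an account may bind the hostname to its service."""
    if require_txt:
        return txt_proves_account(zone, account_id, hostname)
    return cname_points_here(zone, hostname)  # CNAME-only policy, for comparison

# Constructed zone data: one directly visible CNAME, one hostname behind a proxy
# (resolvers see only the proxy's A record, so the CNAME is not observable).
ZONE = {
    ("app.customer.example", "CNAME"): [EDGE_TARGET],
    ("_verify.app.customer.example", "TXT"): [expected_token("acct-owner", "app.customer.example")],
    ("www.customer.example", "A"): ["203.0.113.10"],
    ("_verify.www.customer.example", "TXT"): [expected_token("acct-owner", "www.customer.example")],
}

if __name__ == "__main__":
    for host in ("app.customer.example", "www.customer.example"):
        for acct in ("acct-owner", "acct-other"):
            print(host, acct,
                  "cname-only:", can_attach(ZONE, acct, host, require_txt=False),
                  "txt:", can_attach(ZONE, acct, host))
```

The published token can be read by anyone, but the platform compares it against the value derived for the requesting account, so a different account reading it gains nothing.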
