
bug or feature? API was able to create a new record even though API token does not have create permission

Posted on July 18, 2025

By Mike

I was surprised when I needed to set up a DDNS to update DNS and found that it created a new record even though I didn’t give the API token create permission. I expected it to fail until I manually created the record first. First time using DigitalOcean’s DNS update service so perhaps I’m overlooking something or failing to understand what update permissions vs create permissions provide. The description implies that create is needed to create a new record, though it doesn’t say exactly what a record is in this case: “Create: Create domains and domain records”.

As a follow-on, I was a bit surprised that I didn’t find a way to lock it down to just have the ability to update a single DNS record–something that would be a requirement if I was using DigitalOcean in my day job for security reasons and probably used for automatic domain verification for TLS certs. For my use here it is fine to just limit update of existing records, but it doesn’t appear to work that way.


I created a personal access token with just 2 scopes in it (copied below). Scopes are update and read.

Token type: Custom scope

Scopes: 2 scopes

Created: xxx

Last used: xxx

Expires: xxx

Scopes

Read Access: domain (1 scope)

Update Access: domain (1 scope)

Total Custom Scopes: 2 scopes
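Whatever the token scope enforces server-side, a DDNS client can be written so that it is incapable of creating records: look the record up, PATCH it if it exists, and stop with an error if it does not. The script below is an added example written for this thread, not DigitalOcean's code. It uses the real DigitalOcean API v2 endpoints for listing and updating domain records (`GET /v2/domains/{domain}/records`, `PATCH /v2/domains/{domain}/records/{id}`) and never issues a POST. The `FakeDigitalOcean` class and the `DO_TOKEN`/`DO_DOMAIN`/`DO_HOST`/`DO_IP` environment variable names are assumptions made for the example so it can run offline and be tried live.

```python
"""Least-privilege DDNS updater for DigitalOcean DNS.

Added example, not DigitalOcean's code. It assumes a personal access token
scoped to domain read + update only, and deliberately never sends POST:
it looks the record up, PATCHes it if present, and refuses when it is
absent, so a missing record surfaces as an error instead of being created.
"""
import json
import os
import urllib.error
import urllib.request

DO_API = "https://api.digitalocean.com/v2"


class RecordMissing(Exception):
    """The target record does not exist; create it by hand, then rerun."""


def http_request(method, url, token, body=None):
    """Real transport. Returns (status_code, parsed JSON body or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, (json.loads(raw) if raw else {})
        except json.JSONDecodeError:
            return err.code, {}


def find_record(domain, name, rtype, token, request=http_request):
    """Return the record dict whose relative name ('@' for the apex) and type
    match, or None. Filtering is done client-side on one page of records."""
    status, body = request("GET", f"{DO_API}/domains/{domain}/records?per_page=200", token)
    if status != 200:
        raise RuntimeError(f"listing records failed: HTTP {status} {body.get('message', '')}")
    for rec in body.get("domain_records", []):
        if rec.get("name") == name and rec.get("type") == rtype:
            return rec
    return None


def update_existing_record(domain, name, rtype, ip, token, request=http_request):
    """PATCH an existing record's data to `ip`. Returns ('unchanged'|'updated', record).
    Raises RecordMissing rather than creating the record."""
    rec = find_record(domain, name, rtype, token, request)
    if rec is None:
        raise RecordMissing(f"{name}.{domain} {rtype} does not exist; refusing to create it")
    if rec.get("data") == ip:
        return "unchanged", rec
    status, body = request("PATCH", f"{DO_API}/domains/{domain}/records/{rec['id']}", token, {"data": ip})
    if status != 200:
        raise RuntimeError(f"update failed: HTTP {status} {body.get('message', '')}")
    return "updated", body["domain_record"]


class FakeDigitalOcean:
    """Constructed in-memory stand-in for the API so the demo runs offline.
    It enforces scopes the way the poster expected: anything but GET/PATCH is refused."""

    def __init__(self, records):
        self.records = {r["id"]: dict(r) for r in records}

    def __call__(self, method, url, token, body=None):
        if method == "GET":
            return 200, {"domain_records": list(self.records.values())}
        if method == "PATCH":
            rec = self.records.get(int(url.rsplit("/", 1)[1]))
            if rec is None:
                return 404, {"message": "not found"}
            rec.update(body)
            return 200, {"domain_record": rec}
        return 403, {"message": "create scope not granted"}


def demo():
    """Offline walk-through against the fake: an update, a no-op, then a refusal."""
    fake = FakeDigitalOcean([{"id": 1, "type": "A", "name": "home", "data": "203.0.113.5", "ttl": 300}])
    actions = []
    for host, ip in (("home", "203.0.113.9"), ("home", "203.0.113.9"), ("vpn", "203.0.113.9")):
        try:
            actions.append(update_existing_record("example.com", host, "A", ip, "fake-token", fake)[0])
        except RecordMissing:
            actions.append("missing")
    return actions


if __name__ == "__main__":
    env = os.environ
    if env.get("DO_TOKEN"):  # live mode (assumed variable names): DO_TOKEN, DO_DOMAIN, DO_HOST, DO_IP
        print(update_existing_record(env["DO_DOMAIN"], env["DO_HOST"], "A", env["DO_IP"], env["DO_TOKEN"]))
    else:
        print(demo())  # ['updated', 'unchanged', 'missing']
```

Run without `DO_TOKEN` set and it exercises the fake backend; with the four variables set it performs a single live update of an existing A record. The refusal on a missing record is the point: the client side guarantees "update only" regardless of how the token's create scope is enforced by the API, and a 403 on the PATCH would still tell you the update scope itself is missing.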




Hey!

Interesting find. From the docs, it really does seem like create should be required to create new DNS records, so if it worked with just update, that’s a bit unexpected. Could be a bug, or maybe the API treats missing records differently in some edge cases?

Might be worth double-checking the exact request payload, and I’d suggest reaching out to DigitalOcean support to confirm; they could clarify whether this is intended behavior or something that needs fixing:

https://do.co/support

- Bobby

That definitely sounds like unintended behavior and worth flagging. If the API token lacks create permissions, the system should reject any POST or insert operations tied to that token. It could be a misconfiguration of the access control rules (ACLs), or possibly a broader security oversight depending on how the token was scoped.

I’d double-check the role assignments tied to the token and inspect any custom logic that might be bypassing standard ACL checks (like background scripts or Business Rules running with elevated privileges). If everything checks out and it’s still creating records, this could very well be a bug rather than a feature.

It might be worth raising a support ticket or posting to the official ServiceNow dev Slack or forum to see if others can replicate it.
