Pwnkemon

Target verification

Pwnkemon will only scan targets you have proven ownership of. This protects you from accidentally scanning targets you don't have permission to test, and protects Pwnkemon from being used as a generic offensive tool against the internet.

What gets verified

You verify an apex domain (e.g. example.com) or a specific IP. Once verified, any subdomain of that target is also authorised — verifying example.com lets you scan api.example.com, staging.example.com, and so on.

Method 1 — DNS TXT record (recommended)

The cleanest method. Works for domains you control at the registrar level.

  1. In the dashboard go to Targets → Add target and enter your domain. Pick DNS TXT as the verification method.
  2. Pwnkemon shows you a unique challenge token, e.g. pwnkemon-verify-aB3...xY.
  3. Log in to your DNS provider (Cloudflare, Route 53, etc.) and create a new TXT record:
    Name:  _pwnkemon-challenge.example.com
    Type:  TXT
    Value: pwnkemon-verify-aB3...xY
    TTL:   default (300s is fine)
  4. Wait 1–2 minutes for DNS to propagate, then click Check in the dashboard. Pwnkemon does a live DNS lookup and verifies the record contains your token.

Once verified, you can safely delete the TXT record. We only check it during verification, never after.

Method 2 — HTTP file challenge

Useful if you don't control DNS (e.g. you own the application but not the domain) or your DNS provider is slow.

  1. Pick HTTP file as the verification method when adding the target.
  2. Place a file at this path on your site, containing only the token:
    https://example.com/.well-known/pwnkemon-challenge.txt
  3. Make sure the file returns HTTP 200 and content type text/plain (most static hosts do this automatically).
  4. Click Check — Pwnkemon GETs the file and verifies the contents.

Like the DNS method, the file can be deleted after verification — it's only checked during the verify step.
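A pre-flight check for both methods, added here as an example and not Pwnkemon's own code: it applies the documented requirements (TXT record contains the token; file returns HTTP 200, text/plain, and only the token) to what `dig` and an HTTPS GET return, so you can see why a check would fail before clicking Check. The function names, the sample token, and the tolerance for whitespace around the token in the file are assumptions.

```python
import subprocess
import sys
import urllib.error
import urllib.request

# Constructed sample token; the real one is shown in the dashboard.
SAMPLE_TOKEN = "pwnkemon-verify-EXAMPLEONLY"

def txt_has_token(answers, token):
    """answers: TXT values as printed by `dig +short`, one record per item."""
    for answer in answers:
        # A long TXT record is printed as several quoted strings; rejoin them.
        value = "".join(answer.strip().split('" "')).strip('"')
        if token in value:  # the page says the record must contain the token
            return True
    return False

def http_challenge_problems(status, content_type, body, token):
    """Return the documented requirements the response fails (empty list = ok)."""
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "text/plain":
        problems.append(f"content type {media_type!r}, expected text/plain")
    # Assumption: whitespace around the token (a trailing newline) is tolerated.
    if body.decode("utf-8", "replace").strip() != token:
        problems.append("body is not only the token")
    return problems

def check_dns(domain, token):
    # Live lookup of the challenge name from Method 1 (needs `dig` installed).
    cmd = ["dig", "+short", "TXT", f"_pwnkemon-challenge.{domain}"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    return txt_has_token(out.splitlines(), token)

def check_http(domain, token):
    # Live GET of the challenge path from Method 2.
    url = f"https://{domain}/.well-known/pwnkemon-challenge.txt"
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return http_challenge_problems(resp.status, ctype, resp.read(4096), token)
    except urllib.error.HTTPError as err:
        return [f"status {err.code}, expected 200"]

if __name__ == "__main__":
    domain, token = sys.argv[1], sys.argv[2]
    print("DNS TXT contains token:", check_dns(domain, token))
    print("HTTP problems:", check_http(domain, token) or "none")
```

Pass the domain and the dashboard token as the two arguments. An HTML error page served with status 200 at the challenge path shows up here as both a content-type and a body problem.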

Verifying an IP address

For IP targets (e.g. internal infrastructure scans you've been authorised to perform), use the HTTP method against a service running on that IP, or contact us for the enterprise verification flow.

How long does verification last?

Verifications are permanent. Once a target is marked verified, it stays verified until you delete it from the dashboard. We don't re-check on a schedule.

Removing a target

From the dashboard, click the target row and select Delete. This removes the verification immediately. Any scans you've already run against it stay in your scan history; they don't disappear with the target.

What if verification fails?

Common causes: