AWS ROUTE 53 · MCP-NATIVE

Route 53 ops, MCP-native. Without leaving the editor — or your IaC.

Authwright is the MCP server for AWS Route 53 — hosted zones, record sets, ACM certificates, DNSSEC — driven from Claude, Cursor, or ChatGPT. Diff before write. Snapshot before edit. Designed to complement your Terraform, not replace it.

Early access · Route 53 ingest in development

A real Route 53 implementation. IAM-scoped, ACM-aware, snapshot-protected.

mcp · authwright + route 53
  1. what's the current A record for api-staging.acme.com?
  2. zone Z1D633PJN98FT9 · ttl 60s
  3. A 10.0.12.44, 10.0.12.45
  4. change to 10.0.13.0/24 alias
  5. dns_changeset_preview ready · 2 mods
2 live · 3 early access
  • GoDaddy
  • Namecheap (Early)
  • Cloudflare
  • Porkbun (Early)
  • Route 53 (Early)
Route 53 is taking waitlist signups.

THE CONSOLE TAB

Your DNS lives in Terraform. Your runtime questions live in the console.

You did the right thing — Route 53 in Terraform, ACM certs requested via IaC, hosted zones versioned in git. And it works. Until production wants a 30-second answer to "what's the current A record for api-staging?" You hit the AWS console. You click through three nav levels. You find the zone. You read the row. You go back to Claude. Twenty times a day.

Authwright cuts the round trip. Ask your editor. Get the answer. Make the change if you decide to. Snapshot is automatic. Terraform still owns the canonical config — Authwright just talks to the same API in the moments when Terraform is the wrong shape.

Terraform is for the audit trail. MCP is for the conversation.

42 TOOLS, ONE MCP SESSION

Route 53 + ACM, callable from your editor.

42 MCP tools wired to the Route 53 API and ACM, callable from any MCP-compatible AI client.

  • list_zones(): Hosted zones and their records, with a diff-friendly structured shape your model can summarize.
  • dns_changeset(): Edit record sets with dns_changeset_preview before every write. Snapshots stored per zone, rollback is one call.
  • dnssec_ksk(): Toggle DNSSEC at the hosted-zone level via the standard Route 53 KSK flow.
  • acm_expiry(): Surface ACM certificates about to expire. ACM has no revoke verb, only delete — Authwright surfaces that clearly.
  • ns_drift(): Cross-check your zones against your domain registration. Nameserver drift between registrar and hosted zone is a common silent failure.
  • health_score(): 0-100 score on expiry, DNSSEC, SSL, MX, SPF, DKIM, DMARC, MTA-STS, BIMI.
  • email_auth(): And — if you want — set up email authentication on a domain in one call.

You stay in your editor. The AWS console becomes the place you visit twice a year.

MCP, not SaaS

If your team lives in Claude, Cursor, or ChatGPT, this is the tool your stack was missing.

Every other DMARC vendor shipped a web dashboard in 2019 and never looked up. Authwright is built as a Model Context Protocol server — which means it's callable directly from the AI environments your operators already use.

A tech in Cursor can resolve a deliverability ticket without opening a browser tab. A founder in Claude can onboard a new client domain in a single prompt.

This is not a wrapper around someone else's API. It's a first-class MCP server designed for the way technical teams actually work in 2026.

Claude Code · Lookup online
> Set up DMARC on acme.com with a reject policy.

Lookup calling email_auth_wizard...
  [ok] diagnose - score 32/100
  [ok] propose - 4 changes (SPF, DKIM, DMARC, MTA-STS)
  [ok] apply   - GoDaddy adapter, snapshot saved
  [ok] host    - mta-sts.acme.com live
  [ok] propagation - 8/8 resolvers
  [ok] re-diagnose - score 94/100

Email EasyPass complete in 47s.

What makes it different

Four things the console and Terraform won't do together.

  • 01 CONVERSATION

    Conversational reads at production scale.

    "What's the current TTL on the api record in the acme-prod zone?" — one question. The model resolves the zone, returns the answer. No console tabs.

  • 02 COMPLEMENT

    Diff-before-write that complements Terraform.

    For the interactive edits Terraform isn't the right shape for, you still get a structured diff and a per-zone rollback snapshot. Your audit trail doesn't have a hole in it.

  • 03 IAC_AWARE

    IaC-aware where it matters.

    Authwright surfaces the records Terraform manages versus records added out-of-band, so you don't accidentally fight your own state file.

  • 04 REGISTRAR

    Every registrar, one tool surface.

    The same DNS verbs work on GoDaddy, Namecheap, Cloudflare, Porkbun, and Route 53 — useful when you're consolidating zones from acquired entities.

Pricing

Priced for the way platform teams actually work.

Per-account pricing, not per-seat. Same tools, same pricing, every registrar.

RECOMMENDED
Team · $99 /mo
25 domains · 5 registrars
  • RBAC + SSO
  • Up to 10 seats
  • 30-day snapshots
Free · $0 /mo
1 domain · 1 registrar
  • Public audit, unlimited
  • MCP server access
  • 7-day snapshots
Pro · $29 /mo
5 domains · 1 registrar
  • Everything in Free
  • 30-day snapshots
  • Email + chat support
Agency · $299 /mo
100 domains · 15 registrars
  • Multi-tenant workspaces
  • Priority support
Agency Plus · $799 /mo
500 domains · unlimited
  • Dedicated success mgr
  • 99.95% SLA
Enterprise · Talk to us
500+ · unlimited
  • Custom contract
  • VPC peering

Free public audit

Not ready to sign up? Audit a domain in 30 seconds.

Drop any domain into our free checker. We'll show you the current DMARC posture, SPF lookup count, DKIM selector status, MTA-STS presence, and a grade against the current Gmail and Yahoo requirements. No login. No email gate. No upsell pop-up.

FAQ

Questions Route 53 engineers actually ask.

Technically accurate against the broker's capability matrix. If something is unsupported: today, we say so here.

Q1. What IAM permissions does Authwright need?
A scoped IAM user (or role, via IRSA / OIDC federation) with route53:* on the hosted zones you care about, plus acm:Describe* / acm:List* / acm:DeleteCertificate if you want cert lifecycle. We never ask for * and never need anything outside DNS + ACM.
Q2. Does this conflict with my Terraform state?
No, but you should know what it does: Authwright issues writes against the same AWS API Terraform uses. If you write a record through Authwright and Terraform doesn't know about it, the next terraform plan will show drift. Pattern: Authwright for interactive reads + occasional reactive edits; Terraform for the canonical config.
Q3. ACM has no revoke — what does Authwright do?
We surface this explicitly. revoke_certificate on a Route 53/ACM target returns unsupported: with a hint to call delete_certificate instead. ACM certs are deleted from inventory, not revoked.
Q4. Can Authwright register new domains on Route 53?
Yes — Route 53 Registrar registration is exposed (search, check availability, purchase). Note that Route 53 Registrar privacy is a registration-time setting only.
Q5. DNSSEC on Route 53 requires a KSK — does Authwright handle that?
Yes. enable_dnssec walks the KSK creation + parent registrar NS update flow. We surface the parent-registrar step clearly if your domain is registered elsewhere.
Q6. What about Route 53 Resolver / private hosted zones?
Public hosted zones are first-class. Private hosted zones are partially supported — list and read work; some write paths are gated behind VPC association requirements we surface as preconditions. Full private-zone support is roadmap.
Q7. I have domains across Route 53 and other registrars. One tool?
One MCP session, registrar-agnostic call signatures. The same replace_dns_records works on Route 53 zones and GoDaddy zones in the same conversation.
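
One way to check, before attaching it, that an IAM policy stays inside the scope described in Q1. This is an added example, not Authwright's code: the function names, the sample policies and the zone ID ZEXAMPLE123 are constructed for illustration, and the check assumes "the hosted zones you care about" means explicit hosted-zone ARNs with no wildcard.

```python
import fnmatch
import re

# Scope from the Q1 answer: any Route 53 action but only on named hosted zones; ACM limited to describe, list, delete.
ALLOWED_ACM = ("acm:describe*", "acm:list*", "acm:deletecertificate")
ZONE_ARN = re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$")

def _as_list(value):
    """IAM accepts a bare string (or single statement) as well as a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _acm_ok(action):
    # A wildcard passes only if it is exactly an allowed pattern; a concrete action must match one.
    if "*" in action or "?" in action:
        return action in ALLOWED_ACM
    return any(fnmatch.fnmatchcase(action, p) for p in ALLOWED_ACM)

def audit_policy(policy):
    """Return findings; an empty list means the policy fits the stated scope."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource in an Allow")
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in (a.lower() for a in _as_list(stmt.get("Action"))):
            service = action.split(":", 1)[0]
            if service == "route53":
                bad = [r for r in resources if not ZONE_ARN.match(r)]
                if bad:
                    findings.append(f"statement {i}: {action} on {bad}")
            elif service == "acm":
                if not _acm_ok(action):
                    findings.append(f"statement {i}: {action} exceeds ACM scope")
            else:
                findings.append(f"statement {i}: {action} is outside DNS + ACM")
    return findings

# Constructed sample policies; the zone ID is a placeholder.
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "route53:*",
     "Resource": "arn:aws:route53:::hostedzone/ZEXAMPLE123"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["acm:Describe*", "acm:List*", "acm:DeleteCertificate"]}]}
BROAD = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:ChangeResourceRecordSets", "acm:*", "s3:GetObject"]}]}
```

Route 53 actions that do not support resource-level permissions (for example route53:ListHostedZones) have to be granted on `*`, so expect them in the findings and review them by hand.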

Early access

Get early access to Authwright for Route 53.

Route 53 portal ingest is in development. Join the waitlist and we'll reach out the day it ships.

We reply within one business day. No drip campaigns. No reseller calls.