Transfer secret, also known as EPP Code, is a randomly generated complex code by a domain registrar which can contain numbers, letters and special characters. Registrars are only permitted to provide the code to the registered owner of the domain as it appears on a whois query. The EPP code is required together with the transfer request to ensure that only the registered domain owner. The official domain contact information is sometimes not current or correct, or may be privacy-protected, but in any event is not very useful to control transfers because administration of domains is done remotely, via the Internet and high speed network.
The code is officially called an AuthInfo Code and an Auth-Info code by ICANN and registry operators. It is alternatively called an auth code, a transfer key, a transfer secret, an EPP code, EPPT authentication code, or EPP authorization code. See Extensible Provisioning Protocol Transfer.
"This is official notification that the RRP Protocol has been decommissioned from the Com/Net Production Environments during scheduled maintenance on October 28, 2006... All Transfer requests submitted after October 28 will require AuthInfo in order to initiate a transfer request. In the scenario where the domain name does not have an AuthInfo assigned the Losing Registrar must assign an AuthInfo code before the Gaining Registrar can initiate the transfer request."The code supports transferring any domain in the above top-level domains from one Registrar to another. If the code is not provided, then those domains generally cannot be transferred. The code helps identify the domain name holder; it does not constitute transfer approval.
Transfers take place within ten days, but usually less than five days.
When getting a new registrar, it is prudent to locate the auth-info code and procedure early. Registrars may assume your only interest in the code is so you can take your business away, and might impede your getting your code when you have only a few days left before losing your domain. They might call the code something else (foiling searches), leave it off FAQs, and ignore your emails, and resellers may be even less helpful. Find out in the beginning and keep this important information safe and secure (at the risk that they'll change the method but at least you'll have a starting point). Internic can be used to file complaints if needed, but ICANN does not resolve individual customer complaints. No centralized Internet authority effectively resolves end-user problems. Due diligence before selecting a registrar is important.
However, each registrar handles the Transfer-Out process differently, and in some cases will only supply the code at the time it is needed. Because registrars discourage transfers out, it may be necessary to pretend to start the process in order to learn the particular details.
In order to successfully transfer a domain, it is vital to remember how to log in with the registrar, and to ensure that the registered admin contact email is current and working. There is typically a transfer domain lock mechanism within the administration interface at the registrar, which must be unlocked for a successful transfer.
Registry operators may have their own provisions in agreements with registrars; those agreements may be posted on operators' websites.
Registrars may also use additional Transaction Auth Codes, e.g. to validate transactions such as allowing a domain to be pushed into one account from another account, within the registrar.