diff --git a/providers/dns/nitrado/internal/client.go b/providers/dns/nitrado/internal/client.go
new file mode 100644
index 000000000..bf0137a49
--- /dev/null
+++ b/providers/dns/nitrado/internal/client.go
@@ -0,0 +1,137 @@
+package internal
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/go-acme/lego/v4/providers/dns/internal/errutils"
+	"github.com/go-acme/lego/v4/providers/dns/internal/useragent"
+)
+
+const defaultBaseURL = "https://api.nitrado.net"
+
+// Client the Nitrado API client.
+type Client struct {
+	token string
+
+	BaseURL    *url.URL
+	HTTPClient *http.Client
+}
+
+// NewClient creates a new Client.
+func NewClient(token string) (*Client, error) {
+	if token == "" {
+		return nil, errors.New("credentials missing")
+	}
+
+	baseURL, _ := url.Parse(defaultBaseURL)
+
+	return &Client{
+		token:      token,
+		BaseURL:    baseURL,
+		HTTPClient: &http.Client{Timeout: 10 * time.Second},
+	}, nil
+}
+
+// InsertRecord inserts a DNS record.
+// https://doc.nitrado.net/#api-Domain-Insert_DNS_records
+func (c *Client) InsertRecord(ctx context.Context, domain string, record Record) error {
+	endpoint := c.BaseURL.JoinPath("domain", domain, "records")
+
+	req, err := newJSONRequest(ctx, http.MethodPost, endpoint, record)
+	if err != nil {
+		return err
+	}
+
+	return c.do(req, nil)
+}
+
+// DeleteRecord deletes a DNS record.
+// https://doc.nitrado.net/#api-Domain-Delete_DNS_records
+func (c *Client) DeleteRecord(ctx context.Context, domain string, record Record) error {
+	endpoint := c.BaseURL.JoinPath("domain", domain, "records")
+
+	req, err := newJSONRequest(ctx, http.MethodDelete, endpoint, record)
+	if err != nil {
+		return err
+	}
+
+	return c.do(req, nil)
+}
+
+func (c *Client) do(req *http.Request, result any) error {
+	useragent.SetHeader(req.Header)
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.token))
+
+	resp, err := c.HTTPClient.Do(req)
+	if err != nil {
+		return errutils.NewHTTPDoError(req, err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode/100 != 2 {
+		return parseError(req, resp)
+	}
+
+	if result == nil {
+		return nil
+	}
+
+	raw, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return errutils.NewReadResponseError(req, resp.StatusCode, err)
+	}
+
+	err = json.Unmarshal(raw, result)
+	if err != nil {
+		return errutils.NewUnmarshalError(req, resp.StatusCode, raw, err)
+	}
+
+	return nil
+}
+
+func newJSONRequest(ctx context.Context, method string, endpoint *url.URL, payload any) (*http.Request, error) {
+	buf := new(bytes.Buffer)
+
+	if payload != nil {
+		err := json.NewEncoder(buf).Encode(payload)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create request JSON body: %w", err)
+		}
+	}
+
+	req, err := http.NewRequestWithContext(ctx, method, endpoint.String(), buf)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create request: %w", err)
+	}
+
+	req.Header.Set("Accept", "application/json")
+
+	if payload != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+
+	return req, nil
+}
+
+func parseError(req *http.Request, resp *http.Response) error {
+	raw, _ := io.ReadAll(resp.Body)
+
+	var errAPI APIError
+
+	err := json.Unmarshal(raw, &errAPI)
+	if err != nil {
+		return errutils.NewUnexpectedStatusCodeError(req, resp.StatusCode, raw)
+	}
+
+	return &errAPI
+}
diff --git a/providers/dns/nitrado/internal/client_test.go b/providers/dns/nitrado/internal/client_test.go
new file mode 100644
index 000000000..c0777f712
--- /dev/null
+++ b/providers/dns/nitrado/internal/client_test.go
@@ -0,0 +1,86 @@
+package internal
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/go-acme/lego/v4/platform/tester/servermock"
+	"github.com/stretchr/testify/require"
+)
+
+func mockBuilder() *servermock.Builder[*Client] {
+	return servermock.NewBuilder[*Client](
+		func(server *httptest.Server) (*Client, error) {
+			client, err := NewClient("secret")
+			if err != nil {
+				return nil, err
+			}
+
+			client.BaseURL, _ = url.Parse(server.URL)
+			client.HTTPClient = server.Client()
+
+			return client, nil
+		},
+		servermock.CheckHeader().
+			WithJSONHeaders().
+			WithAuthorization("Bearer secret"),
+	)
+}
+
+func TestClient_InsertRecord(t *testing.T) {
+	client := mockBuilder().
+		Route("POST /domain/example.com/records",
+			servermock.ResponseFromFixture("insert_record.json"),
+			servermock.CheckRequestJSONBodyFromFixture("insert_record-request.json"),
+		).
+		Build(t)
+
+	record := Record{
+		Name:    "_acme-challenge",
+		Type:    "TXT",
+		Content: "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY",
+		TTL:     "120",
+	}
+
+	err := client.InsertRecord(t.Context(), "example.com", record)
+	require.NoError(t, err)
+}
+
+func TestClient_InsertRecord_error(t *testing.T) {
+	client := mockBuilder().
+		Route("POST /domain/example.com/records",
+			servermock.ResponseFromFixture("error.json").
+				WithStatusCode(http.StatusUnauthorized),
+		).
+		Build(t)
+
+	record := Record{
+		Name:    "_acme-challenge",
+		Type:    "TXT",
+		Content: "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY",
+		TTL:     "120",
+	}
+
+	err := client.InsertRecord(t.Context(), "example.com", record)
+	require.EqualError(t, err, "error: Access token not valid. access_token_not_valid: {}")
+}
+
+func TestClient_DeleteRecord(t *testing.T) {
+	client := mockBuilder().
+		Route("DELETE /domain/example.com/records",
+			servermock.ResponseFromFixture("delete_record.json"),
+			servermock.CheckRequestJSONBodyFromFixture("delete_record-request.json"),
+		).
+		Build(t)
+
+	record := Record{
+		Name:    "_acme-challenge",
+		Type:    "TXT",
+		Content: "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY",
+	}
+
+	err := client.DeleteRecord(t.Context(), "example.com", record)
+	require.NoError(t, err)
+}
diff --git a/providers/dns/nitrado/internal/fixtures/delete_record-request.json b/providers/dns/nitrado/internal/fixtures/delete_record-request.json
new file mode 100644
index 000000000..ace5d1bf7
--- /dev/null
+++ b/providers/dns/nitrado/internal/fixtures/delete_record-request.json
@@ -0,0 +1,5 @@
+{
+  "name": "_acme-challenge",
+  "type": "TXT",
+  "content": "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY"
+}
diff --git a/providers/dns/nitrado/internal/fixtures/delete_record.json b/providers/dns/nitrado/internal/fixtures/delete_record.json
new file mode 100644
index 000000000..441bb5154
--- /dev/null
+++ b/providers/dns/nitrado/internal/fixtures/delete_record.json
@@ -0,0 +1,4 @@
+{
+  "status": "success",
+  "message": "Inserted successfully"
+}
diff --git a/providers/dns/nitrado/internal/fixtures/error.json b/providers/dns/nitrado/internal/fixtures/error.json
new file mode 100644
index 000000000..2cc66950b
--- /dev/null
+++ b/providers/dns/nitrado/internal/fixtures/error.json
@@ -0,0 +1,8 @@
+{
+  "status": "error",
+  "message": "Access token not valid.",
+  "data": {
+    "error_code": "access_token_not_valid",
+    "error_details": {}
+  }
+}
diff --git a/providers/dns/nitrado/internal/fixtures/insert_record-request.json b/providers/dns/nitrado/internal/fixtures/insert_record-request.json
new file mode 100644
index 000000000..fb5c44602
--- /dev/null
+++ b/providers/dns/nitrado/internal/fixtures/insert_record-request.json
@@ -0,0 +1,6 @@
+{
+  "name": "_acme-challenge",
+  "type": "TXT",
+  "content": "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY",
+  "ttl": "120"
+}
diff --git a/providers/dns/nitrado/internal/fixtures/insert_record.json b/providers/dns/nitrado/internal/fixtures/insert_record.json
new file mode 100644
index 000000000..441bb5154
--- /dev/null
+++ b/providers/dns/nitrado/internal/fixtures/insert_record.json
@@ -0,0 +1,4 @@
+{
+  "status": "success",
+  "message": "Inserted successfully"
+}
diff --git a/providers/dns/nitrado/internal/types.go b/providers/dns/nitrado/internal/types.go
new file mode 100644
index 000000000..d85b9523c
--- /dev/null
+++ b/providers/dns/nitrado/internal/types.go
@@ -0,0 +1,40 @@
+package internal
+
+import (
+	"encoding/json"
+	"strings"
+)
+
+type APIResponse[T any] struct {
+	Status  string `json:"status"`
+	Message string `json:"message"`
+	Data    T      `json:"data"`
+}
+
+type ErrorInfo struct {
+	ErrorCode    string          `json:"error_code"`
+	ErrorDetails json.RawMessage `json:"error_details"`
+}
+
+type APIError APIResponse[ErrorInfo]
+
+func (a *APIError) Error() string {
+	var msg strings.Builder
+
+	msg.WriteString(a.Status)
+	msg.WriteString(": ")
+	msg.WriteString(a.Message)
+	msg.WriteString(" ")
+	msg.WriteString(a.Data.ErrorCode)
+	msg.WriteString(": ")
+	msg.Write(a.Data.ErrorDetails)
+
+	return msg.String()
+}
+
+type Record struct {
+	Name    string `json:"name,omitempty"`
+	Type    string `json:"type,omitempty"`
+	Content string `json:"content,omitempty"`
+	TTL     string `json:"ttl,omitempty"`
+}
diff --git a/providers/dns/nitrado/nitrado.go b/providers/dns/nitrado/nitrado.go
new file mode 100644
index 000000000..e8159a666
--- /dev/null
+++ b/providers/dns/nitrado/nitrado.go
@@ -0,0 +1,155 @@
+// Package nitrado implements a DNS provider for solving the DNS-01 challenge using Nitrado.
+package nitrado
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+	"github.com/go-acme/lego/v4/providers/dns/internal/clientdebug"
+	"github.com/go-acme/lego/v4/providers/dns/nitrado/internal"
+)
+
+// Environment variables names.
+const (
+	envNamespace = "NITRADO_"
+
+	EnvToken = envNamespace + "TOKEN"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
+)
+
+// Config is used to configure the creation of the DNSProvider.
+type Config struct {
+	Token string
+
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int
+	HTTPClient         *http.Client
+}
+
+// NewDefaultConfig returns a default configuration for the DNSProvider.
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, dns01.DefaultPropagationTimeout),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+		HTTPClient: &http.Client{
+			Timeout: env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+		},
+	}
+}
+
+// DNSProvider implements the challenge.Provider interface.
+type DNSProvider struct {
+	config *Config
+	client *internal.Client
+}
+
+// NewDNSProvider returns a DNSProvider instance configured for Nitrado.
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvToken)
+	if err != nil {
+		return nil, fmt.Errorf("nitrado: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.Token = values[EnvToken]
+
+	return NewDNSProviderConfig(config)
+}
+
+// NewDNSProviderConfig return a DNSProvider instance configured for Nitrado.
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("nitrado: the configuration of the DNS provider is nil")
+	}
+
+	client, err := internal.NewClient(config.Token)
+	if err != nil {
+		return nil, fmt.Errorf("nitrado: %w", err)
+	}
+
+	if config.HTTPClient != nil {
+		client.HTTPClient = config.HTTPClient
+	}
+
+	client.HTTPClient = clientdebug.Wrap(client.HTTPClient)
+
+	return &DNSProvider{
+		config: config,
+		client: client,
+	}, nil
+}
+
+// Present creates a TXT record using the specified parameters.
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("nitrado: could not find zone for domain %q: %w", domain, err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("nitrado: %w", err)
+	}
+
+	record := internal.Record{
+		Name:    subDomain,
+		Type:    "TXT",
+		Content: info.Value,
+		TTL:     strconv.Itoa(d.config.TTL),
+	}
+
+	err = d.client.InsertRecord(context.Background(), dns01.UnFqdn(authZone), record)
+	if err != nil {
+		return fmt.Errorf("nitrado: insert record: %w", err)
+	}
+
+	return nil
+}
+
+// CleanUp removes the TXT record matching the specified parameters.
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("nitrado: could not find zone for domain %q: %w", domain, err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("nitrado: %w", err)
+	}
+
+	record := internal.Record{
+		Name:    subDomain,
+		Type:    "TXT",
+		Content: info.Value,
+	}
+
+	err = d.client.DeleteRecord(context.Background(), dns01.UnFqdn(authZone), record)
+	if err != nil {
+		return fmt.Errorf("nitrado: delete record: %w", err)
+	}
+
+	return nil
+}
+
+// Timeout returns the timeout and interval to use when checking for DNS propagation.
+// Adjusting here to cope with spikes in propagation times.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
diff --git a/providers/dns/nitrado/nitrado.toml b/providers/dns/nitrado/nitrado.toml
new file mode 100644
index 000000000..711cfc3e0
--- /dev/null
+++ b/providers/dns/nitrado/nitrado.toml
@@ -0,0 +1,22 @@
+Name = "Nitrado"
+Description = ''''''
+URL = "https://server.nitrado.net/"
+Code = "nitrado"
+Since = "v4.32.0"
+
+Example = '''
+NITRADO_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
+lego --dns nitrado -d '*.example.com' -d example.com run
+'''
+
+[Configuration]
+  [Configuration.Credentials]
+    NITRADO_TOKEN = "Token"
+  [Configuration.Additional]
+    NITRADO_POLLING_INTERVAL = "Time between DNS propagation check in seconds (Default: 2)"
+    NITRADO_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation in seconds (Default: 60)"
+    NITRADO_TTL = "The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)"
+    NITRADO_HTTP_TIMEOUT = "API request timeout in seconds (Default: 30)"
+
+[Links]
+  API = "https://doc.nitrado.net/"
diff --git a/providers/dns/nitrado/nitrado_test.go b/providers/dns/nitrado/nitrado_test.go
new file mode 100644
index 000000000..f2818d1d1
--- /dev/null
+++ b/providers/dns/nitrado/nitrado_test.go
@@ -0,0 +1,165 @@
+package nitrado
+
+import (
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/go-acme/lego/v4/platform/tester"
+	"github.com/go-acme/lego/v4/platform/tester/servermock"
+	"github.com/stretchr/testify/require"
+)
+
+const envDomain = envNamespace + "DOMAIN"
+
+var envTest = tester.NewEnvTest(EnvToken).WithDomain(envDomain)
+
+func TestNewDNSProvider(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		envVars  map[string]string
+		expected string
+	}{
+		{
+			desc: "success",
+			envVars: map[string]string{
+				EnvToken: "secret",
+			},
+		},
+		{
+			desc:     "missing credentials",
+			envVars:  map[string]string{},
+			expected: "nitrado: some credentials information are missing: NITRADO_TOKEN",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			defer envTest.RestoreEnv()
+
+			envTest.ClearEnv()
+
+			envTest.Apply(test.envVars)
+
+			p, err := NewDNSProvider()
+
+			if test.expected == "" {
+				require.NoError(t, err)
+				require.NotNil(t, p)
+				require.NotNil(t, p.config)
+				require.NotNil(t, p.client)
+			} else {
+				require.EqualError(t, err, test.expected)
+			}
+		})
+	}
+}
+
+func TestNewDNSProviderConfig(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		token    string
+		expected string
+	}{
+		{
+			desc:  "success",
+			token: "secret",
+		},
+		{
+			desc:     "missing credentials",
+			expected: "nitrado: credentials missing",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			config := NewDefaultConfig()
+			config.Token = test.token
+
+			p, err := NewDNSProviderConfig(config)
+
+			if test.expected == "" {
+				require.NoError(t, err)
+				require.NotNil(t, p)
+				require.NotNil(t, p.config)
+				require.NotNil(t, p.client)
+			} else {
+				require.EqualError(t, err, test.expected)
+			}
+		})
+	}
+}
+
+func TestLivePresent(t *testing.T) {
+	if !envTest.IsLiveTest() {
+		t.Skip("skipping live test")
+	}
+
+	envTest.RestoreEnv()
+
+	provider, err := NewDNSProvider()
+	require.NoError(t, err)
+
+	err = provider.Present(envTest.GetDomain(), "", "123d==")
+	require.NoError(t, err)
+}
+
+func TestLiveCleanUp(t *testing.T) {
+	if !envTest.IsLiveTest() {
+		t.Skip("skipping live test")
+	}
+
+	envTest.RestoreEnv()
+
+	provider, err := NewDNSProvider()
+	require.NoError(t, err)
+
+	err = provider.CleanUp(envTest.GetDomain(), "", "123d==")
+	require.NoError(t, err)
+}
+
+func mockBuilder() *servermock.Builder[*DNSProvider] {
+	return servermock.NewBuilder(
+		func(server *httptest.Server) (*DNSProvider, error) {
+			config := NewDefaultConfig()
+			config.Token = "secret"
+			config.HTTPClient = server.Client()
+
+			p, err := NewDNSProviderConfig(config)
+			if err != nil {
+				return nil, err
+			}
+
+			p.client.BaseURL, _ = url.Parse(server.URL)
+
+			return p, nil
+		},
+		servermock.CheckHeader().
+			WithJSONHeaders().
+			WithAuthorization("Bearer secret"),
+	)
+}
+
+func TestDNSProvider_Present(t *testing.T) {
+	provider := mockBuilder().
+		Route("POST /domain/example.com/records",
+			servermock.ResponseFromInternal("insert_record.json"),
+			servermock.CheckRequestJSONBodyFromInternal("insert_record-request.json"),
+		).
+		Build(t)
+
+	err := provider.Present("example.com", "abc", "123d==")
+	require.NoError(t, err)
+}
+
+func TestDNSProvider_CleanUp(t *testing.T) {
+	provider := mockBuilder().
+		Route("DELETE /domain/example.com/records",
+			servermock.ResponseFromInternal("delete_record.json"),
+			servermock.CheckRequestJSONBodyFromInternal("delete_record-request.json"),
+		).
+		Build(t)
+
+	err := provider.CleanUp("example.com", "abc", "123d==")
+	require.NoError(t, err)
+}