diff --git a/src/dns/caas.js b/src/dns/caas.js
index c07191b2c..15ee955a8 100644
--- a/src/dns/caas.js
+++ b/src/dns/caas.js
@@ -27,6 +27,10 @@ function getFqdn(location, domain) {
 
 function removePrivateFields(domainObject) {
     domainObject.config.token = domains.SECRET_PLACEHOLDER;
+
+    // do not return the 'key'. in caas, this is private
+    delete domainObject.fallbackCertificate.key;
+
     return domainObject;
 }
 
diff --git a/src/domains.js b/src/domains.js
index ee550c532..ac1d630d2 100644
--- a/src/domains.js
+++ b/src/domains.js
@@ -459,7 +459,6 @@ function waitForDnsRecord(location, domain, type, value, options, callback) {
 // removes all fields that are strictly private and should never be returned by API calls
 function removePrivateFields(domain) {
     var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate', 'locked');
-    if (result.fallbackCertificate) delete result.fallbackCertificate.key;  // do not return the 'key'. in caas, this is private
     return api(result.provider).removePrivateFields(result);
 }