Custom Domains
Overview
Key Concepts
- Configure Auth0 services to work your custom domain.
- Complete the verification process for your custom domain through Auth0 Dashboard.
- Check the table of features that work with custom domain.
- Review how custom domains work with URIs and token requests.
- Decide if you are going to manage your certificates or if you want Auth0 to manage certificates for you.
login.YOUR_DOMAIN.com instead of YOUR_DOMAIN.auth0.com. The custom domain in Auth0 is like a “mask” for your tenant domain URL.
You can configure your custom domain when you create your tenant or you can add a custom domain to an existing implementation with minor code and configuration changes.
Benefits of using a custom domain
With a custom domain, your users feel confident that they are providing their credentials to the right party. Authentication happens within the context of your brand which helps you build brand loyalty. Users are not redirected to a third-party site that breaks the branding context. This prevents users from becoming confused about whether they are still making a transaction or operation with you. Containing your authentication services in one place makes your application architecture more maintainable. Applications gain only the access they need and authentication services scale easily. Other security benefits of using a custom domain include:- Some browsers, by default, make it difficult to communicate in an iFrame if you don’t have a shared domain.
- It’s harder to phish your domain if you have a vanity URL because the phisher must create a vanity URL to mimic yours. For example, with a custom domain, you can use your own certificate to get an Extended Validation, making phishing harder.
How it works
You configure a custom domain on the Auth0 Dashboard > Branding > Custom Domains tab in the . Add your custom domain, choose your certification type and follow the instructions. You will complete a verification process for your domain that varies depending on whether you use an Auth0-managed or a self-managed certificate. When you create a CNAME, you must declare it to Auth0 so that Auth0 can verify it and use the custom domain. After you configure and verify the custom domain, you must configure the Auth0 features to use the new custom domain.To set up a free custom domain, Auth0 tenants must have a valid credit card on file for verification purposes and fraud prevention. The credit card will not be charged.
login.YOUR_DOMAIN.com to YOUR_DOMAIN.auth0.com.
Auth0 does not provide a static list of IP addresses because they are subject to change. We recommend that you add your custom domain to the Allow List instead.
YOUR_DOMAIN.auth0.com will continue to work. After the change, your users must log in again because existing sessions will no longer be valid. In addition, users may need to delete the browser cookie associated with your custom domain if errors are present during login. If you use embedded Lock or an SDK, you can choose to use the standard domain setting or a custom domain.
Your custom domain must abide by HTTP best practices. If the field order is not correct, you could potentially send duplicate headers. See RFC 7230 HTTP/1.1 Message Syntax Routing - Field Order for details.
Custom domains and authentication
The following Auth0 authentication features support the use of custom domains.| Feature or Flow | Details |
|---|---|
| Universal Login | For a seamless and secure user experience |
| MFA | All factors |
| Guardian | Android SDK/Swift SDK/MFA Widget version 1.3.3/Guardian.js version 1.3.0 or later |
| Emails | Links included in the emails use your custom domain |
| Connections | Database, social, Google Workspace, Azure AD, ADFS, AD/LDAP |
| Version 11 with cross-origin authentication | |
| With Universal Login (The email link sent using the custom domain if the option is enabled in Dashboard > Tenant Settings > Custom Domains.) | |
| Connections and applications | |
| WS-Federation | Auth0 as identity provider using WS-Fed add-on |
| OAuth 2.0/OIDC-Compliant flows | Using the /authorize and /oauth/token endpoints |
Custom domains and URIs
Auth0 uses certain metadata endpoints for interoperability and configuration of third-party and applications. When the metadata contains URIs that point back to Auth0, the URL can be either the Auth0 subdomain or your custom domain depending on the hostname you used to request the metadata. For example: To learn more, review Redirect Users After Login. This flexibility applies to the following authentication scenarios:- Configure Applications with OpenID Connect Discovery
- Configure Auth0 as SAML Service Provider
- Configure Auth0 as SAML Identity Provider
Custom domains and token requests
Auth0 issues tokens with theiss claim for the domain you used with the token request. For example:
If you obtain an for the using an with your custom domain, you must call the Management API using the custom domain or your token will be considered invalid. The token’s iss claim is independent of the . Audience values remain the same for tokens obtained using a custom domain. To learn more about tokens, review Management API Access Tokens.
Certificate management options
Auth0-managed certificates
Auth0 can manage the certificates for your custom domain and manage the SSL handshake directly. You add a CNAME record on the domain, Auth0 validates the record and generates the certificate on Auth0 servers. The certificate renews automatically every three months. Once verified, configure your Auth0 features to start using your custom domain. To learn more, review Configure Custom Domains with Auth0-Managed Certificates.Self-managed certificates
You can obtain and manage your own certificates in Custom Domains. In this case, you are responsible for handling SSL certificates and setting up and managing a reverse proxy to send content to Auth0. Auth0 negotiates SSL with the proxy not directly with the end-user client. The proxy, in turn, negotiates SSL with the end-user. To prevent someone from trying to use your Auth0 account from a domain you don’t own, Auth0 needs to validate that the domain belongs to you: You need to provide Auth0 with a header (cname-api-key) to validate. You must be an Auth0 Enterprise subscriber to use this option.
Auth0 provides instructions to configure a reverse proxy for the following providers: