Overview

Key Concepts
  • Configure Auth0 services to work your custom domain.
  • Complete the verification process for your custom domain through Auth0 Dashboard.
  • Check the table of features that work with custom domain.
  • Review how custom domains work with URIs and token requests.
  • Decide if you are going to manage your certificates or if you want Auth0 to manage certificates for you.
You can use your own domain name (also known as a CNAME or vanity URL) on authentication pages. A lets you unify the login experience with your own brand and products. Your users see a URL that displays your brand such as login.YOUR_DOMAIN.com instead of YOUR_DOMAIN.auth0.com. The custom domain in Auth0 is like a “mask” for your tenant domain URL. You can configure your custom domain when you create your tenant or you can add a custom domain to an existing implementation with minor code and configuration changes.

Benefits of using a custom domain

With a custom domain, your users feel confident that they are providing their credentials to the right party. Authentication happens within the context of your brand which helps you build brand loyalty. Users are not redirected to a third-party site that breaks the branding context. This prevents users from becoming confused about whether they are still making a transaction or operation with you. Containing your authentication services in one place makes your application architecture more maintainable. Applications gain only the access they need and authentication services scale easily. Other security benefits of using a custom domain include:
  • Some browsers, by default, make it difficult to communicate in an iFrame if you don’t have a shared domain.
  • It’s harder to phish your domain if you have a vanity URL because the phisher must create a vanity URL to mimic yours. For example, with a custom domain, you can use your own certificate to get an Extended Validation, making phishing harder.

How it works

You configure a custom domain on the Auth0 Dashboard > Branding > Custom Domains tab in the . Add your custom domain, choose your certification type and follow the instructions. You will complete a verification process for your domain that varies depending on whether you use an Auth0-managed or a self-managed certificate. When you create a CNAME, you must declare it to Auth0 so that Auth0 can verify it and use the custom domain. After you configure and verify the custom domain, you must configure the Auth0 features to use the new custom domain.
To set up a free custom domain, Auth0 tenants must have a valid credit card on file for verification purposes and fraud prevention. The credit card will not be charged.
Auth0 recommends that you create your custom domain during the development phase (before you go to production) so that you can ensure that you have managed the CNAME correctly. For example, you can create a CNAME that maps login.YOUR_DOMAIN.com to YOUR_DOMAIN.auth0.com.
Auth0 does not provide a static list of IP addresses because they are subject to change. We recommend that you add your custom domain to the Allow List instead.
You can update an existing tenant to use a custom domain. Your existing integrations using YOUR_DOMAIN.auth0.com will continue to work. After the change, your users must log in again because existing sessions will no longer be valid. In addition, users may need to delete the browser cookie associated with your custom domain if errors are present during login. If you use embedded Lock or an SDK, you can choose to use the standard domain setting or a custom domain.
Your custom domain must abide by HTTP best practices. If the field order is not correct, you could potentially send duplicate headers. See RFC 7230 HTTP/1.1 Message Syntax Routing - Field Order for details.

Custom domains and authentication

The following Auth0 authentication features support the use of custom domains.
Feature or FlowDetails
Universal LoginFor a seamless and secure user experience
MFAAll factors
GuardianAndroid SDK/Swift SDK/MFA Widget version 1.3.3/Guardian.js version 1.3.0 or later
EmailsLinks included in the emails use your custom domain
ConnectionsDatabase, social, Google Workspace, Azure AD, ADFS, AD/LDAP
Version 11 with cross-origin authentication
With Universal Login (The email link sent using the custom domain if the option is enabled in Dashboard > Tenant Settings > Custom Domains.)
Connections and applications
WS-FederationAuth0 as identity provider using WS-Fed add-on
OAuth 2.0/OIDC-Compliant flowsUsing the /authorize and /oauth/token endpoints

Custom domains and URIs

Auth0 uses certain metadata endpoints for interoperability and configuration of third-party and applications. When the metadata contains URIs that point back to Auth0, the URL can be either the Auth0 subdomain or your custom domain depending on the hostname you used to request the metadata. For example:
If you useReference Inside Metadata
https://travel0.auth0.com/.well-known/...https://travel0.auth0.com/...
https://travel0.auth0.com/samlp/metadata/...https://travel0.auth0.com/...
https://login.travel0.com/samlp/metadata/...https://login.travel0.com/...
To learn more, review Redirect Users After Login. This flexibility applies to the following authentication scenarios:

Custom domains and token requests

Auth0 issues tokens with the iss claim for the domain you used with the token request. For example:
If you useClaim value for iss
https://travel0.auth0.com/authorize...
https://travel0.auth0.com/oauth/token...		https://travel0.auth0.com/
https://login.travel0.com/authorize...
https://login.travel0.com/oauth/token...		https://login.travel0.com/
If you obtain an for the using an with your custom domain, you must call the Management API using the custom domain or your token will be considered invalid. The token’s iss claim is independent of the . Audience values remain the same for tokens obtained using a custom domain. To learn more about tokens, review Management API Access Tokens.

Certificate management options

Auth0-managed certificates

Auth0 can manage the certificates for your custom domain and manage the SSL handshake directly. You add a CNAME record on the domain, Auth0 validates the record and generates the certificate on Auth0 servers. The certificate renews automatically every three months. Once verified, configure your Auth0 features to start using your custom domain. To learn more, review Configure Custom Domains with Auth0-Managed Certificates.

Self-managed certificates

You can obtain and manage your own certificates in Custom Domains. In this case, you are responsible for handling SSL certificates and setting up and managing a reverse proxy to send content to Auth0. Auth0 negotiates SSL with the proxy not directly with the end-user client. The proxy, in turn, negotiates SSL with the end-user. To prevent someone from trying to use your Auth0 account from a domain you don’t own, Auth0 needs to validate that the domain belongs to you: You need to provide Auth0 with a header (cname-api-key) to validate. You must be an Auth0 Enterprise subscriber to use this option. Auth0 provides instructions to configure a reverse proxy for the following providers:

Learn more