Custom Domains
Overview
Key Concepts
Configure Auth0 services to work your custom domain.
Complete the verification process for your custom domain through Auth0 Dashboard.
Check the table of features that work with custom domain.
Review how custom domains work with URIs and token requests.
Decide if you are going to manage your certificates or if you want Auth0 to manage certificates for you.
You can use your own domain name (also known as a CNAME or vanity URL) on authentication pages. A custom domain lets you unify the login experience with your own brand and products. Your users see a URL that displays your brand such as login.YOUR_DOMAIN.com
instead of YOUR_DOMAIN.auth0.com.
The custom domain in Auth0 is like a "mask" for your tenant domain URL.
You can configure your custom domain when you create your tenant or you can add a custom domain to an existing implementation with minor code and configuration changes.
Benefits of using a custom domain
With a custom domain, your users feel confident that they are providing their credentials to the right party. Authentication happens within the context of your brand which helps you build brand loyalty. Users are not redirected to a third-party site that breaks the branding context. This prevents users from becoming confused about whether they are still making a transaction or operation with you.
Containing your authentication services in one place makes your application architecture more maintainable. Applications gain only the access they need and authentication services scale easily. Other security benefits of using a custom domain include:
Some browsers, by default, make it difficult to communicate in an iFrame if you don't have a shared domain.
It's harder to phish your domain if you have a vanity URL because the phisher must create a vanity URL to mimic yours. For example, with a custom domain, you can use your own certificate to get an Extended Validation, making phishing harder.
How it works
You configure a custom domain on the Auth0 Dashboard > Branding > Custom Domains tab in the Auth0 Dashboard. Add your custom domain, choose your certification type and follow the instructions. You will complete a verification process for your domain that varies depending on whether you use an Auth0-managed or a self-managed certificate. When you create a CNAME, you must declare it to Auth0 so that Auth0 can verify it and use the custom domain. After you configure and verify the custom domain, you must configure the Auth0 features to use the new custom domain.
Auth0 recommends that you create your custom domain during the development phase (before you go to production) so that you can ensure that you have managed the CNAME correctly. For example, you can create a CNAME that maps login.YOUR_DOMAIN.com
to YOUR_DOMAIN.auth0.com
.
You can update an existing tenant to use a custom domain. Your existing integrations using YOUR_DOMAIN.auth0.com
will continue to work. After the change, your users must log in again because existing sessions will no longer be valid. In addition, users may need to delete the browser cookie associated with your custom domain if errors are present during login. If you use embedded Lock or an SDK, you can choose to use the standard domain setting or a custom domain.
Custom domains and authentication
The following Auth0 authentication features support the use of custom domains.
Feature or Flow | Details |
---|---|
Universal Login | For a seamless and secure user experience |
MFA | All factors |
Guardian | Android SDK/Swift SDK/MFA Widget version 1.3.3/Guardian.js version 1.3.0 or later |
Emails | Links included in the emails use your custom domain |
Connections | Database, social, Google Workspace, Azure AD, ADFS, AD/LDAP |
Lock | Version 11 with cross-origin authentication |
Passwordless | With Universal Login (The email link sent using the custom domain if the option is enabled in Dashboard > Tenant Settings > Custom Domains.) |
SAML | Connections and applications |
WS-Federation | Auth0 as identity provider using WS-Fed add-on |
OAuth 2.0/OIDC-Compliant flows | Using the /authorize and /oauth/token endpoints |
Custom domains and URIs
Auth0 uses certain metadata endpoints for interoperability and configuration of third-party identity providers and applications. When the metadata contains URIs that point back to Auth0, the URL can be either the Auth0 subdomain or your custom domain depending on the hostname you used to request the metadata. For example:
If you use | Reference Inside Metadata |
---|---|
https://travel0.auth0.com/.well-known/... |
https://travel0.auth0.com/... |
https://travel0.auth0.com/samlp/metadata/... |
https://travel0.auth0.com/... |
https://login.travel0.com/samlp/metadata/... |
https://login.travel0.com/... |
To learn more, review Redirect Users After Login.
This flexibility applies to the following authentication scenarios:
Custom domains and token requests
Auth0 issues tokens with the iss
claim for the domain you used with the token request. For example:
If you use | Claim value for iss |
---|---|
https://travel0.auth0.com/authorize... https://travel0.auth0.com/oauth/token... |
https://travel0.auth0.com/ |
https://login.travel0.com/authorize... https://login.travel0.com/oauth/token... |
https://login.travel0.com/ |
If you obtain an access token for the Management API using an authorization flow with your custom domain, you must call the Management API using the custom domain or your token will be considered invalid. The token's iss
claim is independent of the audience. Audience values remain the same for tokens obtained using a custom domain. To learn more about tokens, review Management API Access Tokens.
Certificate management options
Auth0-managed certificates
Auth0 can manage the certificates for your custom domain and manage the SSL handshake directly. You add a CNAME record on the domain, Auth0 validates the record and generates the certificate on Auth0 servers. The certificate renews automatically every three months. Once verified, configure your Auth0 features to start using your custom domain. To learn more, review Configure Custom Domains with Auth0-Managed Certificates.
Self-managed certificates
You can obtain and manage your own certificates in Custom Domains. In this case, you are responsible for handling SSL certificates and setting up and managing a reverse proxy to send content to Auth0. Auth0 negotiates SSL with the proxy not directly with the end-user client. The proxy, in turn, negotiates SSL with the end-user. To prevent someone from trying to use your Auth0 account from a domain you don't own, Auth0 needs to validate that the domain belongs to you: You need to provide Auth0 with a header (cname-api-key
) to validate. You must be an Auth0 Enterprise subscriber to use this option.
Auth0 provides instructions to configure a reverse proxy for the following providers: