The following document details the requirements of DNS records used for Appliance instances.

Important: DNS records must be finalized for all of the tenants prior to Appliance deployment. They cannot be changed afterwards.

Sample DNS Naming Scheme

Management Dashboard manage-project.yourdomain.com
Root Tenant Authority rta-project.yourdomain.com
App Tenant(s) app1-project.yourdomain.com;

For a dev/test non-production Appliance a common practice is to append “-dev” to the hostname component in the domain name:

Management Dashboard (Dev) manage-dev-project.yourdomain.com
Root Tenant Authority (Dev) rta-dev-project.yourdomain.com
App Tenant(s) (Dev) app1-dev-project.yourdomain.com;

Definitions of Terms Used in the DNS Naming Scheme

  • Root Tenant Authority (RTA): highly-privileged tenant used to do the Appliance baseline configuration and for managing the security of other tenants;
  • App: the name of your application;
  • Project: the name of the overarching project or department;
  • yourdomain.com: your organization's domain name.


The Auth0 Appliance is capable of supporting multi-tenancy (that is, each tenant may have one or more associated apps). Auth0 may recommend this deployment model when multiple groups within your company share the Appliance for different projects. If a customer decides to create multiple app tenants, each app tenant must have its own DNS entry.

DNS Configuration Requirements

IP Addresses and DNS Records

In a standard multi-node cluster deployment, the DNS records will point to the IP address of the load balancer in front of the cluster.

For a single-node Appliance instance, the DNS record(s) will point to the IP address of the virtual machine itself (this is often the case for the development/test node).

Auth0 does not recommend using the same wildcard certificate(s) for Production and non-Production (Test/Development) environments or mapping the DNS for both environments to the same servers.


The hostname (e.g. manage-project.yourdomain.com) must be at least three characters long and must not contain any underscores(_).

The following are reserved tenant names and may not be used for the app tenant.

login admin app manage blog
ftp mail pop pop3 imap
smtp stage stats status dev
logs www docs sdk ci
docker styleguide ask it cdn
api releases release spf feedback
help support int

The Management Dashboard, Configuration Tenant, and App Tenant(s) must all be a part of the same parent domain (e.g. yourdomain.com).

Three- or four-part domain names are supported (e.g. manage.project.yourdomain.com).

Custom Domains

In the Appliance, you may map any arbitrary domain name to a tenant using the Custom Domains feature. You may also map multiple custom domains to a single tenant.

Suppose these were your standard domains:

Root Tenant Authority Sample Tenant Custom Domain for the Sample Tenant
config.example.com auth.example.com new-name.not-example.com

Please note that all tenant names are derived from the base RTA. However, you may set your custom domain to point toward any of your tenants (in the example above, new-name.not-example.com maps to auth.example.com, and the latter may be used by your clients).