PSaaS Appliance: Webtask with Dedicated Domains

Some extensions, such as the Authorization Extension, required us to enable full trust in your PSaaS environment to run correctly.

Beginning with PSaaS Appliance version 13451, you may now configure Webtask on a dedicated domain. This enables you to safely use extensions in multi-tenant environments (the behavior is akin to that of the Auth0 Public Cloud Service).

If you do not use Webtask or Web Extensions, you do not need to implement Webtask dedicated domains.

To configure Webtask on a dedicated domain, you will need to set up a DNS zone to host the name entries for each tenant. As with the authentication domain, the Webtask dedicated domain requires a valid certificate issued by a public certificate authority (CA). If you're not certain how many tenants you'll be hosting, we recommend using a wildcard certificate such as *.your-webtask-dedicated-domain.

This will give to each container a URL of the form:


For example, let's say that your tenant name is acme and your Webtask dedicated domain is If you create a container named hello, your Webtask URL will be

Note that you can still use the original Webtask URL (for example, The primary difference is that, during runtime, the Webtask will remove any headers bearing cookies from the request.


For each environment (such as Development, Testing, or Production), you will need:

  • A certificate for your Webtask dedicated domain
  • A DNS zone for each domain to manage the name records of your tenants

Sample Architecture

To clarify the requirements, let's look at a sample setup.

The following are applicable to your environment as it current exists:

  • Your Production environment is accessible via
  • Your primary Auth0 tenant is
  • Your current certificate is (or similar)

You plan to implement the following change:

  • You want a Webtask dedicated domain configured to be

To implement your change, you'll need:

  • A DNS zone for *
  • A certificate with the names of all your tenants or a wildcard certificate for *

Once complete, you'll be able to use the following for all containers under your primary tenant: