Custom Domains

If you have a paid Auth0 subscription, you can use your own domain name (also known as a CNAME or vanity URL) on authentication pages. A custom domain lets you unify the login experience with your own brand and products. Your users see a URL that displays your brand such as login.YOUR_DOMAIN.com instead of YOUR_DOMAIN.auth0.com. The custom domain in Auth0 is like a "mask" for your tenant domain URL.

You can configure your custom domain when you create your tenant or you can add a custom domain to an existing implementation with minor code and configuration changes.

Limited Access

Your Auth0 subscription plan and the login method you choose can affect feature availability. To learn more, read:

Benefits of using a custom domain

With a custom domain, your users feel confident that they are providing their credentials to the right party. Authentication happens within the context of your brand which helps you build brand loyalty. Users are not redirected to a third-party site that breaks the branding context. This prevents users from becoming confused about whether they are still making a transaction or operation with you.

Containing your authentication services in one place makes your application architecture more maintainable. Applications gain only the access they need and authentication services scale easily. Other security benefits of using a custom domain include:

  • Some browsers, by default, make it difficult for a page and an iframe to communicate if they don't share a domain.

  • It's harder to phish your domain if you have a vanity URL, because the phisher must create a vanity URL of their own to mimic yours. For example, with a custom domain you can use your own certificate to obtain Extended Validation, which makes phishing harder.

How it works

You configure a custom domain in the Auth0 Dashboard under Tenant Settings > Custom Domains. Add your custom domain, choose your certificate type and follow the instructions. You will complete a verification process for your domain that varies depending on whether you use an Auth0-managed or a self-managed certificate. When you create a CNAME, you must declare it to Auth0 so that Auth0 can verify it and use the custom domain. After you configure and verify the custom domain, you must configure the Auth0 features to use the new custom domain.

Auth0 recommends that you create your custom domain during the development phase (before you go to production) so that you can ensure that you have managed the CNAME correctly. For example, you can create a CNAME that maps login.YOUR_DOMAIN.com to YOUR_DOMAIN.auth0.com.

Auth0 does not provide a static list of IP addresses because they are subject to change. We recommend that you add your custom domain to the Allow List instead.

You can update an existing tenant to use a custom domain. Your existing integrations using YOUR_DOMAIN.auth0.com will continue to work. After the change, your users must log in again because existing sessions will no longer be valid. If you use embedded Lock or an SDK, you can choose to use the standard domain setting or a custom domain.

Your custom domain must abide by HTTP best practices. If header field order is not correct, you could send duplicate headers. See RFC 7230, HTTP/1.1 Message Syntax and Routing, section 3.2.2 (Field Order), for details.

Custom domains and authentication

The following Auth0 authentication features support the use of custom domains.

Feature or Flow                 Details
Universal Login                 For a seamless and secure user experience
MFA                             All factors
Guardian                        MFA Widget version 1.3.3/Guardian.js version 1.3.0 or later
Emails                          Links included in the emails use your custom domain
Connections                     Database, social, Google Workspace, Azure AD, ADFS, AD/LDAP
Lock                            Version 11 with cross-origin authentication
Passwordless                    With Universal Login (the email link is sent using the custom domain if the option is enabled in Dashboard > Tenant Settings > Custom Domains)
SAML                            Connections and applications
WS-Federation                   Auth0 as identity provider using the WS-Fed add-on
OAuth 2.0/OIDC-compliant flows  Using the /authorize and /oauth/token endpoints

Custom domains and URIs

Auth0 uses certain metadata endpoints for interoperability and configuration of third-party identity providers and applications. When the metadata contains URIs that point back to Auth0, the URL can be either the Auth0 subdomain or your custom domain depending on the hostname you used to request the metadata. For example:

If you use                                     Reference inside metadata
https://travel0.auth0.com/.well-known/...      https://travel0.auth0.com/...
https://travel0.auth0.com/samlp/metadata/...   https://travel0.auth0.com/...
https://login.travel0.com/samlp/metadata/...   https://login.travel0.com/...

To learn more, review Redirect Users After Login.

This flexibility applies to the following authentication scenarios:

Custom domains and token requests

Auth0 issues tokens with the iss claim for the domain you used with the token request. For example:

If you use                                 Claim value for iss
https://travel0.auth0.com/authorize...     https://travel0.auth0.com/
https://travel0.auth0.com/oauth/token...   https://travel0.auth0.com/
https://login.travel0.com/authorize...     https://login.travel0.com/
https://login.travel0.com/oauth/token...   https://login.travel0.com/

If you obtain an access token for the Management API using an authorization flow with your custom domain, you must call the Management API using the custom domain or your token will be considered invalid. The token's iss claim is independent of the audience. Audience values remain the same for tokens obtained using a custom domain. To learn more about tokens, review Management API Access Tokens.
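As an added example (not Auth0's code), a small Python check that models the issuer rule above: it parses a token's claims, compares iss with the host the token was requested from, and derives the only host a Management API token may be sent to. The hosts and the unsigned token builder are constructed sample data; a real token must still have its signature verified by a JWT library using the JWKS of the same host.

```python
import base64
import json

# Hosts taken from the page's examples; constructed sample data, not a live tenant.
TENANT_DOMAIN = "travel0.auth0.com"
CUSTOM_DOMAIN = "login.travel0.com"
# Audience does not change with the domain used: it stays the tenant's Management API.
MGMT_AUDIENCE = f"https://{TENANT_DOMAIN}/api/v2/"


def expected_issuer(request_host: str) -> str:
    """iss is the scheme + host used for /authorize or /oauth/token, with a trailing slash."""
    return f"https://{request_host}/"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Parse the payload only; this is a policy check, not a trust check.
    Signature verification belongs to a JWT library fed the JWKS of the same host."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches(claims: dict, request_host: str) -> bool:
    """True only if iss equals the domain the client actually requested the token from."""
    return claims.get("iss") == expected_issuer(request_host)


def management_api_host_for(claims: dict) -> str:
    """A Management API token must be sent to the host named in its iss, even though
    aud stays the tenant domain. Returns that host so callers cannot pick the wrong one."""
    iss = claims["iss"]
    if not iss.startswith("https://") or not iss.endswith("/"):
        raise ValueError("unexpected iss format")
    return iss[len("https://"):-1]


def constructed_token(request_host: str) -> str:
    """Build an unsigned (alg=none) sample token shaped like Auth0's, for illustration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"iss": expected_issuer(request_host), "aud": MGMT_AUDIENCE, "sub": "user|123"}
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."
```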

Certificate management options

Auth0-managed certificates

Auth0 can manage the certificates for your custom domain and handle the SSL handshake directly. You add a CNAME record on the domain; Auth0 validates the record and generates the certificate on Auth0 servers. The certificate renews automatically every three months. Once the domain is verified, configure your Auth0 features to start using your custom domain. To learn more, review Configure Custom Domains with Auth0-Managed Certificates.

Self-managed certificates

You can obtain and manage your own certificates in Custom Domains. In this case, you are responsible for handling SSL certificates and for setting up and managing a reverse proxy that forwards traffic to Auth0. Auth0 negotiates SSL with the proxy, not directly with the end-user client; the proxy, in turn, negotiates SSL with the end-user. To prevent someone from using your Auth0 account from a domain you don't own, Auth0 needs to validate that the domain belongs to you: your proxy must send Auth0 a header (cname-api-key) for that validation. You must be an Auth0 Enterprise subscriber to use this option.

Auth0 provides instructions to configure a reverse proxy for the following providers:

Learn more