Custom Domains

You can use your own domain name (also known as a CNAME or vanity URL) on authentication pages. A custom domain lets you unify the login experience with your own brand and products. Your users see a URL that displays your brand such as login.YOUR_DOMAIN.com instead of YOUR_DOMAIN.auth0.com. The custom domain in Auth0 is like a "mask" for your tenant domain URL.

You can configure your custom domain when you create your tenant or you can add a custom domain to an existing implementation with minor code and configuration changes.

With a custom domain, your users feel confident that they are providing their credentials to the right party. Authentication happens within the context of your brand which helps you build brand loyalty. Users are not redirected to a third-party site that breaks the branding context. This prevents users from becoming confused about whether they are still making a transaction or operation with you.

Containing your authentication services in one place makes your application architecture more maintainable. Applications gain only the access they need and authentication services scale easily. Other security benefits of using a custom domain include:

• Some browsers, by default, make it difficult to communicate in an iFrame if you don't have a shared domain.

• It's harder to phish your domain if you have a vanity URL because the phisher must create a vanity URL to mimic yours. For example, with a custom domain, you can use your own certificate to get an Extended Validation, making phishing harder.

You configure a custom domain on the Auth0 Dashboard > Branding > Custom Domains tab in the Auth0 Dashboard. Add your custom domain, choose your certification type and follow the instructions. You will complete a verification process for your domain that varies depending on whether you use an Auth0-managed or a self-managed certificate. When you create a CNAME, you must declare it to Auth0 so that Auth0 can verify it and use the custom domain. After you configure and verify the custom domain, you must configure the Auth0 features to use the new custom domain.

Auth0 recommends that you create your custom domain during the development phase (before you go to production) so that you can ensure that you have managed the CNAME correctly. For example, you can create a CNAME that maps login.YOUR_DOMAIN.com to YOUR_DOMAIN.auth0.com.

You can update an existing tenant to use a custom domain. Your existing integrations using YOUR_DOMAIN.auth0.com will continue to work. After the change, your users must log in again because existing sessions will no longer be valid. In addition, users may need to delete the browser cookie associated with your custom domain if errors are present during login. If you use embedded Lock or an SDK, you can choose to use the standard domain setting or a custom domain.

The following Auth0 authentication features support the use of custom domains.

Auth0 uses certain metadata endpoints for interoperability and configuration of third-party identity providers and applications. When the metadata contains URIs that point back to Auth0, the URL can be either the Auth0 subdomain or your custom domain depending on the hostname you used to request the metadata. For example:

To learn more, review Redirect Users After Login.

This flexibility applies to the following authentication scenarios:

• Configure Applications with OpenID Connect Discovery

• Configure Auth0 as SAML Service Provider

• Configure Auth0 as SAML Identity Provider

Auth0 issues tokens with the iss claim for the domain you used with the token request. For example:

If you obtain an access token for the Management API using an authorization flow with your custom domain, you must call the Management API using the custom domain or your token will be considered invalid. The token's iss claim is independent of the audience. Audience values remain the same for tokens obtained using a custom domain. To learn more about tokens, review Management API Access Tokens.

Auth0 can manage the certificates for your custom domain and manage the SSL handshake directly. You add a CNAME record on the domain, Auth0 validates the record and generates the certificate on Auth0 servers. The certificate renews automatically every three months. Once verified, configure your Auth0 features to start using your custom domain. To learn more, review Configure Custom Domains with Auth0-Managed Certificates.

You can obtain and manage your own certificates in Custom Domains. In this case, you are responsible for handling SSL certificates and setting up and managing a reverse proxy to send content to Auth0. Auth0 negotiates SSL with the proxy not directly with the end-user client. The proxy, in turn, negotiates SSL with the end-user. To prevent someone from trying to use your Auth0 account from a domain you don't own, Auth0 needs to validate that the domain belongs to you: You need to provide Auth0 with a header (cname-api-key) to validate. You must be an Auth0 Enterprise subscriber to use this option.

Auth0 provides instructions to configure a reverse proxy for the following providers:

• Google Cloud Platform with Load Balancing

• Cloudflare

• AWS CloudFront

• Azure CDN

• Configure Features to Use Custom Domains
• Configure Custom Domains with Auth0-Managed Certificates
• Configure Custom Domains with Self-Managed Certificates
• Troubleshoot Custom Domains
• Migrate Private Cloud Custom Domains