Auth0 allows you to map the domain for your tenant to a custom domain of your choosing. This allows you to maintain a consistent experience for your users by keeping them on your domain instead of redirecting or using Auth0's domain.

For example, if your Auth0 domain is northwind.auth0.com, you can have your users to see, use, and remain on login.northwind.com.

It is recommended that you use custom domains with Universal Login for the most seamless and secure experience for your end users. Check the Universal Login documentation to see if your plan and use case support custom domains.

• This feature is not available for free plans. To configure a custom domain you have to upgrade your account to any paid plan
• You must register and own the domain name to which you are mapping your Auth0 domain

Currently, the following Auth0 features and flows support the use of custom domains:

• OAuth 2.0/OIDC-Compliant flows (those using the /authorize and /oauth/token endpoints)
• Guardian (MFA Widget Version 1.3.3/Guardian.js Version 1.3.0 or later)
• Emails (the links included in the emails will use your custom domain)
• Database and social connections
• Lock 11 with cross-origin authentication
• Passwordless connections with Universal Login (The email link will be sent using the custom domain if the option is enabled in Tenant Settings > Custom Domains)
• Google Apps connections
• SAML connections and applications
• WS-Fed clients (Auth0 as IDP using WS-Fed Add-on)
• Azure AD connections
• ADFS connections
• AD/LDAP connections

Auth0 offers two certificate management options.

• Auth0-Managed Certificates: Auth0-managed certificates are those where Auth0 will manage the creation and renewal of the certificates for your custom domain. This is the simplest custom domains deployment option, and the scope of this document

• Self-Managed Certificates: Self-managed certificates are available for enterprise customers only. Choosing this option means that you are responsible for managing your SSL/TLS certificates and configuring a reverse proxy to handle SSL termination and forwarding requests to Auth0.

Setting up your custom domain using Auth0-managed certificates requires you to do the following steps:

1. Provide your domain name to Auth0
2. Verify ownership
3. Complete feature-specific setup

Log in to the Dashboard and go to Tenant Settings. Click over to the Custom Domains tab.

Enter your custom domain in the provided box and select Auth0-managed certificates. Click Add Domain.

Before you can use this domain, you'll need to verify that you own your domain. To do this, you need to add the CNAME verification record listed in the Dashboard to your domain's DNS record.

When you've done so, click Verify to proceed.

If Auth0 was able to verify your domain name, you'll see a confirmation window.

This means the verification process is complete and within 1 to 2 minutes, your custom domain should be ready to use.

There may be additional steps you must complete depending on which Auth0 features you are using. See the Additional Configuration for Custom Domains document for more information.

1. If I use a custom domain, will I still be able to use my YOUR_AUTH0_DOMAIN domain to access Auth0?

Yes, you will be able to use either the default YOUR_AUTH0_DOMAIN or your custom domain. There are however a few exceptions:

• If you are using embedded lock or an SDK, the configuration is pre-defined as using either your custom domain or the YOUR_AUTH0_DOMAIN domain, so you have to use one or the other
• If you start a session in YOUR_AUTH0_DOMAIN, and go to custom-domain.com, the user will have to login again

2. How many custom domains can I use per tenant?

Currently, each tenant on the Auth0 public cloud supports one custom domain.

3. Can you provide me a static list of IP addresses for my custom domain so I can whitelist them?

We cannot provide a static list of IP addresses as they are subject to change. Our recommendation is to whitelist your custom domain instead.

If you are seeing errors, refer to the following troubleshooting steps.

If you continue to see this error in the Dashboard, make sure that the CNAME record is properly configured in your domain management service.

You can confirm the configuration of your CNAME record using:

• A tool like Mxtoolbox or Google
• The dig command in your terminal

Please remember that it can take up to 48 hours for the DNS to be propagated.

Cloudflare has a service called CNAME Flattening. During the verification process, turn off the CNAME flattening process until the domain verification steps are complete to prevent IP address confusion.

If your domain, or the parent domain, already has a Certification Authority Authorization (CAA) record, then you have to add another one for letsencrypt.org.

The reason for that is that Auth0 uses letsencrypt.org to sign certificates so if it's not authorized to issue certificates for your domain, the custom domain functionality will not work for you.

To add a new CAA record and whitelist letsencrypt.org use the following:

"0 issue \"letsencrypt.org\""

If your application issues an /authorize request with audience=https://login.northwind.com/userinfo, the server will return a Service not found: https://login.northwind.com/userinfo error. This is because even if you set a custom domain the API identifier for the /userinfo endpoint remains https://{YOUR_ORIGINAL_AUTH0_DOMAIN}/userinfo.

To fix this your app should instead use audience=https://{YOUR_ORIGINAL_AUTH0_DOMAIN}/userinfo. You can also remove this audience=[...]/userinfo parameter altogether if your application is flagged as OIDC-Conformant in the OAuth2 tab of the application's Advanced Settings.

If you are using Internet Explorer, you may see any of the following error messages:

• "No verifier returned from client"
• "Origin header required"
• "Failed cross origin authentication"

When both the Auth0 domain and the app domain are in the same trusted or local intranet zone, Internet Explorer does not treat the request as a cross-domain request and therefore does not send the cross-origins header.

If you see any of these errors and you are using Embedded Login, you can move one of the sites out of the trusted or local intranet zone. To do this:

1. Go to Internet Options > Security.
2. Select the Local Intranet Zone tab and go to Sites > Advanced. Add your domain.
3. Return to the Security tab, and make sure the proper zone has been selected.
4. Click Custom Level and look for Access data sources across domains under the Miscellaneous section. Check the radio button next to Enable..

Alternatively, you can remove reliance on cross-origin authentication by implementing Universal Login