Configure Cloudflare as Reverse Proxy

Limited Access

Your Auth0 subscription plan and the login method you choose can affect feature availability. To learn more, read:

To set up Cloudflare as a reverse proxy, a Cloudflare Enterprise Plan with the following features is required:

Auth0 recommends turning off CNAME flattening unless it's strictly necessary (see Understand and configure CNAME flattening in the Cloudflare documentation). CNAME flattening is an unsupported configuration for Auth0-managed certificates, so the custom domain may break without notice if CNAME flattening is enabled.

If you need to enable CNAME flattening for all subdomains managed by Cloudflare and also configure a specific subdomain to be an Auth0 custom domain, consider delegating the subdomain for Auth0 to another DNS provider. To learn more, read Delegating Subdomains Outside of Cloudflare in the Cloudflare documentation. This will enable you to use CNAME flattening for all subdomains except the one used for Auth0.

  1. Configure Custom Domains with Self-Managed Certificates if you haven't already. Make note of the Origin Domain Name and cname-api-key values since you'll need these later.

  2. Configure a CNAME setup with Cloudflare.

  3. Once Cloudflare has verified your domain, log in to the Cloudflare Dashboard.

  4. Create a new Cloudflare Page Rule with the following settings:

    Setting                 Entry
    Host Header Override    YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.auth0.com
    True-Client-IP          Enable

    Replace <CUSTOM_DOMAIN_ID> with the custom domain ID from the Origin Domain Name that you received from Auth0. If your tenants are not in the US region, use one of the following:
    EU: YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.eu.auth0.com
    AU: YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.au.auth0.com

  5. Create and deploy a new Cloudflare Worker for the configured CNAME using the following script:

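    // Route every request that reaches this Worker through handleRequest.
    addEventListener('fetch', event => {
        event.respondWith(handleRequest(event.request))
    })

    async function handleRequest(request) {
        // Copy the incoming request so that its headers can be modified.
        request = new Request(request)
        // Attach the key issued by Auth0; set() replaces any value the client sent.
        request.headers.set('cname-api-key', '<YOUR_CNAME_API_KEY>')
        // Forward the modified request to the origin.
        return await fetch(request)
    }
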
    Replace <YOUR_CNAME_API_KEY> with the cname-api-key you received from Auth0.
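
A variant of the step 5 Worker, as an added example that is not Auth0's script: it takes the key from a Worker secret binding instead of the source file and refuses to forward when the binding is missing. The binding name `CNAME_API_KEY` and the module-Worker form are assumptions.

```javascript
// Added example: module-style Worker variant of the script above.
// CNAME_API_KEY is an assumed secret binding name, not one defined by Auth0.
const API_KEY_HEADER = 'cname-api-key';

// Return a mutable copy of the incoming request that carries the Auth0 key.
function withCnameApiKey(request, apiKey) {
  // Without this check, headers.set() would send the literal string "undefined".
  if (typeof apiKey !== 'string' || apiKey.trim() === '') {
    throw new Error('cname-api-key secret is not configured');
  }
  const upstream = new Request(request);
  // set() replaces any cname-api-key value the client sent; append() would keep it.
  upstream.headers.set(API_KEY_HEADER, apiKey);
  return upstream;
}

const worker = {
  async fetch(request, env) {
    let upstream;
    try {
      upstream = withCnameApiKey(request, env.CNAME_API_KEY);
    } catch (err) {
      // Fail closed: do not forward to Auth0 without the key.
      return new Response('Proxy misconfigured', { status: 500 });
    }
    return fetch(upstream);
  },
};

// In a deployed module Worker this object is the default export:
// export default worker;
```

With this form the key is stored as a Worker secret rather than committed with the script, so it can be rotated without editing code.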

Configure Auth0

Use the Management API Update Custom Domain Configuration PATCH endpoint with the following body:

{
  "tls_policy": "recommended",
  "custom_client_ip_header": "true-client-ip"
}
