Troubleshoot Custom Domains

If you are seeing errors, take a look at this video on common issues with Custom Domains, or refer to the sections below for troubleshooting steps for specific scenarios.

Custom domain is still pending verification

If you continue to see this error in the Dashboard, make sure that the CNAME record is properly configured in your domain management service.

You can confirm the configuration of your CNAME record using:

It can take up to 48 hours for DNS changes to propagate.

Cloudflare CNAME Flattening

CNAME Flattening affects the Auth0 verification and certificate renewal processes due to the way it handles DNS records. We recommend turning off CNAME Flattening unless it's strictly necessary, according to the Cloudflare documentation.

"You should not be hitting this endpoint"

If you see this error when configuring a custom domain, you must perform additional configuration, which varies depending on your setup.

"Service not found"

If your application issues an /authorize request with audience=, the server will return a Service not found: error. This is because, even if you set a custom domain, the API identifier for the /userinfo endpoint remains https://{YOUR_ORIGINAL_AUTH0_DOMAIN}/userinfo.

Similarly, calls to the Management API that use your custom domain will fail for the same reason.

To fix this, your app should instead use audience=https://{YOUR_ORIGINAL_AUTH0_DOMAIN}/userinfo. You can also remove this audience=[...]/userinfo parameter altogether if your application is flagged as OIDC-Conformant in the OAuth2 tab of the application's Advanced Settings.
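The audience rule above as a pre-flight check, added here as an example (it is not Auth0's own code): the function inspects an /authorize URL and rewrites a /userinfo audience that points at the custom domain back to the original domain. The domains and client ID are constructed placeholders, and it assumes the failing audience is the custom-domain /userinfo URL.

```javascript
// Added example. All domains and the client ID below are constructed placeholders.
const CUSTOM_DOMAIN = "login.example.com";          // hypothetical custom domain
const ORIGINAL_DOMAIN = "example-tenant.auth0.com"; // hypothetical original Auth0 domain

// Classify the audience of an /authorize URL and return a corrected URL.
function checkAuthorizeAudience(authorizeUrl, customDomain, originalDomain) {
  const url = new URL(authorizeUrl);
  const audience = url.searchParams.get("audience");
  const expected = `https://${originalDomain}/userinfo`;
  if (audience === null) return { status: "no-audience", fixedUrl: url.toString() };

  let aud;
  try {
    aud = new URL(audience);
  } catch {
    // API identifiers need not be URLs; nothing to rewrite here.
    return { status: "other-api", fixedUrl: url.toString() };
  }
  // The URL parser lowercases hostnames, so compare against a lowercased domain.
  const isUserinfo = aud.pathname.replace(/\/+$/, "") === "/userinfo";
  if (isUserinfo && aud.hostname === customDomain.toLowerCase()) {
    url.searchParams.set("audience", expected);
    return { status: "rewritten", fixedUrl: url.toString() };
  }
  return { status: audience === expected ? "ok" : "other-api", fixedUrl: url.toString() };
}

// Constructed sample requests: wrong audience, correct audience, no audience.
const base = `https://${CUSTOM_DOMAIN}/authorize?response_type=code&client_id=CONSTRUCTED_CLIENT_ID&scope=openid`;
const SAMPLES = [
  `${base}&audience=${encodeURIComponent(`https://${CUSTOM_DOMAIN}/userinfo`)}`,
  `${base}&audience=${encodeURIComponent(`https://${ORIGINAL_DOMAIN}/userinfo`)}`,
  base,
];
for (const s of SAMPLES) {
  const r = checkAuthorizeAudience(s, CUSTOM_DOMAIN, ORIGINAL_DOMAIN);
  console.log(r.status, "->", r.fixedUrl);
}
```

Only the audience parameter changes; the request itself still goes to the custom domain.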

If you are using Internet Explorer, you may see any of the following error messages:

  • "No verifier returned from client"
  • "Origin header required"
  • "Failed cross origin authentication"

When both the Auth0 domain and the app domain are in the same trusted or local intranet zone, Internet Explorer does not treat the request as a cross-domain request and therefore does not send the cross-origins header.

If you see any of these errors and you are using Embedded Login, you can move one of the sites out of the trusted or local intranet zone. To do this:

  1. Go to Internet Options > Security.
  2. Select the Local Intranet Zone tab and go to Sites > Advanced. Add your domain.
  3. Return to the Security tab, and make sure the proper zone has been selected.
  4. Click Custom Level and look for Access data sources across domains under the Miscellaneous section. Check the radio button next to Enable.

Alternatively, you can remove reliance on cross-origin authentication by implementing Universal Login.