Troubleshoot Custom Domains

See the following video on common issues with custom domains and refer to the sections below for troubleshooting steps for specific scenarios.

Custom domain is still pending verification

It can take up to 48 hours for the DNS to be propagated.

  • If you continue to see this error in the Dashboard, ensure that the CNAME record is properly configured in your domain management service. You can confirm the configuration of your CNAME record using:

  • Ensure that the domain name is not already associated with an A record.

  • Ensure that no errors were made when typing or copying the CNAME record's domain name or value.

If you have ensured the above and the custom domain is still pending verification, wait 4 hours before reverifying your domain. To avoid any interruptions to your service, do not recreate the custom domain when reverifying.
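The three checks above can be run against resolver output in the `name TTL IN TYPE value` form. The following Python is an added example, not part of the Auth0 documentation. The domain, CNAME target and addresses are constructed placeholders, and the finding labels are hypothetical names.

```python
# Added example; domain, target and addresses below are constructed placeholders.

def normalize(name):
    """DNS names are case-insensitive; a trailing dot only marks the root."""
    return name.strip().rstrip(".").lower()

def parse_answers(text):
    """Parse 'name TTL IN TYPE value' lines into (owner, type, value) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue  # skip blanks, comments and anything not in the expected form
        rtype = fields[3].upper()
        value = normalize(fields[4]) if rtype == "CNAME" else fields[4]
        records.append((normalize(fields[0]), rtype, value))
    return records

def diagnose(text, domain, expected_target):
    """Return findings for the custom domain itself, ignoring records of the target."""
    domain, expected_target = normalize(domain), normalize(expected_target)
    own = [r for r in parse_answers(text) if r[0] == domain]
    cnames = [value for _, rtype, value in own if rtype == "CNAME"]
    findings = []
    # An A (or AAAA) record owned by the domain conflicts with the CNAME; this is
    # also what a flattened CNAME looks like from the outside.
    if any(rtype in ("A", "AAAA") for _, rtype, _ in own):
        findings.append("address-record-on-domain")
    if not cnames:
        findings.append("cname-missing")
    elif expected_target not in cnames:
        findings.append("cname-mismatch")  # typo or copy error in the value
    return findings or ["ok"]

DOMAIN = "login.example.com"
TARGET = "tenant-cd-placeholder.edge.example.net"

GOOD = """
login.example.com. 300 IN CNAME tenant-cd-placeholder.edge.example.net.
tenant-cd-placeholder.edge.example.net. 60 IN A 192.0.2.10
"""
TYPO = "login.example.com. 300 IN CNAME tenant-cd-placehodler.edge.example.net.\n"
FLATTENED = "login.example.com. 300 IN A 192.0.2.10\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("typo", TYPO), ("flattened", FLATTENED)):
        print(label, diagnose(sample, DOMAIN, TARGET))
```

The A record that belongs to the CNAME target in the first sample is expected and is not flagged; only records owned by the custom domain itself count.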

Cloudflare CNAME flattening

CNAME flattening affects the Auth0 verification and certificate renewal processes due to the way it handles DNS records. Enabling CNAME flattening in Cloudflare after setting up a custom domain does not prevent certificate renewal.

If you need to enable CNAME flattening for all subdomains managed by Cloudflare and also configure a specific subdomain to be an Auth0 custom domain, consider delegating the subdomain for Auth0 to another DNS provider. To learn more, read Delegating Subdomains Outside of Cloudflare in the Cloudflare documentation. This will enable you to use CNAME flattening for all subdomains except the one used for Auth0.

"You should not be hitting this endpoint"

If you see this error when configuring a custom domain, you must perform additional configuration, which varies depending on your setup. To learn more, see Configure Features to Use Custom Domains.

"Service not found"

If your application issues an /authorize request with audience=, the server will return a Service not found: error. This is because, even if you set a custom domain, the API identifier for the /userinfo endpoint remains https://{yourOriginalAuth0Domain}/userinfo.

Similarly, using your custom domain in calls to the Auth0 Management API will return an error for the same reason.

To fix this, your app should instead use audience=https://{yourOriginalAuth0Domain}/userinfo. You can also remove this audience=[...]/userinfo parameter altogether if your application is flagged as OIDC-Conformant in the OAuth2 tab of the application's Advanced Settings.

If you are using Internet Explorer, you may see any of the following error messages:

  • "No verifier returned from client"

  • "Origin header required"

  • "Failed cross origin authentication"

When both the Auth0 domain and the app domain are in the same trusted or local intranet zone, Internet Explorer does not treat the request as a cross-domain request and therefore does not send the cross-origins header.

If you see any of these errors and you are using Embedded Login, you can move one of the sites out of the trusted or local intranet zone. To do this:

  1. Go to Internet Options > Security.

  2. Select the Local Intranet Zone tab and go to Sites > Advanced. Add your domain.

  3. Return to the Security tab, and make sure the proper zone has been selected.

  4. Click Custom Level and look for Access data sources across domains under the Miscellaneous section. Check the radio button next to Enable.

Alternatively, you can remove reliance on cross-origin authentication by implementing Auth0 Universal Login.
