> ## Documentation Index
> Fetch the complete documentation index at: https://auth0-actions-triggers-prototype.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.
> Learn how to configure and manage multiple custom domains within a single Auth0 tenant for multi-brand and multi-region deployments.
# Multiple Custom Domains
export const AuthCodeGroup = ({children, dropdown}) => {
const [processedChildren, setProcessedChildren] = useState(children);
useEffect(() => {
let unsubscribe = null;
function init() {
unsubscribe = window.autorun(() => {
const processChildren = node => {
if (typeof node === "string") {
let processedNode = node;
for (const [key, value] of window.rootStore.variableStore.values.entries()) {
const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
processedNode = processedNode.replaceAll(new RegExp(escapedKey, "g"), value);
}
return processedNode;
} else if (Array.isArray(node)) {
return node.map(processChildren);
} else if (node && node.props && node.props.children) {
return {
...node,
props: {
...node.props,
children: processChildren(node.props.children)
}
};
}
return node;
};
setProcessedChildren(processChildren(children));
});
}
if (window.rootStore) {
init();
} else {
window.addEventListener("adu:storeReady", init);
}
return () => {
window.removeEventListener("adu:storeReady", init);
unsubscribe?.();
};
}, [children]);
return {processedChildren};
};
export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
const [displayText, setDisplayText] = useState(children);
const [copyText, setCopyText] = useState(children);
const wrapperRef = React.useRef(null);
useEffect(() => {
let unsubscribe = null;
function init() {
if (!window.autorun || !window.rootStore) {
return;
}
unsubscribe = window.autorun(() => {
let processedChildrenForDisplay = children;
let processedChildrenForCopy = children;
for (const [key, value] of window.rootStore.variableStore.values.entries()) {
const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
let displayValue = value;
if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
displayValue = value.substring(0, 3) + "*****MASKED*****";
}
processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
}
setDisplayText(processedChildrenForDisplay);
setCopyText(processedChildrenForCopy);
});
}
if (window.rootStore) {
init();
} else {
window.addEventListener("adu:storeReady", init);
}
return () => {
window.removeEventListener("adu:storeReady", init);
unsubscribe?.();
};
}, [children]);
useEffect(() => {
if (!wrapperRef.current) return;
const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
let isOverriding = false;
const handleClick = e => {
const button = e.target.closest('[data-testid="copy-code-button"]');
if (!button || !wrapperRef.current.contains(button)) return;
isOverriding = true;
navigator.clipboard.writeText = text => {
if (isOverriding) {
isOverriding = false;
navigator.clipboard.writeText = originalWriteText;
return originalWriteText(copyText);
}
return originalWriteText(text);
};
setTimeout(() => {
if (isOverriding) {
isOverriding = false;
navigator.clipboard.writeText = originalWriteText;
}
}, 100);
};
const wrapper = wrapperRef.current;
wrapper.addEventListener('click', handleClick, true);
return () => {
wrapper.removeEventListener('click', handleClick, true);
if (navigator.clipboard.writeText !== originalWriteText) {
navigator.clipboard.writeText = originalWriteText;
}
};
}, [copyText]);
return
{displayText}
;
};
Within Auth0, a custom domain allows you to unify the login experience with your own brand and products. Multiple Custom Domains enables you to configure multiple custom domains within a single Auth0 tenant. This feature is available for Enterprise customers on both Public Cloud and Private Cloud deployments.
## Prerequisites
Before getting started with MCD, review the requirements below:
* Your tenant is on an Enterprise plan ([Public Cloud or Private Cloud deployments](/docs/deploy-monitor/deployment-options)). For more information, see
Manage Subscriptions.
* Your Enterprise plan provides a base entitlement of up to 20 custom domains per tenant.
* Additional custom domains beyond the base entitlement are available through an add-on SKU. Please reach out to Auth0 sales for details.
* You must be able to prove ownership of the configured custom domains.
## Configure Multiple Custom Domains
You can add and manage multiple custom domains for your tenant using either the Auth0 Dashboard or the Management API.
To create a custom domain in the Auth0 Dashboard:
1. Navigate to **Auth0 Dashboard** > **Branding > Custom Domains**.
2. Select **+Add custom domain**.
3. In the configuration form, provide the following information:
* **Domain:** A [fully-qualified domain name](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) that you own. For example: `my.custom-domain.com`.
* **Certificate type:** Choose [**Auth0-managed certificates**](/docs/customize/custom-domains/auth0-managed-certificates) or [**Self-managed certificates**](/docs/customize/custom-domains/self-managed-certificates).
* **Metadata (Key/Value):** Add optional metadata like `region`, `client_name`, or `client_id`, to help organize and filter your domains.
4. Once you have configured the custom domain details, select **Save**.
Your newly added domain name will show as `pending` until verification is complete.
#### View and manage domains
The Custom Domains page displays all configured domains. You can:
* **Search**: Find domains by name using the search box
* **Filter**: Filter domains by verification status, certificate type, or metadata values
* **Sort**: Sort domains by name, creation date, or verification status
* **View details**: Click on any domain to see detailed configuration, verification status, and certificate information
* **Set default**: Designate a domain as the default domain for your tenant
These features help you efficiently manage large numbers of custom domains across your tenant.
To create a custom domain with the Management API, you need a machine-to-machine (M2M) application that is authorized to use the Management API. For more information, review [Management API Access Tokens](/docs/secure/tokens/access-tokens/management-api-access-tokens).
1. Navigate to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and select **Create Application**.
2. Enter a descriptive name for your application and choose **Machine to Machine Applications**. Then, select **Create**.
3. Switch to the **APIs** view and then enable toggle for the `Auth0 Management API`.
4. Expand the row to configure API’s permissions. For MCD, you must select the following:
* `read:custom_domains`
* `create:custom_domains`
* `update:custom_domains`
* `delete:custom_domains`
5. Select **Update**.
6. Navigate to the **Settings** tab to gather your **Client ID**, **Client Secret**, and **Domain**.
7. Review [Get Management API Access Tokens](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production) to retrieve and store your access token.
#### Create a Custom Domain
You can create a new custom domain by sending a `POST` request to the `/api/v2/custom-domains` endpoint. See the example below to create a new custom domain using the Management API explorer, using the credentials retrieved above:
```bash cURL theme={null}
curl --request POST \
--url 'https://{yourDomain}/api/v2/custom-domains' \
--header 'accept: application/json' \
--header 'authorization: Bearer {yourMgmtApiAccessToken}' \
--header 'content-type: application/json' \
--data '{
"domain": "your.example-custom-domain.com",
"type": "auth0_managed_certs",
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip",
"domain_metadata": {
"environment": "development"}
}'
```
```csharp C# theme={null}
var client = new RestClient("https://{yourDomain}/api/v2/custom-domains");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}");
request.AddHeader("content-type", "application/json");
request.AddHeader("accept", "application/json");
request.AddParameter("application/json", "{
"domain": "your.example-custom-domain.com",
"type": "auth0_managed_certs",
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip",
"domain_metadata": {
"environment": "development"}
}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```
```go Go theme={null}
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/api/v2/custom-domains"
payload := strings.NewReader("{
"domain": "your.example-custom-domain.com",
"type": "auth0_managed_certs",
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip",
"domain_metadata": {
"environment": "development"}
}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}")
req.Header.Add("content-type", "application/json")
req.Header.Add("accept", "application/json")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
```
```java Java theme={null}
HttpResponse response = Unirest.post("https://{yourDomain}/api/v2/custom-domains")
.header("authorization", "Bearer {yourMgmtApiAccessToken}")
.header("content-type", "application/json")
.header("accept", "application/json")
.body("{
"domain": "your.example-custom-domain.com",
"type": "auth0_managed_certs",
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip",
"domain_metadata": {
"environment": "development"}
}")
.asString();
```
```javascript Node.JS theme={null}
var axios = require("axios").default;
var options = {
method: 'POST',
url: 'https://{yourDomain}/api/v2/custom-domains',
headers: {
authorization: 'Bearer {yourMgmtApiAccessToken}',
'content-type': 'application/json',
accept: 'application/json'
},
data: {
domain: 'your.example-custom-domain.com',
type: 'auth0_managed_certs',
tls_policy: 'recommended',
custom_client_ip_header: 'true-client-ip',
domain_metadata: {environment: 'development'}
}
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});
```
```php PHP theme={null}
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/api/v2/custom-domains",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{
"domain": "your.example-custom-domain.com",
"type": "auth0_managed_certs",
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip",
"domain_metadata": {
"environment": "development"}
}",
CURLOPT_HTTPHEADER => [
"accept: application/json",
"authorization: Bearer {yourMgmtApiAccessToken}",
"content-type: application/json"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
```
```python Python theme={null}
import http.client
conn = http.client.HTTPSConnection("")
payload = "{
"domain": "your.example-custom-domain.com",
"type": "auth0_managed_certs",
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip",
"domain_metadata": {
"environment": "development"}
}"
headers = {
'authorization': "Bearer {yourMgmtApiAccessToken}",
'content-type': "application/json",
'accept': "application/json"
}
conn.request("POST", "/{yourDomain}/api/v2/custom-domains", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
```ruby Ruby theme={null}
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/api/v2/custom-domains")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["authorization"] = 'Bearer {yourMgmtApiAccessToken}'
request["content-type"] = 'application/json'
request["accept"] = 'application/json'
request.body = "{
"domain": "your.example-custom-domain.com",
"type": "auth0_managed_certs",
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip",
"domain_metadata": {
"environment": "development"}
}"
response = http.request(request)
puts response.read_body
```
If successful, you should see the following returned with the details of your new custom domain, including it's verification status. The `status` is initially returned as `pending`.
```json lines theme={null}
{
"custom_domain_id": "cd_abc123def456",
"domain": "your.example-custom-domain.com",
"primary": false,
"status": "pending",
"type": "auth0_managed_certs",
"verification": {
"methods": [
{
"name": "CNAME",
"record": "yourtenant.auth0.com",
"domain": "your.example-custom-domain.com"
}
]
},
"tls_policy": "recommended",
"domain_metadata": {
"environment": "development"
}
}
```
## MCD features
MCD offers many key features and functionalities to more effectively manage your Auth0 implementation and improve user experience. You are responsible for owning and registering your desired custom domains with a domain name registrar.
The [Auth0 Management API](https://auth0.com/docs/api/management/v2/custom-domains/get-custom-domains) provides comprehensive support for **Create, Read, Update, Delete, and Verify** operations for these custom domains, offering full programmatic control over their lifecycle.
MCD is supported by the following Auth0 Management SDKs: [Node.js](https://github.com/auth0/node-auth0), [Go](https://github.com/auth0/go-auth0), [Python](https://github.com/auth0/auth0-python), [Java](https://github.com/auth0/auth0-java), and [.NET](https://github.com/auth0/auth0.net). Authentication SDKs automatically work with custom domains when configured in your application.
### Default domain
When multiple custom domains are configured, you can designate a domain as the **default domain**. The default domain is used when domain info is required for Auth0 Management API endpoints but the custom domain is not explicitly specified via `auth0-custom-domain` header. This info is used to customize email notifications (e.g. password resets and email verification) with domain specifics.
To set a default domain:
1. Navigate to **Auth0 Dashboard** > **Branding > Custom Domains**
2. Find the domain you want to set as default in the list
3. Click the **Set as Default** button for that domain
You can also set the default domain using the Management API by updating a custom domain's configuration. Once set, the default domain will be automatically used for customizing email communications unless a specific domain is provided via the `auth0-custom-domain` header.
The default domain makes the `auth0-custom-domain` header optional for Management API endpoints that trigger notifications. If you don't specify a custom domain when calling these endpoints, Auth0 will automatically use the default domain for email customizations.
### Domain verification
The method for verifying domain name ownership depends on your chosen management type:
| Domain Type | Verification Method | Details |
| ------------------------------------------------------------------------------ | ------------------- | --------------------------------------------------------------------------- |
| **[Auth0-Managed](/docs/customize/custom-domains/auth0-managed-certificates)** | CNAME DNS record | Configure this record to confirm domain ownership and activate your domain. |
| **[Self-Managed](/docs/customize/custom-domains/self-managed-certificates)** | TXT DNS record | Specific TXT record details are provided in the Create API response. |
After your custom domain has been verified by Auth0, you can use it immediately to configure Auth0 features for your users. For more information, read [Configure Features to Use Custom Domains](/docs/customize/custom-domains/configure-features-to-use-custom-domains).
### Metadata for enhanced management
You can provision up to 10 metadata fields per custom domain for easier organization and future customization. In upcoming releases, these metadata fields will enable advanced customization of email templates, Universal Login, and authentication logic.
### Customize email templates
Leverage your custom domain information to personalize and brand your email templates, ensuring a consistent user experience. To facilitate this, MCD provides the `custom_domain.domain` variable for use in Liquid Syntax.
For example, you could set the **From Address** of your email template to `support@{{ custom_domain.domain }}` , which would render as `support@my.custom-domain.com`. This variable is available through Liquid Syntax in the **From Address**, **Subject**, and **Message** fields. To learn more, read [Customize Email Templates](/docs/customize/email/email-templates).
#### Customize email handling using the Management API
If you configured Multiple Custom Domains and enabled [Use Custom Domains in Emails](/docs/customize/custom-domains/configure-features-to-use-custom-domains#use-custom-domains-in-emails), the `auth0-custom-domain` HTTP header is available when using the Auth0 Management API. The header is passed as the value for the `domain object` in email templates.
The following Management API endpoints accept the `auth0-custom-domain` HTTP header:
* [Send an email address verification email](https://auth0.com/docs/api/management/v2#!/Jobs/post_verification_email)
* [Create an email verification ticket](https://auth0.com/docs/api/management/v2/tickets/post-email-verification)
* [Create invitations to an organization](https://auth0.com/docs/api/management/v2/organizations/post-invitations)
* [Create a user](https://auth0.com/docs/api/management/v2/users/post-users)
* [Create a multi-factor authentication enrollment ticket](https://auth0.com/docs/api/management/v2/guardian/post-ticket)
* [Create a password change ticket](https://auth0.com/docs/api/management/v2/tickets/post-password-change)
* [Update a user](https://auth0.com/docs/api/management/v2/users/patch-users-by-id)
For example: To create a password change ticket using Auth0 SDK for [Node.js](https://github.com/auth0/node-auth0).
```javascript lines theme={null}
import { ManagementClient, CustomDomainHeader } from "auth0";
// Client-level: auto-applies to whitelisted endpoints
const auth0 = new ManagementClient({
domain: '{yourDomain}',
clientId: '{yourClientId}',
clientSecret: '{yourClientSecret}',
withCustomDomainHeader: 'my-custom-domain.com',});
(async () => {
try {
const ticket = await auth0.tickets.changePassword({
user_id: 'auth0|abc123',
result_url: 'https://example.com/success'
});
console.log('Password change ticket created:', ticket.data.ticket);
} catch (err) {
console.error('Error creating password change ticket:', err);
}
})();
// Alternatively, use per-request override
const reqOptions = {
...CustomDomainHeader('my-custom-domain.com'),
};
const ticket = await auth0.tickets.changePassword(
{ user_id: 'auth0|abc123', result_url: 'https://example.com/success' },
reqOptions
);
```
Sample response: The custom domain is passed in the header used to generate the ticket URL.
```json lines theme={null}
{
"ticket": "https://my-custom-domain.com/u/reset-verify?ticket=abc123"
}
```
##### Response messages
When you provide the `auth0-custom-domain` HTTP header, the following additional response types are possible:
| HTTP status code | Message |
| ---------------- | ------------------------------------------------------------ |
| `409` | The tenant has multiple verified custom domains. |
| `400` | The custom domain does not exist for the tenant. |
| `400` | The `auth0-custom-domain` HTTP header has an invalid format. |
If you enable MCD and use the Auth0 Dashboard to configure email templates, the Try feature will execute using your default custom domain rather than the standard Auth0 domain.
### Application URL placeholders
You can use custom domain metadata as dynamic placeholders in application URLs such as callback URLs, logout URLs, and the Application Login URI (`initiate_login_uri`). This allows each custom domain to resolve to a different application URL at runtime. To learn more, read [Custom domain URL placeholders](/docs/get-started/applications/wildcards-for-subdomains#custom-domain-url-placeholders).
### Multiple Custom Domains with Actions
Auth0 [Actions](/docs/customize/actions) allows you to create custom logic handling of your different transactions based on the custom domain.
For example, you could create an Action that directs a user to an associated [Organization](/docs/manage-users/organizations), or enforce a specific [access control policy](/docs/customize/actions/use-cases#api-authorization).
To facilitate this, post-login Actions features the object `event.custom_domain`, which provides the custom domain being used for the authentication flow.
#### Use case: Restrict user access to an Organization based on custom domain
Store a domain allowlist and denylist (for example, `allow_domains` and `deny_domains`) in your Organization's metadata.
Create an Action that:
1. Gets the user's domain through the `event.custom_domain?.domain` property
2. Compares that domain with both lists
3. Allows or denies the user access accordingly
```js lines expandable theme={null}
exports.onExecutePostLogin = async (event, api) => {
const customDomain = event?.custom_domain?.domain;
console.log(`org ${event?.organization?.name} accessed from domain ${customDomain || event?.request?.hostname}`);
if (event?.organization?.metadata?.deny_domains && event?.organization?.metadata?.allow_domains) {
console.warn(`[WARNING] configuration issue. org ${event?.organization?.name} has both deny_domains and allow_domains`);
}
// Check either deny (A) allow (B) not both
// (A) checks org's deny_list
const isDomainDenied = () =>
(event?.organization?.metadata?.deny_domains ? event?.organization?.metadata?.deny_domains.split(',').map(d => d.trim()).includes(customDomain) : false);
if (isDomainDenied()) {
return api.access.deny(`access to org ${event?.organization?.name} not allowed on domain ${customDomain}`);
}
// (B) checks org's allow_list
const isDomainAllowed = () =>
(event?.organization?.metadata?.allow_domains ? event?.organization?.metadata?.allow_domains.split(',').map(d => d.trim()).includes(customDomain) : false);
if (!isDomainAllowed()) {
return api.access.deny(`access to org ${event?.organization?.name} not allowed on domain ${customDomain}`);
}
};
```
MCD provides access to custom domain metadata in Actions through the `event.custom_domain` object. You can use this information along with the custom domain metadata configured in your tenant to implement domain-specific logic in your Actions.
### Custom domain attributes
MCD provides the following attributes related to custom domain verification and SSL/TLS certificate management. These attributes provide granular insights into the provisioning and operational status of custom domains.
#### Updated attributes
| Attribute | Description |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `status` | A new enumeration value, `failed`, has been added to the `status` attribute. This value indicates that the custom domain verification process has encountered an error and was unsuccessful. This is in addition to the existing supported values `pending` and `ready`. |
#### New attributes
The following attributes are supported for Auth0-managed domains only:
| Attribute | Description |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `verification.status` | Status of the DNS record verification process. Possible values are: `verified`, `pending`, and `failed`. |
| `verification.error_msg` | In the event that `verification.status` indicates a failure, this string attribute will contain a human-readable error message providing context for the verification failure. |
| `verification.last_verified_at` | This timestamp attribute records the date and time of the last successful verification of the custom domain. The format of this timestamp will adhere to ISO 8601. |
| `certificate` | This object encapsulates information related to the SSL/TLS certificate associated with the custom domain. |
| `certificate.status` | This attribute indicates the current provisioning status of the SSL/TLS certificate. Possible values will include states such as `provisioning`, `provisioned`, `provisioning_failed`, and `renewing_failed`. |
| `certificate.error_msg` | If the `certificate.status` is `provisioning_failed` or `renewing_failed`, this string attribute will provide a user-friendly error message detailing the reason for the failure. |
| `certificate.certificate_authority` | This string attribute specifies the Certificate Authority that issued the SSL/TLS certificate for the custom domain. |
| `certificate.renews_before` | For Auth0-managed custom domains, this new timestamp attribute indicates the date and time before which the SSL/TLS certificate must be renewed. The format of this timestamp will adhere to ISO 8601. |
### Limitations
The following limitations apply to Multiple Custom Domains:
* **WebAuthn/Passkeys**:
* Each custom domain maintains its own passkey enrollment. A passkey enrolled on one custom domain is tied to that specific Relying Party ID (RP ID) and cannot be used across other domains.
* If a user enrolled a roaming security key under Domain A and attempts to log in via Domain B, the authentication will not simply fail. Instead, because the RP IDs do not match, the system will immediately present the user with a new enrollment screen.