Skip to main content
When using multiple custom domains, you need to configure your Auth0 SDKs to use the appropriate custom domain for authentication. This guide covers SDK configuration for different platforms and scenarios.

Key concepts

Domain parameter

All Auth0 SDKs require a domain parameter that specifies which Auth0 domain to use for authentication. When using custom domains, set this parameter to your custom domain instead of your Auth0 canonical domain. Without custom domain:
With custom domain:

Token issuer

When using a custom domain, tokens will have the iss (issuer) claim set to your custom domain:
You must configure your token validation to accept your custom domain as a valid issuer.

Authentication SDKs

When using MCD, the Customer is responsible for providing and validating all custom domains. When configuring SDKs to resolve tenant custom domains via the domain resolver functions, you are responsible for ensuring that all resolved domains are trusted. Misconfiguring the domain resolver can lead to authentication bypass on the relying party or expose the application to server-side request forgery. Failure to properly configure your domains and proxy servers can create critical security vulnerabilities for which Okta is not liable.

Auth0 SPA SDK (JavaScript)

For single-page applications using the Auth0 SPA SDK:

Next.js

For Next.js applications using the Auth0 Next.js SDK (v4+): Key concepts for MCD with Next.js:
  • Single Auth0 tenant, multiple domains: All custom domains share the same clientId and clientSecret since they belong to the same Auth0 tenant.
  • DomainResolver function: The domain parameter accepts a function (config: { headers: Headers; url?: URL }) => Promise<string> | string. This allows dynamic domain resolution per request based on the incoming request headers.
  • Instance caching: The SDK automatically caches Auth0Client instances per domain using a bounded LRU cache (max 100 entries) for performance.
  • Session isolation: Sessions created via one custom domain are isolated to that domain and cannot be used interchangeably with sessions from another domain.
  • URL parameter: The url parameter in the resolver is undefined in Server Components and Server Actions; it is only available in middleware or API routes.
  • Discovery cache tuning: Configure OIDC metadata caching with the discoveryCache option:

Auth0 React SDK

For React applications using the Auth0 React SDK:
For multi-domain scenarios:

Auth0.js

For applications using Auth0.js:

Node.js (Express)

For Node.js applications using express-openid-connect:
For multi-tenant scenarios:

Mobile SDKs

iOS (Swift)

Using Auth0.swift:
For dynamic domain selection:

Android (Kotlin)

Using Auth0.Android:
For multi-domain support:

React Native

Using react-native-auth0:

Flutter

Using flutter_auth0:

Management SDKs

Management SDKs are used to interact with the Auth0 Management API. When using custom domains, you may need to include the auth0-custom-domain header or use the default domain.

Node.js Management SDK

Python Management SDK

Go Management SDK

Token validation

When using custom domains, update your token validation to accept the custom domain as the issuer.

Node.js (Express)

Using express-jwt or jose:
For multiple custom domains:

Python (Flask)

Using python-jose:

Java (Spring Boot)

Using Spring Security:

Environment-specific configuration

Use environment variables to manage custom domains across environments:

.env file structure

Loading configuration

Troubleshooting

Common issues

IssueCauseSolution
Invalid issuer errorToken validation expects canonical domain but receives custom domainUpdate token validation to accept custom domain as issuer
JWKS fetch failsJWKS URI points to canonical domainUpdate JWKS URI to use custom domain: https://custom-domain/.well-known/jwks.json
Redirect URI mismatchCallback URL doesn’t match configured redirect URIsAdd custom domain callback URL to application settings
Cross-origin errors (CORS)Custom domain not in allowed originsAdd custom domain to Allowed Web Origins in application settings
Lock fails to loadMissing configurationBaseUrlAdd configurationBaseUrl parameter with regional CDN URL

Best practices

  1. Use environment variables: Store custom domains in environment-specific configuration files
  2. Validate multiple issuers: If using multiple custom domains, configure token validation to accept all as valid issuers
  3. Update callback URLs: Ensure all custom domains are added to Allowed Callback URLs in application settings
  4. Test thoroughly: Test authentication through each custom domain before going to production
  5. Monitor token issuers: Log and monitor the iss claim in tokens to ensure correct custom domain usage
  6. Document domain mappings: Maintain clear documentation of which applications use which custom domains
  7. Handle failures gracefully: Implement proper error handling for authentication failures
  8. Cache JWKS: Cache JWKS data to improve performance and reduce requests

Learn more