Custom Domains
Custom domains allow you to serve Auris hosted login pages, OIDC Discovery endpoints, and email links under your own domain. Instead of your users seeing the Auris platform URL during authentication, they see your branded domain — for example, auth.yourcompany.com.
Access custom domain management at Console → Settings → Custom Domains.
Why Custom Domains Matter
When a user clicks “Sign In” in your application, they are redirected to the Auris hosted login page. Without a custom domain, the browser’s address bar shows the Auris platform URL. With a custom domain:
- Trust: Users see your domain during authentication, building trust
- Branding: The entire login experience appears to be operated by your organization
- Email links: Password reset links, magic links, and verification emails come from your domain
- OIDC Discovery: The
/.well-known/openid-configurationdocument references your domain, which matters for integrations that inspect issuer URLs
Custom Domains Page Overview
The Custom Domains page displays all registered domains for your tenant:
| Column | Description |
|---|---|
| Domain | The full domain name (for example, auth.yourcompany.com) |
| Status | Verification status (Pending, Verifying, Active, Failed) |
| SSL Status | Certificate status (Pending, Active, Expired) |
| Primary | Whether this is the active primary domain (star icon) |
| Added | When the domain was registered |
Adding a Domain
Click Add Domain
From the Custom Domains page, click the Add Domain button.
Enter your domain
Type the full subdomain you want to use for authentication. This must be a subdomain — apex domains (bare domains like yourcompany.com) are not supported.
Good examples:
auth.yourcompany.comlogin.yourcompany.comid.yourcompany.comauth-staging.yourcompany.com(for staging environments)
Click Add
Auris registers the domain and generates verification instructions. The domain appears in the list with Pending status.
You can register multiple domains per tenant — for example, one for production and one for staging. However, only one domain can be set as primary at a time. The primary domain is used in all hosted login redirects and email links.
DNS Verification Flow
After adding a domain, you need to prove ownership by configuring DNS records at your DNS provider.
Viewing Required DNS Records
Click the domain in the list to open the detail view. The Verification section shows the DNS records you need to create.
Auris generates a unique verification token for your domain. You can verify using one of two methods:
CNAME Verification (Recommended)
Create a CNAME record that points your subdomain to the Auris platform hostname:
Type: CNAME
Name: auth (just the subdomain part, without your root domain)
Value: proxy.auris.example.com (shown in the Console)
TTL: 300 (5 minutes, or your provider's minimum)CNAME is the recommended method because:
- It handles both verification and routing in a single record
- Traffic for your custom domain is automatically routed to Auris
- No additional configuration is needed after verification
TXT Verification
If you cannot create a CNAME record (for example, if a CNAME already exists for the subdomain), use TXT verification:
Type: TXT
Name: _auris-verification.auth (shown in the Console)
Value: auris-verify=abc123def456 (unique token shown in the Console)
TTL: 300With TXT verification, you still need to set up routing separately (for example, via an A record or a CNAME at a different subdomain).
Copying the Verification Token
The Console provides a Copy button next to each DNS value. Click it to copy the exact string to your clipboard, avoiding typos.
DNS Propagation
After creating the DNS records at your provider, propagation typically takes:
| DNS Provider | Typical Propagation Time |
|---|---|
| Cloudflare | Immediate to 5 minutes |
| AWS Route 53 | 60 seconds |
| Google Cloud DNS | 5 minutes |
| GoDaddy | 5-30 minutes |
| Namecheap | 5-30 minutes |
| Traditional providers | Up to 48 hours |
You can verify propagation yourself using a DNS lookup tool:
dig CNAME auth.yourcompany.com
# or
nslookup -type=CNAME auth.yourcompany.comClicking Verify
Once you believe DNS has propagated:
- Return to the Custom Domains page in the Console
- Click Verify next to your domain
- Auris performs a DNS lookup to check for the expected records
If verification succeeds, the status changes to Active. If it fails, the status changes to Failed with an error message indicating what was expected versus what was found.
If verification fails, double-check: (1) the DNS record type is correct (CNAME, not A), (2) the record name matches exactly (watch for trailing dots in some DNS providers), (3) the record value matches the Console’s instructions exactly, (4) enough time has passed for DNS propagation. You can click Verify again as many times as needed.
Status Indicators
Domain Verification Status
| Status | Icon | Meaning | Action Required |
|---|---|---|---|
| Pending | Yellow dot | Domain added, DNS records not yet checked | Create DNS records at your provider, then click Verify |
| Verifying | Blue spinner | DNS lookup in progress | Wait a few seconds |
| Active | Green dot | DNS verified, domain is operational | None — domain is ready to use |
| Failed | Red dot | DNS lookup did not find expected records | Check DNS configuration and click Verify again |
| Deleted | Gray dot | Domain was removed | None — this is a terminal state |
SSL Certificate Status
Once a domain is verified, Auris automatically provisions an SSL/TLS certificate:
| Status | Meaning | Action Required |
|---|---|---|
| Pending | Certificate is being provisioned via Let’s Encrypt | Wait 1-5 minutes; automatic |
| Active | Certificate is provisioned and valid | None — HTTPS is working |
| Expired | Certificate expired (should not happen — auto-renewal failed) | Contact support; check DNS records are still correct |
SSL certificates are provisioned and renewed automatically. You do not need to purchase, upload, or manage certificates. Let’s Encrypt certificates are valid for 90 days and are renewed automatically before expiry.
Setting a Primary Domain
After a domain reaches Active status (verified with active SSL), you can set it as the primary domain:
- Click the domain in the list
- Click Set as Primary
- Confirm the change
The primary domain is used for:
| Feature | Effect |
|---|---|
| Hosted login redirect | Users are redirected to https://auth.yourcompany.com/hosted/login |
| OIDC Discovery | https://auth.yourcompany.com/.well-known/openid-configuration |
| JWKS endpoint | https://auth.yourcompany.com/.well-known/jwks.json |
| Email links | Password reset, magic link, and verification URLs use your domain |
OAuth issuer (iss claim) | Access tokens have "iss": "https://auth.yourcompany.com" |
Only one domain can be primary at a time. Setting a new primary domain automatically removes the primary flag from the previous one.
Switching Primary Domains
You can switch the primary domain at any time. The change takes effect immediately for new authentication flows. Existing tokens retain their original iss claim until they expire.
When switching from domain A to domain B:
- New logins use domain B
- In-flight authentication flows (already redirected to domain A) complete normally on domain A
- Existing access tokens with
iss: "https://domain-a.example.com"remain valid until expiry - New access tokens use
iss: "https://domain-b.example.com"
Deleting a Domain
To remove a custom domain:
- Click the domain in the list to open the detail view
- Click Delete
- Confirm the deletion
If the domain being deleted is the primary domain, authentication falls back to the Auris platform URL.
Important considerations before deleting:
- Applications configured with
redirect_uricontaining the custom domain will break if the domain is deleted - OIDC clients that validate the
issclaim against the custom domain will reject new tokens - Email links in recently sent emails (password reset, magic link) will stop working
Update your application configuration before deleting a domain to avoid disruption.
Multiple Domains
You can register multiple custom domains for a single tenant. Common use cases:
| Use Case | Domains |
|---|---|
| Environment separation | auth.company.com (production), auth-staging.company.com (staging) |
| Regional domains | auth.company.com (global), auth.company.de (Germany) |
| Product separation | login.product-a.com, login.product-b.com (same tenant, different products) |
All domains share the same tenant configuration (users, roles, security settings). The primary domain determines which domain appears in emails and OIDC metadata.
Non-primary domains are still functional for authentication — you can direct specific applications to use a non-primary domain by setting the appropriate redirect URIs in the application configuration. However, email links and OIDC Discovery will always reference the primary domain.
Related Guides
- Branding & Customization — Logo, colors, and email template customization
- Multi-Tenancy — How custom domains fit into the tenant model
- Hosted Login Flow — How the OAuth2 flow uses custom domains
- Applications — Configure redirect URIs for your custom domain