Use a custom identity-flow domain such as `auth.example.com` so hosted sign-in and other identity flows use your brand's hostname instead of the default Authdog hostname. Configuration is environment-specific.

## Verify the parent domain

First prove control of the parent domain at tenant level:

1. In the [Authdog console](https://console.authdog.com), open tenant **Settings → Domains**.
2. Add the apex domain, such as `example.com`.
3. Copy the displayed validation subdomain and validation token.
4. Create the requested DNS `TXT` record with that exact name and value.
5. After DNS propagation, choose **Retry DNS Verification**.

Authdog queries the displayed validation name for a TXT value exactly matching the token. Keep the record until the console marks the domain **Verified**.

Verification belongs to the tenant. A verified apex domain can then back an environment hostname at the apex or one subdomain level, such as `example.com` or `auth.example.com`.

## Configure the environment hostname

1. Select the target project and environment.
2. Open **Domains**.
3. Enter **Identity Flows URI** as a hostname only, for example `auth.example.com`.
4. Save it.
5. At your DNS provider, create a `CNAME` from that hostname to the target shown by the console. The standard target displayed by Authdog is `authdog.pages.dev`.
6. In **Verified Domains**, select **Sync Domain**.
7. Wait for status to move from **Initializing** to **Ready** or **Active**.
8. Test sign-in and callback behavior on the custom hostname before sending production traffic.

Synchronization requires a verified matching tenant domain and DNS already pointing at Authdog. It then provisions the hostname and certificate. DNS changes may take time to propagate.

## Hostname rules

Enter only a hostname:

- No `http://` or `https://`
- No path, query, fragment, or port
- No `localhost`
- ASCII hostname labels only
- Maximum one subdomain level, such as `auth.example.com`

The hostname can be at most 253 characters, with each label at most 63 characters.

## Security guidance

- Verify domain ownership before binding an environment.
- Keep DNS and Authdog ownership aligned. Remove the Authdog mapping before deleting or repointing its DNS record.
- Use separate hostnames for development, staging, and production.
- Do not point an unverified customer-controlled hostname at your production identity environment.
- Recheck OAuth and SSO provider allowlists after hostname changes. Their redirect URI must match the callback URI shown by the Authdog connection form.
- Treat certificate or DNS failure as an authentication outage; keep DNS changes controlled and reviewed.

## Operational notes

- **Not in verified domains:** verify the parent apex in tenant settings, then retry synchronization.
- **DNS not pointing correctly:** check the CNAME name and target, wait for propagation, and retry.
- **Initializing:** certificate and edge provisioning are still in progress.
- **Provider callback fails:** copy the current redirect URI from **Authentication → Providers** into the upstream provider's allowlist.
- **Moving a hostname:** test the replacement first. DNS and certificate propagation can make immediate cutovers unreliable.

Saving Identity Flows URI changes environment configuration; synchronization is the separate step that binds the verified hostname to Authdog.

## Related

- [Deployments](/docs/deployments) — environment-specific configuration
- [Account Portal](/docs/account-portal) — hosted identity screens
- [SSO](/docs/sso) — callback and provider setup
- [Authentication](/docs/concepts/authentication) — identity-flow model
- [Security](/docs/security) — session and key security
