Use a custom identity-flow domain such as auth.example.com so hosted sign-in and other identity flows use your brand's hostname instead of the default Authdog hostname. Configuration is environment-specific.
Verify the parent domain
First prove control of the parent domain at tenant level:
- In the Authdog console, open tenant Settings → Domains.
- Add the apex domain, such as
example.com. - Copy the displayed validation subdomain and validation token.
- Create the requested DNS
TXTrecord with that exact name and value. - After DNS propagation, choose Retry DNS Verification.
Authdog queries the displayed validation name for a TXT value exactly matching the token. Keep the record until the console marks the domain Verified.
Verification belongs to the tenant. A verified apex domain can then back an environment hostname at the apex or one subdomain level, such as example.com or auth.example.com.
Configure the environment hostname
- Select the target project and environment.
- Open Domains.
- Enter Identity Flows URI as a hostname only, for example
auth.example.com. - Save it.
- At your DNS provider, create a
CNAMEfrom that hostname to the target shown by the console. The standard target displayed by Authdog isauthdog.pages.dev. - In Verified Domains, select Sync Domain.
- Wait for status to move from Initializing to Ready or Active.
- Test sign-in and callback behavior on the custom hostname before sending production traffic.
Synchronization requires a verified matching tenant domain and DNS already pointing at Authdog. It then provisions the hostname and certificate. DNS changes may take time to propagate.
Hostname rules
Enter only a hostname:
- No
http://orhttps:// - No path, query, fragment, or port
- No
localhost - ASCII hostname labels only
- Maximum one subdomain level, such as
auth.example.com
The hostname can be at most 253 characters, with each label at most 63 characters.
Security guidance
- Verify domain ownership before binding an environment.
- Keep DNS and Authdog ownership aligned. Remove the Authdog mapping before deleting or repointing its DNS record.
- Use separate hostnames for development, staging, and production.
- Do not point an unverified customer-controlled hostname at your production identity environment.
- Recheck OAuth and SSO provider allowlists after hostname changes. Their redirect URI must match the callback URI shown by the Authdog connection form.
- Treat certificate or DNS failure as an authentication outage; keep DNS changes controlled and reviewed.
Operational notes
- Not in verified domains: verify the parent apex in tenant settings, then retry synchronization.
- DNS not pointing correctly: check the CNAME name and target, wait for propagation, and retry.
- Initializing: certificate and edge provisioning are still in progress.
- Provider callback fails: copy the current redirect URI from Authentication → Providers into the upstream provider's allowlist.
- Moving a hostname: test the replacement first. DNS and certificate propagation can make immediate cutovers unreliable.
Saving Identity Flows URI changes environment configuration; synchronization is the separate step that binds the verified hostname to Authdog.
Related
- Deployments — environment-specific configuration
- Account Portal — hosted identity screens
- SSO — callback and provider setup
- Authentication — identity-flow model
- Security — session and key security