Authdog

Custom domains

Last updated Jul 19, 2026
View as Markdown

Use a custom identity-flow domain such as auth.example.com so hosted sign-in and other identity flows use your brand's hostname instead of the default Authdog hostname. Configuration is environment-specific.

Verify the parent domain

First prove control of the parent domain at tenant level:

  1. In the Authdog console, open tenant Settings → Domains.
  2. Add the apex domain, such as example.com.
  3. Copy the displayed validation subdomain and validation token.
  4. Create the requested DNS TXT record with that exact name and value.
  5. After DNS propagation, choose Retry DNS Verification.

Authdog queries the displayed validation name for a TXT value exactly matching the token. Keep the record until the console marks the domain Verified.

Verification belongs to the tenant. A verified apex domain can then back an environment hostname at the apex or one subdomain level, such as example.com or auth.example.com.

Configure the environment hostname

  1. Select the target project and environment.
  2. Open Domains.
  3. Enter Identity Flows URI as a hostname only, for example auth.example.com.
  4. Save it.
  5. At your DNS provider, create a CNAME from that hostname to the target shown by the console. The standard target displayed by Authdog is authdog.pages.dev.
  6. In Verified Domains, select Sync Domain.
  7. Wait for status to move from Initializing to Ready or Active.
  8. Test sign-in and callback behavior on the custom hostname before sending production traffic.

Synchronization requires a verified matching tenant domain and DNS already pointing at Authdog. It then provisions the hostname and certificate. DNS changes may take time to propagate.

Hostname rules

Enter only a hostname:

  • No http:// or https://
  • No path, query, fragment, or port
  • No localhost
  • ASCII hostname labels only
  • Maximum one subdomain level, such as auth.example.com

The hostname can be at most 253 characters, with each label at most 63 characters.

Security guidance

  • Verify domain ownership before binding an environment.
  • Keep DNS and Authdog ownership aligned. Remove the Authdog mapping before deleting or repointing its DNS record.
  • Use separate hostnames for development, staging, and production.
  • Do not point an unverified customer-controlled hostname at your production identity environment.
  • Recheck OAuth and SSO provider allowlists after hostname changes. Their redirect URI must match the callback URI shown by the Authdog connection form.
  • Treat certificate or DNS failure as an authentication outage; keep DNS changes controlled and reviewed.

Operational notes

  • Not in verified domains: verify the parent apex in tenant settings, then retry synchronization.
  • DNS not pointing correctly: check the CNAME name and target, wait for propagation, and retry.
  • Initializing: certificate and edge provisioning are still in progress.
  • Provider callback fails: copy the current redirect URI from Authentication → Providers into the upstream provider's allowlist.
  • Moving a hostname: test the replacement first. DNS and certificate propagation can make immediate cutovers unreliable.

Saving Identity Flows URI changes environment configuration; synchronization is the separate step that binds the verified hostname to Authdog.

Learn more