Migration scenarios
Choose the scenario that best matches your situation:| Scenario | Description | Use case | Complexity | Downtime |
|---|---|---|---|---|
| Adding additional domains | You currently have one custom domain and want to add more while keeping the existing domain operational | Expanding to serve multiple brands or regions | Low | None |
| Replacing an existing domain | You want to replace your current custom domain with a new one | Rebranding or domain ownership change | Medium | Minimal (during DNS cutover) |
| Migrating from canonical domain | You’re currently using your Auth0 canonical domain (e.g., tenant.auth0.com) and want to migrate to custom domains | Initial custom domain implementation with multiple domains | Medium to High | None (parallel operation) |
Pre-migration checklist
Before starting your migration, ensure you have completed the following:- Verified domain ownership for all new custom domains
- Reviewed current authentication flows and API integrations
- Identified all applications using the current domain
- Documented current email templates and links
- Obtained SSL/TLS certificates (if using self-managed certificates)
- Tested the new custom domain configuration in a development or staging environment
- Prepared rollback plan
- Scheduled migration during low-traffic period (if applicable)
- Notified stakeholders and users (if required)
Migration steps
Add your new custom domains
Add your new custom domains using the Auth0 Dashboard or Management API.Verify domain ownership
Complete the domain verification process for each new custom domain:For Auth0-managed certificates
- Note the CNAME record provided by Auth0
- Add the CNAME record to your DNS provider
- Verify the domain through the Dashboard or API
For self-managed certificates
- Add the required TXT record to your DNS
- Configure your reverse proxy or CDN
- Upload your SSL certificate
- Verify the domain
Configure default domain (optional)
If you want one domain to be used by default for emails and API calls, set it as the default domain:Update application configurations
Update your applications to use the appropriate custom domain:SDK configuration
Update your Auth0 SDK initialization:Callback URLs
Update your application’s callback URLs in the Auth0 Dashboard:- Navigate to Auth0 Dashboard > Applications. Choose the application to configure and select the Settings tab.
- Update Allowed Callback URLs to include the new domain:
- Update Allowed Logout URLs:
- Update Allowed Web Origins:
Update email templates
If you want emails to use your new custom domain:- Navigate to Branding > Custom Domains
- Enable Use Custom Domain in Emails
- Set your desired domain as the default to make its context available in email templates
- Customize your email templates to use the custom domain information in the “From” address, subject, and body as needed
Setting a domain as default makes its context available in email templates, but you must customize your templates to use that information. The default domain’s context will be used when no specific domain is provided through the
auth0-custom-domain header.Update social identity providers(IdP)
Update redirect URIs for your social identity providers:- Go to Google Cloud Console
- Navigate to APIs & Services > Credentials
- Add
https://new-domain.example.com/login/callbackto Authorized redirect URIs
- Go to Facebook Developers
- Navigate to your app > Facebook Login > Settings
- Add
https://new-domain.example.com/login/callbackto Valid OAuth Redirect URIs
Other providers
Update redirect URIs for all configured social providers following each provider’s documentation.Update enterprise connections (if applicable)
If you use SAML, WS-Fed, Azure AD, or other enterprise connections, update their configuration:SAML connections
Update the Assertion Consumer Service (ACS) URL:You do not need to manually update the ACS URL with your IdP if you use SP-initiated SAML requests and your IdP accepts dynamic ACS.
Azure AD connections
- Go to Azure Active Directory > App registrations
- Select your app > Authentication
- Add
https://new-domain.example.com/login/callbackto Redirect URIs
ADFS connections
Update the endpoint in your ADFS settings to use the new custom domain.Test authentication flows
Before completing the migration, thoroughly test:- User login: Verify users can authenticate through the new domain
- Password reset: Test password reset emails use the correct domain
- Email verification: Verify email verification links work
- Social logins: Test each configured social provider
- API calls: Verify API calls work with the new domain
- Token validation: Ensure JWTs have the correct
issclaim
Monitor and verify
After migration:- Monitor authentication logs for any errors
- Check email delivery and link functionality
- Verify SSL certificate validity and expiration dates
- Test from different geographic regions (if applicable)
- Confirm all applications are using the intended custom domains
Decommission old domain (if applicable)
If you’re replacing an existing custom domain:- Ensure all applications have migrated to the new domain
- Monitor traffic to the old domain to confirm it’s no longer in use
- Consider keeping the old domain active for a grace period
- Delete the old custom domain when ready:
Migration patterns
Parallel operation (zero downtime)
Run both old and new custom domains simultaneously:- Add new custom domain
- Update new applications to use new domain
- Keep existing applications on old domain
- Gradually migrate applications
- Decommission old domain when fully migrated
Phased migration by application
Migrate applications one at a time:- Identify applications by priority or risk
- Migrate low-risk applications first
- Monitor for issues before proceeding
- Migrate remaining applications
- Clean up old configurations
Blue-green deployment
Use separate environments for testing:- Set up new custom domain in staging environment
- Test all functionality thoroughly
- Cut over production in one operation
- Keep old domain as backup
- Decommission after verification period
Handling existing user sessions
When migrating custom domains, existing user sessions may be affected:Session considerations
- Sessions created with the old domain remain valid until expiration
- New logins will create sessions with the new domain
- Cross-domain sessions require careful planning
Recommended approach
- Notify users: Inform users they may need to log in again
- Grace period: Keep old domain active during transition
- Session transfer: Use Universal Login to handle session migration
- Clear guidance: Provide clear instructions if users experience issues
Rollback plan
If you encounter issues during migration:Immediate rollback
- Revert application configurations to use the old domain
- Keep the new custom domain configured for future attempts
- Document the issue for troubleshooting
Partial rollback
- Identify affected applications
- Revert only those applications to the old domain
- Investigate and fix issues
- Re-migrate when ready
Complete rollback
- Update all application configurations to use the old domain
- If you set a default domain, change it back to the old domain
- Notify users of any required actions
- Schedule another migration attempt
Troubleshooting
Common issues and solutions
| Issue | Cause | Solution |
|---|---|---|
| Domain verification fails | DNS records not propagated | Wait for DNS propagation (can take up to 48 hours), verify CNAME record is correct |
| Login redirects to old domain | Application configuration not updated | Update SDK initialization and callback URLs |
| Email links use wrong domain | Default domain not configured | Set default domain or configure email routing |
| Social login fails | Redirect URIs not updated | Add new custom domain to social provider’s allowed redirect URIs |
| Invalid token issuer | JWT validation expects old domain | Update token validation to accept new domain as issuer |
| SAML assertion errors | ACS URL not updated | Update SAML configuration with new custom domain URL |
| Certificate errors | Certificate not provisioned or expired | Verify domain, wait for certificate provisioning, or update certificate |
Getting help
If you encounter issues during migration:- Check Auth0 Community for similar issues
- Review troubleshooting documentation
- Contact Auth0 Support with:
- Your tenant name
- Custom domain IDs
- Detailed description of the issue
- Steps to reproduce
- Error messages or logs
Post-migration best practices
After completing your migration:- Document the configuration: Record which applications use which custom domains
- Monitor certificate expiration: Set up alerts for certificate renewal
- Review periodically: Ensure custom domain configuration aligns with business needs
- Update runbooks: Update operational documentation with new custom domain information
- Train team members: Ensure your team understands the new multi-domain setup
- Plan for scale: Consider how you’ll manage additional domains in the future