Custom Domain Mapping

Serve login pages and authentication endpoints from your own branded domain with automatic SSL

Custom Domain

Your Brand, Your Domain

Replace the default AuthAction URL with your own branded domain. Instead of users seeing acme.eu.authaction.com, they see auth.acme.com. All OAuth 2.0, OpenID Connect, and well-known endpoints work identically on your custom domain.

Setup takes minutes: add your domain in the dashboard, create a CNAME record, verify, and you are live. SSL certificates are provisioned and renewed automatically.

Request Demo View Documentation API Reference

Why Custom Domains?

Build trust and reinforce your brand at every authentication touchpoint

Brand Consistency

Keep your brand front and center throughout the entire authentication flow. Users never leave your domain, building trust and reducing confusion.

Automatic SSL

SSL/TLS certificates are provisioned and renewed automatically once your domain is verified. No manual certificate management is required.

Zero Downtime Setup

Add a CNAME record, verify in the dashboard, and go live in minutes. No code changes, no server restarts, no migration required.

Key Features

Everything you need for branded authentication

Full Endpoint Support

All OAuth 2.0, OpenID Connect, and well-known endpoints work on your custom domain, including authorization, token, user info, and JWKS.

  • Authorization endpoint
  • Token endpoint
  • Discovery & JWKS

Managed SSL/TLS

Certificates are automatically issued after domain verification and renewed before expiry. HTTPS is ready the moment verification succeeds.

  • Auto-provisioned
  • Auto-renewed
  • No manual steps

Multiple Domains

Configure up to 5 custom domains per tenant. Use different branded URLs for different products or audiences that share the same tenant.

  • Up to 5 per tenant
  • Independent operation
  • Per-product branding

Discovery Aware

The OpenID Connect discovery document adapts endpoint URLs to match the requested domain while preserving the canonical issuer for token validation.

  • Dynamic endpoint URLs
  • Stable issuer claim
  • Standard compliant

Simple DNS Setup

Just add a single CNAME record pointing to your tenant's canonical hostname. AuthAction handles verification and routing automatically.

  • Single CNAME record
  • Dashboard verification
  • Automatic routing

Branded Login Pages

Login, signup, consent, and all authentication pages are served under your domain, providing a seamless branded experience for your users.

  • Login & signup
  • Consent screens
  • Password reset

How It Works

Get up and running with a custom domain in three simple steps

1

Add Your Domain

Navigate to Tenant SettingsCustom Domain in the AuthAction Dashboard and enter your domain (e.g. auth.acme.com).

2

Create a CNAME Record

In your DNS provider, add a CNAME record pointing your domain to your tenant's canonical hostname (e.g. acme.eu.authaction.com).

3

Verify and Go Live

Click verify in the dashboard. AuthAction confirms the CNAME, provisions SSL certificates automatically, and your custom domain is live.

Well-known endpoint response on your custom domain

{
  "issuer": "https://acme.eu.authaction.com/",
  "authorization_endpoint": "https://auth.acme.com/oauth2/authorize",
  "token_endpoint": "https://auth.acme.com/oauth2/token",
  "userinfo_endpoint": "https://auth.acme.com/oauth2/user",
  "jwks_uri": "https://auth.acme.com/.well-known/jwks.json",
  "registration_endpoint": "https://auth.acme.com/oauth2/register",
  "end_session_endpoint": "https://auth.acme.com/oauth2/logout"
}

The issuer stays as your canonical tenant domain, while all endpoint URLs use your custom domain.

Frequently Asked Questions

Common questions about Custom Domains

No. SSL/TLS certificates are automatically provisioned and renewed after your domain is verified. HTTPS is ready immediately with no manual steps required.

Each tenant can have up to 5 custom domains configured simultaneously. All verified domains are active at the same time, allowing you to use different branded URLs for different products or audiences.

No. The issuer in the OpenID Connect discovery document and in issued tokens always remains your tenant's canonical AuthAction domain (e.g. acme.eu.authaction.com). All other endpoint URLs in the discovery response use your custom domain. Your application should validate the iss claim against the canonical tenant domain.

Verification fails when the CNAME record does not point to your tenant's canonical hostname, or DNS has not propagated yet. Confirm your CNAME record is correct using dig or an online DNS checker, wait for propagation (up to 48 hours), and retry verification from the dashboard.

Ready to brand your login experience?

Set up your custom domain in minutes and give your users a seamless, branded authentication experience.

Start Free Trial View Pricing