Auth0 Custom Domains

Drive Auth0 custom-domain work end-to-end: Auth0 Management API, DNS provider, verification polling, and the configuration that stitches everything together. Detects the user's DNS provider (Cloudflare, Route 53, Azure DNS, or other) and automates record creation when the provider supports it.

Overview

This skill is capability-based, not step-based. It groups the work a user might want to do into five distinct capabilities (setup, troubleshoot, manage, remove, health check), each with its own flow in a dedicated reference file. The main SKILL.md acts as a lobby: it holds the capabilities table, key concepts, prerequisites, and common mistakes that apply across all flows. When a user invokes the skill, pick the matching capability from the table, load its reference file, and follow that flow.

The capability design matches how users actually come to Auth0 custom domain work: "set one up," "mine is broken," "change something," "remove one," or "is my setup still working?" Each intent maps to a distinct flow with its own safety checks and hand-offs.

Interaction style

Ask questions as plain conversational text. Never use structured UI widgets (e.g., AskUserQuestion) except for a single yes/no confirmation immediately before a destructive or irreversible action (create, PATCH, delete). For everything else:

• Capability routing: present a numbered list and wait for the user to reply
• Input gathering: ask one focused question at a time; wait for a response before asking the next
• Free-form values (hostnames, domain names, etc.): just ask directly — don't wrap them in a widget that forces a click before typing

Example of the right pattern for capability routing:

What do you want to do?

1. Set up a custom domain
2. Troubleshoot verification
3. Manage an existing domain
4. Remove a domain
5. Check domain health (read-only, safe starting point)

Example of the right pattern for a single input:

What's the hostname you want to set up? (e.g., login.example.com)

Error-code triage — CHECK THIS FIRST

If the user's message is primarily about an HTTP error code from the Management API (e.g., "I got a 403", "why is this returning 409?", a pasted error body, a log entry with a status code), answer from this table first. Do not default to general Auth0 knowledge — it leads to wrong advice on the Free-tier 403 case in particular. Only after the error-code answer, offer to route into the matching capability if the user wants to continue (e.g., "want me to walk through Set up with that fix in place?").

Full error-code reference with all cases and resolutions: references/api.md#error-codes.

Capabilities

When this skill is invoked and the user is NOT asking about an error code, ask the user which capability they want using a plain numbered list (see Interaction style above). Route to Check domain health first when the user reports a problem without a specific known cause, or when they're unsure which capability they need; it's the safe, read-only starter that will point them to the right follow-up.

Pick a capability, then follow the flow in its reference file. The Prerequisites and Key Concepts sections below apply across all capabilities.

Key Concepts

Full schema and token / iss behavior live in references/advanced.md.

Prerequisites

These apply to any capability that writes to the tenant. Check domain health is read-only and can be run first to verify these.

Auth0 Management API access

All capabilities use the Management API. Either:

• The Auth0 CLI (auth0 ...) authenticated to the target tenant (auth0 tenants use <name>), or
• A Machine-to-Machine application with the scopes in references/api.md.

Check the active tenant immediately before the first Auth0 CLI command in a capability, not at skill invocation. Do not check the tenant before the user has chosen a capability. If a capability uses only non-CLI tools (e.g., DNS lookups, Cloudflare MCP, direct Management API calls via curl), skip the tenant check entirely.

When the chosen capability does use the Auth0 CLI, run this before the first CLI command:

auth0 tenants list

Look for the row marked as active (or check the active field in the JSON output). Show the active tenant to the user and ask them to confirm it is the intended target. If it's wrong, stop and have the user run:

auth0 tenants use <tenant-name>

Then re-confirm before proceeding. For mutating calls (create, PATCH, delete), require explicit confirmation. For read-only CLI flows, surfacing the tenant name (and naming it in the output report) is enough — still never assume the active tenant is correct based on conversational context alone.

DNS provider access (for Set up, Troubleshoot, and Remove)

Set up a custom domain writes a CNAME. Remove a custom domain deletes one. Troubleshoot verification may suggest a fix that requires a DNS edit. What the skill needs depends on the provider tier:

• Tier 1 Cloudflare: Cloudflare MCP connected. If not, skill prompts the user to run claude mcp add --transport http cloudflare https://mcp.cloudflare.com/mcp and authorize in the browser.
• Tier 2 AWS Route 53: AWS credentials configured (env vars, shared config, or SSO session). Verified with aws sts get-caller-identity.
• Tier 3 Azure DNS: Azure CLI signed in. Verified with az account show.
• Tier 4 other: no programmatic access; user manually adds the record in their provider's dashboard.

Plan requirements for automation: None of the three automated tiers require a paid plan on the DNS provider side. Cloudflare DNS record CRUD via the MCP works on the Free plan (Free zones created after Sept 2024 cap at 200 DNS records per zone; Auth0's CNAME counts as one). Route 53 is pay-per-use (~$0.50/hosted zone/month + query costs, not in AWS free tier). Azure DNS is subscription-based with no tier gating; the signed-in identity needs the DNS Zone Contributor role. Full detail per tier in the per-provider sub-files under references/providers/ (router: references/providers.md).

Credit card on file (Free-tier tenants)

Custom domains are available on all plan tiers including Free. Free tenants need a credit card on file for identity verification (card is not charged). Without one, POST /custom-domains returns 403. Fix at Dashboard → Tenant Settings → Billing (or the Teams section for Teams-managed tenants).

Surface this as the likely cause on any 403 rather than suggesting a plan upgrade.

Common Mistakes

Quick index; each entry links to the canonical treatment in the relevant capability file.

Related Skills

• auth0-branding: Customize Universal Login appearance (page templates require a verified custom domain)
• auth0-organizations: Organization-specific branding for B2B multi-tenancy

References

• references/capability-setup.md: Set up a custom domain
• references/capability-troubleshoot.md: Troubleshoot verification
• references/capability-manage.md: Manage existing domains
• references/capability-remove.md: Remove a custom domain
• references/capability-health.md: Check domain health
• references/providers.md: DNS provider router — NS → provider map; links into per-provider sub-files under references/providers/ (cloudflare.md, route53.md, azure-dns.md, manual.md). Open only the sub-file matching the detected provider.
• references/examples.md: cURL samples plus end-to-end CI/CD automation and multi-environment patterns
• references/api.md: Endpoint reference, CLI commands, error codes, scopes
• references/advanced.md: MCD, default-domain, auth0-custom-domain header, self-managed certs, token iss behavior, verification troubleshooting deep-dive

External Docs

• Custom Domains Overview
• Auth0-Managed Certificates
• Self-Managed Certificates
• Multiple Custom Domains
• Default Custom Domain
• Configure Features to Use Custom Domains
• Troubleshoot Custom Domains
• Cloudflare MCP Server