Skip to main content

Custom (vanity) domains

Replace your default SecureAuth tenant URL with a custom domain that matches your brand. A vanity domain gives your users a familiar, trusted URL at sign-in and across all OAuth/OIDC endpoints.

URL examples

WhatDefault URLWith vanity domain
Sign-in pagehttps://acme.us.connect.secureauth.com/acme/default/loginhttps://auth.acme.com/acme/default/login
OAuth authorizationhttps://acme.us.connect.secureauth.com/acme/default/oauth2/authorizehttps://auth.acme.com/acme/default/oauth2/authorize
Token endpointhttps://acme.us.connect.secureauth.com/acme/default/oauth2/tokenhttps://auth.acme.com/acme/default/oauth2/token
OIDC discoveryhttps://acme.us.connect.secureauth.com/acme/default/.well-known/openid-configurationhttps://auth.acme.com/acme/default/.well-known/openid-configuration
Issuer URLhttps://acme.us.connect.secureauth.com/acme/defaulthttps://auth.acme.com/acme/default

Only the hostname changes. The tenant ID, workspace ID, and path structure remain the same.

Why use a vanity domain

  • Brand trust – users see your domain (auth.acme.com) instead of secureauth.com at sign-in
  • Simpler URLs – shorter, easier to communicate and remember
  • Cookie scope – authentication cookies are scoped to your domain, which can simplify SSO across your applications
  • Compliance – some regulatory frameworks require authentication endpoints on your own domain

Setup options

You can configure vanity domains in two ways:

  1. Customer-managed infrastructure: Use a web application firewall (WAF), content delivery network (CDN), or custom proxy.
  2. Direct through SecureAuth: Let SecureAuth handle the domain setup.

Implementation methods

WAF/CDN/proxy setup

Use your existing WAF, CDN, or proxy as a reverse proxy. TLS is terminated at the proxy level.

Best for: Organizations with existing proxy infrastructure.

SecureAuth provides an x-acp-domain-key when your vanity domain is created. Your proxy must include this header in every request to SecureAuth so the platform can identify and route traffic to your tenant.

Learn how to configure this setup

Direct setup with SecureAuth

SecureAuth handles domain traffic directly if you don't have a proxy or WAF.

Best for: Organizations without proxy infrastructure.

How it works:

  1. SecureAuth creates a custom Ingress for your vanity domain.
  2. You configure a CNAME record pointing to the SecureAuth ingress endpoint.
  3. SecureAuth maps and routes the traffic to your tenant.

Learn how to configure this setup

Getting started

To set up a custom domain for your organization, contact SecureAuth Support.