Custom Domains

Serve your Passage OIDC app on a custom domain


Existing passkeys will no longer work on your new, custom domain.

Passkeys are scoped to a single auth origin, meaning they will only be valid for the domain they were created on.

New Subdomain

  1. Configure a DNS record to be used as your authentication domain (ex:

  2. Add your custom domain in the Passage Console on the Settings --> OIDC page

  3. Add a CNAME record for your subdomain to point at

  4. Click the Verify button in the Passage Console in the Custom Domains section you entered you subdomain in during step #2

Existing Subdomain

If you have existing authentication traffic to a subdomain you would like to continue using you have two options.

Option 1: No Downtime

When verifying custom domain ownership, an HTTP verification method is used since it doesn't require additional actions. However, this can potentially introduce downtime if the custom domain is already in use.

To avoid this, a DNS-based verification method that ensures no service interruptions is also available.

Contact [email protected] for support, and we'll guide you through each step to ensure a smooth experience for your users. Currently, this process takes less than 3 business days to complete.

Option 2: Limited Downtime

In the instances where you have an existing subdomain but have an accepted available window of downtime, you can run the flow via the Console UI. In most cases, you will experience a downtime of 2-10 minutes + your record TTL.

  1. Reduce the TTL on your existing record to 10

  2. Point your CNAME record at

  3. Increase your TTL to your previous value

Domain Status



Custom hostname has completed hostname validation and is active.


Custom hostname is pending hostname validation


Non-active after an active domain moved to a pending state for more than 7 days

Last updated