The Domains tab is where you put Universal Login on your own subdomain — auth.yourapp.com instead of your-app.authaz.io. Two DNS records and a verification step; SSL is provisioned automatically.
1. Add domain in dashboard → domain status: pending
2. Create CNAME and TXT records → domain status: verifying
3. Authaz validates DNS → domain status: verified
4. Authaz issues SSL certificate → domain status: SSL Active
Type: CNAME
Host: auth (or whatever subdomain you picked)
Target: auth.authaz.io
TTL: Auto / 300
This points your subdomain at Authaz's edge. Once it resolves, browsers hitting auth.yourapp.com reach Universal Login.
Apex domains. CNAMEs cannot be set on apex (root) domains in standard DNS. If you want yourapp.com itself to host Universal Login (rare for auth — most teams use auth.yourapp.com), use a CNAME flattening / ALIAS / ANAME record if your DNS host supports it.
Authaz polls DNS every minute or so. Once both records resolve, the status flips to Verifying → Verified. SSL provisioning then starts; the cert usually issues within 1–5 minutes via Let's Encrypt.
If the domain stays in Pending after 10 minutes, check:
- DNS propagation: dig auth.yourapp.com CNAME should return auth.authaz.io. (dig prints the target with a trailing dot).
- TXT presence: dig auth.yourapp.com TXT should include the authaz-verify=... value.
- TTL: if your old DNS records had a high TTL, they may still be cached.
The dashboard's Domains page has a Retry verification button that forces an immediate poll — useful when you've just fixed a DNS issue.
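The checks above can be scripted. The following is an added example, not Authaz tooling: it classifies `dig +noall +answer` output and reports the cached TTL when the CNAME points at the wrong target. The function names and sample answers are constructed for illustration; the target and TXT prefix are the ones given on this page.

```shell
#!/bin/sh
# Added example: classify `dig +noall +answer` output for the checks above.
# Function names are made up here; the target and TXT prefix are the page's.
EXPECTED_TARGET="auth.authaz.io"

# check_cname ANSWER -> ok | missing | wrong-target:<host> ttl=<seconds>
check_cname() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_TARGET" '
        $4 == "CNAME" {
            target = tolower($5)
            sub(/\.$/, "", target)      # dig prints the FQDN with a trailing dot
            if (target == want) { print "ok" }
            else { print "wrong-target:" target " ttl=" $2 }
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# check_txt ANSWER -> ok | missing
check_txt() {
    printf '%s\n' "$1" | awk '
        $4 == "TXT" {
            value = $5
            gsub(/"/, "", value)        # dig wraps TXT strings in quotes
            if (value ~ /^authaz-verify=./) { found = 1; exit }
        }
        END { print (found ? "ok" : "missing") }'
}

# Constructed sample answers (not real lookups).
SAMPLE_OK='auth.yourapp.com. 300 IN CNAME auth.authaz.io.'
SAMPLE_STALE='auth.yourapp.com. 3600 IN CNAME old-host.example.net.'
SAMPLE_TXT='auth.yourapp.com. 300 IN TXT "v=spf1 -all"
auth.yourapp.com. 300 IN TXT "authaz-verify=EXAMPLE-TOKEN"'

if [ "$#" -gt 0 ]; then
    # Live lookup: sh check-domain.sh auth.yourapp.com
    echo "CNAME: $(check_cname "$(dig +noall +answer "$1" CNAME)")"
    echo "TXT:   $(check_txt "$(dig +noall +answer "$1" TXT)")"
else
    echo "correct CNAME: $(check_cname "$SAMPLE_OK")"
    echo "stale CNAME:   $(check_cname "$SAMPLE_STALE")"
    echo "TXT:           $(check_txt "$SAMPLE_TXT")"
fi
```

A `wrong-target` result with a large `ttl` means the resolver you queried can keep serving the old answer for that many seconds, so wait it out before using Retry verification.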
When you delete a domain, the certificate is revoked and the routing is removed. Before deleting, make sure no users are still being redirected to the old domain (your application's redirect URIs, your SDK config, your marketing pages).
"Failed" status with no obvious DNS error. The CNAME exists but points somewhere else (a previous host, a redirect service). Update it to auth.authaz.io. Don't stack a CNAME on top of an existing A record.
SSL provisioning failed. Almost always Let's Encrypt rate-limiting (you've hit their domain-renewal cap by deleting/re-adding too quickly). Wait an hour and retry.
Mixed-content warnings on Universal Login. Your branding includes an http:// image URL. Branding assets must be served over HTTPS — update them via the Branding page.
Cookies not persisting after sign-in. Your application is probably on a different second-level domain than Universal Login (yourapp.com vs myauthapp.com). Authaz cookies are scoped to the auth domain by design — set up your app to round-trip through Universal Login rather than relying on cross-site cookies.