Skip to main content

Set up custom domains

To use the Ory Network on one or more domains that you own, you can set a CNAME record.


This feature is only available on paid plans. If you're using the free plan, you will have to upgrade before being able to add a custom domain.

Adding a custom domain to your project

Locate "Custom Domains" in the Ory Console navigation menu.

When you click it and navigate to the "Custom Domains" page, your list of custom domains will likely be empty at this point. If you're not on a paid plan, you won't be able to add one.

Click "Add one now" to add your first domain. You will be greeted by a creation screen:

Custom Domain Creation form


When you add a custom domain, it becomes your project's SDK Configuration URL. To check your SDK Configuration URL, go to Ory ConsoleAccess & APIs.

The domain you enter in the first step will be the domain that you'll use for requests to Ory Network. You will have to create a CNAME record with the DNS provider with which the domain is registered, with the value that's provided in this form (you will be able to see this value later as well).

Note that the value in the above screenshot is an example. You will have your own value that you will need to copy.

The Cookie Domain is the domain cookies will be scoped to. This is an important security setting. In all likelihood, you'll want this to be the root domain of whatever you supplied in the first step. See the Cookie configuration document and this Stack Overflow answer.


Cross-Origin Resource Sharing (CORS) is also enabled by default on the custom domain you add, in this example we have auth.foobar.ory set as our custom domain which will point to your project. It's important that you add CORS origins to your custom domain to ensure Single Page Applications (SPAs) support. Ory Network allows up to 50 origins. If you plan on using server-side rendering or native applications, you can disable CORS. You can read more about CORS at MDN.


Ory Network doesn't allow setting the CORS origins to be *, null or localhost/ You can, however, use a wildcard subdomain such as https://*.foobar.ory. To be on the safe side, Ory recommends setting the CORS origins to be an exact match instead of a wildcard subdomain. For local development with localhost/ use Ory Tunnel.

Waiting for propagation

When you've added the domain in Ory Console, we will continuously recheck its status to see if it was configured with your registrar. Note that it can take up to 24 hours for your changes to propagate.

You may also manually recheck on the custom domains page, or check the value to set with your DNS provider by clicking the magnifying icon in the custom domains section:

Check custom domain details

When the domain is reachable, it will have the "Active status".

The CORS status will show "Inactive" while the domain is pending verification. After the domain is verified, the CORS status will show "Enabled/Disabled".

Custom Domain Cors enabled

Once active, the Ory Account Experience is reachable at https://<your-custom-domain>/ui/welcome. Learn how to configure a custom UI: Bring Your Own UI.

You may also remove your custom domain from the Console, but please note that any requests to it will no longer resolve once you do.

When editing your custom domain entry, you can update the CORS settings independent of the custom domain or cookie domain settings.

Custom Domain Cors edit

Custom Domain Cors disabled

Setting up a CNAME record

If you're with any of these registrars, you can use their respective guide on how to add a CNAME record:

If not, don't worry - your registrar likely has a similar guide, or a similar process. Setting up a CNAME record typically requires you to specify 3 values:

  1. A record type, CNAME in this case
  2. The Host, which is the subdomain that will be reachable. With most registrars, entering @ as the value signifies that you want to use the root domain.
  3. The value, which is provided by us. Check the value provided in the form (detailed in the first step of this article) to know what this should be for your project.

Automated emails

The Ory Network sends emails for certain actions a user can take, for example account recovery or address verification. Since most email providers take measures against spam and phishing attacks, for example "fake" link campaigns, it's advised to only link to domains that match the sender of the email.

However, when using a custom domain in the Ory Network without a custom SMTP server, links inside the automated Ory Identities emails won't match the domain these emails were sent from. For example the address verification link will point to, but the email was sent from the default Ory Network email sender domain (e.g. Some email providers, such as Gmail, might interpret this as a phishing attack and mark the email as spam, or block it entirely.

To prevent this, configure a custom SMTP server, that matches at least the root domain of your custom domain. For example, if you configured the custom domain, you should also configure an email server that lives under


To learn how to set up a custom SMTP server on the Ory Network, read Send emails using your SMTP server.