Overview
Use a custom domain for tenant-facing auth pages while keeping issuer validation stable.
Important issuer rule
Even with a custom domain, the token issuer remains anchored to:
https://id.uselamba.com/{tenantSlug}
Configure your verifier with this issuer value.
1) Add domain in tenant settings
- Add your custom host.
- Retrieve verification token.
2) Publish DNS verification record
name: _lamba-verification.<custom-host>
type: TXT
value: <verification-token>
3) Verify domain
Trigger domain verification from tenant domain settings until status is verified.
4) Configure OIDC client
- Register exact redirect URIs for the custom host.
- Keep environment-specific clients (test vs production).
- Keep strict URI matching; no wildcards.
5) Validate runtime behavior
- Unverified host should fail with custom_domain_not_verified.
- Tenant/host mismatch should fail with custom_domain_tenant_mismatch.
6) Production checklist
- TLS certificate valid for custom host.
- Redirect URIs match exactly.
- Issuer pinned to id.uselamba.com/{tenantSlug}.
- Monitoring in place for login and callback failures.
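The issuer rule and the strict redirect URI matching from steps 4 and 6, as an added Python example (not Lamba's own code) that lints a client configuration and checks values at runtime. The config keys, the tenant slug acme and the example hosts are constructed for illustration, and the claims are assumed to come from a token whose signature has already been verified.

```python
# Added example: checks derived from this page's issuer rule and OIDC client steps.
# Config keys, sample hosts and the tenant slug "acme" are constructed for illustration.
from urllib.parse import urlsplit

ISSUER_BASE = "https://id.uselamba.com"  # issuer anchor stated on the page


def pinned_issuer(tenant_slug):
    return f"{ISSUER_BASE}/{tenant_slug}"


def issuer_ok(claims, tenant_slug):
    """Exact comparison of iss from an already signature-verified token."""
    return claims.get("iss") == pinned_issuer(tenant_slug)


def redirect_ok(requested, registered):
    """Strict matching: equal to a registered URI, character for character."""
    return requested in registered


def lint(cfg):
    """Return checklist findings for one client config; an empty list passes."""
    findings = []
    want = pinned_issuer(cfg["tenant_slug"])
    got = cfg["verifier_issuer"]
    if got != want:
        host = urlsplit(got).hostname
        why = "uses the custom host" if host == cfg["custom_host"] else "differs"
        findings.append(f"issuer {why}: {got!r}, expected {want!r}")
    for uri in cfg["redirect_uris"]:
        if "*" in uri:
            findings.append(f"wildcard redirect URI: {uri!r}")
    return findings


# Constructed sample configurations
GOOD = {"tenant_slug": "acme", "custom_host": "login.acme.example",
        "verifier_issuer": "https://id.uselamba.com/acme",
        "redirect_uris": ["https://app.acme.example/callback"]}
BAD = {**GOOD, "verifier_issuer": "https://login.acme.example/acme",
       "redirect_uris": ["https://*.acme.example/callback"]}

if __name__ == "__main__":
    print(lint(GOOD))
    for finding in lint(BAD):
        print(finding)
```
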
Next steps
- OIDC security model: /docs/reference/oauth-oidc-security
- Environments: /docs/concepts/environments