Hey all!

We recently added a custom domain to our account ( We followed the instructions about a CNAME, that has been configured correctly. I then started to update our application, as per these docs. Our application is older, and we are still using /delegation .

After the user logs in, we send a request to /delegation , which works fine with our auth0 domain (, however, when we switched our application to using , we now get a 401 error from /delegation . The error is invalid_iss :

Extra Info
This is what our front-end config looks like:

	window.IA_CONFIG = {
		AUTH0_CLIENTID: 'redacted',
		AUTH0_CONNECTION: 'connectionname',

Our back-end config looks like this:

  "Auth0": {
    "Domain": "",
    "ClientId": "recdacted",
    "ApiUrl": "",
    "TokenUrl": "",

Critical note: if we change our front-end config to use , everything works as expected. The custom domain /delegation endpoint does not recognize our expected iss claim (

Hi @james13, I’m afraid that endpoint does not support custom domains.

If your setup allows, you may be able to achieve the flow you need using silent authentication to get a 2nd token for a different audience without needing the user to log in again, instead of using the /delegation endpoint.


Will try this out and mark as solution if it works. I was hoping we wouldn’t have to move off of /delegation, but your answer makes sense! Trying this out now…