Rotate cname-api-key

Problem statement

This article explains how to rotate the cname-api-key for an Auth0 custom domain with self-managed certificates.

Solution

It’s not supported to rotate (or re-generate) the cname-api-key directly, but you can get a new cname-api-key (and invalidate the old one) by following these steps:

  1. Delete the current custom domain from your Auth0 tenant.
  2. Create a new custom domain with the same domain name.
  3. Finish verifying the ownership of the custom domain.
  1. After the verification is completed, you will get a new cname-api-keyas well as the Origin Domain Name.
  2. Update your reverse proxy with the new cname-api-key and the new Origin Domain Name.

Please note:

  1. Following the above steps will result in a new set of cname-api-key and Origin Domain Name, and both MUST be updated in the reverse proxy.
  2. There is downtime from step #1 to step #5. The custom domain will be unavailable before the new cname-api-key and new Origin Domain Name are updated in the reverse proxy. Please schedule the steps during off-peak hours or a maintenance window.