Problem statement
This article explains how to rotate the cname-api-key
for an Auth0 custom domain with self-managed certificates.
Solution
It’s not supported to rotate (or re-generate) the cname-api-key
directly, but you can get a new cname-api-key
(and invalidate the old one) by following these steps:
- Delete the current custom domain from your Auth0 tenant.
- Create a new custom domain with the same domain name.
- Finish verifying the ownership of the custom domain.
- After the verification is completed, you will get a new
cname-api-key
as well as the Origin Domain Name. - Update your reverse proxy with the new
cname-api-key
and the new Origin Domain Name.
Please note:
- Following the above steps will result in a new set of
cname-api-key
and Origin Domain Name, and both MUST be updated in the reverse proxy. - There is downtime from step #1 to step #5. The custom domain will be unavailable before the new
cname-api-key
and new Origin Domain Name are updated in the reverse proxy. Please schedule the steps during off-peak hours or a maintenance window.