Sorry, let me re-phrase my answer as using a custom domain is just the most straightforward solution, but not the only one. Any tenant that does not have the ability to utilize a custom domain can get around third-party cookie issues by using refresh tokens / refresh token rotation. This is preferred to traditional silent auth which does rely on an auth0 cookie (third-party without a custom domain).