Skip to content

Feat: MCD Support#849

Draft
tanya732 wants to merge 3 commits intomasterfrom
feat/mcd-support
Draft

Feat: MCD Support#849
tanya732 wants to merge 3 commits intomasterfrom
feat/mcd-support

Conversation

@tanya732
Copy link
Copy Markdown
Contributor

@tanya732 tanya732 commented Apr 2, 2026
edited
Loading

Changes

  • Adds support for the Auth0-Custom-Domain header, enabling users to specify a custom domain for API endpoints that generate user-facing links (email verification, password reset, organization invitations, etc.)
  • Implements an OkHttp interceptor (CustomDomainInterceptor) that enforces an endpoint whitelist, the header is automatically stripped from requests to non-whitelisted paths, preventing misuse
  • Supports both global configuration (via ManagementApiBuilder.customDomain()) and per-request overrides (via CustomDomainHeader.of() helper)

New classes

Class Description
CustomDomainInterceptor OkHttp interceptor that strips the Auth0-Custom-Domain header from requests to non-whitelisted endpoints
CustomDomainHeader Convenience helper to create RequestOptions with the custom domain header for per-request overrides

Modified classes

Class Change
ManagementApiBuilder Added customDomain(String) builder method; registers the interceptor and header when configured
ClientOptions.Builder Added addInterceptor(Interceptor) method to support custom OkHttp interceptors

Whitelisted endpoints

The Auth0-Custom-Domain header is only sent to endpoints that generate user-facing links:

  • POST /jobs/verification-email
  • POST /tickets/email-verification
  • POST /tickets/password-change
  • /organizations/{id}/invitations
  • /users and /users/{id}
  • POST /guardian/enrollments/ticket
  • /self-service-profiles/{id}/sso-ticket

All other endpoints have the header automatically stripped by the interceptor.

Usage

// Global — applies to all whitelisted requests
ManagementApi client = ManagementApi.builder()
    .domain("your-tenant.auth0.com")
    .token("YOUR_TOKEN")
    .customDomain("CUSTOM_DOMAIN")
    .build();

// Per-request override
CreateVerificationEmailResponseContent createVerificationEmailResponseContent = client.jobs().verificationEmail()
              .create(CreateVerificationEmailRequestContent.builder().userId("<USER_ID>").build(), CustomDomainHeader.of("<CUSTOM_DOMAIN>"));

Test classes added

  • CustomDomainInterceptorTest — 18 unit tests validating whitelist matching for both allowed and blocked paths
  • CustomDomainHeaderIntegrationTest — 8 integration tests using MockWebServer verifying end-to-end header behavior (global config, per-request override, stripping on non-whitelisted paths, no-config scenarios)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kailash-b kailash-b kailash-b approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tanya732 @kailash-b