This article addresses errors that occur when calling certain Auth0 Management API endpoints after enabling the Multiple Custom Domains (MCD) feature. When attempting to create a password change ticket, one of the following errors may occur:

Conflict: The tenant has multiple verified custom domains.

Bad Request: Payload validation error: 'Additional properties not allowed: domain'.

• Auth0 Management API
• Multiple Custom Domains (MCD)
• Actions

These errors occur because once the MCD feature is active, requests to API endpoints that generate user-facing URLs, such as POST /api/v2/tickets/password-change, require an auth0-custom-domain HTTP header. This header specifies which of the verified custom domains to use when constructing the URL.

The "Conflict" error appears when this header is missing. The "Bad Request" error occurs if an attempt is made to specify the domain as a property within the request body, which is not a supported parameter for this endpoint.

To resolve the issue, include the auth0-custom-domain header in the Management API request. The header value should be the desired verified custom domain.

1. For external applications, add the header during Management Client initialization. The following example uses the Auth0 Node.js SDK:
   

   const { ManagementClient } = require('auth0');
   
   const managementClient = new ManagementClient({
     domain: '<your-tenant-domain>',
     clientId: '<your-m2m-client-id>',
     clientSecret: '<your-m2m-client-secret>',
     headers: { 'auth0-custom-domain': '<your-custom-domain.com>' }
   });
   

2. When calling the Management API from within an Auth0 Action, create a new instance of the ManagementClient using credentials stored in secrets. Use event.request.hostname as the value for the auth0-custom-domain header to ensure the contextually correct domain is used. 

   const { ManagementClient } = require('auth0');
   
   exports.onExecutePostLogin = async (event, api) => {
     const managementClient = new ManagementClient({
       domain: event.secrets.AUTH0_DOMAIN,
       clientId: event.secrets.M2M_CLIENT_ID,
       clientSecret: event.secrets.M2M_CLIENT_SECRET,
       headers: { 'auth0-custom-domain': event.request.hostname }
     });
   
     const changePasswordBody = {
       user_id: event.user.user_id,
       result_url: '<https://your-app.com/reset-password-complete>',
     };
   
     await managementClient.tickets.changePassword(changePasswordBody);
   };
   

With the Multiple Custom Domains (MCD) feature enabled, the auth0-custom-domain header becomes mandatory for password change ticket creation as well as the following endpoints. Make sure to include this header in all relevant requests to ensure proper functionality and prevent request failures.

POST /api/v2/tickets/email-verification

POST /api/v2/organizations/{id}/invitations

POST /api/v2/guardian/enrollments/ticket 

POST /api/v2/jobs/users-imports

POST /api/v2/jobs/verification-email

POST /api/v2/users 

PATCH /api/v2/users/{id}