logto-io
diff --git a/‎docs/logto-cloud/billing-and-pricing.mdx‎
Lines changed: 14 additions & 13 deletions b/‎docs/logto-cloud/billing-and-pricing.mdx‎
Lines changed: 14 additions & 13 deletions
diff --git a/‎docs/logto-cloud/custom-domain.mdx‎
Lines changed: 81 additions & 17 deletions b/‎docs/logto-cloud/custom-domain.mdx‎
Lines changed: 81 additions & 17 deletions
diff --git a/‎docs/logto-cloud/system-limit.mdx‎
Lines changed: 8 additions & 7 deletions b/‎docs/logto-cloud/system-limit.mdx‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎static-localized/en/img/assets/custom-domain-processing.jpeg‎
-141 KB b/‎static-localized/en/img/assets/custom-domain-processing.jpeg‎
-141 KB
diff --git a/‎static-localized/en/img/assets/custom-domain-processing.png‎
95.2 KB b/‎static-localized/en/img/assets/custom-domain-processing.png‎
95.2 KB
diff --git a/‎static-localized/en/img/assets/custom-domain-section.jpeg‎
-136 KB b/‎static-localized/en/img/assets/custom-domain-section.jpeg‎
-136 KB
diff --git a/‎static-localized/en/img/assets/custom-domain-section.png‎
68.5 KB b/‎static-localized/en/img/assets/custom-domain-section.png‎
68.5 KB
@@ -30,19 +30,20 @@ Keep in mind that only a few features are part of the add-on structure.
 
 At the same time, Logto also offers a pay-as-you-go and pro-rated pricing model to ensure you get the most out of our service conveniently.
 
-|                                 | Included quota                                          | Addition cost            |
-| ------------------------------- | ------------------------------------------------------- | ------------------------ |
-| **Tokens**                      | 50K                                                     | $0.08 per mo / 100 after |
-| **Machine-to-machine apps**     | 1                                                       | $8 **_each_** per month  |
-| **API resources**               | 3                                                       | $4 **_each_** per month  |
-| **Enterprise SSO**              | 0                                                       | $48 **_each_** per month |
-| **Multi-factor authentication** | All factors                                             | $48 per month            |
-| **Organization**                | Unlimited organizations & All the organization features | $48 per month            |
-| **Role-based access control**   | Unlimited roles and permissions                         | $32 per month            |
-| **SAML app**                    | 0                                                       | $96 **_each_** per month |
-| **Third party app**             | 0                                                       | $8 **_each_** per month  |
-| **Advanced security bundle**    | All advanced security features                          | $48 per month            |
-| **Tenant members**              | 1                                                       | $8 **_each_** per month  |
+|                                 | Included quota                                                                            | Addition cost                          |
+| ------------------------------- | ----------------------------------------------------------------------------------------- | -------------------------------------- |
+| **Tokens**                      | 50K                                                                                       | $0.08 per mo / 100 after               |
+| **Machine-to-machine apps**     | 1                                                                                         | $8 **_each_** per month                |
+| **API resources**               | 3                                                                                         | $4 **_each_** per month                |
+| **Enterprise SSO**              | 0                                                                                         | $48 **_each_** per month               |
+| **Multi-factor authentication** | All factors                                                                               | $48 per month                          |
+| **Organization**                | Unlimited organizations & All the organization features, including organization templates | $48 per month                          |
+| **Role-based access control**   | Unlimited roles and permissions                                                           | $32 per month                          |
+| **SAML app**                    | 0                                                                                         | $96 **_each_** per month               |
+| **Third party app**             | 0                                                                                         | $8 **_each_** per month                |
+| **Advanced security bundle**    | All advanced security features                                                            | $48 per month                          |
+| **Multiple custom domains**     | 1                                                                                         | $48 for up to **10 domains** per month |
+| **Tenant members**              | 1                                                                                         | $8 **_each_** per month                |
 
 If we take those factors into consideration, the algorithm is
 
 
@@ -1,41 +1,62 @@
 ---
 id: custom-domain
-title: Custom domain
+title: Custom domains
 sidebar_position: 4
 ---
 
-# Custom domain
+# Custom domains
 
-Your Logto tenant comes with a default free domain `{{tenant-id}}.app.logto`. However, you can elevate your user experience and brand recognition by using a custom domain, like `auth.example.com`.
+:::note
+Changing the domain after publishing your service may cause troubles because your application code and integrations might still reference the old domain. To ensure a smooth transition, we recommend **setting up your custom domains at the beginning** during Production tenant creation.
+:::
 
-Your custom domain is used for several functions:
+Your Logto tenant comes with a default free domain `{{tenant-id}}.app.logto`. However, you can elevate your user experience and brand recognition by using custom domains, like `auth.example.com`.
+
+Your custom domains are used for several functions:
 
 - [Sign-in and registration page](/end-user-flows/sign-up-and-sign-in) URLs
-- [Passkey](/end-user-flows/mfa/webauthn) linking URLs (Changing the domain after users have linked Passkeys may block their authentication).
 - Callback URIs for [social connectors](/connectors/social-connectors) or [enterprise SSO connectors](/connectors/enterprise-connectors).
+- [Passkey](/end-user-flows/mfa/webauthn) linking URLs (Changing the domain after users have linked Passkeys may block their authentication).
 - [SDK endpoint](/integrate-logto/application-data-structure#openid-provider-configuration-endpoint) for integrating Logto with your application.
 
-:::note
-Changing the domain after publishing your service may cause troubles because your application code and integrations might still reference the old domain. To ensure a smooth transition, **set up your custom domain at the beginning** during a Production tenant creation.
-:::
+## Multiple custom domains \{#multiple-custom-domains}
+
+Logto now supports configuring **multiple custom domains** for a single tenant, making your sign-in page accessible from more than one branded domain.
 
-## Configure custom domain in Console \{#configure-custom-domain-in-console}
+**Plan-based limits:**
+
+- **Development tenant**: Add up to 2 custom domains for free (for testing purposes)
+- **Free plan**: Add 1 custom domain at no charge
+- **Pro plan**: Add 1 custom domain included, with the ability to add up to 10 custom domains total through add-ons
+- **Enterprise plan**: For more than 10 custom domains or custom requirements, please [contact us](https://logto.io/contact)
+
+See the [Logto pricing table](https://logto.io/pricing) for detailed information.
+
+**With multiple custom domains, you can:**
+
+- Use different domains for various regions, locales, applications, organizations, or top-level domains
+- Build trust by maintaining a consistent brand experience before and after sign-in
+- Provide region-specific or brand-specific authentication experiences by [Custom UI](/customization)
+
+## Configure custom domains in Console \{#configure-custom-domains-in-console}
 
 To add a new custom domain in the Logto Console, follow these steps:
 
 1. Navigate to <CloudLink to="/tenant-settings/domains">Console > Settings > Domains</CloudLink>.
-2. In "Custom Domain" section, enter your domain name and click "add domain".
+2. In "Add a custom domain" section, enter your subdomain (e.g., `auth.example.com`, `auth.us.example.com`) and click "add domain".
 
-   <img src="/img/assets/custom-domain-section.jpeg" alt="Add domain" />
+   <img src="/img/assets/custom-domain-section.png" alt="Add domain" />
 
-3. Copy the CNAME value in the table, and go to your domain's DNS provider to add record.
+3. Copy the **CNAME** value `domains.logto.app` in the table, and go to your domain's DNS provider to add record.
 
-   <img src="/img/assets/custom-domain-processing.jpeg" alt="Custom domain processing" />
+   <img src="/img/assets/custom-domain-processing.png" alt="Custom domain processing" />
 
 4. Wait for the verification and SSL process.
    1. We will auto-verify your records every 10 seconds until the custom domain is added. Just ensure that the entered domain name or DNS Records are accurate.
    2. Verification typically takes a few minutes but can take up to 24 hours, depending on the DNS provider. Feel free to navigate away during the process.
 
+To add multiple custom domains, simply repeat the above steps for each domain you want to configure.
+
 ## Troubleshooting \{#troubleshooting}
 
 <details>
@@ -106,7 +127,7 @@ Also verify that the redirect URIs registered in <CloudLink to="/applications">C
 
 </details>
 
-## Use custom domain \{#use-custom-domain}
+## Use custom domains \{#use-custom-domains}
 
 Once you've configured your settings, both your custom domain name and the default Logto domain name will be available for your tenant. However, certain configurations are required to activate your custom domain name.
 
@@ -127,6 +148,8 @@ const client = new LogtoClient({
 });
 ```
 
+On the detail page of your application in <CloudLink to="/applications">Console > Applications</CloudLink>, scroll to the "Endpoints & Credentials" section. Switch the domain dropdown to view and copy the corresponding endpoints for updating your application settings.
+
 ### Modifying auth endpoints for other applications \{#modifying-auth-endpoints-for-other-applications}
 
 If you have applications that aren't using the Logto SDK, it's necessary to update their auth endpoints.
@@ -137,8 +160,49 @@ You can locate the auth endpoints at the well-known URL:
 https://auth.example.com/oidc/.well-known/openid-configuration
 ```
 
-### Updating the social connector's callback URI \{#updating-the-social-connectors-callback-uri}
+### Updating social connector redirect URIs \{#updating-social-connector-redirect-uris}
+
+[Social connectors](/connectors/social-connectors) use the OIDC/OAuth protocol. When users sign in through a custom domain, the redirect URI will automatically use that custom domain. You need to update the redirect URI in your social provider's developer console.
+
+**Steps:**
+
+1. Navigate to <CloudLink to="/connectors/social">Console > Connectors > Social Connectors</CloudLink> and select your connector.
+2. Copy the redirect URI shown in the connector details. Logto lists all available redirect URIs for your configured custom domains.
+3. Add this redirect URI to your social provider's developer console (e.g., Google, GitHub, Facebook).
+
+**For multiple custom domains:**
+
+- Add all redirect URIs for each custom domain you've configured. This ensures social login works regardless of which domain users access.
+- The default Logto domain (`*.logto.app`) remains valid. Include it only if you want to support logins through the default domain as well.
+- For the GitHub connector, use GitHub Apps instead of OAuth apps configured in the GitHub dashboard, as GitHub Apps support multiple redirect URIs. OAuth apps only support a single redirect URI.
+
+### Updating OIDC-based enterprise SSO connector redirect URIs \{#updating-oidc-enterprise-sso-redirect-uris}
+
+[OIDC-based enterprise connectors](/connectors/enterprise-connectors) follow the same pattern as social connectors.
+
+**Steps:**
+
+1. Navigate to <CloudLink to="/enterprise-sso">Console > Enterprise SSO</CloudLink> and select your OIDC connector.
+2. Copy the redirect URIs from the connector details. Logto lists all available redirect URIs for your configured custom domains.
+3. Update the redirect URI in your identity provider (IdP) settings.
+
+**For multiple custom domains:** Add all corresponding redirect URIs to your IdP to ensure enterprise SSO works across all domains.
+
+### Updating SAML-based enterprise SSO connector ACS URLs \{#updating-saml-enterprise-sso-acs-urls}
+
+[SAML-based enterprise connectors](/connectors/enterprise-connectors) use an Assertion Consumer Service (ACS) URL instead of a redirect URI.
+
+**Steps:**
+
+1. Navigate to <CloudLink to="/enterprise-sso">Console > Enterprise SSO</CloudLink> and select your SAML connector.
+2. In the "Configure in the IdP" section, use the domain dropdown to switch between your custom domains.
+3. Copy the ACS URL for the domain you want to support.
+4. Add these ACS URLs to your SAML identity provider configuration.
+
+**Important:** The domain you select determines where users are redirected after SSO authentication. Configure this based on which domain your application expects to receive the SAML response.
+
+### Passkey for MFA \{#passkey-for-mfa}
 
-The social connector's callback URI will be updated automatically if your users are using the custom domain. You need to go to the social provider's developer console to update the callback URI.
+[Passkeys for multi-factor authentication (MFA)](/end-user-flows/mfa/webauthn) are bound to the domain where they were registered. Users must sign in through the same domain to use their Passkeys.
 
-When your users are using the custom domain, the social connector's callback URI will be using the new domain. Therefore, you need to navigate to the social provider's developer console to manually update the callback URI.
+Current limitation: Logto does not yet support cross-domain Passkey verification. If a user registers a Passkey on `auth.us.example.com`, they must sign in through `auth.us.example.com` to use that Passkey for authentication. The Passkey registered on one domain cannot be used when signing in through a different custom domain.
@@ -4,15 +4,15 @@ At Logto, we've set generous limits across all plans and provide flexible pay-as
 
 You may notice that some items on the pricing page are marked as _unlimited_ or as _continuous pay-as-you-go without a ceiling_. This means they can generally be used without restriction, but Logto reserves the right to adjust these actual limits over time to maintain fair use for all users. In other words, entity limits are strict caps that protect the platform's overall health. They are not part of pricing, though they may vary across different plan groups.
 
-If your use case is reasonable but reaches a system limit, feel free to contact us and share your feedback. This helps us better understand real-world usage patterns and adjust system limits to better support our loyal customers.
+If your use case is reasonable but reaches a system limit, feel free to [contact us](https://logto.io/contact) and share your feedback. This helps us better understand real-world usage patterns and adjust system limits to better support our loyal customers.
 
 ## Tenant-level rate limit protection \{#tenant-level-rate-limit-protection}
 
 ### Dev tenants \{#dev-tenants}
 
-For Dev tenants, users can take advantage of Logto's free features and offerings. To prevent abuse and set clear expectations, we define certain system limits. These limits help us manage our platform sustainably while still providing free access for testing and development purposes.
+For [Development tenants](/logto-cloud/tenant-settings#development), users can take advantage of Logto's free features and offerings. To prevent abuse and set clear expectations, we define certain system limits. These limits help us manage our platform sustainably while still providing free access for testing and development purposes.
 
-If you'd like to increase your quota, you can contact us for assistance. We also recommend upgrading from **Dev** to **Pro**, which removes the cap and gives you full access immediately.
+If you'd like to increase your quota, you can contact us for assistance. We also recommend [upgrading from **Dev** to **Pro**](/logto-cloud/billing-and-pricing#dev-tenant-upgrade-to-pro), which removes the cap and gives you full access immediately.
 
 | **Feature**                           | **Entity limit** |
 | ------------------------------------- | ---------------- |
@@ -39,11 +39,12 @@ If you'd like to increase your quota, you can contact us for assistance. We also
 | **Developers and platform**           |                  |
 | Webhooks                              | 10               |
 | Audit log retention                   | 14 days          |
+| Custom domains                        | 2                |
 | Tenant members                        | 20               |
 
-### Pro tenant \{#pro-tenant}
+### Pro tenants \{#pro-tenants}
 
-For Pro tenants, entity limits define the upper ceiling for add-ons and other "unlimited" entities such as applications. The details of the Pro plan's system limits are listed below.
+For Pro plan tenants, entity limits define the upper ceiling for add-ons and other "unlimited" entities such as applications. The details of the Pro plan's system limits are listed below.
 
 | **Feature**                           | **Entity limit** |
 | ------------------------------------- | ---------------- |
@@ -74,6 +75,6 @@ For Pro tenants, entity limits define the upper ceiling for add-ons and other "u
 | Custom domains                        | 10               |
 | Tenant members                        | 100              |
 
-### Enterprise \{#enterprise}
+### Enterprise tenants \{#enterprise-tenants}
 
-For Enterprise plans, limits and features are fully customizable and managed through a the contract. Please [contact us](https://logto.io/contact) for more details.
+For Enterprise plans, limits and features are fully customizable and managed through the contract. Please [contact us](https://logto.io/contact) for more details.