
How Custom-Domain Onboarding Actually Works: DNS, SSL, and the Edge

March 27, 2026 by Priya Nadkarni

Custom-domain onboarding decomposes into two planes. The connect plane configures DNS and proves ownership (a value-checked DNS challenge, or a signed provider consent). The edge plane terminates TLS on demand during the handshake — but only for hostnames the control plane authorizes — then reverse-proxies to your origin.

Why on-demand TLS

Certificates are issued and renewed automatically at the edge, so there’s never a cert to wrangle. An O(1) authorization lookup keeps billing and business logic out of the handshake path.
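As an added illustration (not code from this post or the project it describes), here is one way the edge plane's authorization gate could sit in front of certificate issuance in Go. `Authorizer`, `Gate`, `ErrUnauthorized` and the sample hostnames are hypothetical, and the issuance function is assumed to come from an ACME client or certificate cache.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"strings"
)

var ErrUnauthorized = errors.New("hostname not authorized for on-demand TLS")

// Authorizer is a hypothetical snapshot of control-plane-verified hostnames
// (lowercase, no trailing dot). A map keeps the handshake-time check O(1).
type Authorizer map[string]struct{}

// normalize lowercases the SNI value and strips a trailing dot, so
// "Shop.Example.COM." and "shop.example.com" resolve to the same key.
func normalize(sni string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(sni)), ".")
}

// Allowed rejects empty SNI, IP literals, and any name not in the snapshot.
func (a Authorizer) Allowed(sni string) bool {
	h := normalize(sni)
	if h == "" || net.ParseIP(h) != nil {
		return false
	}
	_, ok := a[h]
	return ok
}

// Gate returns a tls.Config.GetCertificate callback that reaches issue
// (assumed: an ACME client or certificate cache) only for authorized names.
func Gate(a Authorizer, issue func(host string) (*tls.Certificate, error)) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if !a.Allowed(hello.ServerName) {
			return nil, ErrUnauthorized
		}
		return issue(normalize(hello.ServerName))
	}
}

func main() {
	a := Authorizer{"shop.example.com": {}} // constructed sample hostname
	for _, sni := range []string{"Shop.Example.COM.", "unverified.example.net", "192.0.2.10", ""} {
		fmt.Printf("%q authorized=%v\n", sni, a.Allowed(sni))
	}
}
```

Because the gate returns before `issue` is called, a handshake for an unverified name never triggers certificate issuance, which keeps arbitrary SNI values from consuming CA rate limits.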
