Custom-domain onboarding decomposes into two planes. The connect plane configures DNS and proves ownership (a value-checked DNS challenge, or a signed provider consent). The edge plane terminates TLS on demand during the handshake — but only for hostnames the control-plane authorizes — then reverse-proxies to your origin.
Why on-demand TLS
Certificates are issued and renewed automatically at the edge, so there’s never a cert to wrangle. An O(1) authorization lookup keeps the handshake off your billing and business logic.