Multi-Tenant SaaS Domain Strategy: Custom Domains, SSL & Isolation

Supporting customer custom domains elevates perceived product quality—and complexity. Build a resilient pipeline.

Onboarding Flow

1. User adds domain (app settings)
2. Provide required DNS targets (CNAME or A + TXT)
3. Poll DNS until ownership proof & resolution succeed
4. Request certificate (ACME) after DNS ready
5. Activate routing entry & purge caches

DNS Validation Patterns

Certificate Automation

• Use batch ACME client (e.g., step-ca, Certbot automation)
• Store private keys encrypted (KMS) with rotation
• Pre-warm renewal 30 days out; retry jitter

Routing Layer

• Edge (CDN or reverse proxy) maintains host -> tenant map
• Wildcard fallback to 404 to avoid leakage
• Rate limit misconfigured host bursts

Isolation & Security

• Per-tenant origin auth (signed headers)
• Header sanitation (Host, X-Forwarded-*)
• Enforce HTTPS redirect after cert ready
• WAF ruleset opt-in for high-risk tenants

Observability

• Domain onboarding duration p95
• DNS error state counts
• Certificate issuance failures & retries
• Per-tenant 4xx/5xx anomaly alerts

Data Model Fields

TenantDomain {
  id, tenantId, domain, status: [pending_dns, validating, provisioning_cert, active, error],
  createdAt, activatedAt, lastCheckAt, failureReason,
  validationMethod, dnsRecordsExpected: [{type, host, value}],
  certExpiresAt
}

Failure Handling

---

Want a starter Prisma model or API route added? Just say so.