Changes

• Adds support for the Auth0-Custom-Domain header, enabling users to specify a custom domain for API endpoints that generate user-facing links (email verification, password reset, organization invitations, etc.)
• Implements an OkHttp interceptor (CustomDomainInterceptor) that enforces an endpoint whitelist, the header is automatically stripped from requests to non-whitelisted paths, preventing misuse
• Supports both global configuration (via ManagementApiBuilder.customDomain()) and per-request overrides (via CustomDomainHeader.of() helper)

New classes

Modified classes

Whitelisted endpoints

The Auth0-Custom-Domain header is only sent to endpoints that generate user-facing links:

• POST /jobs/verification-email
• POST /tickets/email-verification
• POST /tickets/password-change
• /organizations/{id}/invitations
• /users and /users/{id}
• POST /guardian/enrollments/ticket
• /self-service-profiles/{id}/sso-ticket

All other endpoints have the header automatically stripped by the interceptor.

Usage

// Global — applies to all whitelisted requests
ManagementApi client = ManagementApi.builder()
    .domain("your-tenant.auth0.com")
    .token("YOUR_TOKEN")
    .customDomain("CUSTOM_DOMAIN")
    .build();

// Per-request override
CreateVerificationEmailResponseContent createVerificationEmailResponseContent = client.jobs().verificationEmail()
              .create(CreateVerificationEmailRequestContent.builder().userId("<USER_ID>").build(), CustomDomainHeader.of("<CUSTOM_DOMAIN>"));

Test classes added

• CustomDomainInterceptorTest — 18 unit tests validating whitelist matching for both allowed and blocked paths
• CustomDomainHeaderIntegrationTest — 8 integration tests using MockWebServer verifying end-to-end header behavior (global config, per-request override, stripping on non-whitelisted paths, no-config scenarios)