Custom domain for auth recommended for production
The auth Worker ships on {project}.workers.dev by default — fine for local testing, but cross-site to your app, so Safari and iOS users can't sign in until you put the auth Worker on your app's own domain (see Cookies & Safari for the full why). Bind it to auth.yourdomain.com before going live:
- Open the project's Auth panel and click Attach custom domain
- Pick the zone and subdomain from the dropdown — TLS cert issues automatically (no DNS dance, no redeploy)
- Update your OAuth providers' redirect URIs to the new hostname (Flarelink lists the exact URIs for you)
- Point your app's
FLARELINK_AUTH_URLat the newhttps://auth.yourdomain.com
myapp.com → auth on auth.myapp.com). That's what makes the session cookie same-site. A custom domain that's still a different registrable domain from your app doesn't fix the third-party-cookie problem.Only zones on Cloudflare's nameservers work today — if your domain is on another DNS provider, you'll need to migrate the zone to CF first. The workers.dev URL keeps working as a fallback; CF doesn't tear it down when you attach a custom domain.
The Worker derives its base URL from each request, so OAuth callbacks, email links, and the cookie domain all switch to the custom hostname automatically once CF routes traffic to it — no flarelink_config change, no redeploy.