Multi-Region Architecture and Data Residency

When deploying applications that serve users across multiple geographic regions, ensuring data residency compliance is critical. This guide explains how to architect your Descope authentication setup to meet regional data residency requirements while maintaining a seamless user experience.

Understanding Descope's Regional Architecture

Descope supports multi-region deployments with data residency in specific geographic locations. However, each Descope project can only be hosted in one region. When you create a Descope project, you select its region (US, EU, or AU), and all user data and project configurations are stored and maintained exclusively within that region.

Once a region has been selected during project creation, user and tenant data cannot be moved between regions. This is a permanent configuration that ensures data residency compliance.

For more details on regional support, see our Multi-Region Support documentation.

For applications running in multiple regions (e.g., both US and EU), Descope's strong recommendation is to use different authentication domains for different regional applications. This approach ensures:

  • Data Residency Compliance: User data remains in the appropriate region per regulatory requirements (e.g., GDPR for EU users)
  • Performance Optimization: Authentication requests are routed to the nearest regional endpoint
  • Clear Separation: Each region operates independently with its own project and configuration

Implementation Strategy

1. Create Separate Descope Projects

Create a separate Descope project for each region where your application operates.

Each project will have its own:

  • Project ID
  • Regional base URL
  • User data store
  • Configuration settings

2. Configure Regional Auth Domains

Set up separate authentication domains for each region using Custom Domains:

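| Region | Application Domain | Auth Domain | Descope Project |
|--------|--------------------|-------------|-----------------|
| US | app-us.example.com | auth-us.example.com | US Project |
| EU | app-eu.example.com | auth-eu.example.com | EU Project |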

For additional custom deployments in other regions, contact Descope Support for guidance and assistance.

DNS Configuration

For each regional auth domain, configure a CNAME record pointing to the appropriate regional Descope endpoint:

  • US: auth-us.example.com → cname.descope.com
  • EU: auth-eu.example.com → cname.euc1.descope.com
  • AU: auth-au.example.com → cname.aps2.descope.com

3. Implement Regional Routing Logic

Your application needs to route users to the correct regional Descope project based on their location or preference. Implement routing logic that:

  1. Determines User Region: Use geolocation, user preference, or business logic to determine which region a user should use
  2. Selects Project Configuration: Choose the appropriate Project ID and base URL for that region
  3. Initializes Descope SDK: Initialize the Descope SDK with the regional project configuration
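
The routing steps above can be sketched as follows. This is an added example, not code from Descope: the project IDs are placeholders, the country mapping is constructed sample data, and both the precedence order (stored home region, then user preference, then geolocation) and the use of the regional auth domain as the base URL are assumptions. It fails closed when no region can be determined, so a user is never created in a default project outside their region.

```javascript
// Added example, not Descope's code. Project IDs are placeholders, and using the
// regional auth domain as the SDK base URL is an assumption.
const REGION_CONFIG = Object.freeze({
  US: { projectId: "<US_PROJECT_ID>", baseUrl: "https://auth-us.example.com" },
  EU: { projectId: "<EU_PROJECT_ID>", baseUrl: "https://auth-eu.example.com" },
  AU: { projectId: "<AU_PROJECT_ID>", baseUrl: "https://auth-au.example.com" },
});

// Constructed sample mapping from ISO country code to hosting region.
const COUNTRY_TO_REGION = Object.freeze({
  US: "US", CA: "US", DE: "EU", FR: "EU", AU: "AU", NZ: "AU",
});

// Own-property lookup on an upper-cased key, so input such as "constructor"
// or "__proto__" never resolves to something inherited from Object.prototype.
function lookup(table, key) {
  if (typeof key !== "string") return null;
  const k = key.trim().toUpperCase();
  return Object.prototype.hasOwnProperty.call(table, k) ? k : null;
}

// Step 1: determine the user's region. A region already recorded for the
// account wins over geolocation, so a travelling user stays on their project.
function determineRegion({ homeRegion, preferredRegion, countryCode } = {}) {
  const country = lookup(COUNTRY_TO_REGION, countryCode);
  return (
    lookup(REGION_CONFIG, homeRegion) ||
    lookup(REGION_CONFIG, preferredRegion) ||
    (country ? COUNTRY_TO_REGION[country] : null)
  );
}

// Step 2: select the project configuration for that region, failing closed.
function selectProjectConfig(signals) {
  const region = determineRegion(signals);
  if (!region) {
    throw new Error("Region undetermined: refusing to fall back to a default project");
  }
  return { region, ...REGION_CONFIG[region] };
}

// Step 3: pass projectId and baseUrl to the Descope SDK initializer for your
// platform (not shown here).
const config = selectProjectConfig({ countryCode: "DE" });
console.log(config.region, config.baseUrl);
```
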