Your Worker is running on *.workers.dev — but you want it on your own domain. This lesson covers two things: pointing a subdomain from your Google Workspace domain to Cloudflare, and attaching it to your Worker with automatic SSL.
There are two ways to use your domain with Cloudflare Workers:
| Approach | How | When to Use |
|---|---|---|
| Full setup (recommended) | Move your domain's nameservers to Cloudflare | You want all Cloudflare features (DDoS, WAF, caching, Workers) on the whole domain |
| CNAME setup (partial) | Keep existing DNS, add a CNAME for your subdomain | You can't or don't want to move nameservers (enterprise DNS locked, etc.) |
For most people with a Google Workspace domain, the full setup is better — you get the complete security and speed layer for free. Google Workspace (Gmail, Calendar, Drive) will keep working because you'll add the required MX and CNAME records in Cloudflare's DNS.
This gives you the most value — your entire domain gets Cloudflare's DDoS protection, caching, and DNS performance.
Cloudflare auto-imports your DNS records, but verify that your Google Workspace records are all present before changing nameservers. Check for: MX records (mail), CNAME records (mail, calendar, drive), TXT records (SPF, DKIM, domain verification).
Make sure these records exist in Cloudflare's DNS after import:
| Type | Name | Value | Purpose |
|---|---|---|---|
| MX | @ | aspmx.l.google.com (priority 1) | Gmail |
| MX | @ | alt1.aspmx.l.google.com (priority 5) | Gmail backup |
| MX | @ | alt2.aspmx.l.google.com (priority 5) | Gmail backup |
| MX | @ | alt3.aspmx.l.google.com (priority 10) | Gmail backup |
| MX | @ | alt4.aspmx.l.google.com (priority 10) | Gmail backup |
| TXT | @ | v=spf1 include:_spf.google.com ~all | SPF (email auth) |
| CNAME | | ghs.googlehosted.com | Gmail web (if custom URL) |
| TXT | @ | Google site verification string | Domain ownership |
MX records cannot be proxied through Cloudflare. They must be set to DNS only (grey cloud). This happens automatically for MX records — Cloudflare won't proxy mail traffic.
Cloudflare will give you two nameservers (e.g., ada.ns.cloudflare.com and bob.ns.cloudflare.com). Update these at your domain registrar:
Propagation takes anywhere from a few minutes to 48 hours (usually under 1 hour).
Once your domain is active in Cloudflare, you don't need to manually create DNS records for Worker subdomains. Custom Domains handle this automatically.
If you don't want to move your nameservers (or can't), you can add a CNAME record for just your subdomain at your current DNS provider:
```
# At your current DNS provider (e.g., Google Domains):
Type:  CNAME
Name:  app  (this creates app.yourdomain.com)
Value: your-worker.your-account.workers.dev
```
With CNAME-only, you don't get Cloudflare's DDoS protection, WAF, or caching on that subdomain. You only get the Worker execution. For the full security layer, use the full nameserver setup (Option A).
Once your domain is in Cloudflare (Option A), connecting a subdomain to your Worker is one step:
In your wrangler.jsonc:
```jsonc
{
  "name": "my-app",
  "main": "src/index.js",
  "routes": [
    {
      "pattern": "app.yourdomain.com",
      "custom_domain": true
    }
  ]
}
```
Then deploy:
```bash
npx wrangler deploy
```
That's it. Cloudflare will:
- app.yourdomain.com to your Worker
- app.yourdomain.com

Now that your Worker has a custom domain, update your Google OAuth credentials:
- https://app.yourdomain.com/auth/callback to Authorized redirect URIs
- url.origin to construct the redirect URI

You can attach multiple custom domains to the same Worker. This is useful for staging vs. production: staging.yourdomain.com and app.yourdomain.com can both point to the same Worker (or different ones).
If you only want users from your Google Workspace (e.g., @yourcompany.com) to sign in, add a check after fetching user info in your OAuth callback:
```javascript
// In the /auth/callback handler, after fetching user info:
const user = await userRes.json();

// Restrict to your Google Workspace domain
if (!user.email.endsWith("@yourcompany.com")) {
  return new Response("Access denied. Must use @yourcompany.com account.", {
    status: 403,
  });
}
```
Alternatively, you can use Google's hd (hosted domain) parameter when constructing the auth URL to pre-filter the account picker:
```javascript
const params = new URLSearchParams({
  client_id: env.GOOGLE_CLIENT_ID,
  redirect_uri: REDIRECT_URI,
  response_type: "code",
  scope: "openid email profile",
  hd: "yourcompany.com", // Only show Workspace accounts
});
```
The hd parameter only affects the UI (which accounts Google shows). You must still verify the email domain server-side in the callback, because a determined user could modify the auth URL.
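A stricter form of the server-side callback check, as an added example that is not part of the original lesson: it compares the exact domain after the last `@` and also requires Google's `email_verified` and `hd` fields to agree with it. The helper name, the sample users, and the assumption that `user` is the response from Google's OpenID Connect userinfo endpoint are assumptions of this example.

```javascript
// Added example, not from the original lesson. Assumes `user` is the JSON from
// Google's OpenID Connect userinfo endpoint (fields: email, email_verified, hd).
const ALLOWED_DOMAIN = "yourcompany.com"; // placeholder domain used on the page

// Hypothetical helper: returns { ok, reason } instead of throwing on odd input.
function checkWorkspaceUser(user, allowedDomain = ALLOWED_DOMAIN) {
  const domain = allowedDomain.toLowerCase();
  if (!user || typeof user.email !== "string") {
    return { ok: false, reason: "missing email" };
  }
  // Compare the whole domain part, not a substring, and ignore case.
  const email = user.email.trim().toLowerCase();
  const at = email.lastIndexOf("@");
  if (at < 1 || email.slice(at + 1) !== domain) {
    return { ok: false, reason: "wrong email domain" };
  }
  // Reject addresses Google has not verified.
  if (user.email_verified !== true && user.email_verified !== "true") {
    return { ok: false, reason: "email not verified" };
  }
  // hd is set by Google for Workspace-managed accounts; require it to match,
  // so a personal Google account using a company address is also rejected.
  if (typeof user.hd !== "string" || user.hd.toLowerCase() !== domain) {
    return { ok: false, reason: "not a Workspace account for this domain" };
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample userinfo payloads (not real accounts).
const SAMPLE_USERS = [
  { email: "alice@yourcompany.com", email_verified: true, hd: "yourcompany.com" },
  { email: "Bob@YourCompany.com", email_verified: true, hd: "yourcompany.com" },
  { email: "mallory@yourcompany.com.example.net", email_verified: true },
  { email: "carol@yourcompany.com", email_verified: false, hd: "yourcompany.com" },
  { email: "dave@yourcompany.com", email_verified: true }, // no hd claim
  { name: "no email field" },
];

for (const u of SAMPLE_USERS) {
  console.log(u.email ?? "(no email)", "->", checkWorkspaceUser(u).reason);
}
```

In the `/auth/callback` handler, return the 403 response whenever `checkWorkspaceUser(user).ok` is false.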
app.yourdomain.com) — via Custom Domains

Custom Domains — Cloudflare Workers Docs — official guide for connecting domains to Workers, including certificate management and route behavior.