Restrict user invitations by domain

Control who can be invited by whitelisting email domains

What this does

Restrict which email domains can receive invitations to join your workspace. When one or more allowed domains are configured, only email addresses matching those domains can be invited.

Permissions

Based on your role management settings:

  • Super Admins and Admins can create, view, update, and delete allowed email domains
  • Members cannot manage allowed domains or invite other users

If no allowed email domains are configured, invitations are permitted for all domains.

Where to configure

Allowed domains are managed in: Settings > Security > Whitelist Domains.

The Security page also contains related settings like webhook security.

Add or remove allowed domains

1. Navigate to Settings > Security.

2. Scroll down to Whitelist Domains and click Add domain.

3. Enter a domain (for example, example.com).

   Use bare domains like example.com. Do not include @, protocols, or paths.

4. To remove a domain, use the delete action next to it.

How invitations are validated

  • If at least one allowed domain exists, an invite can only be created for an email whose domain matches one of the allowed domains.
  • If no allowed domains exist, invites are not restricted by domain.
  • The restriction applies to invite creation. Existing users are unaffected.

If you attempt to invite an email from a non‑permitted domain, the invite will be blocked and you will be prompted to use an allowed domain.
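
The bare-domain rule from "Add or remove allowed domains" and the matching rules above can be sketched as follows. This is an added example, not the product's own code: the function names are hypothetical, and it assumes matching is an exact, case-insensitive comparison of the part after the last @ (the page does not say whether subdomains match).

```python
# Added illustration; not the product's implementation.
import re

# Bare-domain shape: dot-separated labels, no "@", scheme, or path.
_DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"
)


def normalize_allowed_domain(entry: str) -> str:
    """Validate an admin-supplied entry and return it lower-cased."""
    domain = entry.strip().lower()
    if not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"not a bare domain: {entry!r}")
    return domain


def email_domain(email: str) -> str:
    """Return the lower-cased domain after the last '@'."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def invite_allowed(email: str, allowed_domains: list[str]) -> bool:
    """Apply the rules from 'How invitations are validated'."""
    allowed = {normalize_allowed_domain(d) for d in allowed_domains}
    if not allowed:
        return True  # no allowed domains configured: unrestricted
    # Assumption: exact comparison, so subdomains and look-alike
    # suffixes or prefixes of an allowed domain do not match.
    return email_domain(email) in allowed


if __name__ == "__main__":
    allowlist = ["example.com"]  # constructed sample data
    for addr in ("alice@example.com", "bob@EXAMPLE.COM",
                 "eve@example.com.attacker.test", "eve@notexample.com",
                 "carol@mail.example.com"):
        print(addr, invite_allowed(addr, allowlist))
```

Comparing the whole domain, rather than testing whether the address ends with or contains an allowed domain, is what keeps addresses such as eve@notexample.com and eve@example.com.attacker.test from passing the check.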

Agencies and subaccounts

For agencies and their subaccounts:

  • The email domain restriction applies to invite creation at the agency (workspace) level
  • Agency users can still access subaccounts regardless of their email domain
  • A domain restriction set at the agency does not apply to subaccounts

Invite users (with domain restrictions in place)

Follow the standard invitation flow in User Management. When entering the invitee’s email, the domain will be checked against your whitelist.