***

title: Whitelist Email Domains
subtitle: Control who can be invited by whitelisting email domains
slug: allowed-email-domains
description: Configure allowed email domains in Security settings to restrict workspace invitations.
---------------------


## What this does

Restrict which email domains can receive invitations to join your workspace. When one or more allowed domains are configured, only email addresses matching those domains can be invited.

## Take domain policy further with SSO

Allowed domains control who can be invited to your Synthflow workspace. For businesses that need centralized authentication and stronger security policy enforcement, [Single Sign-On (SSO)](/sso) is the next step.

With SSO, your domain policy is backed by your identity provider authentication flow, not only by invitation restrictions in Synthflow.

## Permissions

Based on your [role management](/role-management) settings:

* **Super Admins** and **Admins** can create, view, update, and delete allowed email domains
* **Members** cannot manage allowed domains or invite other users

If no allowed email domains are configured, invitations are permitted for all domains.

## Where to configure

Allowed domains are managed in: **Settings** → **Security** → **Whitelist Domains**.

The Security page also contains related settings like webhook security.

## Add or remove allowed domains

<Steps>
  <Step>
    Navigate to **Settings** → **Security**.
  </Step>

  <Step>
    Scroll down to **Whitelist Domains** and click **Add domain**.
  </Step>

  <Step>
    Enter a domain (for example, `example.com`).

    <Note>
      Use bare domains like `example.com`. Do not include `@`, protocols, or paths.
    </Note>
  </Step>

  <Step>
    To remove a domain, use the delete action next to it.
  </Step>
</Steps>

## How invitations are validated

* If at least one allowed domain exists, an invite can only be created for an email whose domain matches one of the allowed domains.
* If no allowed domains exist, invites are not restricted by domain.
* The restriction applies to invite creation. Existing users are unaffected.

If you attempt to invite an email from a non‑permitted domain, the invite will be blocked and you will be prompted to use an allowed domain.
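The rules above can be sketched in a few lines. This is an added illustration, not Synthflow's implementation: the function names are hypothetical, and exact case-insensitive domain matching is an assumption, since this page does not say how subdomains are treated.

```python
import re

# One DNS label: ASCII letters, digits and inner hyphens (assumed format).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def normalize_domain(entry: str) -> str:
    """Return a lower-cased bare domain, or raise ValueError.

    Entries containing '@', a protocol or a path fail the pattern,
    matching the note about using bare domains like example.com.
    """
    domain = entry.strip().lower()
    if len(domain) > 253 or not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"not a bare domain: {entry!r}")
    return domain


def invite_allowed(email: str, allowed_domains: list[str]) -> bool:
    """Decide whether an invite may be created for this address."""
    allowed = {normalize_domain(d) for d in allowed_domains}
    if not allowed:
        # No allowed domains configured: invites are not restricted.
        return True
    # Split on the last '@' so the domain is the part mail is routed to.
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local:
        return False
    # Assumption: exact comparison. Substring or suffix checks would also
    # accept look-alike domains such as "notexample.com".
    return domain.lower() in allowed


if __name__ == "__main__":
    # Constructed sample addresses, checked against a one-entry list.
    for addr in ("alice@example.com", "bob@notexample.com",
                 "carol@example.com.other.test"):
        print(addr, invite_allowed(addr, ["example.com"]))
```

Because an empty list permits every domain, removing the last entry reopens invitations to all domains, which is worth checking after any cleanup of the list.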

## Agencies and subaccounts

For agencies and their subaccounts:

* The email domain restriction applies to invite creation at the agency (workspace) level
* Agency users can still access subaccounts regardless of their email domain
* A domain restriction set at the agency does not apply to subaccounts

## Invite users (with domain restrictions in place)

Follow the standard invitation flow in [User Management](/user-management). When entering the invitee’s email, the domain will be checked against your whitelist.