
SSO Domains

Verify a company email domain and have everyone signing in with that domain auto-join your GenMB workspace, with no manual invites.

SSO Domains require the Business plan. Domain verification is one-time; auto-join is then automatic.

How It Works

When you verify a domain, GenMB checks the email of every new sign-in against your domain list. If the email matches, the user is added to your workspace as a member on first sign-in, with no invite link or admin approval required.

  • One TXT record per domain - verified once, then enforced indefinitely.
  • Auto-join only fires on first sign-in; existing accounts are unaffected.
  • Membership is workspace-scoped - domain verification belongs to a single workspace.
  • Designed for companies that want every employee on the same workspace pool without manual invites.

Verifying a Domain

Verification requires DNS access for the domain you want to claim. Plan on involving whoever manages your DNS.

1. Open SSO settings

   From your workspace settings, open the SSO Domains tab and click Add Domain. Enter the domain (e.g., acme.com).

2. Copy the TXT record

   GenMB shows a TXT record token. Add it to your DNS as a TXT record at the apex of the domain.

3. Verify

   Click Verify after the TXT record has propagated (usually a few minutes). GenMB queries DNS and marks the domain verified on success.

4. Wait for sign-ins

   Anyone signing in with a matching email from this point forward is auto-joined to the workspace. Existing accounts are not retroactively affected; they need to be invited manually if you want them in the workspace.

Add multiple domains if your company uses several (e.g., acme.com and acme.co.uk). Each domain is verified independently.
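Before clicking Verify in step 3, you can confirm the record is visible from more than one resolver. The script below is an added example, not GenMB tooling: the function names, the default resolvers (1.1.1.1 and 8.8.8.8) and the placeholder token are assumptions, and it assumes the value GenMB shows is the complete TXT record value. It handles two things that commonly trip up this step: the apex normally already carries other TXT records (SPF, other vendors' verification tokens), and long TXT values come back from dig split into several quoted strings.

```shell
#!/bin/sh
# Added example: pre-check that a verification token is visible at the domain apex.
# Usage: ./check_txt.sh acme.com 'PLACEHOLDER-TOKEN-FROM-GENMB-UI' [resolver ...]

# `dig +short TXT` prints one record per line, each as one or more quoted
# strings ("part1" "part2"). Join the parts and strip the outer quotes.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Read `dig +short TXT` output on stdin; succeed only if one record equals the
# token exactly. Exact matching catches a truncated paste that a substring
# search would accept, and ignores unrelated records such as SPF.
txt_has_token() {
    normalize_txt | grep -Fxq -- "$1"
}

# Ask each resolver for the apex TXT set and report where the token is visible.
check_propagation() {
    domain=$1; token=$2; shift 2
    # Assumed defaults: two public resolvers. Pass your own to override.
    [ $# -gt 0 ] || set -- 1.1.1.1 8.8.8.8
    missing=0
    for resolver in "$@"; do
        if dig +short TXT "$domain" "@$resolver" | txt_has_token "$token"; then
            echo "ok       $resolver"
        else
            echo "missing  $resolver"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Run only when called with a domain and a token.
if [ $# -ge 2 ]; then
    check_propagation "$@"
fi
```

A "missing" result on one resolver while another reports "ok" usually means a cached answer has not expired yet; wait for the record's TTL before retrying.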

Default Role

By default, auto-joined users are added with the Member role: they can create, edit, and deploy apps and draw from the workspace credit pool. They cannot manage billing or invite others.

  • Default role: Member
  • Configurable per domain: Yes - change via the SSO Domains settings
  • Owner / Admin auto-join: Never; these roles must be assigned explicitly
  • Removing a member: Available from team settings; removes access immediately

See Workspaces for what each role can do and how the shared credit pool is attributed across members.

Security & Restrictions

DNS-based proof

Verification requires control of the domain's DNS - possessing the email is not sufficient.

Public domain blocklist

gmail.com, outlook.com, yahoo.com, and other shared providers cannot be claimed.

Single-workspace claim

A domain can be verified by only one workspace at a time. Re-verification is required to transfer.

Revocable

Removing the TXT record disables future auto-joins. Existing members remain - remove them manually if needed.

Auto-join applies indefinitely after verification. If your company offboards an employee, remove them from the workspace explicitly - leaving the email address active will let them rejoin on next sign-in.

FAQs

Do I need a separate identity provider?
No. SSO Domains in GenMB use Google OAuth, the same provider every GenMB user signs in with. The "SSO" here is domain-based auto-join: anyone signing in with an email matching your verified domain is automatically added to your workspace.

How do I prove I own the domain?
Add a TXT record to your DNS. GenMB checks the record and marks the domain verified. Until verification completes, no users are auto-joined.

Can I claim a public email domain like gmail.com?
No. Public email domains (gmail.com, outlook.com, yahoo.com, etc.) are blocklisted. SSO Domains are intended for company-owned domains only.

What role do auto-joined users get?
Member role by default. You can change individual roles in team settings or set the default role per domain. Owners and admins are never assigned automatically.

Can I remove a domain later?
Yes. Removing the domain stops new auto-joins; existing members remain unless explicitly removed. The TXT record can be deleted from DNS afterward.
