# Configure email domain rules

Email domain rules control how users join your application in two ways: by restricting who can sign up and by enabling automatic organization membership for trusted domains. These rules help maintain data quality, prevent abuse, and streamline onboarding for enterprise customers.

Sign-up restrictions block registrations and invitations from generic email providers (like Gmail or Outlook) and disposable email services, ensuring your user base consists of verified business contacts. Allowed email domains enable users with matching email addresses to automatically join organizations through the organization switcher, reducing manual invitation overhead.

Together, these features give you fine-grained control over user addition—blocking unwanted sign-ups while facilitating seamless access for legitimate users from trusted domains.

## Set up sign-up restrictions

Sign-up restrictions help you maintain data quality and prevent abuse by controlling who can create accounts in your application. This is particularly important for B2B applications where you need to ensure users have legitimate business email addresses rather than personal or temporary accounts.

These restrictions automatically block registrations and invitations from two types of email addresses:

- **Generic email domains** - Public email providers like `@gmail.com`, `@outlook.com`, or `@yahoo.com` that anyone can use
- **Disposable email addresses** - Temporary email services often used for spam, trial abuse, or avoiding accountability

When enabled, these restrictions apply to both direct signups and organization invitations, ensuring consistent policy enforcement across your application. This prevents users from creating multiple trial accounts, maintains clean analytics, and ensures your user base consists of verified business contacts.

The following diagram illustrates how sign-up restrictions work:

```d2
direction: right;

user
Scalekit.sign-up page
Scalekit.invite user

user -> Scalekit: "ben0948@gmail.com"
user -> Scalekit: "woxoco4761@knilkk.com"
Scalekit -- restricted: "🚫"
```

### How restrictions affect invitations

- Any user with a disposable email domain cannot sign up to create a new organization and cannot be invited to any existing organization.
- Any user with a public email domain cannot sign up to create a new organization and cannot be invited to any existing organization.

### Set sign-up restrictions

1. ### Navigate to sign-up restrictions settings

   Go to **Dashboard > Authentication > General** and locate the sign-up restrictions section.

2. ### Configure restriction options

   Toggle the following options based on what suits your application:

   - **Block disposable email domains**: Prevents temporary/disposable email addresses from signing up or being invited
   - **Block public email domains**: Prevents generic email providers like Gmail, Outlook, Yahoo from creating organizations

   ![](@/assets/docs/signup-restrictions/ui.png)

   **Choosing the right restrictions:** Enable disposable email blocking for all production applications to prevent abuse. Only enable public email blocking if you're building a B2B application that requires verified business identities.

3. ### Save your settings

   Click **Save** to apply the restrictions. Changes take effect immediately for all new signups and invitations.

   **Note:** Existing users with restricted email domains remain unaffected. You can return to this section anytime to update your restrictions.

## Configure allowed email domains

Allowed email domains let organization admins define trusted domains for their organization. When a user signs in or signs up with a matching email domain, Scalekit suggests that organization in the **organization switcher** so the user can join it with one click. This feature is authentication-method agnostic: regardless of whether a user authenticates via SSO, social login, or passwordless authentication, organization options are suggested based on their email domain.

```d2
direction: right;

domain_match: "Domain Match?"
suggest_org: "Show option for the user to join organization"
join_create: "User joined the organization"

domain_match -> suggest_org: "Yes"
suggest_org -> join_create: "Join"
```

When a user signs up or signs in, Scalekit will automatically:

1. **Match email domains** - Check if the user's email domain matches configured allowed domains for any organization.
2. **Suggest organization options** - Show the user available organizations they can join through an organization switcher.
3. **Enable user choice** - Allow users to decide which of the suggested organizations they want to join.
4. **Create organization membership** - Automatically add the user to their selected organization.

**Security consideration:** Disposable and public email domains are blocked and cannot be added to the allow-list (e.g., `gmail.com`, `outlook.com`). We maintain a blocklist to enforce this.
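
The matching and blocking rules described above, sketched as an added example (this is not Scalekit's implementation or SDK code). It assumes exact, case-insensitive comparison of the whole domain; the function names, the `orgs` shape and the small blocklists are hypothetical, with sample domains taken from this page.

```javascript
// Added illustration, not Scalekit's implementation. The blocklist entries are
// constructed samples taken from this page; Scalekit maintains its own list.
const PUBLIC_DOMAINS = new Set(["gmail.com", "outlook.com", "yahoo.com"]);
const DISPOSABLE_DOMAINS = new Set(["knilkk.com"]);

// Return the lowercased domain of an email address, or null if malformed.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).trim().toLowerCase().replace(/\.$/, "");
  // Require dot-separated labels made of letters, digits and hyphens.
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// Classify a domain into the categories the sign-up restrictions use.
function classifyDomain(domain) {
  if (DISPOSABLE_DOMAINS.has(domain)) return "disposable";
  if (PUBLIC_DOMAINS.has(domain)) return "public";
  return "business";
}

// Only well-formed business domains may go on an organization's allow-list.
function canAllowList(domain) {
  const d = emailDomain("x@" + domain);
  return d !== null && classifyDomain(d) === "business";
}

// orgs: [{ id, allowedDomains: [...] }] (hypothetical shape).
// Returns the ids of organizations to suggest in the organization switcher.
// Comparison is exact on the whole domain, never suffix or substring, so
// subdomains and look-alike domains do not inherit a parent domain's trust.
function suggestOrganizations(email, orgs) {
  const domain = emailDomain(email);
  if (domain === null || classifyDomain(domain) !== "business") return [];
  return orgs
    .filter((o) => o.allowedDomains.some((a) => a.toLowerCase() === domain))
    .map((o) => o.id);
}

// Constructed sample data.
const ORGS = [
  { id: "org_a", allowedDomains: ["customerdomain.com"] },
  { id: "org_b", allowedDomains: ["CustomerDomain.com", "example.org"] },
];
```
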

### Manage allowed email domains in Scalekit Dashboard

Allowed email domains can be configured for an organization through the Scalekit Dashboard.

![](@/assets/docs/allowed-email-domains/dashboard.png)

1. Navigate to **Organizations** and **select an organization**.
2. Navigate to **Overview** > **User Management** > **Allowed email domains**.
3. Add or edit allowed email domains for automatic suggestions/provisioning.

### Manage allowed email domains API

Configure allowed email domains for an organization programmatically through the Scalekit API. Before proceeding, complete the steps in the [installation guide](/authenticate/set-up-scalekit/).

```sh title="Register, list, get, and delete allowed email domains" frame="terminal" "ALLOWED_EMAIL_DOMAIN" showLineNumbers=false
# 1. Register an allowed email domain
# Use case: Restrict user registration to specific company domains for B2B applications
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/{organization_id}/domains' \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{
  "domain": "customerdomain.com",
  "domain_type": "ALLOWED_EMAIL_DOMAIN"
}'

# 2. List all registered allowed email domains
# Use case: Display domain restrictions in admin dashboard or verify current settings
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/{organization_id}/domains'

# 3. Get details of a specific domain
# Use case: Verify domain configuration or retrieve domain metadata
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/{organization_id}/domains/{domain_id}'

# 4. Delete an allowed email domain
# Use case: Remove domain restrictions or clean up unused configurations
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/{organization_id}/domains/{domain_id}' \
  --request DELETE
```

```js title="Register, list, get, and delete allowed email domains" frame="terminal" wrap
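// `client` is the Scalekit client initialized in the installation guide;
// organizationId and domainId are the IDs of your organization and domain.

// 1. Register an allowed email domain
// Use case: Restrict user registration to specific company domains for B2B applications
const newDomain = await client.domain.createDomain(organizationId, "customerdomain.com", {
	domainType: "ALLOWED_EMAIL_DOMAIN",
});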

// 2. List all registered allowed email domains
// Use case: Display domain restrictions in admin dashboard or verify current settings
const domains = await client.domain.listDomains(organizationId);

// 3. Get details of a specific domain
// Use case: Verify domain configuration or retrieve domain metadata
const domain = await client.domain.getDomain(organizationId, domainId);

// 4. Delete an allowed email domain
// Use case: Remove domain restrictions or clean up unused configurations
// Caution: Deletion is permanent and may affect user access
await client.domain.deleteDomain(organizationId, domainId);
```
