# Domain Capture

> Verify your company's email domain and control which login methods your team can use.

## Overview

Domain capture lets you claim ownership of your organization's email domain (e.g. `acme.com`) and then decide exactly how users from that domain can sign in. You can restrict logins to specific methods (Google, SSO (SAML), or email passwordless) and automatically add new users to your workspaces when they first sign in.

This feature is available to all account administrators at no extra cost.

<Note>
  SAML SSO and Directory Sync are enterprise features built on top of domain verification. See [SSO & Directory Sync](/Security/SSO-Directory-sync) if you need those.
</Note>

## Prerequisites

* You must be an account administrator.
* You must have access to your domain's DNS settings to add a TXT record.

## Step 1: Add a domain

<Steps>
  <Step title="Open Identity & Access settings">
    Go to **Account Settings** → **Identity & Access**.

    <img src="https://mintcdn.com/blaxel/gz9f3VS4Gc515azY/images/identity-access/identity-access-page.webp?fit=max&auto=format&n=gz9f3VS4Gc515azY&q=85&s=585f9478b22f8c14bc0ed8aad2718e03" alt="Identity & Access settings page" width="2972" height="1638" data-path="images/identity-access/identity-access-page.webp" />
  </Step>

  <Step title="Enter your domain">
    Type your company's email domain (e.g. `acme.com`) in the input field and click **Add domain**.
  </Step>
</Steps>

The domain appears in the list with a **Pending** status. It will remain inactive until you complete DNS verification.

## Step 2: Verify via DNS TXT record

To prove you own the domain, add a DNS TXT record provided by Blaxel.

<Steps>
  <Step title="Reveal the DNS record">
    Click **Show DNS** on the pending domain row.

    <img src="https://mintcdn.com/blaxel/gz9f3VS4Gc515azY/images/identity-access/dns-verification.webp?fit=max&auto=format&n=gz9f3VS4Gc515azY&q=85&s=5c7bb9cd850ae6b9b0efac17c3de9913" alt="DNS TXT record panel" width="1028" height="388" data-path="images/identity-access/dns-verification.webp" />
  </Step>

  <Step title="Copy the record values">
    You'll see two values:

    * **Name**: the hostname to add the record to (e.g. `_blaxel-sso-verification.yourdomain.com`)
    * **Value**: the verification string starting with `blaxel-sso-verify=...`

    Click the copy icon next to each value.
  </Step>

  <Step title="Add the TXT record in your DNS provider">
    Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, etc.) and add a new TXT record with the name and value you copied.

    DNS propagation typically takes a few minutes, but can take up to 48 hours in rare cases.
  </Step>

  <Step title="Trigger verification">
    Return to **Account Settings** → **Identity & Access** and click **Verify** on the domain row.
  </Step>
</Steps>

Once verified, the domain status changes to **Verified** (green checkmark) and additional options appear below it.

<Warning>
  If verification fails, double-check that the TXT record name and value are entered exactly as shown. Some DNS providers automatically append the root domain. Confirm the full record name in your DNS provider's interface.
</Warning>
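
Before clicking **Verify**, you can confirm from a terminal that the TXT record is published where Blaxel expects it. The script below is an added example, not Blaxel tooling; it assumes `dig` is installed, and the record name and token in its usage comment are constructed placeholders for the values shown in the **Show DNS** panel.

```shell
# classify_txt EXPECTED ANSWERS
#   ANSWERS is the text printed by `dig +short TXT <name>` (one record per line).
#   Prints one of: match | mismatch | missing
classify_txt() {
  expected=$1
  answers=$2
  [ -n "$answers" ] || { echo missing; return 0; }
  # dig prints each TXT record as one or more quoted strings; long values are
  # split as "part1" "part2". Rejoin the parts and drop the outer quotes.
  normalized=$(printf '%s\n' "$answers" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
  # Exact, whole-line comparison: the value must be entered exactly as shown.
  if printf '%s\n' "$normalized" | grep -Fxq -- "$expected"; then
    echo match
  else
    echo mismatch
  fi
}

# check_domain_capture RECORD_NAME EXPECTED [ZONE]
#   Looks up the record at RECORD_NAME and, if that fails and ZONE is given,
#   also at RECORD_NAME.ZONE, which is where the record lands when the DNS
#   provider appended the root domain to a name that already contained it.
check_domain_capture() {
  name=$1
  expected=$2
  zone=${3:-}
  result=$(classify_txt "$expected" "$(dig +short TXT "$name")")
  echo "$name: $result"
  if [ "$result" != match ] && [ -n "$zone" ]; then
    doubled="$name.$zone"
    if [ "$(classify_txt "$expected" "$(dig +short TXT "$doubled")")" = match ]; then
      echo "$doubled: match (name was doubled; re-enter it without the root domain)"
    fi
  fi
  [ "$result" = match ]
}

# Usage (constructed values; copy the real ones from the Show DNS panel):
#   check_domain_capture _blaxel-sso-verification.acme.com \
#     'blaxel-sso-verify=EXAMPLE-TOKEN' acme.com
```

A `mismatch` result means a TXT record exists at that name but its value differs from the one you copied; `missing` means nothing is published there yet or the record has not propagated.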

## Step 3: Set allowed auth methods

After your domain is verified, you can restrict which login methods users from that domain can use.

<img src="https://mintcdn.com/blaxel/gz9f3VS4Gc515azY/images/identity-access/domain-verified.webp?fit=max&auto=format&n=gz9f3VS4Gc515azY&q=85&s=1cc1bb2950e4816d845fa5b485d9366d" alt="Verified domain with allowed auth methods and auto-join" width="1020" height="532" data-path="images/identity-access/domain-verified.webp" />

Click a method badge to toggle it on or off:

| Method                   | Description                                                      |
| ------------------------ | ---------------------------------------------------------------- |
| **Google**               | Sign in with a Google account                                    |
| **SSO (SAML)**           | Sign in through your SAML identity provider (requires SSO setup) |
| **Email (passwordless)** | Sign in via email magic link or OTP                              |

If no methods are selected, there is no restriction and users can sign in with any available method.

<Note>
  If SAML SSO is configured and active on your account, **SSO (SAML)** becomes the only allowed method automatically and the other toggles are locked. See [SSO & Directory Sync](/Security/SSO-Directory-sync).
</Note>

## Step 4: Configure auto-join workspaces

You can automatically add new users to one or more workspaces the first time they sign in with your verified domain.

Under **Auto-join**, toggle on any workspace to enable automatic membership for users from that domain.

<Warning>
  Users who are already logged in when domain capture is toggled on will not be automatically added to the workspace until they log out and log back in.
</Warning>

<Warning>
  If Directory Sync is also active, workspace membership may be managed by two systems simultaneously. Prefer using Directory Sync group mappings to control workspace membership when Directory Sync is configured.
</Warning>

## Removing a domain

Click the trash icon on any domain row to remove it. You'll be asked to confirm before deletion.

<Note>
  A domain that is actively linked to a SAML SSO connection cannot be deleted until the SSO connection is removed first.
</Note>

## Related

* [SSO & Directory Sync](/Security/SSO-Directory-sync)
* [Workspace Access Control](/Security/Workspace-access-control)
