Skip to main content
SSO Domains require a Business or Enterprise plan. View plans
SSO Domains are the email domains your organization has claimed. Claiming a domain unlocks auto-join, controls which login methods are allowed, keeps identity in sync with your IdP, and lets you attach SSO profiles. A domain can only be claimed by one organization in Invent. The first org to complete email verification wins. If someone else already claims your domain, get in touch with us.

The Domains Table

Each verified domain shows:
ColumnDescription
DomainThe verified email domain (e.g. acme.com)
RoleDefault role assigned to users who auto-join through this domain. Click the pencil icon to change it
Auto-JoinToggle. When on, users signing up with an email on this domain are automatically added as members
⚙️ SettingsOpens the settings dialog for profile sync, email change, and profile change
🗑️ DeleteStarts the 6-digit email-verified deletion flow

Adding a Domain

  1. Go to SettingsSSO (useinvent.com/o/settings/sso).
  2. In the Domains section, click + Add Domain.
  3. Fill in the form:
    • Admin email: an email address on the domain you want to claim. The verification code is sent here.
    • Default role: role assigned to auto-joined members (Admin, Developer, Manager, or Staff).
    • Auto-join: automatically add new users on this domain to your org.
    • Sync profile: refresh name, avatar, and email from the IdP on each sign-in.
    • Allow email change: let users on this domain change their email from the user settings.
    • Allow profile change: let users change their name and avatar.
  4. Click Send Code. A 6-digit code is emailed to the admin address.
  5. Enter the code to complete verification.
Add domain dialog (email and role)
Add domain dialog (toggles and submit)
Enter verification code
The verification code is valid for 10 minutes. If it expires, click Resend to get a new one. You can request up to 10 codes per 10-minute window.
Disposable email addresses and free-mail domains (Gmail, Outlook, Yahoo, etc.) cannot be claimed. They belong to millions of people, not your organization.

Domain Settings Explained

Default Role

Every user who auto-joins through this domain gets this role. Role options match the standard member roles:
  • Admin: full access including SSO and billing
  • Developer: technical features like assistants and API keys
  • Manager: customer-facing operations (inbox, contacts, segments)
  • Staff: view/respond to conversations
See the full role matrix → You can change the default role at any time by clicking the pencil next to the role badge. Existing members keep their current role. Only new auto-joined members get the new default.
Edit role button on domain row

Auto-Join

When on, any new user signing up with an email on this domain is automatically added to your organization with the default role above. Auto-join applies to every sign-in method, not just SSO. A user signing up with Google using their @acme.com email gets auto-joined exactly the same as one signing up via SSO.
Auto-join makes onboarding seamless for teams, no manual invites needed. If you’d rather invite each member explicitly, turn it off.

Sync Profile

When on, every time a user signs in through SSO, Invent refreshes their name, avatar, and email from the claims returned by your IdP. This keeps Invent in sync with your directory of record. When off, identity fields are written once on first sign-in and never updated from the IdP.

Allow Email Change

Controls whether users on this domain can change their own email from the user settings page.
OIDC-connected users are always blocked from changing their email themselves, regardless of this setting. Their email belongs to the IdP. This flag only affects users on the domain who aren’t connected to an IdP (for example, those using Google or email-code sign-in).

Allow Profile Change

Same as above, but for name and avatar. OIDC-connected users are always locked; this flag only affects non-IdP users.

Editing a Domain

Click the ⚙️ Settings icon on any row to open the settings dialog.
Settings icon on domain row
Domain settings dialog
You can change:
  • Sync Profile
  • Allow Email Change
  • Allow Profile Change
Changes take effect on the next sign-in. To change the Default Role, click the pencil icon next to the role badge in the table row. To toggle Auto-Join, flip the switch directly in the table row.
The domain itself (e.g. acme.com) and its verified state are immutable. If you need to change the domain, delete it and add a new one.

Deleting a Domain

Deleting a domain is protected by a second email verification. Even admins can’t delete one with a single click.
Delete icon on domain row
  1. Click the 🗑️ Delete icon on the domain row.
  2. Click Send Code. A 6-digit code is emailed to the original verification address and to all org admins.
  3. Enter the code to confirm.
Deleting a domain:
  • Removes its claim from Invent (another org could then claim it).
  • Disables auto-join and profile sync for new sign-ins on that domain.
  • Does not remove existing members who joined through it. They stay in the org with their current roles and sessions.
  • Does not delete SSO profiles on the org, but profiles become ineffective if no verified domain matches an incoming user’s email.

Relationship with SSO Profiles

Domains and profiles are separate but linked at sign-in time:
  1. A user enters their email on the sign-in page.
  2. Invent checks: is this email’s domain claimed by an org in Invent? → finds your org.
  3. Invent then lists all enabled SSO profiles belonging to that org. Those are the IdP options the user sees.
In short: domain proves org ownership, profile provides the IdP. You need at least one of each for SSO sign-in to work. Set up your first SSO profile →

Troubleshooting

The code is 6 digits and expires after 10 minutes. If it expired, click Resend. If you copy-pasted it, make sure no spaces or extra characters slipped in.
Someone else verified this domain first. If you believe it belongs to your organization, contact Invent support with proof of ownership.
Check your spam folder and any internal email filters. The sender is the from address configured for your workspace (or Invent’s default). If it still doesn’t arrive, try a different admin address on the same domain.
Yes. team.acme.com and acme.com are treated as separate domains. Only users whose email exactly matches the verified domain will match.