
Organization domains

Verify ownership of customer domains so Scalekit can route Home Realm Discovery (SSO) and SCIM provisioning to the right organization.

An organization domain is a domain your customer owns — such as acmecorp.com. Proving domain ownership unlocks two key features:

  • Home Realm Discovery (SSO): When a user signs in with an email address matching a registered domain, Scalekit automatically routes them to that organization’s SSO identity provider.
  • SCIM Provisioning: Scalekit only processes SCIM user lifecycle events (create, update, deactivate) for users whose email domain matches a registered organization domain. This ensures only the organization that owns a domain can manage those users.

The Admin Portal gives the admin of a customer organization a self-serve way to add and verify their domain — without involving your engineering team. This is the recommended approach for production onboarding.

  1. Enable domain verification for the organization

    Turn on the Domain Verification feature for the organization. You can do this in the Scalekit Dashboard (navigate to Organizations → select the organization → Overview → toggle Domain Verification), or via the API:

    Enable domain_verification feature
    curl --request PATCH \
    'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/<organization_id>/settings' \
    --header 'Authorization: Bearer <ACCESS_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{
    "features": [{ "name": "domain_verification", "enabled": true }]
    }'
  2. Generate an Admin Portal link and embed in your app

    Generate an admin portal link and embed in your application:

    Generate portal link for domain verification
    curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/<organization_id>/portal_links' \
    --header 'Authorization: Bearer <ACCESS_TOKEN>'
  3. Organization admin adds the domain and publishes the DNS record

    The admin opens the portal link, clicks Add domain, and enters their domain name. The portal displays the TXT record that must be published to verify domain ownership. The admin adds this record in their DNS provider (e.g., Cloudflare, Route 53, GoDaddy). Propagation typically takes a few minutes but can take up to 48 hours.

    Domain verification via admin portal

  4. Scalekit polls the domain’s DNS automatically. Once the TXT record is detected, the domain status changes to Verified and SSO routing and SCIM become active.

First, turn on the Domain Verification feature for the organization. Then redirect end users to the Hosted widgets, where they manage their organization’s domains. The domain verification flow inside the widget is identical to the Admin Portal: the user enters a domain, the widget displays the TXT record to publish, and Scalekit verifies in the background.

Domain verification via hosted widgets

Via Scalekit Dashboard (No-code)

Your team can add organization domains directly from the Scalekit Dashboard, useful for initial setup or when you have already verified ownership through other means.

  1. Go to Dashboard > Organizations and select the target organization.
  2. Navigate to Overview > Organization Domains.
  3. Click Add domain and enter the domain name.

Domain verification via dashboard

Domains added this way are marked as Admin-verified; no DNS verification is required. They become active for SSO routing and SCIM immediately.

Add and manage organization domains programmatically. Domains created via the API are also Admin-verified by default; no DNS verification is required. Use this when you have already confirmed domain ownership through another process and want to activate SSO routing or SCIM immediately.

Manage organization domains
# 1. Add an organization domain
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/<organization_id>/domains' \
--request POST \
--header 'Authorization: Bearer <ACCESS_TOKEN>' \
--header 'Content-Type: application/json' \
--data '{
"domain": "acmecorp.com",
"domain_type": "ORGANIZATION_DOMAIN"
}'
# 2. List all organization domains
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/<organization_id>/domains?domain_type=ORGANIZATION_DOMAIN' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'
# 3. Get details of a specific domain
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/<organization_id>/domains/<domain_id>' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'
# 4. Delete a domain
curl 'https://<SCALEKIT_ENVIRONMENT_URL>/api/v1/organizations/<organization_id>/domains/<domain_id>' \
--request DELETE \
--header 'Authorization: Bearer <ACCESS_TOKEN>'

Subscribe to these webhook events to react to domain lifecycle changes in your application:

| Event | Fires when |
| --- | --- |
| organization.domain_created | A domain is added to an organization via any method |
| organization.domain_deleted | A domain is removed from an organization |
| organization.domain_dns_verification_success | The DNS check confirms domain ownership |
| organization.domain_dns_verification_failed | The DNS verification window expired without a successful DNS match |

See Organization domain events for the full event payload schema.

How are organization domains different from allowed email domains?

Allowed email domains let users with a matching email address see and join the organization via the organization switcher.

Organization domains prove domain ownership by an organization and unlock SSO routing (Home Realm Discovery) and SCIM provisioning. The distinction is about what the domain enables, not just who can join.

What happens if DNS hasn’t propagated yet?

DNS propagation can take anywhere from a few minutes to 48 hours depending on the TTL and the DNS provider.

Scalekit polls the domain on a scheduled interval and retries automatically until the TXT record is found or the verification window expires. The org admin can also click Verify now in the Admin Portal or Hosted Widget to trigger an immediate check at any time.

If the window expires before the record propagates, the domain status moves to FAILED. Delete the domain and add it again to get a fresh verification token and restart the process.
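
To see whether the TXT record is visible before clicking Verify now, an admin can query resolvers directly. The script below is an added example, not part of the Scalekit documentation: the record name and value are placeholders for what the portal displays, the resolver addresses are arbitrary public resolvers, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example: check whether a verification TXT record is visible in DNS.
# <RECORD_NAME> and <EXPECTED_VALUE> are placeholders; copy the real values
# from the Admin Portal or Hosted Widget.

# normalize_txt: read `dig +short TXT` output on stdin, one record per line.
# A TXT value longer than 255 bytes comes back as several quoted chunks
# ("part1" "part2"); join the chunks and drop the outer quotes.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_matches EXPECTED: succeed only if one record on stdin equals EXPECTED
# exactly (-F fixed string, -x whole line). A substring match would accept
# any record that merely contains the token.
txt_matches() {
    normalize_txt | grep -Fxq -- "$1"
}

# check_resolver RESOLVER NAME EXPECTED: ask one resolver for the record.
check_resolver() {
    dig +short TXT "$2" "@$1" | txt_matches "$3"
}

# propagation_report NAME EXPECTED RESOLVER...: print per-resolver status and
# return 0 only when every listed resolver already serves the record.
propagation_report() {
    name=$1; expected=$2; shift 2
    missing=0
    for r in "$@"; do
        if check_resolver "$r" "$name" "$expected"; then
            echo "$r: found"
        else
            echo "$r: not yet visible"
            missing=1
        fi
    done
    return "$missing"
}

# Usage (placeholder values, resolvers chosen for illustration):
# propagation_report '<RECORD_NAME>' '<EXPECTED_VALUE>' 1.1.1.1 8.8.8.8
```

A "not yet visible" result from some resolvers usually means cached negative answers have not expired yet; the record still has to be published at the name the portal shows.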

Can I verify a domain without DNS?

Yes. Domains added via the Scalekit Dashboard or API are marked as Admin-verified; no DNS verification is required. Use this when you have already confirmed domain ownership through another process (contract, business verification, etc.) and want to activate SSO routing or SCIM immediately.