# Trusted Domains

Trusted Domains restrict how users sign up for and log in to the WarpStream Console. This includes disabling signups for new accounts that use a certain email domain or requiring all authentication to be done via SSO.

### Adding a Trusted Domain

To add a trusted domain, navigate to your "Team" in the WarpStream Console sidebar and click "Trusted Domains" in the top right. In the Trusted Domains UI, use the "Add Domain" button to add the domain.

Once a domain is added, ownership must be verified before any restrictions can be enforced.

### Verifying a Trusted Domain

Domain verification is done via DNS TXT records. Every domain added to WarpStream requires its own unique TXT record.

In the Trusted Domains UI, under Operations, click verify to show the unique TXT record needed for the domain.

<figure><img src="/files/FXlSDKOXOS5hHlGoA9hI" alt=""><figcaption></figcaption></figure>

1. Sign in to your domain name host provider in a separate browser window.
2. Go to the DNS records for your domain.
3. Add a new TXT record with the following values:

| Field             | Value                                                            |
| ----------------- | ---------------------------------------------------------------- |
| Record type       | TXT                                                              |
| Name/Host/Alias   | @                                                                |
| Value/Destination | Enter the verification code provided by the WarpStream Verify UI |

Example of a verification code:

```
warpstream-verification=84IFEgv7xSyVKsYiWH2Rrg==
```
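Before clicking verify, it helps to confirm that the record is actually visible in DNS. The script below is an added example, not WarpStream code: it assumes `dig` is installed, the function names are hypothetical, and the sample output is constructed around the example code above. It matches the record exactly, so other apex TXT records (such as SPF) and values split into several quoted strings are handled.

```shell
#!/bin/sh
# Added example: check that the WarpStream verification TXT record is
# published at the domain apex. Function names are illustrative.

# has_verification_record EXPECTED
# Reads `dig +short TXT` output on stdin (one record per line, each made of
# one or more "quoted" character-strings). Succeeds only if some record,
# once its strings are joined, equals EXPECTED exactly.
has_verification_record() {
    expected=$1
    while IFS= read -r line || [ -n "$line" ]; do
        # Join multi-string records ("abc" "def" -> abcdef), drop outer quotes.
        joined=$(printf '%s' "$line" |
            sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        [ "$joined" = "$expected" ] && return 0
    done
    return 1
}

# check_domain DOMAIN EXPECTED [RESOLVER]
# Live lookup (needs network). RESOLVER is optional; querying more than one
# resolver shows whether the record has propagated.
check_domain() {
    dig +short TXT "$1" ${3:+@"$3"} | has_verification_record "$2"
}

# Value copied from the page's example; use the one shown in your console.
EXPECTED_CODE='warpstream-verification=84IFEgv7xSyVKsYiWH2Rrg=='

# Constructed sample of `dig +short TXT example.com` output for an apex
# that also carries an SPF record.
SAMPLE_DIG_OUTPUT='"v=spf1 include:_spf.example.net ~all"
"warpstream-verification=84IFEgv7xSyVKsYiWH2Rrg=="'

if printf '%s\n' "$SAMPLE_DIG_OUTPUT" | has_verification_record "$EXPECTED_CODE"
then
    echo "verification record found"
else
    echo "verification record missing"
fi
```

For a live check, call `check_domain example.com "$EXPECTED_CODE"` with your own domain in place of the placeholder.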

### Editing a Trusted Domain

Once a domain is added, you can edit it to add access restrictions. When enabled, these restrictions are only enforced once the domain is verified. The following restrictions are available:

* Disable Signup
  * Users will not be able to sign up for a new account with an email matching the trusted domain. They will only be able to sign up if invited to an existing team by another user.
* Require SSO
  * Users will not be able to sign up or log in via password with an email matching the trusted domain, regardless of whether they were invited to an existing team. All users will be required to log in via SSO.
  * If SSO is not properly configured for the team, all users with an email matching the trusted domain will be locked out of the WarpStream Console. Please make sure SSO is properly set up and verified working before enabling this restriction.

