> ## Documentation Index
> Fetch the complete documentation index at: https://www.krea.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Domain Verification & Capture

> Verify ownership of your email domain in Krea to enable Domain Capture, auto-enroll team members, and unlock SAML SSO for your enterprise workspace.

Domain verification proves that your organization owns the email domain used by your team members. This is a prerequisite for enabling SAML Single Sign-On (SSO) and other enterprise security features.

<Note>
  Domain verification is required before you can configure SAML SSO. Complete these steps first, then proceed to [SAML SSO Setup](/user-guide/help-and-support/saml-sso-setup).
</Note>

<Tip>
  Verified domains default to **Enforced (Auto-Enroll)** for [Domain Capture](#configure-domain-capture), meaning users with matching email addresses will be automatically added to your workspace on their next login. Review the capture mode immediately after verifying your domain.
</Tip>

## Prerequisites

<CardGroup cols={2}>
  <Card title="Workspace Role" icon="user-shield">
    You must be a **workspace owner** or **admin**
  </Card>

  <Card title="DNS Access" icon="globe">
    Access to your organization's DNS settings (Cloudflare, Route 53, GoDaddy, etc.)
  </Card>
</CardGroup>

## Why Verify Your Domain?

Domain verification ensures that only authorized administrators can:

* Configure Domain Capture to automatically invite or enroll users with your domain
* Enable SAML SSO for users with your company email domain
* Manage authentication settings for your organization
* Control how team members access your Krea workspace

## Step 1: Add Your Domain

<Steps>
  <Step title="Open Workspace Settings">
    Navigate to [Workspace Settings ↗](https://www.krea.ai/settings/workspace-settings).

    You can also click your **workspace avatar** in the bottom-left corner of the sidebar, then select **Settings**.
  </Step>

  <Step title="Find Domain Management">
    Scroll down to the **Domain Management** section.

    ![Domain Management section](https://s.krea.ai/docs/sso-domain-management.png)
  </Step>

  <Step title="Add Your Domain">
    Type your company's email domain (e.g., `acme.com`) in the input field and click **Add Domain**.
  </Step>
</Steps>

<Tip>
  Use the domain portion of your employees' email addresses. For example, if employees use `user@acme.com`, enter `acme.com`.
</Tip>

## Step 2: Add DNS TXT Record

After adding your domain, Krea displays a verification token. Your domain will show as **Pending** until verified.

![Verification token](https://s.krea.ai/docs/sso-verification-token.png)

You'll see:

* A success alert with the **verification token** (starting with `krea-verification=`)
* Your domain listed with a **Pending** status
* A copyable TXT record value

<Warning>
  **Copy the token exactly** — including any special characters. Even a small typo will cause verification to fail.
</Warning>

### DNS Record Details

| Field         | Value                                                |
| ------------- | ---------------------------------------------------- |
| Type          | `TXT`                                                |
| Host/Name     | `@` (or leave blank, depending on your DNS provider) |
| Content/Value | The verification token shown in the modal            |
| TTL           | `3600` (1 hour) or your provider's default           |

### Adding the Record by Provider

<Tabs>
  <Tab title="Cloudflare">
    1. Log in to [Cloudflare Dashboard](https://dash.cloudflare.com)
    2. Select your domain
    3. Click **DNS** in the left sidebar
    4. Click **Add record**
    5. Set Type to `TXT`, Name to `@`, and paste the token in Content
    6. Click **Save**

    <Info>
      Reference: [Cloudflare DNS Documentation ↗](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/)
    </Info>
  </Tab>

  <Tab title="AWS Route 53">
    1. Open the [Route 53 Console](https://console.aws.amazon.com/route53)
    2. Click **Hosted zones** → Select your domain
    3. Click **Create record**
    4. Leave Record name empty, set Type to `TXT`
    5. Paste the token in Value (with quotes)
    6. Click **Create records**

    <Info>
      Reference: [AWS Route 53 Documentation ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html)
    </Info>
  </Tab>

  <Tab title="GoDaddy">
    1. Log in to [GoDaddy](https://godaddy.com) → **My Products**
    2. Find your domain → Click **DNS**
    3. Click **Add** under Records
    4. Select Type `TXT`, Host `@`, paste token in TXT Value
    5. Click **Save**

    <Info>
      Reference: [GoDaddy Help - Add a TXT Record ↗](https://www.godaddy.com/help/add-a-txt-record-19232)
    </Info>
  </Tab>

  <Tab title="Namecheap">
    1. Log in to [Namecheap](https://namecheap.com) → **Domain List**
    2. Click **Manage** next to your domain
    3. Go to **Advanced DNS** tab
    4. Click **Add New Record**
    5. Select `TXT Record`, Host `@`, paste token in Value
    6. Click **Save All Changes**

    <Info>
      Reference: [Namecheap Knowledge Base - TXT Records ↗](https://www.namecheap.com/support/knowledgebase/article.aspx/317/2237/how-do-i-add-txtspfdkimdmarc-records-for-my-domain/)
    </Info>
  </Tab>

  <Tab title="Google Domains">
    1. Log in to [Google Domains](https://domains.google.com)
    2. Select your domain
    3. Click **DNS** in the left menu
    4. Scroll to **Custom records** → Click **Manage custom records**
    5. Click **Create new record**
    6. Set Type to `TXT`, Host name to `@`, paste the token in Data
    7. Click **Save**

    <Info>
      Reference: [Google Workspace Admin Help - TXT Records ↗](https://support.google.com/a/answer/2716800)
    </Info>
  </Tab>

  <Tab title="Other Providers">
    1. Log in to your DNS provider's dashboard
    2. Navigate to DNS settings for your domain
    3. Add a new TXT record
    4. Set the host/name to `@` (or leave blank)
    5. Paste the verification token as the value
    6. Save your changes
  </Tab>
</Tabs>

## Step 3: Verify Your Domain

<Steps>
  <Step title="Return to Krea">
    Go back to the verification modal in Krea.
  </Step>

  <Step title="Click Verify Domain">
    Click the **Verify Domain** button.
  </Step>

  <Step title="Wait for Confirmation">
    Krea will check your DNS records. Once verified, you'll see a success message.
  </Step>
</Steps>

<Info>
  **DNS propagation** can take anywhere from a few minutes to 72 hours. If verification fails, wait 5-10 minutes and try again.
</Info>

## Configure Domain Capture

Domain Capture controls what happens when a user with a matching verified email domain signs in to Krea. You can automatically add them to your workspace, prompt them to join, or take no action.

### Capture Modes

| Mode         | Label in Settings   | Behavior                                                                                                                                                    |
| ------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Off**      | Disabled            | Users join only via direct admin invitation.                                                                                                                |
| **Optional** | Auto-Invite Enabled | Users see a "Join Your Verified Workspace" modal. They can accept or dismiss it (re-prompted after 1 week).                                                 |
| **Enforced** | Auto-Enroll Enabled | Users are automatically added to your workspace on next login. Their active workspace switches automatically and they see a confirmation modal. No opt-out. |

<Warning>
  **Default behavior:** Newly verified domains default to **Enforced (Auto-Enroll)**, meaning users with matching email domains will be automatically added to your workspace. Review and adjust the capture mode immediately after verifying a domain if this is not your desired behavior.
</Warning>

### Setting the Capture Mode

<Steps>
  <Step title="Open Domain Management">
    Navigate to [Workspace Settings ↗](https://www.krea.ai/settings/workspace-settings) and scroll to the **Domain Management** section.
  </Step>

  <Step title="Locate your verified domain">
    Find the domain you verified. Note that it defaults to **Enforced (Auto-Enroll)** immediately after verification.

    ![Domain capture mode picker](https://s.krea.ai/docs/domain-capture-management.png)
  </Step>

  <Step title="Select a capture mode">
    Use the radio buttons to choose **Off**, **Optional (Auto-Invite)**, or **Enforced (Auto-Enroll)**. Your selection is saved automatically.
  </Step>
</Steps>

### Key Details

<AccordionGroup>
  <Accordion title="Multiple workspaces with the same domain">
    Multiple workspaces can verify the same email domain. Each workspace manages its own capture mode independently. A user matching multiple workspaces may be enrolled or prompted for each one.
  </Accordion>

  <Accordion title="Existing workspace members">
    Users who are already members of your workspace are not affected by Domain Capture. No duplicate invitations or enrollment actions occur.
  </Accordion>
</AccordionGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="DNS record not found">
    * **Wait for propagation** — DNS changes can take up to 72 hours (usually under 1 hour)
    * **Verify your record** — Use [MXToolbox TXT Lookup](https://mxtoolbox.com/TXTLookup.aspx) to check if the record is visible
    * **Check for typos** — Ensure the verification token is copied exactly
    * **Check the host field** — Some providers want `@`, others want it blank, and some want your domain name
  </Accordion>

  <Accordion title="Record exists but verification still fails">
    * **Check for duplicate records** — Remove any old or duplicate TXT records
    * **Verify the exact value** — Some providers add quotes automatically; don't add extra quotes
    * **Try a different TTL** — Lower TTL values (300 seconds) propagate faster
  </Accordion>

  <Accordion title="I don't have access to DNS settings">
    Contact your IT administrator or the person who manages your organization's domain. They'll need to add the TXT record for you.
  </Accordion>
</AccordionGroup>

## Next Steps

Once your domain is verified and Domain Capture is configured, you can proceed to set up SAML SSO for centralized authentication:

<Card title="SAML SSO Setup" icon="key" href="/user-guide/help-and-support/saml-sso-setup">
  Configure Single Sign-On for your Krea Enterprise workspace
</Card>
